Protection Against ARP Spoofing Attacks; Protection Against DHCP Snooping Database Alteration Attacks; Protection Against DHCP Starvation Attacks - Juniper Junos OS 10.3 Software Manual

For EX Series Ethernet switches
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3
2828

Protection Against ARP Spoofing Attacks

Protection Against DHCP Snooping Database Alteration Attacks

Protection Against DHCP Starvation Attacks

In ARP spoofing, an attacker sends faked ARP messages on the network. The attacker
associates its own MAC address with the IP address of a network device connected to
the switch. Any traffic sent to that IP address is instead sent to the attacker. Now the
attacker can create various types of mischief, including sniffing the packets that were
meant for another host and perpetrating man-in-the-middle attacks. (In a
man-in-the-middle attack, the attacker intercepts messages between two hosts, reads
them, and perhaps alters them, all without the original hosts knowing that their
communications have been compromised.)
To protect against ARP spoofing on your switch, enable both DHCP snooping and dynamic
ARP inspection (DAI). DHCP snooping builds and maintains the DHCP snooping table.
That table contains the MAC addresses, IP addresses, lease times, binding types, VLAN
information, and interface information for the untrusted interfaces on the switch. DAI
uses the information in the DHCP snooping table to validate ARP packets. Invalid ARP
packets are blocked and, when they are blocked, a system log message is recorded that
includes the type of ARP packet and the sender's IP address and MAC address.
See "Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP
Spoofing Attacks" on page 2866.
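The following configuration is an added example, not text from the Juniper manual, showing the two statements the paragraph above describes (examine-dhcp and arp-inspection) on one VLAN, together with the trusted-port and static-binding pieces that a working deployment needs. The VLAN name employee-vlan, the interface names, and the IP and MAC addresses are assumed for illustration.

```junos
# Added example (not from the Juniper manual). Names and addresses are assumed.

# Access ports for hosts and the uplink toward the DHCP server are all in employee-vlan.
set vlans employee-vlan vlan-id 20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members employee-vlan

# Only the uplink may carry DHCP server messages (OFFER/ACK). Access ports keep the
# default untrusted state, so server messages arriving on them are dropped.
set ethernet-switching-options secure-access-port interface ge-0/0/8.0 dhcp-trusted

# Build the DHCP snooping table from the client/server exchanges in the VLAN, then
# validate ARP packets arriving on untrusted ports against that table.
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection

# Caveat: a host with a statically assigned IP address never appears in the snooping
# table, so DAI would drop its ARP traffic. Give it a static binding instead.
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 static-ip 192.0.2.20 vlan employee-vlan mac 00:05:85:3a:82:80

# Verification after commit:
#   show dhcp snooping binding        (learned IP, MAC, lease, VLAN and interface per client)
#   show arp inspection statistics    (ARP packets received, passed and failed per interface)
```

Commit the snooping statement first and confirm with show dhcp snooping binding that every active client has an entry before turning on arp-inspection; enabling DAI on a VLAN whose table is still empty blocks ARP from every host that has not renewed its lease since snooping started.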
In an attack designed to alter the DHCP snooping database, an intruder introduces a
DHCP client on one of the switch's untrusted access interfaces that has a MAC address
identical to that of a client on another untrusted port. The intruder acquires the DHCP
lease, which results in changes to the entries in the DHCP snooping table. Subsequently,
what would have been valid ARP requests from the legitimate client are blocked.
To protect against this type of alteration of the DHCP snooping database, configure MAC
addresses that are explicitly allowed on the interface. See "Example: Configuring Allowed
MAC Addresses to Protect the Switch from DHCP Snooping Database Alteration Attacks"
on page 2870.
In a DHCP starvation attack, an attacker floods an Ethernet LAN with DHCP requests
from spoofed (counterfeit) MAC addresses so that the switch's trusted DHCP servers
cannot keep up with requests from legitimate DHCP clients on the switch. The address
space of those servers is completely used up, so they can no longer assign IP addresses
and lease times to clients. DHCP requests from those clients are either dropped—that
is, the result is a denial of service (DoS)—or directed to a rogue DHCP server set up by
the attacker to impersonate a legitimate DHCP server on the LAN.
To protect the switch from DHCP starvation attacks, use the MAC limiting feature. Specify
the maximum number of MAC addresses that the switch can learn on the access interfaces
to which those clients connect. The switch's DHCP server or servers will then be able to
supply the specified number of IP addresses and leases to those clients and no more. If
a DHCP starvation attack occurs after the maximum number of IP addresses has been
Copyright © 2010, Juniper Networks, Inc.
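The configuration below is an added example, not text from the Juniper manual. It covers the two per-interface protections described in the preceding sections: allowed MAC addresses against alteration of the DHCP snooping database, and MAC limiting against DHCP starvation. Both are statements under the same secure-access-port interface hierarchy, so they are shown together on the same access ports. The interface names, MAC addresses, and the limit of 4 are assumed for illustration.

```junos
# Added example (not from the Juniper manual). Interface names, MACs and limits are assumed.

# Against snooping-database alteration: pin the MAC addresses permitted on ge-0/0/1.0.
# A MAC address not in the list is not learned on this interface, so a DHCP client on
# another port that copies one of these addresses cannot take over the binding.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 allowed-mac 00:05:85:3a:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 allowed-mac 00:05:85:3a:82:81

# Against DHCP starvation: cap the number of MAC addresses learned on each access port.
# Once the cap is reached, frames from further source MACs are dropped, so a flood of
# DHCP requests from spoofed MACs cannot exhaust the server's address pool.
# Other actions for mac-limit are log, none and shutdown (disables the port).
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 4 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 mac-limit 4 action drop

# Verification after commit:
#   show ethernet-switching table     (MAC addresses learned per interface)
#   show dhcp snooping binding        (bindings should belong only to the expected MACs)
```

Size the mac-limit to the number of hosts legitimately behind the port (a single workstation needs 1; a port feeding a small unmanaged hub or a phone with a daisy-chained PC needs more), and remember that an allowed-mac list does not by itself stop the same attacker from flooding from other spoofed addresses; the mac-limit is what bounds that.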