DHCP attacks Flashcards

1
Q

DHCP Starvation Attacks
Attacks modus operandi
Expected results

A

Attacks modus operandi
§ Try to lease all available addresses from the DHCP server
§ Expected results
§ The goal of a DHCP Starvation attack is to create a DoS that blocks clients from connecting

2
Q

DHCP Spoofing Attacks
Attacks modus operandi
Expected results

A

Attacks modus operandi
§ The hacker inserts a rogue DHCP server into the network and provides false IP information to clients
§ Expected results
§ False IP information consists of:
§ Wrong default gateway – DoS or Man-In-The-Middle attacks
§ Wrong DNS server – Targeted attacks towards specific domains or sites
§ Wrong IP address – DoS or Man-In-The-Middle attacks; combined with wrong default gateway

3
Q

DHCP Attacks
Mitigation
Implementation notes

A

Mitigation:
§ Standard mitigation can be achieved through DHCP snooping
§ DHCP snooping does not rely on source MAC addresses.
§ It determines whether DHCP messages are from an administratively configured trusted or untrusted source.
§ It then filters DHCP messages and rate-limits DHCP traffic from untrusted sources.
§ Implementation notes
§ Devices under your administrative control, such as switches, routers, and servers, are trusted sources.
§ Any device beyond the firewall or outside your network is an untrusted source.
§ In addition, all access ports are generally treated as untrusted sources.
§ All interfaces are treated as untrusted by default

4
Q

DHCP Attacks Mitigation Cisco commands

A

On Cisco switches, use the following steps to enable DHCP snooping:
§ Step 1. Enable DHCP snooping by using the “ip dhcp snooping” global configuration command.
§ Step 2. On trusted ports, use the “ip dhcp snooping trust” interface configuration command.
§ Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the “ip dhcp snooping limit rate” interface configuration command.
§ Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using the “ip dhcp snooping vlan” global configuration command.

5
Q

ARP Attacks
Attacks modus operandi
Expected results

A

Attacks modus operandi
§ Man-In-The-Middle attacks: impersonate hosts at the Layer 2 level
§ According to the ARP RFC (Request for Comments), a client is allowed to send an unsolicited ARP Request called a gratuitous ARP. When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their ARP tables.
§ Expected results
§ Capture, block or inject traffic between hosts

6
Q

ARP Attacks Mitigation

A

Mitigation (on Cisco devices): Dynamic ARP Inspection (DAI)
§ To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed
§ DAI uses DHCP snooping and prevents ARP attacks by:
§ Not relaying invalid or gratuitous ARP Requests out to other ports in the same VLAN
§ Intercepting all ARP Requests and Replies on untrusted ports
§ Verifying each intercepted packet for a valid IP-to-MAC binding
§ Dropping and logging ARP Requests coming from invalid sources to prevent ARP poisoning
§ Error-disabling the interface if the configured DAI rate limit of ARP packets is exceeded
§ Other mitigation approaches
§ Use static ARP entries on strategic hosts
§ Use ARP watcher tools to scan for gratuitous ARP requests

7
Q

ARP Attacks Mitigation Cisco commands

A

§ Steps to activate DAI
§ Enable DHCP snooping globally.
§ Enable DHCP snooping on selected VLANs.
§ Enable DAI on selected VLANs with the command: ip arp inspection
§ Configure trusted interfaces for DHCP snooping and ARP inspection
§ Other possible parameters of ip arp inspection:
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
§ Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
§ Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
§ IP address - Checks the ARP body for invalid and unexpected IP addresses, including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

8
Q

Address Spoofing Attacks
Attacks modus operandi
Expected results

A

Attacks modus operandi
§ The hacker hijacks the valid IP address of another device on the subnet or the MAC address of the target host
§ Expected results
§ Capture or block traffic to a host
§ Impersonate a host at Layer 2 & 3
§ Get access to normally blocked services or data

9
Q

Address Spoofing Attacks
Mitigation

A

Mitigation (on Cisco devices): IP Source Guard (IPSG)
§ Source IP Address Filtering
§ IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
§ When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to the interface.
§ Source IP and MAC Address Filtering
§ IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.
§ When address filtering is enabled, the switch filters IP and non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding, the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
