18 Replies. Latest reply: Feb 21, 2014 10:55 AM by John O

    DHCP Spoofing

    xmarksthespot

      Hi Guys,

       

      I would like to ask your ideas regarding DHCP spoofing: what is it? Is it bad or good? (Sounds bad.) If bad, when does it happen and how do you prevent it?

       

      Thank you!

       

      Xmarks

       

      Message was edited by xmarksthespot: Let me know if this post is not suited to the group so I can route it somewhere else :D

        • 1. Re: DHCP Spoofing
          Kevin Santillan

          Hi.

           

          Yes, it is bad and is a form of attack. DHCP spoofing occurs when an attacker attempts to respond to DHCP requests, listing themselves (spoofing) as the default gateway or DNS server, hence initiating a man-in-the-middle attack. With that, it is possible for them to intercept traffic from users before forwarding it to the real gateway, or to perform DoS by flooding the real DHCP server with requests to exhaust IP address resources.

           

          This can be mitigated by configuring DHCP snooping, which allows only specific ports to pass DHCP server traffic. All other ports will be untrusted and can only send DHCP requests. If a DHCP offer is detected on an untrusted port, it will be shut down. Let's see a sample config.

           

          SW(config)# ! Enable DHCP snooping on the switch

          SW(config)#ip dhcp snooping

          SW(config)# ! Enable DHCP snooping for the specific VLAN              

          SW(config)#ip dhcp snooping vlan 1

          SW(config)#int fa0/1

          SW(config-if)# ! Set the port as trusted

          SW(config-if)#ip dhcp snooping trust 

          SW(config-if)# ! Enable rate limiting to prevent flooding attacks       

          SW(config-if)#ip dhcp snooping limit rate 15 

           

          More details here:

          http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

          • 2. Re: DHCP Spoofing
            xmarksthespot

            Thank you, Kev! I believe the rate of 15 is decent enough to stop the flooding, but is there a permanent (100%) way to avoid the spoofing?

            • 3. Re: DHCP Spoofing
              cadetalain

              Hi,

              If you mean stopping rogue DHCP servers from leasing IP addresses to clients, then yes, it is a 100% process as long as you leave as untrusted (which is the default trust state) all access ports where malicious users could plug in a DHCP server.

               

              Regards

               

              Alain

              • 4. Re: DHCP Spoofing
                Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                Hi Xmarksthespot,

                 

                I'm going to echo Kev. Whenever you hear "spoofing", it means "bad". DHCP spoofing is simply when an attacker enables a rogue DHCP server on a network; that rogue DHCP server would be able to start replying to those clients sending DHCP discovers/requests that are "closer" to it than to the real DHCP server. The rogue DHCP server would provide those clients with wrong information like a wrong default gateway, DNS, etc., so it would stop the traffic from being routed correctly, or it would simply sniff the traffic to analyze it and look at its content.

                 

                You would mitigate that kind of attack by configuring DHCP snooping on a switch; by default all ports would be in the untrusted state until you manually set them to the trusted state. The ports that should be set as trusted are those where the real DHCP server is connected, trunk ports, and all the ports down the path where the real DHCP server's packets travel towards the clients. By doing that, no rogue DHCP server packet would be able to go through those untrusted ports.

                 

                Please check out this link:

                 

                http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_44_se/configuration/guide/scg/swdhcp82.html#wp1078853

                 

                 

                Regards,

                Aref

                • 5. Re: DHCP Spoofing
                  xmarksthespot

                  Hi Alain and Aref,

                  I have a better understanding now. Thank you!

                   

                   

                  Just a knowledge check though:

                  - A rogue DHCP server cannot attack you via DHCP spoofing if it doesn't have access to a port of your switch that has no DHCP snooping configured?

                  - If you have DHCP snooping enabled and were able to configure trusted ports, but the attacker was able to grab that trusted port, are you susceptible to the attacks again?

                   

                  And a question:

                  - Is it possible to set DHCP snooping to refer to the MAC address of the trusted DHCP server rather than basing the "trustedness" on the ports themselves?

                   

                  The clarification and question are for all; feel free to answer.

                   

                  Thank you!

                  • 6. Re: DHCP Spoofing
                    Kevin Santillan

                    Thank you, Kev! I believe the rate of 15 is decent enough to stop the flooding, but is there a permanent (100%) way to avoid the spoofing?

                     

                    First, rate limiting is typically configured on untrusted ports. There is really no recommended or standard value for rate limiting, but some books suggest that it should not be configured at more than 100 pps (packets per second) on untrusted interfaces, which I think is large enough. As for trusted interfaces, you should configure higher values since they aggregate all DHCP traffic. Having high values on trusted ports won't pose a security risk provided that you have properly secured the rates on your untrusted ports. But still, we want everything to be fully secure. Hence, we allocate the right amount for trusted ports.

                     

                    As for rogue DHCP servers, just as Alain described, setting ports as untrusted alone can prevent the attacks because once an offer is detected, the port will be shut down.

                    • 7. Re: DHCP Spoofing
                      Kevin Santillan

                      Just a knowledge check though:

                      - A rogue DHCP server cannot attack you via DHCP spoofing if it doesn't have access to a port of your switch that has no DHCP snooping configured?

                       

                      Yes. He cannot do DHCP spoofing if he is not connected to your switch that has NO DHCP snooping configured. Just to give you some background, what happens is that a DHCP-enabled client sends a broadcast query requesting information from a DHCP server. Every host in the same broadcast domain will receive this message. Attackers with the proper software configured can intercept this request and spoof the DHCP response parameters.

                      - If you have DHCP snooping enabled and were able to configure trusted ports, but the attacker was able to grab that trusted port, are you susceptible to the attacks again?

                       

                      Well, that trusted port is usually where the DHCP server is connected. You can bind the server's MAC specifically to that port. Or you, as IT, should see if an attacker enters your data center and plugs into that port.

                       

                      And a question:

                      - Is it possible to set DHCP snooping to refer to the MAC address of the trusted DHCP server rather than basing the "trustedness" on the ports themselves?

                       

                      As stated above, aside from DHCP snooping, you can manually bind the server's MAC to that specific port and specify the maximum number of MACs allowed:

                       

                      Switch(config-if)# switchport mode access

                      Switch(config-if)# switchport port-security

                      Switch(config-if)# switchport port-security maximum 1

                      Switch(config-if)# switchport port-security violation restrict

                      Switch(config-if)# switchport port-security mac-address sticky <server MAC>
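As an added example (not code from this thread or from Cisco), the following Python models the packet handling Kevin describes in replies 1 and 7: a client's broadcast DHCPDISCOVER, a rogue OFFER arriving on an access port, and the real server's ACK arriving on the uplink. It builds DHCP messages in the RFC 2131 layout, parses the options field, and applies the two rules a snooping switch enforces: server messages are dropped on untrusted ports, and on untrusted ports the client hardware address must match the frame's source MAC (IOS's default MAC verification). Accepted ACKs fill a binding table of the kind DAI and IP Source Guard consult. Port names (Fa0/5, Fa0/7, Gi0/24), MAC addresses and the 10.0.0.0/24 addresses are constructed for the example.

```python
"""Added example (not code from the thread or from Cisco): a minimal model of
a DHCP-snooping switch handling the frames described in replies 1 and 7.
Rules applied, as on IOS with snooping enabled:
  1. server messages (OFFER/ACK/NAK) on an untrusted port are dropped;
  2. on an untrusted port the chaddr must equal the frame's source MAC
     (IOS's default MAC verification), so a host cannot act for another.
ACKs accepted from a trusted port fill a binding table (MAC -> IP, port),
the table DAI and IP Source Guard consult. Ports, MACs and IPs are made up.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}
HEADER = struct.Struct("!BBBBIHH4s4s4s4s")   # op .. giaddr, 28 bytes


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", extra=()):
    """Fixed BOOTP header, magic cookie, TLV options (53 first), END marker."""
    head = HEADER.pack(op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                       ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4)
    head += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    options = [(53, bytes([msg_type]))] + list(extra)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + tlv + b"\xff"


def parse_dhcp(pkt):
    """Return the fields a snooping switch needs; raise ValueError if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or bad magic cookie)")
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _ = HEADER.unpack(pkt[:28])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = END option
        if pkt[i] == 0:                          # 0 = PAD, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated DHCP option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    if 53 not in opts:
        raise ValueError("missing DHCP message type (option 53)")
    return {"op": op, "xid": xid, "chaddr": pkt[28:28 + hlen],
            "yiaddr": ip_str(yiaddr), "type": opts[53][0], "options": opts}


class SnoopingSwitch:
    """Ports are untrusted unless listed, matching the IOS default."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        self.client_port = {}   # chaddr -> port the client's request came in on
        self.bindings = {}      # chaddr -> {"ip": ..., "port": ...}

    def inspect(self, port, src_mac, pkt):
        """Decide ('forward' | 'drop', reason) for one DHCP frame."""
        try:
            msg = parse_dhcp(pkt)
        except ValueError as err:
            return "drop", f"{port}: {err}"
        if port not in self.trusted:
            if msg["op"] == BOOTREPLY or msg["type"] in SERVER_MESSAGES:
                return "drop", f"{port}: server message (type {msg['type']}) on untrusted port"
            if msg["chaddr"] != src_mac:
                return "drop", f"{port}: chaddr {msg['chaddr'].hex(':')} != source MAC {src_mac.hex(':')}"
        if msg["type"] not in SERVER_MESSAGES:
            self.client_port[msg["chaddr"]] = port
        elif msg["type"] == DHCPACK:             # only reachable via a trusted port
            self.bindings[msg["chaddr"]] = {"ip": msg["yiaddr"],
                                            "port": self.client_port.get(msg["chaddr"])}
        return "forward", f"{port}: DHCP type {msg['type']} accepted"


def demo():
    """Replay the thread's scenario: rogue OFFER on an access port, real ACK on the uplink."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})      # uplink toward the real server
    client, rogue = bytes.fromhex("0200aabbcc01"), bytes.fromhex("0200deadbe01")

    def server_opts(ip):                                # option 54 server-id, option 3 router
        return [(54, ip_bytes(ip)), (3, ip_bytes(ip))]

    results = {
        "discover": sw.inspect("Fa0/5", client,
                               build_dhcp(BOOTREQUEST, 0x1234, client, DHCPDISCOVER)),
        "rogue_offer": sw.inspect("Fa0/7", rogue,
                                  build_dhcp(BOOTREPLY, 0x1234, client, DHCPOFFER,
                                             "10.0.0.50", server_opts("10.0.0.66"))),
        "real_ack": sw.inspect("Gi0/24", bytes.fromhex("0200000000aa"),
                               build_dhcp(BOOTREPLY, 0x1234, client, DHCPACK,
                                          "10.0.0.50", server_opts("10.0.0.1"))),
        "spoofed_chaddr": sw.inspect("Fa0/7", rogue,   # rogue host claims client's MAC
                                     build_dhcp(BOOTREQUEST, 0x5678, client, DHCPDISCOVER)),
    }
    return results, sw.bindings


if __name__ == "__main__":
    for name, (action, reason) in demo()[0].items():
        print(f"{name:15} {action:8} {reason}")
```

Running the file prints one verdict per frame: the DISCOVER and the real ACK are forwarded, while the rogue OFFER and the DISCOVER that borrows the client's chaddr are dropped with the reason, and the binding table ends up holding the client's MAC, its leased address and the port it sits on. Note that this models the drop decision only; whether the port is additionally err-disabled on IOS depends on the rate-limit configuration Kevin discusses above.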

                      • 8. Re: DHCP Spoofing
                        xmarksthespot

                        Thank you, Kev, so it is a combined configuration of DHCP snooping and port security!

                         

                        As far as this topic goes, I learned from each post and am confident that I know it better now. Hopefully I can put this in a lab one of these coming days.

                         

                        Sincerely,

                         

                        Xmarks.

                        • 9. Re: DHCP Spoofing
                          Kevin Santillan

                          You're welcome. Have a great weekend.

                          • 10. Re: DHCP Spoofing
                            xmarksthespot

                            Weekends will be better with the knowledge I learned today. You too, have a great one!

                             

                            [off-topic]

                            I was going to open a discussion on HSRP. Do you have an idea which study group I should post it in?

                            • 11. Re: DHCP Spoofing
                              Kevin Santillan

                              This study group should be fine since FHRPs are already included in the 200-120 blueprint.

                              • 12. Re: DHCP Spoofing
                                Steven Davidson

                                I wanted to share this real-world experience with you to drive home the importance of implementing DHCP snooping.  While working at an MSP, one of our clients experienced a man-in-the-middle attack made possible by DHCP.  An infected laptop was connected to the network by a trusted IT staff member (he didn't know the laptop was infected).  The virus included a built-in DHCP server, which was instructing all of the DHCP-enabled clients on the network to use it as the default gateway.  The laptop would inspect traffic going off-net before forwarding the traffic to the true default gateway.  They only became aware of the problem when they reported to me that they were experiencing poor performance and I investigated the issue.  Had DHCP snooping been properly implemented in their environment, this attack would not have been possible.  The laptop would have been connected to an untrusted port and the port would have been disabled.  In my experience, DHCP snooping and other associated IOS security features are not implemented nearly as much as they should be.  I saw dozens of environments with all varieties of Cisco switch hardware and never once did I see an environment in which DHCP snooping had been implemented (or IP Source Guard or Dynamic ARP Inspection).

                                • 13. Re: DHCP Spoofing
                                  xmarksthespot

                                  Thanks for sharing your real-world experience, Steven. Actually, I just came across a question involving DHCP spoofing earlier and was really curious about it. When I learned about it, I was like "wow, that was cool". I also wanted to ask about Dynamic ARP Inspection, but I'll be absorbing this for now and looking forward to watching some videos or labbing it myself.

                                  • 14. Re: DHCP Spoofing
                                    John O

                                    It's always someone on the inside that causes trouble. haha

                                     

                                    FWIW, I have a lot of experience with malware removal, and now a new networking job in a small IT dept (need CCNA to keep the job). I'm working on a protocol for potential malware events, and your story provides an excellent example. As of now, the techs run Malwarebytes and ComboFix and call it a day.

                                     

                                    We also take in a few PCs for service, and IMO each should be handled as if fully infected and highly contagious.

                                     

                                    -John
