What is DHCP Snooping? What is Man in the Middle attack? How to configure DHCP Snooping security?
DHCP (Dynamic Host Configuration Protocol) servers provide all the basic information a client needs to operate on the network: DNS server address, default gateway, IP address, subnet mask and more.
Imagine an attacker brings a rogue DHCP server machine onto the same subnet as the other PCs on the network. What happens then? A PC broadcasts a DHCP request, and the attacker's machine may answer with a DHCP reply that hands out its own IP address as the default gateway.
When the client accepts the reply from the attacker's machine, it uses the spoofed gateway address and all of its packets pass through the attacker's machine first. The attacker may well forward the packets on to the correct destination, but in the meantime it can examine every one of them. This is a man-in-the-middle attack, and the client does not even realize it.
Cisco switches use the DHCP snooping feature to prevent this type of attack. With DHCP snooping enabled, every switch port is either trusted or untrusted. The legitimate DHCP server sits behind a trusted port; all other ports are untrusted, and DHCP server messages are not accepted on them. When a DHCP server reply arrives on an untrusted port, the switch discards it before it can flood the VLAN and also puts that untrusted port into the err-disabled state automatically. DHCP snooping also keeps track of the complete DHCP binding (client MAC address, leased IP address, lease time, VLAN and port).
Let's look at the configuration: first how the rogue DHCP server attack plays out, then how DHCP snooping prevents it.
Topology:
Goal:
- configure the topology as per the diagram in Cisco Packet Tracer
- configure an IP address on Router 1
- configure a DHCP server on Router 1
- make sure all clients receive the basic information: IP address, subnet mask, default gateway and DNS address
- configure the attacker machine as a DHCP server
- switch the client PCs from static to DHCP again and verify whether the basic information has changed (ipconfig /all)
- configure the switch to stop the attacker with DHCP snooping
- after preventing the attack, switch the PCs from static to DHCP again
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip dhcp pool SERVER
Router(dhcp-config)#network 10.0.0.0 255.255.255.0
Router(dhcp-config)#default-router 10.0.0.1
Router(dhcp-config)#dns-server 10.0.0.80
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 10.0.0.1
Router(config)#ip dhcp excluded-address 10.0.0.80
Router(config)#exit
Make sure all clients get the basic information: IP address, subnet mask, default gateway and DNS address.
(FROM PC 1)
Packet Tracer PC Command Line 1.0
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address…………….: 000B.BE81.0DD7
Link-local IPv6 Address………: FE80::20B:BEFF:FE81:DD7
IP Address………………….: 10.0.0.2
Subnet Mask…………………: 255.255.255.0
Default Gateway……………..: 10.0.0.1
DNS Servers…………………: 10.0.0.80
DHCP Servers………………..: 10.0.0.1
DHCPv6 Client DUID…………..: 00–01–00–01-D6–19–05-C4–00–0B-BE-81–0D-D7
Bluetooth Connection:
(FROM PC 3)
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address…………….: 0060.472C.94D8
Link-local IPv6 Address………: FE80::260:47FF:FE2C:94D8
IP Address………………….: 10.0.0.4
Subnet Mask…………………: 255.255.255.0
Default Gateway……………..: 10.0.0.1
DNS Servers…………………: 10.0.0.80
DHCP Servers………………..: 10.0.0.1
DHCPv6 Client DUID…………..: 00–01–00–01-D9–76–38–6D-00–60–47–2C-94-D8
ATTACKER(config)#interface gigabitEthernet 0/0
ATTACKER(config-if)#ip address 192.168.10.1 255.255.255.0
ATTACKER(config-if)#no shutdown
ATTACKER(config-if)#exit
ATTACKER(config)#ip dhcp pool MIB
ATTACKER(dhcp-config)#network 192.168.10.0 255.255.255.0
ATTACKER(dhcp-config)#default-router 192.168.10.1
ATTACKER(dhcp-config)#dns-server 192.168.10.80
ATTACKER(dhcp-config)#exit
ATTACKER(config)#ip dhcp excluded-address 192.168.10.1
ATTACKER(config)#ip dhcp excluded-address 192.168.10.80
ATTACKER(config)#exit
Verify whether the basic information has changed (ipconfig /all on each PC).
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Router(config)#ip dhcp relay information trust-all
Router(config)#exit
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface            Trusted    Rate limit (pps)
-----------------    -------    ----------------
FastEthernet1/1      no         unlimited
FastEthernet2/1      no         unlimited
FastEthernet3/1      no         unlimited
FastEthernet0/1      yes        unlimited
Switch# show ip dhcp snooping binding
MacAddress           IpAddress    Lease(sec)  Type           VLAN  Interface
-------------------  -----------  ----------  -------------  ----  ---------------
00:0B:BE:81:0D:D7    10.0.0.5     86400       dhcp-snooping  1     FastEthernet1/1
00:D0:97:B1:1E:E3    10.0.0.3     86400       dhcp-snooping  1     FastEthernet2/1
00:60:47:2C:94:D8    10.0.0.4     86400       dhcp-snooping  1     FastEthernet3/1
Total number of bindings: 3
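The decision logic described above (trusted vs. untrusted ports, dropping server replies on untrusted ports, err-disabling that port, and building the binding table from client requests and server ACKs) modelled as a small Python simulation. This is an added example, not code from the original post or from Cisco; the router and attacker MAC addresses are constructed, while PC1's MAC, lease address and port are taken from the binding table shown above.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53) that matter for snooping.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}  # only a DHCP server legitimately sends these

@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports behind which the real DHCP server lives
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, vlan, client port)
    pending: dict = field(default_factory=dict)   # client MAC -> (vlan, client port) awaiting an ACK
    err_disabled: set = field(default_factory=set)

    def handle(self, port, vlan, src_mac, msg_type, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message arriving on `port`."""
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            # Server reply on an untrusted port: rogue server. Discard it and err-disable the port.
            if msg_type in SERVER_MSGS:
                self.err_disabled.add(port)
                return "drop"
            # "Verification of hwaddr field": the client's source MAC must match the chaddr it claims.
            if src_mac != chaddr:
                return "drop"
            self.pending[chaddr] = (vlan, port)   # remember where this client asked from
            return "forward"
        # Trusted port: replies are forwarded; an ACK creates the binding for the client's port.
        if msg_type == ACK and chaddr in self.pending:
            vlan, client_port = self.pending.pop(chaddr)
            self.bindings[chaddr] = (yiaddr, vlan, client_port)
        return "forward"

def demo():
    sw = SnoopingSwitch(trusted={"Fa0/1"})       # Fa0/1 faces Router 1, as configured on the page
    pc1 = "00:0B:BE:81:0D:D7"                     # PC1, from the binding table
    router = "00:00:0C:AA:BB:01"                  # constructed router MAC
    attacker = "00:00:0C:AA:BB:02"                # constructed attacker MAC
    # Legitimate exchange: PC1 on untrusted Fa1/1, Router 1 on trusted Fa0/1.
    r1 = sw.handle("Fa1/1", 1, pc1, DISCOVER, chaddr=pc1)
    r2 = sw.handle("Fa0/1", 1, router, OFFER, chaddr=pc1, yiaddr="10.0.0.5")
    r3 = sw.handle("Fa1/1", 1, pc1, REQUEST, chaddr=pc1)
    r4 = sw.handle("Fa0/1", 1, router, ACK, chaddr=pc1, yiaddr="10.0.0.5")
    # Rogue server on untrusted Fa2/1 answering PC1 with its own subnet and gateway.
    r5 = sw.handle("Fa2/1", 1, attacker, OFFER, chaddr=pc1, yiaddr="192.168.10.2")
    return [r1, r2, r3, r4, r5], dict(sw.bindings), set(sw.err_disabled)

if __name__ == "__main__":
    print(demo())
```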
Originally published at https://www.internetworks.in.