
DHCP Snooping

2009, Cisco Systems, Inc. All rights reserved.

Mini Primer on DHCP (RFC 2131 and 2132)


Centralized administration of IP address configuration
Superset of the BootP client/server protocol
Temporary allocation of IP addresses and options based on MAC, Client ID, or subnet (GIADDR)
Transport: UDP, port 67 (server listens on this port) and 68 (client listens on this port)
Lease renewal efforts occur at two intervals:
  T1: 1/2 of the lease has been used
  T2: 7/8 of the lease has been used

DHCP Address Acquisition

[Figure: exchange between DHCP Client and DHCP Server: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack (or Decline, Nack); lease renewal (T1 or T2 timer); DHCP Release]

DHCP Discover: broadcast, sent out as a Layer 2 broadcast
DHCP Offer: the server responds with a proposal of parameters
DHCP Request: the client broadcasts to the preferred server; an implicit decline to the others
DHCP ACK: the server assigns an address
DHCP NACK: the server rejects the request from the client
DHCP Decline: the client rejects the offered address
DHCP Release: the client returns the assigned address before the lease expires

NOTE: The reply from the server may contain not only the client's Layer 3 address (IP address) but also other important configuration parameters such as the subnet mask, default router and Domain Name System (DNS) server. The DHCP ACK contains all the necessary IP/lease parameters (DNS server, WINS server, NetBIOS node type, domain name, T1/T2 timers, gateway, etc.).

DHCP Discover (client-to-server)


DHCP O f f er (server-to-client)


DHCP R eq u est (client-to-server)


Duplicate packets??
Why do you think my laptop was sent TWO DHCP Offers?


DHCP A CK (server-to-client)


Several DHCP message types

[Figure: DHCP Client exchanging messages with Server A and Server B]

Client messages: Discover, Request (4 kinds: selecting, renew, rebind, Init/Reboot), Decline, Release, Inform
Server messages: Offer, ACK, NAK

Message / Use:
DHCPDISCOVER: Client broadcast to locate available servers.
DHCPOFFER: Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST: Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address.
DHCPACK: Server to client with configuration parameters, including committed network address.
DHCPNAK: Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired.
DHCPDECLINE: Client to server indicating network address is already in use. Example: self-ARP detects offered IP address is already in use.
DHCPRELEASE: Client to server relinquishing network address and cancelling remaining lease.

DHCP Message Format

[Figure: Client-A, Client-B and Client-C on 10.1.2.0/24, a router running IP Helper (.1) between them and the DHCP Server on 10.1.1.0/24 (.2)]

The GIADDR is stuffed with an IP address by the IP Helper feature to identify the subnet of the client.

Message layout (bit offsets 0, 16, 32; field sizes in octets):

  OP Code (1) | HTYPE (1) | HLEN (1) | HOPS (1)
  TRANSACTION ID (4)
  SECONDS (2) | UNUSED (2)
  CLIENT IP ADDRESS (4)
  YOUR IP ADDRESS (4)
  SERVER IP ADDRESS (4)
  GATEWAY IP ADDRESS (GiADDR) (4)
  CLIENT HARDWARE ADDRESS (16)
  SERVER HOST NAME (64)
  BOOT FILE NAME (128)
  VENDOR-SPECIFIC OPTIONS (312)

Description of fields in a DHCP message (FIELD (OCTETS): DESCRIPTION):

op (1): Message op code / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY
htype (1): Hardware address type, see ARP section in "Assigned Numbers" RFC; e.g., '1' = 10mb ethernet.
hlen (1): Hardware address length (e.g. '6' for 10mb ethernet).
hops (1): Client sets to zero, optionally used by relay agents when booting via a relay agent.
xid (4): Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.
secs (2): Filled in by client, seconds elapsed since client began address acquisition or renewal process.
flags (2): Flags
ciaddr (4): Client IP address; only filled in if client is in BOUND, RENEW or REBINDING state and can respond to ARP requests.
yiaddr (4): 'your' (client) IP address.
siaddr (4): IP address of next server to use in bootstrap; returned in DHCPOFFER, DHCPACK by server.
giaddr (4): Relay agent IP address, used in booting via a relay agent.
chaddr (16): Client hardware address.
sname (64): Optional server host name, null terminated string.
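As an added worked example (not part of the original deck), the header layout and field table above can be exercised in Python. The parser below reads the fixed 236-byte BOOTP header, the magic cookie and the TLV options; the builder constructs a DHCPDISCOVER that a relay (IP Helper) has forwarded, so giaddr is non-zero and hops is 1. The client MAC, transaction ID and relay address are constructed sample values.

```python
"""Parse and build the fixed-format DHCP/BOOTP message described above (RFC 2131/2132).
Added example, not code from the deck; the sample packet is constructed here."""
import socket
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options (RFC 2132)
OPT_PAD, OPT_MESSAGE_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


@dataclass
class DhcpMessage:
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: str
    sname: str
    file: str
    options: dict = field(default_factory=dict)   # option tag -> raw value bytes

    @property
    def message_type(self) -> str:
        code = self.options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
        return MESSAGE_TYPES.get(code, f"unknown({code})")


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    """Decode the 236-byte header, check the magic cookie, then walk the TLV options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(pkt[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = pkt[28:28 + hlen].hex(":")          # only hlen bytes of the 16-byte field are meaningful
    sname = pkt[44:108].split(b"\x00", 1)[0].decode("ascii", "replace")
    file = pkt[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")
    options, i = {}, 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:                       # single-byte pad, no length
            i += 1
            continue
        length = pkt[i + 1]
        options[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, htype, hlen, hops, xid, secs, flags,
                       ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, options)


def build_discover(client_mac: str, xid: int, giaddr: str = "0.0.0.0") -> bytes:
    """BOOTREQUEST carrying DHCPDISCOVER. giaddr is non-zero (and hops 1) only when a relay forwarded it."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    hops = 0 if giaddr == "0.0.0.0" else 1
    header = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)   # op=1, Ethernet, hlen=6, broadcast flag
    header += b"\x00" * 12                                           # ciaddr, yiaddr, siaddr are all zero
    header += socket.inet_aton(giaddr)
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, 1, OPT_CLIENT_ID, 7, 1]) + mac + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    # Constructed sample: a Discover relayed by an IP Helper on 10.1.2.1
    msg = parse_dhcp(build_discover("00:11:22:33:44:55", 0x12345678, giaddr="10.1.2.1"))
    print(msg.message_type, msg.chaddr, "giaddr", msg.giaddr, "hops", msg.hops)
```

The relay case is the one the snooping rules later care about: a packet whose giaddr is already populated identifies the client's subnet to the server, which is exactly why a switch must not accept such a packet from an untrusted port.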

DHCP Spoofing Attack

Who:
  Malicious user: pretends to be the network DHCP server
  Mis-configured user: fires up a DHCP server incorrectly
Where: Commonly seen in higher education, metro Ethernet
How: Attacker intercepts DHCP Discovery broadcasts and replies with bogus Gateway and DNS addresses

[Figure: the Victim sends a DHCP Discovery broadcast; the legitimate path is via the IP Helper (192.168.1.1/24) to the real DHCP server (195.11.2.1); the Attacker at 192.168.1.122 answers with a DHCP Offer of IP: 10.1.1.20/24, GW: 10.1.1.1, DNS: 192.168.1.122]

Do I Trust You?

DHCP Snooping relies on correct identification of Trusted and Untrusted ports. Default = All Ports Untrusted.

Trust ONLY those ports for which you have direct control of the end-device: Routers, Servers, Switches.

Router(config-if)# ip dhcp snooping trust

[Figure: client-facing ports marked untrusted; only the port toward the DHCP Server marked Trusted]

DHCP Attack Solution: DHCP Snooping

DHCP Snooping discards the attacker's bogus DHCP Offer messages by intercepting DHCP messages within a switch.

Switch forwards DHCP requests from untrusted access ports only to Trusted ports. All other types of DHCP traffic from untrusted access ports are dropped.
If the network DHCP server is not local to the switch, trust the uplink port.
Optional insertion and removal of DHCP option 82 data into/from DHCP messages.
Builds a DHCP binding table containing client IP address, client MAC address, port, VLAN number.
DoS attack on the DHCP server is prevented by rate limiting DHCP packets per access port.

[Figure: DHCP Snooping switch dropping a DHCP Offer that arrives on an untrusted port]

DHCP Binding Table

Contains binding entries for local untrusted ports only.
Includes both static entries and dynamic entries learned via DHCP gleaning.

Entry layout:
  MAC Address (6 bytes) | IP Address (4 bytes) | VLAN Id (2 bytes) | Port (4 bytes) | Lease Timer (4 bytes) | Binding Type (4 bytes)

What is allowed to pass (client-to-server)?

DHCP Discover, DHCP Request, DHCP Decline, DHCP Release: accepted from untrusted ports and forwarded toward the trusted port leading to the DHCP Server.

What is allowed to pass (server-to-client)?

DHCP Offer, DHCP Ack, DHCP Nack, DHCP Lease Query: accepted from the trusted port and forwarded to the untrusted client ports.

What is prevented (untrusted-to-untrusted).

ANY DHCP message from an untrusted port to another untrusted port. Only the trusted port toward the DHCP Server receives DHCP traffic from untrusted ports.

What is prevented (Untrusted Server Packets).

DHCP Offer, DHCP Ack, DHCP Nack, DHCP Lease Query arriving on an untrusted port: DROPPED!!

This also applies to a legitimate DHCP Server connected to a port incorrectly identified as untrusted: its DHCP Offer, Ack, Nack and Lease Query messages are DROPPED!! as well.

What is prevented (Who do you think YOU are??)

DHCP Decline and DHCP Release arriving on untrusted port 3/1 with SRC MAC = AA: DROPPED!!
DHCP Binding Database: MAC-AA = port 3/3

A hacker (real MAC BB, sending with SRC MAC = AA) attempts to impersonate you and release your IP address; the host that really owns MAC AA is on untrusted port 3/3, so the binding table exposes the mismatch.

What is prevented (No relay for YOU!!).

DHCP packet with a non-zero giaddr field arriving on an untrusted port (3/1 or 3/3 in the figure): DROPPED!!

Normal DHCP-Relay operation populates the giaddr field in DHCP messages. This is not allowed if arriving on an untrusted port.
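The five "what passes / what is prevented" rules above can be collected into one forwarding decision. The Python below is an added example, not the switch's own code: it models a snooping switch with a trust set and a binding table, learns a binding from an ACK (gleaning), and then classifies packets exactly as the slides describe: client messages from untrusted ports go only toward trusted ports (so they never reach another untrusted port), server messages and non-zero giaddr on an untrusted port are dropped, and a Release/Decline whose source MAC is bound to a different port is dropped. The Option-82 check follows the later caveat slide. Port names, MACs and addresses are constructed sample values.

```python
"""DHCP snooping forwarding decision for one switch, modelling the rules in the slides above.
Added example, not Cisco code; bindings and packets are constructed sample data."""
from dataclasses import dataclass, field

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str
    src_mac: str                  # Ethernet source address of the frame
    chaddr: str                   # client hardware address field in the DHCP header
    giaddr: str = "0.0.0.0"       # relay agent address; non-zero only when a relay populated it
    yiaddr: str = "0.0.0.0"       # address offered/assigned by the server (OFFER/ACK)
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, vlan, port)
    allow_untrusted_option82: bool = False         # 'ip dhcp snooping information option allow-untrusted'

    def learn_from_ack(self, ack: DhcpPacket, client_port: str, vlan: int) -> None:
        """Gleaning: an ACK seen on a trusted port creates the binding for the client's untrusted port."""
        if ack.msg_type == "ACK":
            self.bindings[ack.chaddr] = (ack.yiaddr, vlan, client_port)

    def decide(self, pkt: DhcpPacket, in_port: str):
        """Return (verdict, reason). 'forward-to-trusted' means the packet is sent only out
        trusted ports, so it can never reach another untrusted port."""
        if in_port in self.trusted_ports:
            return "forward", "trusted port: not inspected"
        # Everything below applies to untrusted ports only.
        if pkt.msg_type in SERVER_MSGS:
            return "drop", f"{pkt.msg_type} is a server message arriving on untrusted port {in_port}"
        if pkt.giaddr != "0.0.0.0":
            return "drop", f"non-zero giaddr {pkt.giaddr} on untrusted port"
        if pkt.has_option82 and not self.allow_untrusted_option82:
            return "drop", "option 82 present on untrusted port"
        if pkt.msg_type in {"RELEASE", "DECLINE"}:
            bound = self.bindings.get(pkt.src_mac)
            if bound is not None and bound[2] != in_port:
                return "drop", f"{pkt.src_mac} is bound to port {bound[2]}, not {in_port}"
        if pkt.msg_type in CLIENT_MSGS:
            return "forward-to-trusted", "client message relayed only toward trusted ports"
        return "drop", f"unknown DHCP message type {pkt.msg_type}"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    # Constructed: server (MAC 00:aa:...) ACKs client aa:aa:... seen on Fa3/3, VLAN 2
    sw.learn_from_ack(DhcpPacket("ACK", "00:aa:aa:aa:aa:aa", "aa:aa:aa:aa:aa:aa", yiaddr="10.1.2.50"), "Fa3/3", 2)
    spoofed_release = DhcpPacket("RELEASE", "aa:aa:aa:aa:aa:aa", "aa:aa:aa:aa:aa:aa")
    print(sw.decide(spoofed_release, "Fa3/1"))   # dropped: MAC is bound to Fa3/3
    print(sw.decide(spoofed_release, "Fa3/3"))   # forwarded toward trusted ports
```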


DHCP Relay packet dropped!!

[Figure: Customer-B -> Switch-B (DHCP Relay Agent, int vlan 3 ip add 3.3.3.3), port 2/1, Vlan-3 -> port 3/25 (Untrusted Interface) on the Aggregation Switch running DHCP Snooping -> DHCP Server. The DHCP Discover leaves Switch-B with Giaddr = 3.3.3.3.]

The Aggregation Switch with DHCP Snooping enabled drops the DHCP packet on the untrusted port because of the non-zero giaddr field.

The Solution:

DHCP Snooping - Configuration

[Figure: Customer-B -> Edge Switch (Relay Agent), port 2/1 -> Aggregation Switch (Relay Agent) -> DHCP Server; the DHCP Discover travels along this path]

Ensure that the DHCP Server and the Relay Agent (if it exists) are already fully functional before you configure DHCP Snooping.

Configure this on ports leading to trusted DHCP Servers or on uplink ports to Aggregation Switches.

DHCP Snooping Additional Config Options

[Figure: Customer-B -> Edge Switch port 2/0/1 (Relay Agent) -> Aggregation Switch (Relay Agent) -> DHCP Server]

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100

Prevents DHCP DoS attacks that would overwhelm the DHCP Server.

DHCP Snooping can also be configured on Private VLANs. Configure it only on the Primary VLAN; it will be dynamically propagated to all Secondary VLANs. There is no way (currently) to have different DHCP Snooping configurations applied to Secondary VLANs all residing under the same Primary VLAN.

DHCP Snooping Verification

[show command output not reproduced]

Untrusted interfaces don't display.

DHCP Relay Agent

Best practice is to store the DHCP Binding Database externally to the switch.
If stored locally in flash/bootflash, the database must be erased and re-written for every new entry. CPU intensive; can lock up the switch.
If the switch crashes or reloads, all entries / lease info are lost, and this can kill the DHCP Snooping process.

The feature to do this is called the DHCP Snooping Database Agent.
Can also use FTP, HTTP, and RCP.

Switch(config)# ip dhcp snooping database tftp://192.168.1.1/Snoop-data.dhcp
Switch(config)# ip dhcp snooping database write-delay 15

write-delay: Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).

DHCP Relay Agent Caveat

From the Cat3750 Configuration Guide:
"For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way."

What will you see if you DON'T have a 0-byte file to start with??

Cat3750# show ip dhcp snooping database
Agent URL : tftp://192.168.1.1/Snoop-data.dhcp

Meaning: The switch cannot create this file from scratch. The server must already contain a 0-byte file with this name for this to work.

Restricting Allocated Addresses

Customer's Challenge:
1. How can I ensure that each switch is only allocated a maximum of X addresses from my DHCP Pool?
2. How can I ensure that port 2/1 on Switch-B is only allocated a maximum of X addresses from my DHCP Pool?
3. What if someone in Customer-C's network is attempting a DHCP DoS attack (sending multiple DHCP Discover/Request messages to completely exhaust the DHCP Address Pool)? How can I prevent that?

[Figure: Aggregation Switch with the DHCP Server; Switch-A/Customer-A, Switch-B (ports 4/1 and 2/1)/Customer-B, Switch-C/Customer-C, Switch-D/Customer-D]

The Solution: DHCP Option-82, a.k.a. DHCP Relay Agent Option (RFC 3046)

DHCP Option-82

[Figure: Switch-A, Switch-B (ports 4/1, 2/1), Switch-C and Switch-D each forward their customer's DHCP packet with Option-82 inserted toward the Aggregation Switch and the DHCP Server]

1. Option-82 allows trusted access devices to insert this option into (and remove it from) DHCP packets.
2. This option gives descriptive information about the device/port that received the DHCP message.

DHCP Option-82

[Figure: Customer-B -> Switch-B (MAC 02-aa-11-11-22-11), port 2/1, Vlan-3 -> Aggregation Switch -> DHCP Server. The DHCP Discover carries Option-82 with Remote-id = 02-aa-11-11-22-11 and Circuit-id = 3-2-1. The DHCP Server is configured to only allow a maximum of 100 addresses to be allocated to that combination of Remote-ID and Circuit-ID!!]

1. The switch adds Remote-ID and Circuit-ID sub-options into the Option-82 data. Circuit-ID default is the port identifier in the format vlan-mod-port. Remote-ID default is the switch MAC address.
2. These fields are configurable to use ASCII strings if you prefer:

ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string
  (Optional) Configure the circuit-ID suboption for the specified interface.
  Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).

DHCP Option-82 Technical Details

debug ip dhcp snooping packet

Circuit-ID information:
  0x1 = Suboption type specifying Circuit-ID
  0x6 = Total Length of Circuit-ID
  0x0 = Circuit-ID Type field
  0x4 = Length of the Circuit-id (VLAN + Module + Port)
  0x0 = First Byte of Circuit-ID (unused in this case since VLAN-1 will be contained in the second byte, but this field would be a non-zero number if representing any VLAN above VLAN-255)
  0x1 = VLAN-1
  0x3 = Slot-3
  0x6 = Port-6

Remote-ID information immediately follows:
  0x2 = Suboption Type for Remote-ID
  0x8 = Total Length (in bytes) of Remote-ID
  0x0 = Remote-id Type
  0x6 = Remote-id Length (Length of the MAC Address of the Suboption; MAC address by default)
  MAC Address = 00-13-5f-1d-7f-80 (taken from Interface VLAN-1)
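To make the byte walk above concrete, here is an added example (not from the deck or from Cisco) that builds and parses the Option-82 payload in the default Cisco sub-option encoding shown: circuit-id sub-option 1 carrying type 0 and a 4-byte VLAN/module/port value, then remote-id sub-option 2 carrying type 0 and the 6-byte switch MAC. The builder also handles the VLAN-above-255 case the slide mentions, since the VLAN occupies two bytes. The MAC 00-13-5f-1d-7f-80 and VLAN-1/slot-3/port-6 values are the deck's; VLAN 300 is a constructed extra case.

```python
"""Build and parse the DHCP Option 82 (Relay Agent Information, RFC 3046) payload in the
default Cisco circuit-id/remote-id encoding described above. Added example, not Cisco code."""
import struct

OPTION_82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
CIRCUIT_TYPE_VLAN_MOD_PORT = 0     # type byte 0x0 inside the circuit-id sub-option
REMOTE_TYPE_MAC = 0                # type byte 0x0 inside the remote-id sub-option


def build_option82(vlan: int, slot: int, port: int, switch_mac: str) -> bytes:
    """Return the complete option: tag 82, total length, circuit-id then remote-id sub-options."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    # VLAN is two bytes: the first byte is only non-zero for VLANs above 255.
    circuit_value = struct.pack("!HBB", vlan, slot, port)
    circuit = bytes([SUB_CIRCUIT_ID, 2 + len(circuit_value),
                     CIRCUIT_TYPE_VLAN_MOD_PORT, len(circuit_value)]) + circuit_value
    mac = bytes.fromhex(switch_mac.replace("-", "").replace(":", ""))
    if len(mac) != 6:
        raise ValueError("switch MAC must be 6 bytes")
    remote = bytes([SUB_REMOTE_ID, 2 + len(mac), REMOTE_TYPE_MAC, len(mac)]) + mac
    body = circuit + remote
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(data: bytes) -> dict:
    """Decode an option produced by build_option82 (or any RFC 3046 option whose sub-options
    carry the Cisco type/length prefix). Unknown encodings are returned raw."""
    if len(data) < 2 or data[0] != OPTION_82 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    out, i = {}, 2
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        sub, sub_len = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + sub_len]
        if len(payload) != sub_len or sub_len < 2:
            raise ValueError("truncated sub-option")
        sub_type, inner_len, value = payload[0], payload[1], payload[2:]
        if inner_len != len(value):
            raise ValueError("inner length does not match sub-option length")
        if sub == SUB_CIRCUIT_ID and sub_type == CIRCUIT_TYPE_VLAN_MOD_PORT and inner_len == 4:
            vlan, slot, port = struct.unpack("!HBB", value)
            out["circuit_id"] = {"vlan": vlan, "slot": slot, "port": port}
        elif sub == SUB_REMOTE_ID and sub_type == REMOTE_TYPE_MAC and inner_len == 6:
            out["remote_id"] = value.hex("-")
        else:
            out[f"sub{sub}"] = value          # e.g. ASCII-string forms configured by the operator
        i += 2 + sub_len
    return out


if __name__ == "__main__":
    opt = build_option82(1, 3, 6, "00-13-5f-1d-7f-80")   # the deck's VLAN-1, Slot-3, Port-6 example
    print(opt.hex(" "))
    print(parse_option82(opt))
```

The parser checks both length fields the slide enumerates (the sub-option length and the inner type/length), which is where a hand-crafted option is most likely to be malformed.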


DHCP Option-82 Caveats

[Figure: Customer-B -> Switch-B inserts Option-82 (Remote-id = 02-aa-11-11-22-11, Circuit-id = 3-2-1) into the DHCP Discover -> Aggregation Switch -> DHCP Server, which asks "What the heck is THAT??"]

1. DHCP Servers must be configured to recognize and respond in some way to DHCP Option-82, otherwise packets may be dropped.

Switch(config)# ip dhcp snooping information option
This is the DEFAULT setting. Remove it if unsupported by the DHCP Server.

2. Switches receiving DHCP messages containing Option-82 will DROP THEM if received on an untrusted interface!! The solution for aggregation switches:

Switch(config)# ip dhcp snooping information option allow-untrusted

Dynamic ARP Inspection (DAI)


MIM Attack: Attacking another host

[Figure sequence (six slides). Layer 3 Network with DHCP Server and Router R; Host A (IPA, MACA), Host B (IPB, MACB) and Malicious Host M (MACM), each holding an ARP Cache:
 1. Host A sends an ARP Request for IPB.
 2. Host B sends an ARP Response; Host A's ARP cache now maps IPB to MACB.
 3. User Traffic flows directly from Host A to Host B.
 4. Malicious Host M sends an Unsolicited ARP Response; Host A's ARP cache now maps IPB to MACM.
 5. User Traffic from Host A is now delivered to Malicious Host M.]

DOS Attack: Attacking the default gateway

[Figure sequence (five slides). Layer 3 Network with DHCP Server and Router R; an L2 Network with PVLAN containing Host A (IPA, MACA), Host B (IPB, MACB) and Malicious Host M, each holding an ARP Cache:
 1. Host A sends an ARP Request for IPB.
 2. Router R sends a Proxy ARP Response; Host A's ARP cache maps IPB to MACR.
 3. User Traffic from Host A goes to Router R.
 4. Malicious Host M sends an Unsolicited ARP Response; Host A's ARP cache entry for IPB now points at MACM instead of MACR.
 5. User Traffic from Host A is now delivered to Malicious Host M instead of the gateway.]

ARP Poisoning: Serious Business

Recording Voice Calls
Avaya demonstrated a variation of ARP poisoning at their customer briefing center using Cisco gear.
After intercepting a network connection, packets containing G.711 voice data are collected and the phone conversation is recorded and then replayed.

Stealing Passwords
Demonstrated live to Cisco senior executives in the Cisco network.
Tools are publicly available with GUI and bi-directional spoofs: Ettercap and Dsniff.
Easily taught in 5 minutes.

Neither the victim nor the default gateway is aware of the attack.

[Figure: Victim and Email Server with an attacker in the middle recording data]

ARP Poisoning Attack Solution: Dynamic ARP Inspection

Dynamic ARP Inspection discards the attacker's gratuitous ARP packets in the switch, and logs the attempts for auditing.
Bindings of client IP address, client MAC address, port, VLAN number are built dynamically by DHCP snooping.
Each intercepted packet is verified for a valid IP-to-MAC binding.
A solution with no change to the end user or host configurations.
Switch intercepts all ARP requests and replies on the untrusted access ports.

[Figure: Dynamic ARP Inspection dropping a Gratuitous ARP arriving on an untrusted port]

Dynamic ARP Inspection (DAI) Overview

When DHCP Snooping is not applicable, static ARP ACLs can be configured instead. ARP ACLs always take priority over the DHCP Snooping Table.
If an ARP ACL is configured to drop a packet, that ARP will be dropped even if there is a valid entry in the DHCP Snooping Table.

Relies on the same concepts of Trusted and Untrusted ports as DHCP Snooping.
Ports are untrusted by default.

DAI does not verify any ARP Requests/Replies from Trusted interfaces.

ARP Inspection Procedure

Trusted I/F?
  Yes -> Forward valid ARP packet
  No -> Ethernet & IPv4?
    No -> Drop & log invalid ARP packet
    Yes -> Match ARP ACL?
      Yes -> Action?
        Deny -> Drop & log invalid ARP packet
        Permit -> Forward valid ARP packet
      No -> Match DHCP binding table?
        Yes -> Forward valid ARP packet
        No -> Drop & log invalid ARP packet

ARP Inspection Overview

An ARP request/response packet is considered valid if it meets the following criteria:
1) Mandatory: Sender <MAC, IP, VLAN> triplet is valid
2) Optional: Sender MAC == Source MAC
3) Optional (for ARP response): Target MAC == Destination MAC

ARP Packet Format:
  Dest MAC Addr | Source MAC Addr | Frame Type = 0x0806 (ARP) | H/W Type = 0x01 (Ethernet) | Prot Type = 0x0800 (IPv4) | H/W Size | Prot Size | Op Code | Sender MAC Addr | Sender IP Addr | Target MAC Addr | Target IP Addr


Basic DAI Configuration

Two Design Methodologies:
1. Leave all edge ports as Untrusted. Configure DAI on every switch in the network.
2. Trust all interfaces connected to networking devices (routers, switches, etc). Configure DAI on all Edge switches (assuming that hosts are only connected to Edge switches).

Step-1: Configure and verify DHCP Snooping first!
Step-2: Configure DAI:

Cat6500# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cat6500(config)# ip arp inspection vlan 1-12
Cat6500(config)# interface fastethernet3/25
Cat6500(config-if)# ip arp inspection trust
Cat6500(config-if)# end

DAI in action!! (1)

[Figure: DAI-enabled Switch (6500); VLAN-1 port 3/6 -> host with DHCP-given address of 1.1.1.1; VLAN-1 port 3/7 -> Router Fa0/0 configured with 1.1.1.1, currently Admin Shut]

DAI in action!! (2)

As soon as the router's FastEthernet interface comes up it will perform gratuitous ARP. Let's see what happens!!

DAI in action!! (3)

Gratuitous ARP from the Router is dropped by DAI on the switch.

DAI for non-DHCP hosts

Notice that in this example, the router has been given a valid, static address of 1.1.1.6/24. But because it is connected to an untrusted port and does not participate in DHCP, nobody can ARP for it!

[Figure: same topology: DAI-enabled Switch (6500); VLAN-1 port 3/6 -> host with DHCP-given address of 1.1.1.1; VLAN-1 port 3/7 -> router]

DAI for non-DHCP hosts (2)

The Solution: ARP Access-List

[Figure: the ARP ACL entry annotated as Sender of ARP Response (the router's IP), any target IP address, Sender's MAC address, any target MAC address; same topology: DAI-enabled Switch (6500), VLAN-1 port 3/6 -> host with DHCP-given address of 1.1.1.1, VLAN-1 port 3/7 -> router]

ARP ACL Example

Configuring ARP ACL:

(Config)# arp access-list arp_acl_1
(config-arp-nacl)# permit ip host 10.1.1.1 mac host 0000.0001.0002
(config-arp-nacl)# deny ip 10.1.1.0 0.0.0.255 mac any
(config-arp-nacl)# permit ip any mac any

"ip" will apply to both ARP requests and responses. Alternatively you can also specify Request or Response.

Applying ARP ACL to a VLAN:

(config)# ip arp inspection filter arp_acl_1 vlan 5
or
(config)# ip arp inspection filter arp_acl_1 vlan 5 static

Without the static keyword DAI will continue to look for a matching entry in the DHCP Snooping Database if nothing matches the ACL.
With the static keyword DAI will use the implicit deny all if no match is found in the ACL... even if a corresponding match IS in the DHCP Snooping DB.
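The inspection procedure, the three validity criteria from the ARP Inspection Overview and the ACL semantics just described (ACL consulted before the binding table, the static keyword turning "no ACL match" into an implicit deny) fit in one decision function. The Python below is an added example, not IOS code: it parses an Ethernet/ARP frame in the layout of the ARP Packet Format figure, evaluates the deck's arp_acl_1 with Cisco wildcard-mask semantics, and then consults a binding table keyed on the sender <MAC, IP, VLAN> triplet. The DHCP-bound host (10.1.1.50) and the spoofing MACs are constructed sample values; the ACL lines are the deck's.

```python
"""Dynamic ARP Inspection decision logic following the deck's procedure: trusted port,
Ethernet/IPv4 check, ARP ACL (with the 'static' keyword), then the DHCP snooping binding
table, plus the optional sender/target MAC consistency checks. Added example, not IOS code."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP, HTYPE_ETHERNET, PTYPE_IPV4 = 0x0806, 0x0001, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def norm_mac(m: str) -> str:
    """Accept 0000.0001.0002, 00-00-00-01-00-02 or 00:00:00:01:00:02; return lower-case colon form."""
    return bytes.fromhex(m.replace(".", "").replace("-", "").replace(":", "")).hex(":")


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    ethertype: int
    htype: int
    ptype: int
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet header + 28-byte ARP body, in the order of the ARP Packet Format figure."""
    def mac(m): return bytes.fromhex(norm_mac(m).replace(":", ""))
    def ip(a): return ipaddress.IPv4Address(a).packed
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


def parse_arp_frame(frame: bytes) -> ArpFrame:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype, = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        raise ValueError("unexpected hardware/protocol address sizes")
    return ArpFrame(frame[0:6].hex(":"), frame[6:12].hex(":"), ethertype, htype, ptype, op,
                    frame[22:28].hex(":"), str(ipaddress.IPv4Address(frame[28:32])),
                    frame[32:38].hex(":"), str(ipaddress.IPv4Address(frame[38:42])))


@dataclass
class ArpAclEntry:
    """One 'permit|deny ip <addr> <wildcard> mac <addr>' line; wildcard 0.0.0.0 = host, 255.255.255.255 = any."""
    action: str
    ip: str
    wildcard: str
    mac: Optional[str]                          # None = 'mac any'
    ops: tuple = (ARP_REQUEST, ARP_REPLY)       # plain 'ip' matches both requests and responses

    def matches(self, arp: ArpFrame) -> bool:
        addr = int(ipaddress.IPv4Address(arp.sender_ip))
        net, wc = int(ipaddress.IPv4Address(self.ip)), int(ipaddress.IPv4Address(self.wildcard))
        ip_ok = (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)   # Cisco wildcard semantics
        mac_ok = self.mac is None or norm_mac(self.mac) == arp.sender_mac
        return arp.op in self.ops and ip_ok and mac_ok


@dataclass
class DaiSwitch:
    trusted_ports: set
    bindings: set                               # {(mac, ip, vlan)} learned by DHCP snooping
    acl: Optional[list] = None                  # applied with 'ip arp inspection filter'; None = no ACL
    acl_static: bool = False                    # the 'static' keyword
    validate_src_mac: bool = False              # optional check 2: sender MAC == Ethernet source MAC
    validate_dst_mac: bool = False              # optional check 3: target MAC == Ethernet destination MAC

    def inspect(self, frame: bytes, in_port: str, vlan: int):
        """Return ('forward', reason) or ('drop', reason); every drop is what DAI would log."""
        if in_port in self.trusted_ports:
            return "forward", "trusted interface, not inspected"
        try:
            arp = parse_arp_frame(frame)
        except ValueError as exc:
            return "drop", f"malformed: {exc}"
        if arp.ethertype != ETH_P_ARP or arp.htype != HTYPE_ETHERNET or arp.ptype != PTYPE_IPV4:
            return "drop", "not an Ethernet/IPv4 ARP packet"
        if self.validate_src_mac and arp.sender_mac != arp.src_mac:
            return "drop", "sender MAC differs from Ethernet source MAC"
        if self.validate_dst_mac and arp.op == ARP_REPLY and arp.target_mac != arp.dst_mac:
            return "drop", "target MAC differs from Ethernet destination MAC"
        if self.acl is not None:                # the ARP ACL is consulted before the binding table
            for entry in self.acl:
                if entry.matches(arp):
                    return ("forward" if entry.action == "permit" else "drop"), f"ARP ACL {entry.action}"
            if self.acl_static:
                return "drop", "no ACL match and 'static' set: implicit deny, binding table not consulted"
        if (arp.sender_mac, arp.sender_ip, vlan) in self.bindings:
            return "forward", "sender <MAC, IP, VLAN> found in DHCP snooping binding table"
        return "drop", "sender <MAC, IP, VLAN> not in binding table"
```

Note that the ACL deny for 10.1.1.0/24 wins even for a host that has a perfectly good DHCP binding, which is the priority rule the DAI Overview states; reorder the ACL lines and the outcome changes, so the line order is part of the policy.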



Rate-Limiting of ARP traffic

ARP packets are rate-limited to prevent a denial-of-service attack on Untrusted interfaces. Default is 15 pps. Trusted interfaces are not rate-limited.

(config-if)# ip arp inspection limit <x> to raise or lower this limit. Exceeding the limit causes the interface to be placed into Errdisable state.
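As an added illustration (not IOS code and not from the deck), the rate-limit behaviour above can be modelled per interface: untrusted ports default to 15 packets per second, a per-port override plays the role of ip arp inspection limit, trusted ports are exempt, and the first packet over the limit err-disables the port until an operator recovers it. The one-second sliding window is an assumption made for this model; the port names and limits are constructed sample values.

```python
"""Per-interface ARP rate limiter modelling the DAI behaviour described above.
Added example, not IOS code; the sliding one-second window is an assumption of this model."""
from collections import deque


class ArpRateLimiter:
    DEFAULT_PPS = 15                            # default limit on untrusted interfaces

    def __init__(self, trusted_ports=(), limits=None):
        self.trusted = set(trusted_ports)       # trusted interfaces are not rate-limited
        self.limits = dict(limits or {})        # per-port overrides ('ip arp inspection limit <x>')
        self.windows = {}                       # port -> arrival times within the last second
        self.errdisabled = set()

    def accept(self, port: str, now: float) -> bool:
        """Return True if an ARP packet arriving on port at time now (seconds) is admitted."""
        if port in self.trusted:
            return True
        if port in self.errdisabled:
            return False                        # port stays down until recovered
        window = self.windows.setdefault(port, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()                    # drop arrivals older than one second
        window.append(now)
        if len(window) > self.limits.get(port, self.DEFAULT_PPS):
            self.errdisabled.add(port)          # exceeding the limit err-disables the interface
            return False
        return True

    def recover(self, port: str) -> None:
        """Operator action that brings an err-disabled port back up."""
        self.errdisabled.discard(port)
        self.windows.pop(port, None)


if __name__ == "__main__":
    rl = ArpRateLimiter(trusted_ports={"Fa3/25"}, limits={"Fa3/2": 100})
    # Constructed burst: 16 ARP packets in 160 ms on an untrusted port with the default limit
    verdicts = [rl.accept("Fa3/1", i * 0.01) for i in range(16)]
    print(verdicts.count(True), "admitted;", "Fa3/1" in rl.errdisabled, "err-disabled")
```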


The End

TAC Virtual Chalk Talk for Partners

2002, Cisco Systems, Inc. All rights reserved.