
DHCP Part 3 | DHCP Hardening

  • Writer: David Dawson
  • Sep 22, 2018
  • 3 min read

Updated: Dec 11, 2018




Rogue DHCP Servers, DHCP Starvation and DHCP Spoofing described in the previous section can be defeated with DHCP Snooping and Port Security.


DHCP Snooping

DHCP Snooping offers two distinct features: Trusted Ports and the DHCP Snooping Database.


Trusted Ports

To prevent rogue DHCP servers from offering leases, the ports where legitimate DHCP servers are connected are explicitly trusted. If a rogue server on an untrusted port attempts to send an Offer in response to a Discover broadcast, the switch discards it.


Trusted Ports Lab

In the Rogue DHCP Server section of DHCP Vulnerabilities we demonstrated that both servers were offering leases.

These commands enable DHCP Snooping on a compatible Cisco switch:


Switch(config)#ip dhcp snooping             ! Enable DHCP Snooping globally
Switch(config)#ip dhcp snooping vlan 2      ! Activate it only on VLAN 2
Switch(config)#int g0/3                     ! Interface Ge0/3, which is attached to the DHCP server
Switch(config-if)#ip dhcp snooping trust    ! Allow DHCP server traffic through this port


Next I requested a DHCP lease from the DHCP client, which now appears in the DHCP snooping binding table:

This proves that the legitimate DHCP server is able to offer leases because it is connected to a trusted port.


After initiating another DHCP request, the rogue DHCP server responds and its traffic is dropped, as seen here:


DHCP Snooping Database (prevents DHCP spoofing)

By building a database of legitimate DHCP transactions, DHCP Snooping can block forms of DHCP Spoofing such as malicious lease Release messages and forged Offers. If a DHCP Offer or Release message arrives on a port other than the one where the original lease was supplied, the traffic is dropped. Note that both Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG) use the DHCP Snooping database to keep ARP and layer 3 traffic honest.


DHCP Snooping Database Lab

DHCP snooping is still enabled and, as a reminder, its database includes the following entry, which places the DHCP client on port Ge1/0.



Now generating a spoofed DHCP Release with DHCP snooping enabled on the switch fails, because a packet arriving on port Ge0/2, where the attacker’s computer is connected, does not match the snooping database entry for that lease.

Here we can see an additional hit in the DHCP snooping statistics for a dropped packet, which represents the blocked DHCP spoofing attempt:
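To make the two checks concrete, here is an added example (not code from the original post or from Cisco) that models a DHCP snooping switch in Python: server messages are only accepted from trusted ports, and a Release or Decline is only accepted on the port recorded in the binding for that lease. It replays both labs above; the port names, client MAC and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DhcpMsg:
    kind: str     # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE or DECLINE
    port: str     # ingress switch port
    mac: str      # client hardware address (chaddr) as carried in the packet
    ip: str = ""  # leased address, present on OFFER/ACK/RELEASE/DECLINE

@dataclass
class SnoopingSwitch:
    trusted: set                                  # ports allowed to source server messages
    bindings: dict = field(default_factory=dict)  # (mac, ip) -> port the client lives on
    pending: dict = field(default_factory=dict)   # mac -> port of its latest DISCOVER/REQUEST
    dropped: int = 0                              # the dropped-packet counter the lab reads

    def process(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and keep the binding table up to date."""
        if m.port not in self.trusted:
            if m.kind in ("OFFER", "ACK", "NAK"):         # server reply from an untrusted port
                return self._drop()
            if m.kind in ("RELEASE", "DECLINE"):          # must match the recorded binding
                bound = self.bindings.get((m.mac, m.ip))
                if bound is not None and bound != m.port:  # spoofed: wrong port for this lease
                    return self._drop()
            if m.kind in ("DISCOVER", "REQUEST"):
                self.pending[m.mac] = m.port              # remember which port the client is on
        if m.kind == "ACK" and m.mac in self.pending:     # lease granted: add the binding
            self.bindings[(m.mac, m.ip)] = self.pending.pop(m.mac)
        if m.kind == "RELEASE":                           # genuine release: remove the binding
            self.bindings.pop((m.mac, m.ip), None)
        return "forward"
    def _drop(self) -> str:
        self.dropped += 1
        return "drop"

def lab_run() -> dict:
    """Replay the lab: legitimate offer, rogue offer, spoofed release, genuine release."""
    sw = SnoopingSwitch(trusted={"Gi0/3"})        # the DHCP server's port, as in the lab
    client = "00:11:22:33:44:55"                  # constructed client MAC
    r = {}
    sw.process(DhcpMsg("DISCOVER", "Gi1/0", client))
    r["offer_legit"] = sw.process(DhcpMsg("OFFER", "Gi0/3", client, "10.2.0.50"))
    r["offer_rogue"] = sw.process(DhcpMsg("OFFER", "Gi0/2", client, "10.2.0.50"))
    sw.process(DhcpMsg("ACK", "Gi0/3", client, "10.2.0.50"))
    r["release_spoofed"] = sw.process(DhcpMsg("RELEASE", "Gi0/2", client, "10.2.0.50"))
    r["release_real"] = sw.process(DhcpMsg("RELEASE", "Gi1/0", client, "10.2.0.50"))
    r["dropped"] = sw.dropped
    return r
```

The spoofed Release carries the real client's MAC and IP, exactly as an attacker would forge it; it is the ingress port, not the packet contents, that the binding check catches.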



Port Security

Port security prevents DHCP starvation by limiting the number of unique MAC addresses allowed on each switch port. To obtain multiple leases an attacker has to forge the source MAC address of each lease request so that it appears to come from a unique device, so if a port is set to allow a maximum of 3 MAC addresses the starvation is suppressed after the third address.


Port Security Lab

In this lab the port that the attacker is connected to is configured with port security and filters the DHCP starvation attack as illustrated in the following diagram:

Note that the four connected attempts shown above represent hundreds of DHCP requests, and that the port security limit is three MAC addresses, which means that the first 3 starvation requests would succeed before the port errors into a shutdown state. These are the commands applied to the switch:


Switch(config)#interface ge0/2                                  ! Interface Ge0/2, attached to the attacker
Switch(config-if)#switchport port-security                      ! Enable port security
Switch(config-if)#switchport port-security maximum 3            ! Limit the port to 3 MAC addresses
Switch(config-if)#switchport port-security violation restrict   ! Drop frames from further MACs and count/log each violation; the port stays up
Switch(config-if)#switchport port-security mac-address sticky   ! Auto-learn MACs and keep them in the running config
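As an added example (not code from the original post or from Cisco), this Python model shows why a 3-MAC limit stops the starvation described above: every forged request after the third is dropped. It goes slightly beyond the lab by also modelling the protect and shutdown violation modes next to restrict; the forged MACs are constructed, and the counters are a simplified model rather than IOS's exact accounting.

```python
from dataclasses import dataclass, field

@dataclass
class SecuredPort:
    """One access port running 'switchport port-security' with sticky learning."""
    maximum: int = 3                          # switchport port-security maximum 3
    violation: str = "restrict"               # protect | restrict | shutdown
    sticky: set = field(default_factory=set)  # MACs learned so far (sticky: kept in config)
    violations: int = 0                       # the SecurityViolation counter in the statistics
    err_disabled: bool = False                # set once a 'shutdown' mode violation occurs

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                     # port is down until an admin re-enables it
        if src_mac in self.sticky:
            return "forward"                  # already a learned, allowed address
        if len(self.sticky) < self.maximum:
            self.sticky.add(src_mac)          # room left: learn it
            return "forward"
        if self.violation != "protect":       # restrict and shutdown count and log
            self.violations += 1
        if self.violation == "shutdown":      # shutdown additionally err-disables the port
            self.err_disabled = True
        return "drop"

def starvation(port: SecuredPort, requests: int) -> dict:
    """Replay a starvation run: each DISCOVER carries a freshly forged source MAC."""
    forged = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(requests)]  # constructed
    forwarded = sum(port.ingress(mac) == "forward" for mac in forged)
    return {"forwarded": forwarded,           # requests that actually reach the DHCP server
            "dropped": requests - forwarded,
            "violations": port.violations,
            "err_disabled": port.err_disabled}
```

With restrict, as configured in the lab, the three learned addresses keep working and the syslog/violation counter climbs; with shutdown the first extra MAC err-disables the port, taking the legitimate addresses down with it.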


Here are the port security statistics before the starvation attack:


After, we see the console syslog message reporting one of the violations along with refreshed statistics:


The DHCP server binding table is empty proving that the switch dropped the starvation attack:


