Protection of DHCP Spoofing

from88
Level 4

Hello, everyone knows that a basic method against DHCP spoofing is DHCP snooping. But the other way to protect from that is: the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.

Can someone explain that to me? If the host gets a spoofed DHCP reply with an illegal gateway, how can a static ARP entry on the DHCP server protect against that...?

Thanks.

5 Replies

cadet alain
VIP Alumni

Hi,

It can't. Can you provide the link where you saw this statement?

Regards.

Alain

Don't forget to rate helpful posts.

Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway. When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker's machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn't realize it. About ARP: Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question. If any other host is using that IP address, it responds with an ARP reply containing its MAC address. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.

the last sentence...

Hi,

the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway

Why would it have to craft anything? When a client sends a DHCP Discover to 255.255.255.255 it will consider the first reply it receives, and the rogue DHCP server only needs the correct scope and options to give the default gateway as its own.

The last sentence makes no sense to me.

The only 2 ways to prevent rogue DHCP servers that I'm aware of are either DHCP snooping or using an ACL on the switch port to prevent DHCP replies on ports where there are only clients connected.

Where is it taken from ?

Regards.

Alain

Don't forget to rate helpful posts.

We have DHCP snooping, with IP ARP inspection, working on all access switches.

The problem we had was the DHCP snooping information option, and we don't use it.

The example config is:

ip arp inspection vlan 5,10-20
ip dhcp snooping vlan 5,10-20
no ip dhcp snooping information option
ip dhcp snooping

! On an access port
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100

! On a trunk port, or on the DHCP server port
ip arp inspection trust
ip dhcp snooping trust

The DHCP packets will only be sent to the trusted ports.

Success.

Regards Harrie
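The two points made above (Alain's: the client simply takes the first Offer it hears, so the rogue server needs no special crafting; Harrie's: snooping and DAI only accept server-side DHCP and unverified ARP on trusted ports) can be modelled in a few lines. The following Python is an added illustration, not code from this thread or from Cisco. The port names, MAC and IP addresses and the packet structures are constructed for the example; the trust and binding-table semantics follow the behaviour the config above relies on, in simplified form.

```python
"""Toy model of DHCP snooping + Dynamic ARP Inspection (DAI) decisions.

Constructed example: server-side DHCP messages (Offer/Ack) are only accepted
on trusted ports, successful leases seen on the trusted side populate a
binding table, and ARP arriving on untrusted ports must match that table.
"""
from dataclasses import dataclass, field

# DHCP message types (RFC 2132 option 53 values)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}  # only a DHCP server should ever send these


@dataclass
class DhcpMsg:
    in_port: str        # switch port the frame arrived on (constructed name)
    msg_type: int
    client_mac: str
    yiaddr: str = "0.0.0.0"   # address the server offers/assigns
    vlan: int = 10


@dataclass
class ArpMsg:
    in_port: str
    sender_mac: str
    sender_ip: str
    vlan: int = 10


@dataclass
class SnoopingSwitch:
    snooped_vlans: set                 # 'ip dhcp snooping vlan ...'
    trusted_ports: set                 # ports with 'ip dhcp snooping trust'
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> ip

    def handle_dhcp(self, m: DhcpMsg) -> str:
        if m.vlan not in self.snooped_vlans:
            return "forward"          # feature not enabled on this VLAN
        if m.msg_type in SERVER_MSGS and m.in_port not in self.trusted_ports:
            return "drop"             # a "server" answering from an access port
        if m.msg_type == ACK and m.in_port in self.trusted_ports:
            # a real lease: remember which MAC owns which IP on this VLAN
            self.bindings[(m.vlan, m.client_mac)] = m.yiaddr
        return "forward"

    def handle_arp(self, a: ArpMsg) -> str:
        # DAI: trusted ports and non-inspected VLANs are not checked
        if a.vlan not in self.snooped_vlans or a.in_port in self.trusted_ports:
            return "forward"
        if self.bindings.get((a.vlan, a.sender_mac)) == a.sender_ip:
            return "forward"          # sender really holds that address
        return "drop"                 # MAC/IP pair not in the binding table


def run_scenario() -> list:
    """Legitimate lease on port 1, rogue Offer on port 7, then two ARP checks."""
    sw = SnoopingSwitch(snooped_vlans={5} | set(range(10, 21)),
                        trusted_ports={"Gi1/0/48"})  # uplink towards the DHCP server
    client = "aa:aa:aa:aa:aa:01"
    results = [
        sw.handle_dhcp(DhcpMsg("Gi1/0/1", DISCOVER, client)),
        sw.handle_dhcp(DhcpMsg("Gi1/0/48", OFFER, client, "10.0.10.50")),
        sw.handle_dhcp(DhcpMsg("Gi1/0/1", REQUEST, client)),
        sw.handle_dhcp(DhcpMsg("Gi1/0/48", ACK, client, "10.0.10.50")),
        # the first Offer wins at the client, so the switch must never deliver
        # this one: it came from an untrusted access port
        sw.handle_dhcp(DhcpMsg("Gi1/0/7", OFFER, client, "10.0.10.51")),
        # client ARPs with its leased address: matches the binding table
        sw.handle_arp(ArpMsg("Gi1/0/1", client, "10.0.10.50")),
        # another host on port 7 claims the gateway address: no binding, dropped
        sw.handle_arp(ArpMsg("Gi1/0/7", "bb:bb:bb:bb:bb:07", "10.0.10.1")),
    ]
    return results


if __name__ == "__main__":
    for step, verdict in enumerate(run_scenario(), 1):
        print(step, verdict)
```

The model deliberately keeps the two features separate: DHCP snooping decides purely on message type and port trust, while DAI decides on the binding table that snooping filled in. That is why Harrie's config marks the same uplink trusted for both, and why a static ARP entry on the DHCP server (the statement questioned above) plays no part in either decision.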

Then what will be the correct answer for this question among the options available?

Which statement is true about DHCP spoofing operation?

A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

A, B, C or D?
