01-18-2012 11:59 PM - edited 03-07-2019 04:25 AM
Hello, everyone knows that a basic method against DHCP spoofing is DHCP snooping. But the other way to protect from that is: the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
Can someone explain that to me? If the host gets a spoofed DHCP reply with an illegal gateway, how can a static ARP entry on the DHCP server protect from that...?
Thanks.
01-19-2012 01:48 AM
Hi,
It can't. Can you provide the link where you saw this statement?
Regards.
Alain
01-19-2012 03:47 AM
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway. When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker's machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn't realize it. About ARP: Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question. If any other host is using that IP address, it responds with an ARP reply containing its MAC address. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
the last sentence...
01-19-2012 04:05 AM
Hi,
the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway
Why would it have to craft anything? When a client sends a DHCP Discover to 255.255.255.255, it will consider the first reply it receives, and the rogue DHCP server only needs the correct scope and options to give the default gateway as its own.
The last sentence makes no sense to me.
The only 2 ways to prevent rogue DHCP servers that I'm aware of are either DHCP snooping or using an ACL on the switch port to prevent DHCP replies on ports where only clients are connected.
Where is it taken from?
Regards.
Alain
10-18-2012 05:15 AM
We have DHCP snooping, with ip arp inspection, working on all access switches.
The problem we had was with the DHCP snooping information option, and we don't use it.
The example config is:
ip arp inspection vlan 5, 10-20
ip dhcp snooping vlan 5, 10-20
no ip dhcp snooping information option
ip dhcp snooping
! On an access port
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
! On a trunk port, or on a DHCP server port:
ip arp inspection trust
ip dhcp snooping trust
The DHCP packets will only be sent to the trusted ports.
Success.
Regards, Harrie
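As an added example (not code from this thread or from Cisco), here is in Python the check that a DHCP snooping switch or a monitoring host effectively performs on a DHCP reply: parse the DHCP options and flag a reply whose server identifier (option 54) is not a trusted server, or whose router option (option 3) names a gateway other than the expected one, which is exactly what the rogue server's reply described earlier in the thread would do. The trusted-server and gateway addresses are constructed assumptions.

```python
from ipaddress import IPv4Address

# Constructed assumptions: the authoritative DHCP server and the real gateway of the subnet.
TRUSTED_SERVERS = {"10.0.5.1"}
EXPECTED_GATEWAY = "10.0.5.254"

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options in a BOOTP message


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the option area of a BOOTP/DHCP message (RFC 2132 code/length/value encoding).
    Returns {option_code: value_bytes}; stops at the end option (255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def check_offer(payload: bytes) -> list:
    """Return findings for a DHCP OFFER/ACK; an empty list means the reply looks legitimate."""
    opts = parse_dhcp_options(payload)
    findings = []
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (2, 5):   # only OFFER (2) and ACK (5) carry server-supplied settings
        return findings
    server_id = str(IPv4Address(opts[54])) if 54 in opts else None
    if server_id not in TRUSTED_SERVERS:
        findings.append(f"reply from untrusted server identifier {server_id}")
    if 3 in opts:
        gateway = str(IPv4Address(opts[3][:4]))  # first router listed
        if gateway != EXPECTED_GATEWAY:
            findings.append(f"router option points to {gateway}, expected {EXPECTED_GATEWAY}")
    return findings


def build_offer(server_ip: str, gateway_ip: str) -> bytes:
    """Constructed test input: a minimal DHCP OFFER with the given server identifier and router."""
    header = bytes([2, 1, 6, 0]) + bytes(232)  # op=BOOTREPLY, htype=1, hlen=6, rest zeroed (236 bytes)
    options = bytes([53, 1, 2])                              # message type = OFFER
    options += bytes([54, 4]) + IPv4Address(server_ip).packed  # server identifier
    options += bytes([3, 4]) + IPv4Address(gateway_ip).packed  # router (default gateway)
    return header + MAGIC_COOKIE + options + bytes([255])
```

A legitimate offer from 10.0.5.1 handing out 10.0.5.254 yields no findings, while a rogue host that names itself as both server and gateway produces two.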
04-30-2013 09:45 PM
Then what is the correct answer to this question among the options available?
Which statement is true about DHCP spoofing operation?
A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.
A, B, C or D?