Hello, everyone knows that a basic method against DHCP spoofing is DHCP snooping. But the other way to protect from that is that the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
Can someone explain that to me? If the host gets a spoofed DHCP reply with an illegal gateway, how can a static ARP entry on the DHCP server protect from that...?
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway. When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker's machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn't realize it.

About ARP: Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question. If any other host is using that IP address, it responds with an ARP reply containing its MAC address. To prevent DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway
Why would it have to craft anything? When a client sends a DHCP Discover to 255.255.255.255, it will consider the first reply it receives, and the rogue DHCP server only needs the correct scope and options to give the default gateway as its own.
The last sentence makes no sense to me.
The only 2 ways to prevent rogue DHCP servers that I'm aware of are either DHCP snooping or using an ACL on the switch port to prevent DHCP replies on ports where only clients are connected.
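Added example, not code from any poster in this thread: the kind of check DHCP snooping applies to server replies arriving on untrusted ports, written in Python over a constructed DHCPOFFER. It parses the BOOTP header and option TLVs, then flags a reply whose server identifier (option 54) is not the known server or whose router option (option 3) does not name the real gateway. The trusted server address 10.0.0.2 and gateway 10.0.0.1 are assumed site values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that starts the options field
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5

def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP option TLVs into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {"op": packet[0], "yiaddr": str(IPv4Address(packet[16:20])),
              "chaddr": packet[28:28 + packet[2]].hex(":"), "options": {}}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:               # single-byte pad option has no length field
            i += 1
        elif i + 1 >= len(packet):             # truncated option: stop rather than over-read
            break
        else:
            length = packet[i + 1]
            fields["options"][packet[i]] = packet[i + 2:i + 2 + length]
            i += 2 + length
    return fields

def check_reply(packet: bytes, trusted_servers: set, expected_gateway: str) -> list:
    """Policy check on a server-to-client reply; an empty list means the reply is acceptable."""
    p = parse_dhcp(packet)
    opts, findings = p["options"], []
    if p["op"] != BOOTREPLY or opts.get(OPT_MSG_TYPE, b"\0")[0] not in (DHCPOFFER, DHCPACK):
        return findings                        # client-to-server messages are not policed here
    server_id = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "missing"
    if server_id not in trusted_servers:
        findings.append(f"reply from untrusted DHCP server {server_id}")
    router = opts.get(OPT_ROUTER, b"")
    if len(router) >= 4 and str(IPv4Address(router[:4])) != expected_gateway:
        findings.append(f"offered gateway {IPv4Address(router[:4])} instead of {expected_gateway}")
    return findings

def build_offer(server_ip: str, router_ip: str, yiaddr: str) -> bytes:
    """Construct a minimal DHCPOFFER as sample input; this is not a real capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         bytes.fromhex("001122334455").ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_ROUTER, 4]) + IPv4Address(router_ip).packed + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options

TRUSTED_SERVERS, EXPECTED_GATEWAY = {"10.0.0.2"}, "10.0.0.1"      # assumed site values
LEGIT_OFFER = build_offer("10.0.0.2", "10.0.0.1", "10.0.0.50")     # constructed: real server
ROGUE_OFFER = build_offer("10.0.0.66", "10.0.0.66", "10.0.0.50")   # constructed: rogue names itself gateway
```

`check_reply(ROGUE_OFFER, TRUSTED_SERVERS, EXPECTED_GATEWAY)` returns two findings (untrusted server and wrong gateway) while the legitimate offer returns none.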
Then what will be the correct answer for this question among the options available?
Which statement is true about DHCP spoofing operation?
A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.