How to prevent a bogus DHCP server from attacking normal DHCP clients?

MinQuant.Kuo
Level 1

Hi, all

How to prevent a bogus DHCP server in the same VLAN as the clients that need DHCP service from the legal DHCP server connected to a Catalyst 4506,

without disconnecting the Ethernet line physically?

Please refer to attachment.

4 Replies

lgijssel
Level 9

This will be quite hard to realize when you have a direct layer 2 connection between the devices on the segment. Normally, this should not be a problem, as the machine is within your administrative domain, so you should also be able to contact its administrator about this.

One solution (the most preferable one) will be to put the bogus machine in a different VLAN.

Regards,

Leo

mshavrov
Level 1

If your clients are Windows 2000/XP and your DHCP server is Windows 2000/2003 Server, you can try to use the DHCP ClassID feature. It provides some kind of "DHCP security" in your environment. I personally never tried it in real life, but I remember it from the MCSE materials.

Other than that, there is no way to stop a bogus DHCP server from issuing IP addresses. As a matter of fact, your PCs will get most of their addresses from the bogus DHCP server, since it's "closer" to them and will respond quicker.

If you want to be aware when someone brings a DHCP server into your network, you can set up a sniffer in your network and monitor for "out-of-range" IP addresses. Also, you can turn on debugging on your router for "arp requests" and see if someone requests any ARP addresses out of your normal range.

Good luck,

Mike


hagirebench
Level 1

Hi,

It's possible to defend against this attack with DHCP snooping, but it is only available on a Catalyst switch. I see from your figure that the bogus DHCP server is connected to a hub, but here is the description of DHCP snooping and its commands.

BTW, you can still configure snooping on the 3550 port (connected to the hub) as "untrusted" to isolate the DHCP attack.

DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.

Commands:

Switch(config)#ip dhcp snooping

-enables DHCP snooping globally

Switch(config)#ip dhcp snooping vlan <vlan-id>

-enables DHCP snooping on the client VLAN (snooping is not active on any VLAN until this is set)

Switch(config-if)#ip dhcp snooping trust

-configures an interface as trusted (the uplink toward the legal DHCP server; every other port stays untrusted by default)

Switch#show ip dhcp snooping

-verifies the snooped VLANs and the trusted ports

rgds,

ben
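The following is an added example, not code from this thread and not Cisco's implementation: a small Python model of the DHCP snooping behaviour Ben describes (server-type messages accepted only from trusted ports, a binding table learned from completed exchanges) combined with the "out-of-range offer" check Mike's sniffer suggestion would perform. The port names, MAC address, address pool and server address are assumed for the demonstration, and the DHCP messages are constructed inline rather than captured from a network.

```python
"""Constructed model of DHCP snooping plus an out-of-range-offer check.
Not Cisco's implementation: port names, addresses and packets are assumed."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}            # only a DHCP server may send these
TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload):
    """Parse the BOOTP fixed header and the DHCP options snooping cares about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ipaddress.IPv4Address(payload[16:20])     # address offered/assigned
    chaddr = payload[28:28 + hlen].hex(":")            # client hardware address
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts.get(53, b"\x00")[0]                # option 53: message type
    server_id = ipaddress.IPv4Address(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {"xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
            "msg_type": msg_type, "server_id": server_id}


def build_dhcp(xid, chaddr, msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP message (constructed test input, not a capture)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, len(mac), 0, xid, 0, 0)
    hdr += b"\x00" * 4                                 # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed        # yiaddr
    hdr += b"\x00" * 8                                 # siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")                      # chaddr (16 bytes)
    hdr += b"\x00" * 192                               # sname + file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"


class DhcpSnooper:
    """Per-port DHCP filter in the spirit of Catalyst DHCP snooping (simplified)."""

    def __init__(self, trusted_ports, legit_pool, legit_server):
        self.trusted = set(trusted_ports)
        self.pool = ipaddress.IPv4Network(legit_pool)
        self.legit_server = ipaddress.IPv4Address(legit_server)
        self.client_port = {}   # chaddr -> untrusted port the client sits on
        self.bindings = {}      # chaddr -> (ip, port): the binding table
        self.alerts = []

    def process(self, port, payload):
        msg = parse_dhcp(payload)
        kind = TYPE_NAMES.get(msg["msg_type"], "UNKNOWN")
        if msg["msg_type"] in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply on an untrusted port is the rogue-server signature.
                self.alerts.append(f"DROP {kind} on untrusted {port}: server "
                                   f"{msg['server_id']} offered {msg['yiaddr']}")
                return "drop"
            # Trusted port: still flag offers from an unexpected server or pool.
            if msg["msg_type"] in (OFFER, ACK) and (
                    msg["server_id"] != self.legit_server or msg["yiaddr"] not in self.pool):
                self.alerts.append(f"SUSPICIOUS {kind} on trusted {port}: server "
                                   f"{msg['server_id']} offered {msg['yiaddr']}")
            if msg["msg_type"] == ACK and msg["chaddr"] in self.client_port:
                self.bindings[msg["chaddr"]] = (msg["yiaddr"], self.client_port[msg["chaddr"]])
        elif port not in self.trusted:
            self.client_port[msg["chaddr"]] = port     # learn where the client lives
        return "forward"


def run_demo():
    """Thread scenario: legal server behind the trusted uplink, rogue on the hub port."""
    snooper = DhcpSnooper(trusted_ports={"Gi0/1"}, legit_pool="10.0.0.0/24",
                          legit_server="10.0.0.1")
    client = "00:11:22:33:44:55"
    exchange = [                                       # constructed, not captured
        ("Fa0/3", build_dhcp(0x1234, client, DISCOVER)),
        ("Fa0/5", build_dhcp(0x1234, client, OFFER, "192.168.1.50", "192.168.1.1")),  # rogue
        ("Gi0/1", build_dhcp(0x1234, client, OFFER, "10.0.0.20", "10.0.0.1")),        # legal
        ("Fa0/3", build_dhcp(0x1234, client, REQUEST)),
        ("Gi0/1", build_dhcp(0x1234, client, ACK, "10.0.0.20", "10.0.0.1")),
    ]
    decisions = [snooper.process(port, pkt) for port, pkt in exchange]
    return decisions, snooper


if __name__ == "__main__":
    decisions, s = run_demo()
    print(decisions)
    print("\n".join(s.alerts))
    print(s.bindings)
```

Running it shows the rogue OFFER from the hub port dropped with an alert, while the legal OFFER and ACK on the uplink pass and the client's MAC ends up in the binding table against the port it was learned on. In the real switch the same per-port trust decision is what `ip dhcp snooping trust` on the uplink achieves, and the binding table is what `show ip dhcp snooping binding` displays.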

Hi, Ben

I will configure DHCP snooping on the Catalyst 3550 if necessary, because that is my customer's environment. Thanks a lot.

Regards!

MinQuant Kuo