An attack on DHCP.
Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, protection of information and personal data.
Telegram channel: https://t.me/protectioninformation
Telegram Group: https://t.me/informationprotection1
Website: https://legascom.ru
Email: online@legascom.ru
#informationprotection #informationsecurity
There are several different ways to attack a DHCP server.
1. An attacker can generate and send a huge number of DHCP requests with different MAC addresses to the DHCP server. The server allocates an IP address from its pool for each request, and sooner or later the entire pool is exhausted, after which the server can no longer serve new clients. This is in effect a DoS attack, since legitimate clients lose network access. The countermeasure is called DHCP Snooping and works as follows: when the switch receives a DHCP request, it compares the MAC address specified inside the request with the MAC address registered on the switch port. If the addresses match, the switch forwards the packet; if they do not match, the packet is discarded.
2. An attacker can also deploy his own DHCP server and hand out his own settings to network users (any DNS server, gateway, etc.), using this at his discretion, from listening to traffic to forging DNS responses. In order for the attacker's server to answer DHCP requests, he first has to take the legitimate DHCP server out of service using the method described in paragraph 1.
The practical steps for carrying out this attack are similar to those presented in the section on SELF-table overflows: each time the MAC address is changed and the network interface is restarted, a new request is sent to the DHCP server to obtain an IP address.
DHCP Snooping introduces the concept of trusted and untrusted ports. On trusted ports, DHCP server responses (DHCPOFFER and the like) are allowed to arrive; on untrusted ports, such responses are discarded.
Let's set up DHCP Snooping for VLAN 10 on the f0/1 interface.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# int f0/1
Switch(config-if)# ip dhcp snooping trust
In this example, the interface is connected directly to the DHCP server, so we have enabled trust mode on it.
You can also enable or disable DHCP option 82, which carries relay information, that is, which switches the packet passed through.
Switch(config)# ip dhcp snooping information option
Another measure is to limit the number of DHCP requests per second. Here we set a limit of 100 requests per second.
Switch(config)# int f0/1
Switch(config-if)# ip dhcp snooping limit rate 100
However, you need to be careful when choosing the limit, because packets above the configured rate are rejected. At the start of the working day, when many users switch on their computers at the same time and obtain IP addresses via DHCP, this restriction can cause delays and problems when connecting to the network.
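To make the three checks described above concrete (dropping server messages on untrusted ports from paragraph 2 and the trusted/untrusted section, comparing the client MAC inside the request with the frame's source MAC from paragraph 1, and the per-port rate limit just configured), here is a small model of the switch's decision logic. This is an added example, not code from the original post or from any switch vendor; the port names, MAC addresses and the one-second sliding window are constructed assumptions, and a packet over the limit is simply dropped, whereas a real switch typically also error-disables the port.

```python
"""Model of DHCP snooping decisions on a switch (added example, constructed data)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE"}

DROP_UNTRUSTED_SERVER = "server message on untrusted port"
DROP_CHADDR_MISMATCH = "chaddr does not match frame source MAC"
DROP_RATE = "rate limit exceeded"


@dataclass
class Frame:
    port: str        # ingress switch port (hypothetical names)
    src_mac: str     # Ethernet source address of the frame
    msg_type: str    # DHCP message type carried in the payload
    chaddr: str      # client hardware address field inside the DHCP payload
    ts: float        # arrival time in seconds


@dataclass
class SnoopingPolicy:
    trusted_ports: set
    rate_limit_pps: dict                    # port -> max DHCP packets per second
    verify_mac: bool = True                 # compare chaddr with frame source MAC
    _window: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, f: Frame) -> tuple[bool, str]:
        trusted = f.port in self.trusted_ports
        # Rule 1: only trusted ports (towards the real DHCP server) may deliver
        # server responses; anything else is a rogue server and is dropped.
        if f.msg_type in SERVER_MSGS and not trusted:
            return False, DROP_UNTRUSTED_SERVER
        # Rule 2: on untrusted ports the MAC claimed inside the request must
        # match the MAC the frame actually came from.
        if (not trusted and self.verify_mac and f.msg_type in CLIENT_MSGS
                and f.chaddr.lower() != f.src_mac.lower()):
            return False, DROP_CHADDR_MISMATCH
        # Rule 3: per-port rate limit over a sliding one-second window
        # (assumption: the real "limit rate" counter is implemented differently).
        limit = self.rate_limit_pps.get(f.port)
        if limit is not None:
            window = self._window[f.port]
            while window and f.ts - window[0] >= 1.0:
                window.popleft()
            if len(window) >= limit:
                return False, DROP_RATE
            window.append(f.ts)
        return True, "forwarded"


def evaluate(policy: SnoopingPolicy, frames: list) -> list:
    """Apply the policy to each frame in arrival order."""
    return [policy.check(f) for f in frames]


def summarize(results: list) -> dict:
    drops = Counter(reason for ok, reason in results if not ok)
    return {
        "forwarded": sum(1 for ok, _ in results if ok),
        "dropped": sum(1 for ok, _ in results if not ok),
        "drop_reasons": dict(drops),
    }


def run_scenario() -> dict:
    """Constructed traffic: f0/1 faces the real server, f0/2 is rate-limited to 3 pps."""
    policy = SnoopingPolicy(trusted_ports={"f0/1"}, rate_limit_pps={"f0/2": 3})
    client = "aa:bb:cc:00:00:02"
    frames = [
        Frame("f0/1", "00:11:22:33:44:01", "DHCPOFFER", client, 0.0),   # legitimate offer
        Frame("f0/3", "de:ad:be:ef:00:01", "DHCPOFFER", client, 0.1),   # offer on untrusted port
        Frame("f0/2", client, "DHCPDISCOVER", client, 0.2),
        Frame("f0/2", client, "DHCPDISCOVER", client, 0.3),
        Frame("f0/2", client, "DHCPDISCOVER", client, 0.4),
        Frame("f0/2", client, "DHCPDISCOVER", client, 0.5),             # 4th in one second
        Frame("f0/2", client, "DHCPDISCOVER", "02:00:00:00:00:99", 1.5),  # forged chaddr
        Frame("f0/2", client, "DHCPREQUEST", client, 1.5),              # window has expired
    ]
    return summarize(evaluate(policy, frames))


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows one drop for each rule: the rogue offer on f0/3, the forged client address, and the fourth discover within a second on f0/2, while the request at t=1.5 passes because the earlier packets have left the window. The same window logic illustrates the caveat above: a burst of legitimate clients booting together would hit the limit just as the constructed burst does.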