Introduction
So, for some reason, I love DHCP when it comes to labs. Not because it makes life easier when you have lots of devices to address, but because it is an asset for troubleshooting LAN side problems. It's just nice to have a DHCP server in your lab and network. Like every other piece of kit however it is susceptible to attacks.
One form of attack is a DHCP starvation attack. This is where a "Threat Actor" sends a large number of illegitimate requests for IP addresses, using some kind of IP gobbler tool . The server (doing what it does best) leases all available IP addresses. Then when an actual client wishes to join the network, no addresses are available. This is a simple DoS (Denial of Service) attack preventing end users from connecting to your network.
Another form of attack is a rogue DHCP server, where a threat actor tries to offer illegitimate IP information to legitimate clients. This may not sound too mischievous at first but is likely to be more problematic if not addressed. This is because rogue DHCP could be the start of a bigger attack where the target is data, not disruption. At the very least this kind of attack will result in a Man-in-the-Middle attack.
Obviously, these are problems we need to address. The solution is DHCP snooping. This layer 2 tool allows us to set up "Trusted" and "Untrusted" ports. It's worthwhile addressing the terms now because they are a little misleading and you may make an incorrect assumption. Trusted - Refers to interface(s) that your DHCP server is connected to. A trusted source of DHCP leased addresses. Untrusted - Is literally every other interface. Even interfaces that connect to your equipment that you know requires an address.
Instructions
In this lab (Download lab pack here) we will demonstrate both attacks, then configure and test DHCP snooping to address the attacks.
View attacks in action
Set up DHCP snooping
Attempt attacks again
Topology
IP Table
Device | Interface | IP Address |
DHCP Server | Eth0 | 192.168.1.254/24 |
DHCP Clients | Eth0 | 192.168.1.0/24 |
DHCP Gobbler | Multiple | 192.168.1.0/24 |
Rogue DHCP Server | Eth0 | 172.16.66.254/24 |
Activity
Part 1 - View attacks in Action
Lets' get into it.
Step 1 - Attack in Action
Firstly, it is worthwhile looking at the DHCP server configuration settings to know what we are working with.
In Packet Tracer
DHCP is configured to start at 192.168.1.20 and (importantly to this lab) is set to only lease a maximum of 20 addresses.
Now, let's test that DHCP is working as it should. Go to the PC-A, set it to obtain an ip address automatically. If it is successful, you should get an ip address that you could check using the command line.
C:\>ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 00E0.B065.4D91
Link-local IPv6 Address.........: FE80::2E0:B0FF:FE65:4D91
IPv6 Address....................: ::
IPv4 Address....................: 192.168.1.20
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: ::
192.168.1.1
DHCP Servers....................: 192.168.1.254
DHCPv6 IAID.....................:
DHCPv6 Client DUID..............: 00-01-00-01-38-76-B2-E2-00-E0-B0-65-4D-91
DNS Servers.....................: ::
8.8.8.8
C:\>Step 2 - The Gobbler
Now you will want to connect the DHCP gobbler to the network.
In packet tracer this is a "Cloud Network" consisting of multiple machines all connected to a switch to simulate the software that would achieve this from a single device.
In packet Tracer, connect (switch to simulation mode if you want to see what happens)
DHCP Gobbler>HackSwitch>GigabitEthernet0/2 to McCube-S1> FastEthernet0/24
At this point, the DHCP gobbler will consume all available DHCP addresses. Now connect PC-B to McCube-S1 (any port) and set IP configuration to automatic. You will now get an APIPA Address.
C:\> ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 00E0.F774.CE37
Link-local IPv6 Address.........: FE80::2E0:F7FF:FE74:CE37
IPv6 Address....................: ::
Autoconfiguration IP Address....: 169.254.206.55
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: ::
0.0.0.0
DHCP Servers....................: 192.168.0.1
DHCPv6 IAID.....................:
DHCPv6 Client DUID..............: 00-01-00-01-A4-6E-60-CC-00-E0-F7-74-CE-37
DNS Servers.....................: ::
0.0.0.0Notice that the information about the DHCP servers address is correct.
Step 3 - Rogue DHCP Server
If you connect the Rogue DHCP server to any switch port on McCube-S1, then connect PC-C to any available port on the switch. Review the information that PC-C receives.
C:\> ipconfig /all
FastEthernet0 Connection:(default port)
Connection-specific DNS Suffix..:
Physical Address................: 0060.3ED3.173B
Link-local IPv6 Address.........: FE80::260:3EFF:FED3:173B
IPv6 Address....................: ::
IPv4 Address....................: 172.16.66.122
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: ::
172.16.66.254
DHCP Servers....................: 172.16.66.254
DHCPv6 IAID.....................:
DHCPv6 Client DUID..............: 00-01-00-01-3B-AA-99-9E-00-60-3E-D3-17-3B
DNS Servers.....................: ::
6.6.6.6 You will see that PC-C now has illegitimate information.
Note* - when you have 2 DHCP servers in a network the first to reply to the DHCP Discover message is most likely to be the chosen option. If the legitimate DHCP server is in a remote network (as is common), it is more likely the hackers DHCP (being a device connected to the LAN) will be first to reply.
Part 2 - Set Up DHCP Snooping
Before continuing, you will need to reopen the entire activity. This is the quickest way to reset everything.
Step 1 - Enable DHCP Snooping
DHCP snooping is not on by default so this will need to be turned on from global configuration mode.
McCube-S1#
McCube-S1# conf t
McCube-S1(config)# ip dhcp snooping
McCube-S1(config)#Step 2 - Configure Trusted Ports
The next step is to configure the interface we trust to be the source of our DHCP information. In this case FastEthernet 0/1 on McCube-S1.
McCube-S1(config)#
McCube-S1(config)# interface fastethernet0/1
McCube-S1(config-if)# ip dhcp snooping trust
McCube-S1(config-if)# exit
McCube-S1(config)#Step 3 - Configure untrusted ports
In this lab every over interface is considered untrustworthy. The task here is to force interfaces to shut down, should a large amount of DHCP requests come through within a set amount of time (in seconds). OR Should an untrusted interface try to respond to a DHCP Discover message.
To achieve this on all interfaces we will use the range command, followed but the IP snooping rate limit command.
McCube-S1(config)#
McCube-S1(config)# interface range f0/2-24 , g0/1-2
McCube-S1(config-if-range)# ip dhcp snooping limit rate 2
McCube-S1(config-if-range)#Part 3 - Attempt attacks again
Set PC-A to gain an IP address automatically, should be successful.
Connect HackSwitch G0/2 to any port on McCube-S1. McCube-S1 interface should go down.
Connect PC-B to any port on McCube-S1, configure it to gain an IP address automatically, should be successful.
Connect Rogue DHCP server to any port on McCube-S1.
Connect PC-C to any port on McCube-S1, configure it to gain an IP address automatically. Should be successful.
Notice that the Rogue DHCP server details are not used
Other Verifications
To Verify your trusted port configuration, you can use the show "ip dhcp snooping" command
McCube-S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
----------------------- ------- ----------------
FastEthernet0/2 no 2
FastEthernet0/3 no 2
FastEthernet0/4 no 2
FastEthernet0/5 no 2
FastEthernet0/6 no 2
FastEthernet0/7 no 2
FastEthernet0/8 no 2
FastEthernet0/9 no 2
FastEthernet0/10 no 2
FastEthernet0/11 no 2
FastEthernet0/12 no 2
FastEthernet0/13 no 2
FastEthernet0/14 no 2
FastEthernet0/15 no 2
FastEthernet0/1 yes unlimited
FastEthernet0/23 no 2
GigabitEthernet0/1 no 2
GigabitEthernet0/2 no 2
FastEthernet0/20 no 2
FastEthernet0/18 no 2
FastEthernet0/17 no 2
FastEthernet0/19 no 2
FastEthernet0/16 no 2
FastEthernet0/21 no 2
FastEthernet0/22 no 2
FastEthernet0/24 no 2
McCube-S1#
Comments