SECURE ALL THE SWITCHES! Part 2: DHCP Snooping
Welcome to our new SECURE ALL THE SWITCHES! series. We will be covering in-depth countermeasures that you can deploy in your network to help defend against network switch pwnage.
Part 2: DHCP Snooping
In our Network Takedown series we covered how easy it is to pwn a network by flooding a legitimate DHCP server with bogus MAC addresses, setting up a rogue DHCP server, then routing traffic through our client. Now we will to teach you how to defend against such attacks.
The Defense Plan:
Stop DHCP starvation with port-security and rate limiting and stop rogue DHCP servers with DHCP snooping. Both tasks will be completed on the network switch.
A Cisco Network Switch running a semi-new version of IOS. I will be using a Cisco 2960S in this series.
DHCP starvation can be easily stopped by implementing port-security on your switch’s access ports and limiting the amount of MAC addresses allowed on each physical port to a low number, for our example we will only allow 5 addresses. Basically how this works is: limited MAC addresses means limited illegitimate DHCP IP address requests which in turn means no DHCP starvation. I covered port-security in part 1 of this series so I will only include the basic configuration of an access port here.
A rogue DHCP server is just as easy to stop as DHCP starvation, it just takes a little bit more work. To stop rogue DHCP servers from causing trouble on your network we will configure DHCP snooping on all of our network switches. DHCP snooping works by blocking the server side of the DHCP handshake, specifically the DHCP offer and DHCP ack.
First we must actually enable DHCP snooping, which is done so in global configuration. Additionally we need to provide a location for the snooping data base. You can store this database in flash, however that is not typically recommended due to the limited amount of space in flash. Alternatively you could store the file in ftp, https, tftp, etc. For this demo however we will store the database in flash.
You will notice that we get a couple of errors after setting up the database. The first is the flash storage warning about potential space issues that I mentioned before. The second error wants us to address the lack of ntp server configuration. You can ignore this or simply point your switch to an ntp server. I’ve included the basic command below (minus security).
Now that we have DHCP snooping enabled we will need to tell the switch which VLANs we want to snoop on (typically all of your VLANs).
An alternative to port security for handle DHCP starvation attacks is to use a function of dhcp called rate limiting. Rate limiting only allows up to the maximum number of configured DHCP packets per second through the port. If the set number is exceeded the port will be shut down and put into an err-disabled state. Because an uplink (trunk) port to another switch tends to carry many times a standard ports DHCP packets it is recommended to not use this feature on a trunk port.
The last configuration change that you will need to do is configure the switch ports connected to your DHCP server(s) and to your trunk ports. The good news is that the configuration is the same. Basically we are “trusting” that the port is allowed to pass the DHCP server offer and ack. One thing to consider when setting up a trunk port as a trusted port is that the switch on the other end has to have DHCP snooping enabled and properly configured as well otherwise all of your work to stop a rogue DHCP will be moot.
If you would like to detect a rogue DHCP servers on your network the easiest way to do so is to send dummy DHCP discover packets out into your network and see who responds. From there you can use the IP address(s)/MAC addresses(s) to track down the offending device.