DHCP defense mechanism: DHCP Snooping (DHCP monitoring)

Introduction to DHCP Snooping

DHCP Snooping is a security feature of DHCP (Dynamic Host Configuration Protocol). It ensures that DHCP clients obtain IP addresses only from legitimate DHCP servers, and it records the mapping between each DHCP client's IP address, MAC address and other parameters, so that the network can be defended against DHCP attacks.

At present, the DHCP protocol (RFC 2131) faces many security problems in practice. Several kinds of attack target DHCP on the network, such as DHCP Server counterfeit (rogue server) attacks, DHCP Server denial-of-service attacks, and fake DHCP message attacks.

To keep network communication services secure, DHCP Snooping can be introduced as a firewall between the DHCP Client and the DHCP Server, resisting the various DHCP attacks found on the network.

Benefits

  • The device can defend against DHCP attacks on the network, which improves its reliability and keeps the communication network operating normally. With this feature enabled, the switch can intercept all DHCP messages in the Layer 2 VLAN domain.
  • Users get a more secure network environment and more stable network services.

Principle Description of DHCP Snooping

DHCP snooping divides switch ports into two categories:

  • Trusted port: normally receives DHCP ACK, DHCP NAK and DHCP Offer messages from the DHCP server. This is the port connected to a legitimate DHCP server, or the uplink port toward the aggregation switch.
  • Untrusted port: only DHCP requests may pass through it; all other DHCP messages arriving on an untrusted port are discarded. It is usually a port that connects terminal equipment such as a PC or a network printer.

Trusted port function

With DHCP Snooping enabled, the switch restricts untrusted (user) ports to sending only DHCP requests and discards every other DHCP message received from a user port, such as a DHCP Offer. Moreover, not every DHCP request from an untrusted port is allowed through. The switch also compares the source MAC address in the frame header of the DHCP request with the client hardware address carried in the message body (the CHADDR field); only requests in which the two match are forwarded, and the rest are discarded. This prevents DHCP denial-of-service attacks.

A trusted port may receive all DHCP messages. By making only the port that connects the switch to a legitimate DHCP server trusted, and leaving every other port untrusted, users are prevented from forging a DHCP server to attack the network. DHCP Snooping can also rate-limit DHCP messages on a port; limiting the rate on each untrusted port prevents flooding attacks built from otherwise legitimate DHCP request messages.
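The three untrusted-port rules just described (drop server-side messages, require the frame source MAC to equal CHADDR, rate-limit per port) can be modelled as a small filter. The Python below is an added example written for this page, not a vendor's switch code; the port names, MAC addresses and the token-bucket rate limiter are constructed assumptions, and the decision strings are the model's own.

```python
"""Model of DHCP Snooping port filtering (constructed example, not switch firmware)."""
from dataclasses import dataclass, field

# DHCP message types (value of option 53, RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}       # only a DHCP server legitimately sends these


@dataclass
class DhcpFrame:
    """The fields of a DHCP message the filter looks at (constructed sample input)."""
    in_port: str
    src_mac: str      # Ethernet frame header source MAC
    chaddr: str       # client hardware address inside the DHCP payload
    msg_type: int


@dataclass
class TokenBucket:
    """Per-port rate limiter: `rate` packets per second with a burst of `burst`."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=None)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SnoopingFilter:
    def __init__(self, trusted_ports, rate_pps=10, burst=10):
        self.trusted = set(trusted_ports)
        self.rate_pps, self.burst = rate_pps, burst
        self.buckets = {}                      # untrusted port -> TokenBucket

    def decide(self, f: DhcpFrame, now: float) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
        if f.in_port in self.trusted:
            return "forward"                   # trusted ports may carry any DHCP message
        if f.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if f.src_mac.lower() != f.chaddr.lower():
            return "drop: source MAC does not match CHADDR"
        bucket = self.buckets.setdefault(f.in_port, TokenBucket(self.rate_pps, self.burst))
        if not bucket.allow(now):
            return "drop: rate limit exceeded on port"
        return "forward"


def demo():
    """Run constructed frames through the filter; uplink GE0/0/24 is the only trusted port."""
    flt = SnoopingFilter(trusted_ports={"GE0/0/24"}, rate_pps=2, burst=3)
    srv, pc, other = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:99"
    frames = [
        (DhcpFrame("GE0/0/24", srv, pc, OFFER), 0.0),     # real server on the uplink
        (DhcpFrame("GE0/0/1", srv, pc, OFFER), 0.0),      # Offer arriving on a user port
        (DhcpFrame("GE0/0/1", pc, other, DISCOVER), 0.0), # CHADDR differs from frame source
        (DhcpFrame("GE0/0/1", pc, pc, DISCOVER), 0.0),    # four valid requests in one burst
        (DhcpFrame("GE0/0/1", pc, pc, DISCOVER), 0.0),
        (DhcpFrame("GE0/0/1", pc, pc, DISCOVER), 0.0),
        (DhcpFrame("GE0/0/1", pc, pc, DISCOVER), 0.0),
        (DhcpFrame("GE0/0/1", pc, pc, DISCOVER), 1.0),    # one second later the bucket refilled
    ]
    return [flt.decide(f, now) for f, now in frames]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the CHADDR comparison uses the frame's source MAC, exactly as the text describes; a forged request that spoofs both fields consistently is not caught by this rule, which is why the rate limit and the per-interface user limit described later are layered on top.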

DHCP Snooping binding table

Another very important function of DHCP Snooping is to build the DHCP Snooping binding table. Once a client connected to an untrusted port obtains a legitimate DHCP Offer, the switch automatically adds a binding entry to the table containing the client's IP address, MAC address, the untrusted port number, the VLAN ID, the lease period and other information.

  1. To make sure the device can learn the user's MAC address and other parameters when generating the DHCP Snooping binding table, DHCP Snooping must run on the access device or on the first DHCP Relay in the Layer 2 network.

  2. The untrusted port only lets the client's DHCP request messages through, but this restriction applies to DHCP messages alone; other, non-DHCP traffic is forwarded normally. This means a client with a statically assigned IP address can still reach the network through an untrusted port. Because such a static client never sends DHCP messages, it has no record in the DHCP Snooping binding table.

  3. Client information from trusted ports is not recorded in the DHCP Snooping binding table.

    If a client is connected to a trusted port, there is no entry for it in the binding table even if it obtained its IP address through a normal DHCP exchange. If clients are to be allowed onto the network only with dynamically obtained IP addresses, this has to be enforced with the IPSG and DAI technologies. (Entries can be added to the binding table manually, for trusted and untrusted ports alike.)

  4. To forward at high speed, a switch normally inspects only the Layer 2 frame header of a packet and forwards it as soon as it has read the destination MAC address, without examining the payload. DHCP Snooping essentially makes the switch inspect the contents of DHCP messages, so for DHCP messages the frame header is no longer the only thing checked.

  5. When the switch receives a broadcast DHCPDECLINE or DHCPRELEASE message whose frame-header source MAC address exists in an entry of the DHCP Snooping binding table, but the port on which the message actually arrived differs from the port field of that entry, the message is discarded. (This prevents attacks by DHCP impersonators.)

  6. The Lease column of the binding table holds the DHCP lease time of each client. When a client leaves the network, its entry does not disappear immediately; when the client reconnects and sends a new DHCP request, the entry is updated.

  7. Binding table entries age out according to the DHCP lease period, or are deleted automatically when the user releases the IP address with a DHCP Release message. The binding table is lost when the device restarts and has to be rebuilt, but it can be configured to be saved to flash or to a TFTP/FTP server and read back directly after the restart, so that clients do not have to bind again.

  8. The DHCP Snooping binding table is used not only to defend against DHCP attacks; it also provides the dynamic database on which the IPSG and DAI technologies rely.

DHCP attacks and their prevention

DHCP Server counterfeit attack

Principle of attack:

Because there is no authentication between the DHCP Server and the DHCP Client, any DHCP server added to the network can assign IP addresses and other network parameters to clients. If such a server hands out wrong IP addresses and network parameters, it does great harm to the network.

Solution:

To prevent DHCP Server counterfeit attacks, configure the "Trusted/Untrusted" working mode of the device interfaces.

Set the interfaces directly or indirectly connected to a legitimate DHCP server as trusted, and all other interfaces as untrusted. DHCP response messages received on an "Untrusted" interface are then discarded outright, which effectively stops counterfeit DHCP servers.

Fake DHCP message attack:

Principle of attack:

A legitimate user who has obtained an IP address sends DHCP Request or DHCP Release messages to the server to renew or release the address. If an attacker impersonates a legitimate user and keeps sending DHCP Request messages to the DHCP Server to renew the address, those addresses can never be reclaimed after their leases expire, so some legitimate users cannot obtain IP addresses; and if the attacker impersonates a legitimate user to send a DHCP Release message to the DHCP Server, that user is taken offline abnormally.

Solution:

To prevent fake DHCP message attacks effectively, the DHCP Snooping binding table can be used. The device determines whether a DHCP Request renewal message or a DHCP Release message is legitimate by matching it against the binding table (mainly checking whether the VLAN, IP address, MAC address and interface in the message match a dynamic binding entry); if the match succeeds the message is forwarded, otherwise it is discarded.

DHCP Server denial-of-service attack:

Principle of attack:

If a large number of attackers maliciously request IP addresses below the device interface interface1, the IP addresses of the DHCP Server are quickly exhausted and it can no longer provide address assignment to other legitimate users.

On the other hand, the DHCP Server usually identifies the client only by the CHADDR (Client Hardware Address) field of the DHCP Request message. If an attacker keeps changing the CHADDR field while requesting IP addresses from the DHCP Server, the address pool on the server is likewise depleted, leaving no IP addresses for other normal users.

The DHCP denial-of-service attack may be a pure DoS attack, or it may be combined with a fake DHCP server. Once the legitimate DHCP server is paralyzed, the attacker can set up a fake DHCP server to hand out addresses to clients in the LAN, so that their traffic is forwarded to malicious hosts prepared to intercept it.

Even when the source MAC address and CHADDR fields of DHCP requests are correct, DHCP requests are broadcast messages, so sending them in large numbers exhausts network bandwidth and forms another kind of denial-of-service attack.

Solution:

To prevent large numbers of DHCP users from maliciously requesting IP addresses, after enabling DHCP Snooping on the device you can configure the maximum number of DHCP users allowed on the device or on an interface. Once the number of connected users reaches this value, no further DHCP user can successfully obtain an IP address through that device or interface.
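The binding table described in the earlier section, the matching of renewal and release messages against it (the fake-message solution above), and the per-interface user limit just described all operate on the same table, so one model serves all three. The Python below is an added example for this page and not a vendor's implementation; the port names, VLAN, MAC and IP addresses are constructed, the `(MAC, VLAN)` table key and the decision strings are the model's own choices, and the ACK is tied back to the client's port by remembering which untrusted port forwarded the REQUEST (an assumption about how the switch correlates the two).

```python
"""Model of the DHCP Snooping binding table and the checks built on it
(constructed example, not a vendor's implementation)."""
from dataclasses import dataclass

# DHCP message types (value of option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)


@dataclass
class DhcpMsg:
    """A DHCP message as seen by the switch (constructed sample input)."""
    in_port: str
    vlan: int
    src_mac: str                  # Ethernet frame header source MAC
    chaddr: str                   # client hardware address in the DHCP payload
    ciaddr: str                   # client's current IP in renew REQUEST / RELEASE, else 0.0.0.0
    yiaddr: str                   # address assigned by the server (ACK)
    msg_type: int
    lease: int = 0                # option 51 lease time in seconds (ACK)
    requested_ip: str = "0.0.0.0" # option 50, carried by DECLINE


@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    expires: float                # absolute time at which the lease ends


class BindingTable:
    def __init__(self, trusted_ports, max_users_per_port=None):
        self.trusted = set(trusted_ports)
        self.max_users = max_users_per_port
        self.entries = {}   # (mac, vlan) -> Binding
        self.pending = {}   # (mac, vlan) -> untrusted port that forwarded the REQUEST

    def age(self, now):
        """Entries age out when their DHCP lease expires."""
        for key, b in list(self.entries.items()):
            if b.expires <= now:
                del self.entries[key]

    def users_on_port(self, port):
        bound = {k for k, b in self.entries.items() if b.port == port}
        waiting = {k for k, p in self.pending.items() if p == port}
        return len(bound | waiting)

    def process(self, m, now):
        """Apply the binding-table rules to one message and return the decision."""
        self.age(now)
        key = (m.chaddr.lower(), m.vlan)
        if m.in_port in self.trusted:
            if m.msg_type == ACK:
                client_port = self.pending.pop(key, None)
                if client_port is None:      # client on a trusted port: not recorded
                    return "forward: ACK not recorded"
                self.entries[key] = Binding(m.yiaddr, key[0], client_port, m.vlan, now + m.lease)
                return "forward: binding recorded"
            return "forward"
        # Untrusted port. A new address request is DISCOVER, or REQUEST with ciaddr unset.
        if m.msg_type == DISCOVER or (m.msg_type == REQUEST and m.ciaddr == "0.0.0.0"):
            if (key not in self.entries and key not in self.pending
                    and self.max_users is not None
                    and self.users_on_port(m.in_port) >= self.max_users):
                return "drop: maximum DHCP users reached on interface"
            if m.msg_type == REQUEST:
                self.pending[key] = m.in_port
            return "forward"
        # Renewal, release or decline must match an existing binding on VLAN, IP, MAC and port.
        if m.msg_type in (REQUEST, RELEASE, DECLINE):
            claimed_ip = m.requested_ip if m.msg_type == DECLINE else m.ciaddr
            b = self.entries.get(key)
            if (b is None or b.ip != claimed_ip or b.port != m.in_port
                    or b.vlan != m.vlan or b.mac != m.src_mac.lower()):
                return "drop: no matching binding (VLAN/IP/MAC/interface)"
            if m.msg_type == RELEASE:
                del self.entries[key]
                return "forward: binding removed"
            return "forward: renewal accepted"
        return "forward"


def demo():
    """Walk one client through bind, a second client hitting the limit, a release from
    the wrong port, a legitimate renewal, and lease expiry (all constructed values)."""
    t = BindingTable(trusted_ports={"GE0/0/24"}, max_users_per_port=1)
    mac1, mac2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"

    def msg(port, mac, mtype, ciaddr="0.0.0.0", yiaddr="0.0.0.0", lease=0):
        return DhcpMsg(port, 10, mac, mac, ciaddr, yiaddr, mtype, lease)

    log = [
        t.process(msg("GE0/0/1", mac1, REQUEST), 0),
        t.process(msg("GE0/0/24", mac1, ACK, yiaddr="10.0.0.5", lease=3600), 1),
        t.process(msg("GE0/0/1", mac2, REQUEST), 2),                   # limit is 1 user
        t.process(msg("GE0/0/2", mac1, RELEASE, ciaddr="10.0.0.5"), 3),  # same MAC, wrong port
        t.process(msg("GE0/0/1", mac1, REQUEST, ciaddr="10.0.0.5"), 4),  # genuine renewal
        t.process(msg("GE0/0/1", mac1, REQUEST, ciaddr="10.0.0.5"), 4000),  # lease aged out
    ]
    return log, dict(t.entries)
```

The release arriving on GE0/0/2 is the case described in item 5 of the binding-table section: the MAC exists in the table, but the receiving port does not match the entry, so the message is discarded rather than taking the real client offline.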

Against attacks that change the CHADDR field of the DHCP Request message, the device can be configured to check whether the MAC address in the frame header of the DHCP Request is consistent with the CHADDR field in the DHCP data area. The device then inspects every DHCP Request it receives: if the frame-header source MAC address equals the CHADDR value, the message is forwarded, otherwise it is discarded.

Configuring the DHCP Snooping attack defense functions:

Configure the following DHCP Snooping functions to prevent DHCP attacks.

  1. Enable the DHCP Snooping function.
  2. Configure the trust status of the interfaces so that clients obtain IP addresses only from a legitimate server. (Prevents DHCP Server counterfeit attacks)
  3. Enable the linkage between ARP and DHCP Snooping so that the binding table is updated in real time when a DHCP user goes offline abnormally.
  4. Enable the check that matches DHCP messages against the binding table. (Prevents fake DHCP message attacks)
  5. Configure the maximum number of users allowed to access, and enable the check that the MAC address in the frame header of the DHCP Request is consistent with the CHADDR field in the DHCP data area. (Prevents DHCP Server denial-of-service attacks)
  6. Configure the alarms for discarded packets and for packets exceeding the rate limit.

Option 82 functions supported by DHCP Snooping:

Overview:

In the traditional DHCP address-assignment process, the DHCP Server cannot determine a user's physical location from the DHCP request message, so every user in the same VLAN has the same right to obtain an IP address. Because network administrators cannot effectively control individual users within a VLAN, that is, cannot control which clients access which network resources, this poses a serious challenge to network security control.

RFC 3046 defines the DHCP Relay Agent Information Option (Option 82), which records the location of the DHCP Client. The DHCP Snooping device or DHCP Relay adds Option 82 to the DHCP request message and so passes the client's precise physical location to the DHCP Server, which can then assign the appropriate IP address and other configuration to the host and thereby implement security control of clients.

Note:

  • The user location information carried in Option 82 and the user parameters recorded in the DHCP Snooping binding table are two independent concepts and are not related. The Option 82 location information is added to the DHCP request message by the device when the DHCP user requests an IP address (before any address has been assigned). The binding table entry is generated automatically by the device from the DHCP Ack message it receives from the DHCP Server (at which point an IP address has already been assigned to the user).

Option 82 contains two commonly used sub-options, Circuit ID and Remote ID:

  • The Circuit ID sub-option mainly identifies the VLAN, interface and similar information of the client's attachment point.
  • The Remote ID sub-option mainly identifies the device the client is attached to, generally by that device's MAC address.

When the device acts as a DHCP relay, Option 82 is supported whether or not DHCP Snooping is enabled; but when the device is used as an access device in a Layer 2 network, DHCP Snooping must be enabled for Option 82 to be supported.

Option 82 only records the precise physical location of the DHCP user and delivers it to the DHCP Server in the DHCP request message. To apply different address assignment or security policies to different users, the DHCP Server must support Option 82 and have the corresponding address assignment or security policies configured.

Implementation:

  • Insert mode: when the device receives a DHCP request message, it inserts Option 82 if the message has none; if the message already contains Option 82, the device checks whether that option contains a remote-id sub-option: if so, Option 82 is left unchanged; if not, the remote-id is inserted.
  • Rebuild mode: when the device receives a DHCP request message, it inserts Option 82 if the message has none; if the message already contains Option 82, the device deletes it and inserts the Option 82 that the administrator configured on the device.

In both Insert and Rebuild mode, a response message received from the DHCP server is processed in the same way.

  • The DHCP response message contains Option 82:
    • If the DHCP request message received by the device contained no Option 82, the device deletes Option 82 from the response and then forwards it to the DHCP Client.
    • If the DHCP request message received by the device contained Option 82, the device restores the Option 82 in the response to the form it had in the request, and then forwards it to the DHCP Client.
  • The DHCP response message does not contain Option 82: it is forwarded unchanged.
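The Insert and Rebuild request handling and the response handling above, together with the Circuit ID / Remote ID sub-options, can be exercised on real option bytes. The Python below is an added example written for this page, not a vendor's code: the DHCP options field is encoded as the code/length/value list of RFC 2132 (sub-options of Option 82 use the same encoding without the end marker), and the circuit-id string, the remote-id MAC and the downstream device's Option 82 are constructed sample values.

```python
"""Option 82 (RFC 3046) handling at a DHCP Snooping device.
Constructed example; the encoder and the agent model are not a vendor's code."""

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlv(raw: bytes, end_marker: bool = True) -> list:
    """Decode a DHCP option list (or an Option 82 sub-option list) into (code, value) pairs."""
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if end_marker and code == OPT_END:
            break
        if end_marker and code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        out.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def build_tlv(items, end_marker: bool = True) -> bytes:
    """Encode (code, value) pairs; DHCP options end with 255, sub-options do not."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + (bytes([OPT_END]) if end_marker else b"")


def get_opt82(opts):
    return next((v for c, v in opts if c == OPT_RELAY_AGENT), None)


def strip_opt82(opts):
    return [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]


def set_opt82(opts, value):
    return strip_opt82(opts) + [(OPT_RELAY_AGENT, value)]


class Opt82Agent:
    def __init__(self, mode, circuit_id: bytes, remote_id: bytes):
        assert mode in ("insert", "rebuild")
        self.mode = mode
        self.remote_id = remote_id
        # the administrator-configured Option 82 of this device
        self.own = build_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], end_marker=False)

    def on_request(self, opts):
        """Return (options to send upstream, Option 82 as it was in the request, or None)."""
        existing = get_opt82(opts)
        if existing is None:
            return set_opt82(opts, self.own), None
        if self.mode == "rebuild":
            return set_opt82(opts, self.own), existing
        subs = dict(parse_tlv(existing, end_marker=False))
        if SUB_REMOTE_ID in subs:                     # insert mode: leave it unchanged
            return opts, existing
        subs[SUB_REMOTE_ID] = self.remote_id           # insert mode: add only the remote-id
        return set_opt82(opts, build_tlv(list(subs.items()), end_marker=False)), existing

    def on_response(self, opts, request_opt82):
        """Same rule for both modes: strip, restore, or pass the server's Option 82."""
        if get_opt82(opts) is None:
            return opts
        if request_opt82 is None:
            return strip_opt82(opts)
        return set_opt82(opts, request_opt82)


def demo():
    remote = bytes.fromhex("0011223344aa")           # constructed switch MAC used as remote-id
    agent = Opt82Agent("insert", circuit_id=b"vlan10:GE0/0/1", remote_id=remote)
    # Case 1: client DISCOVER without Option 82; the server echoes Option 82 in its OFFER.
    up1, saved1 = agent.on_request([(OPT_MSG_TYPE, b"\x01")])
    down1 = agent.on_response([(OPT_MSG_TYPE, b"\x02"), (OPT_RELAY_AGENT, get_opt82(up1))], saved1)
    # Case 2: REQUEST already carrying Option 82 with only a circuit-id from a downstream device.
    downstream = build_tlv([(SUB_CIRCUIT_ID, b"vlan10:port7")], end_marker=False)
    req2 = [(OPT_MSG_TYPE, b"\x03"), (OPT_RELAY_AGENT, downstream)]
    up2, saved2 = agent.on_request(req2)
    down2 = agent.on_response([(OPT_MSG_TYPE, b"\x05"), (OPT_RELAY_AGENT, get_opt82(up2))], saved2)
    # Case 3: rebuild mode replaces whatever the request carried.
    up3, _ = Opt82Agent("rebuild", b"vlan10:GE0/0/1", remote).on_request(req2)
    return {
        "case1_subs": dict(parse_tlv(get_opt82(up1), end_marker=False)),
        "case1_down_has_82": get_opt82(down1) is not None,
        "case2_subs": dict(parse_tlv(get_opt82(up2), end_marker=False)),
        "case2_down_82": get_opt82(down2),
        "case3_82": get_opt82(up3),
        "wire": build_tlv(up1),                      # bytes as they would follow the magic cookie
    }
```

Case 2 shows why the device keeps a copy of the request's original Option 82: the response is handed back to the downstream device with the circuit-id it supplied and without the remote-id this device added, exactly as the restore rule requires.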

Origin blog.csdn.net/qq_40741808/article/details/106184502