DHCP Starvation Attacks

As the name implies, a DHCP starvation attack is where a DHCP server is sent so many DHCP requests that eventually there are no more IP addresses available to allocate to legitimate devices, hence rendering the network unusable.

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. As you have seen, there are many tools available on the Internet to send out these sorts of frames. The end result may involve the attacker installing their own DHCP server and responding to a client request for an IP address, which will result in data being sent to the wrong destination, thus compromising company data. Because DHCP responses typically include default gateway and DNS server information, the network attacker can supply their own system as the default gateway and DNS server, resulting in a man-in-the-middle-style attack.

Additional features in Cisco IOS-enabled switches can mitigate this attack by enabling DHCP snooping. In addition to the defense shown in Example 3-44, IP source guard can provide further defense against attacks such as DHCP starvation and IP spoofing. Like DHCP snooping, IP source guard is enabled on untrusted Layer 2 ports. All IP traffic is initially blocked except for DHCP packets captured by the DHCP snooping process. Once a client receives a valid IP address from the DHCP server, a per-port and VLAN access control list (PACL) is applied to the port. This restricts the client's IP traffic to the source IP addresses configured in the binding. Any other IP traffic with a source address not in the binding is filtered and discarded by the switch. Example 3-45 displays a sample configuration to help alleviate a DHCP starvation attack.

Example 3-45 DHCP Starvation Attack Mitigation

CatIOS(config)# ip dhcp snooping
CatIOS(config)# ip dhcp snooping vlan number [number]
CatIOS(config)# ip verify source vlan dhcp-snooping port-security
CatIOS(config)# switchport port-security limit rate invalid-source-MAC rate
CatIOS(config)# ip source binding ip-address MAC-address vlan vlan-id interface interface
! Finally, trust the interfaces with the following command
CatIOS(config-if)# ip dhcp snooping trust

Example 3-45 enables DHCP snooping and IP source guard, so that any IP traffic with a source address other than the addresses in the binding table is filtered and dropped immediately.
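To make the interplay between DHCP snooping, the binding table and IP source guard concrete, the following Python model is an added example and is not code from the book or from Cisco. It assumes a simplified switch with one trusted port (the real DHCP server) and untrusted access ports. It models three checks that the configuration in Example 3-45 turns on: server messages (OFFER/ACK) arriving on untrusted ports are dropped, client messages are rate-limited per port (the limit of 5 per second is an assumed value, and the err-disable reaction is the modeled consequence of the rate-limit command), and IP traffic on an untrusted port is forwarded only when its source MAC/IP/VLAN matches a binding learned from a DHCPACK or added statically. The MAC addresses, ports and IP addresses are constructed sample data.

```python
"""Toy model of DHCP snooping plus IP source guard (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Learns DHCP bindings from a trusted port and filters untrusted ports."""

    def __init__(self, trusted_ports, dhcp_rate_limit=5):
        self.trusted = set(trusted_ports)
        self.dhcp_rate_limit = dhcp_rate_limit   # assumed: DHCP msgs per port per second
        self.bindings = defaultdict(set)         # port -> {Binding}
        self.client_port = {}                    # chaddr -> (port, vlan) seen on DISCOVER/REQUEST
        self.dhcp_counts = defaultdict(int)      # (port, whole second) -> message count
        self.err_disabled = set()

    def add_static_binding(self, ip, mac, vlan, port):
        """Equivalent of 'ip source binding ... vlan ... interface ...'."""
        self.bindings[port].add(Binding(mac, ip, vlan, port))

    def _rate_ok(self, port, ts):
        key = (port, int(ts))
        self.dhcp_counts[key] += 1
        if self.dhcp_counts[key] > self.dhcp_rate_limit:
            self.err_disabled.add(port)          # modeled reaction: shut the flooding port
            return False
        return True

    def dhcp(self, port, vlan, src_mac, msg, ts, chaddr=None, yiaddr=None):
        """Process one DHCP message. Returns (forwarded, reason)."""
        if port in self.err_disabled:
            return False, "port err-disabled"
        if port not in self.trusted:
            if msg in ("OFFER", "ACK", "NAK"):
                return False, "server message on untrusted port"
            if chaddr != src_mac:
                return False, "chaddr does not match source MAC"
            if not self._rate_ok(port, ts):
                return False, "DHCP rate limit exceeded, port err-disabled"
            self.client_port[chaddr] = (port, vlan)
            return True, "client message forwarded"
        # Trusted port: a DHCPACK for a known client populates the binding table
        if msg == "ACK" and chaddr in self.client_port:
            cport, cvlan = self.client_port[chaddr]
            self.bindings[cport].add(Binding(chaddr, yiaddr, cvlan, cport))
        return True, "trusted port"

    def ip_forward(self, port, vlan, src_mac, src_ip):
        """IP source guard: untrusted ports pass only traffic matching a binding."""
        if port in self.trusted:
            return True
        return Binding(src_mac, src_ip, vlan, port) in self.bindings[port]


def run_demo():
    """Legitimate client on Gi0/1, starvation/spoofing attempts on Gi0/2."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"}, dhcp_rate_limit=5)
    legit = "aa:aa:aa:00:00:01"
    server = "aa:aa:aa:00:00:fe"
    out = {}
    out["discover"] = sw.dhcp("Gi0/1", 10, legit, "DISCOVER", ts=0.0, chaddr=legit)[0]
    out["ack"] = sw.dhcp("Gi0/24", 10, server, "ACK", ts=0.1,
                         chaddr=legit, yiaddr="10.0.10.50")[0]
    out["legit_ip"] = sw.ip_forward("Gi0/1", 10, legit, "10.0.10.50")
    out["spoofed_ip"] = sw.ip_forward("Gi0/1", 10, legit, "10.0.10.1")
    # Rogue server and mismatched chaddr on the untrusted port are both dropped
    out["rogue_offer"] = sw.dhcp("Gi0/2", 10, "bb:bb:bb:00:00:01", "OFFER", ts=1.0,
                                 chaddr=legit, yiaddr="10.0.10.9")[0]
    out["bad_chaddr"] = sw.dhcp("Gi0/2", 10, "bb:bb:bb:00:00:01", "DISCOVER", ts=1.0,
                                chaddr="bb:bb:bb:00:00:02")[0]
    # Burst of DISCOVERs from many spoofed MACs within one second (starvation pattern)
    macs = [f"bb:bb:bb:00:00:{i:02x}" for i in range(8)]
    flood = [sw.dhcp("Gi0/2", 10, m, "DISCOVER", ts=2.0, chaddr=m)[0] for m in macs]
    out["flood_forwarded"] = sum(flood)
    out["gi02_err_disabled"] = "Gi0/2" in sw.err_disabled
    out["attacker_ip"] = sw.ip_forward("Gi0/2", 10, macs[0], "10.0.10.60")
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In the model, the binding table alone does nothing against the flood of spoofed DISCOVERs; it is the per-port DHCP rate limit that stops the starvation attempt, while the binding table and IP source guard are what stop a host from sourcing traffic with an address it was never leased.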

There are, of course, many other techniques used by attackers. Other examples include using Cisco Discovery Protocol (CDP), trying to manipulate VTP messages without password authentication, and searching for vulnerabilities over wireless and telephony-based networks, as already discussed in Chapter 1, "General Networking Topics." Once you pass the written examination, make sure you do not limit your knowledge to just those mechanisms presented here, because Cisco releases new features almost daily to overcome new and even smarter techniques used by attackers.

The next section briefly covers some of the overall security policy best practices that Cisco recommends be designed and implemented in networks.
