Friday, June 5, 2009

Protecting from Rogue DHCP server attacks – DHCP Snooping

My environment: Cisco Catalyst 3560E
IOS: c3560e-universal-mz.122-35.SE5.bin

One of the common DHCP attacks is the rogue DHCP server attack: an attacker answers clients' DHCP requests and thereby becomes the hosts' default gateway or DNS server. DHCP snooping prevents this by treating every switchport that does not connect to the legitimate DHCP server as untrusted, so DHCP server replies arriving on those ports are dropped.

! Global Command

! which vlan you would like to snoop
ip dhcp snooping vlan 168,201

! this is important otherwise this feature is not enabled
ip dhcp snooping

! Switchport configuration for DHCP server
int gi0/4
ip dhcp snooping trust

! User-facing switchport configuration, default untrust
int gi0/5
no ip dhcp snooping trust


To show the DHCP snooping bindings:

pandaeatsbamboo-sw01#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:16:C8:FF:C4:6D 192.168.10.102 80179 dhcp-snooping 201 GigabitEthernet0/6
00:17:E0:1C:AB:1A 192.168.10.104 79680 dhcp-snooping 201 GigabitEthernet0/8
Total number of bindings: 2
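
As an added example (not part of the original post), the following Python script parses the "sh ip dhcp snooping binding" output shown above and audits it against the intended configuration: every binding should sit in one of the snooped VLANs, no binding should appear on a port the config lists as trusted (the switch only learns bindings on untrusted ports, so such a binding means trust is not actually applied where you think it is), and no IP address should be bound to two MACs. The sample output is the post's two bindings plus a third, constructed line on VLAN 300 / Gi0/4 so the audit has something to flag; the interface abbreviation table is an assumption that covers the common IOS names.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two bindings from the post plus a made-up third binding
# (VLAN 300 on Gi0/4) that the audit below should flag.
SAMPLE_BINDING_OUTPUT = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:16:C8:FF:C4:6D 192.168.10.102 80179 dhcp-snooping 201 GigabitEthernet0/6
00:17:E0:1C:AB:1A 192.168.10.104 79680 dhcp-snooping 201 GigabitEthernet0/8
00:AA:BB:CC:DD:EE 192.168.10.150 3600 dhcp-snooping 300 GigabitEthernet0/4
Total number of bindings: 3
"""

# One binding row: MAC, IP, lease (seconds or "infinite" for static entries), type, VLAN, interface.
BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\d+|infinite)\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<iface>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total number of bindings:\s*(\d+)\s*$")

# Assumed set of full interface names used to expand abbreviations such as "gi0/4".
_IFACE_NAMES = ("GigabitEthernet", "FastEthernet", "TenGigabitEthernet")


def normalize_iface(name: str) -> str:
    """Expand an IOS abbreviation (gi0/4, Gi0/4) to the full name the show output uses."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name.strip())
    if not m:
        return name.strip()
    prefix, rest = m.groups()
    for full in _IFACE_NAMES:
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return prefix + rest


def parse_bindings(text: str) -> List[Dict[str, object]]:
    """Turn the binding table into a list of dicts; header and separator lines are skipped."""
    bindings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue
        lease = m.group("lease")
        bindings.append({
            "mac": m.group("mac").upper(),
            "ip": m.group("ip"),
            "lease": None if lease == "infinite" else int(lease),
            "type": m.group("type"),
            "vlan": int(m.group("vlan")),
            "iface": normalize_iface(m.group("iface")),
        })
    return bindings


def reported_total(text: str) -> Optional[int]:
    """The count the switch prints on the last line, for cross-checking the parse."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def audit_bindings(bindings: List[Dict[str, object]],
                   snooped_vlans: Set[int],
                   trusted_ifaces: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the table matches the intent."""
    trusted = {normalize_iface(i) for i in trusted_ifaces}
    findings: List[str] = []
    seen_ip: Dict[str, str] = {}
    for b in bindings:
        if b["vlan"] not in snooped_vlans:
            findings.append(f"{b['mac']} on VLAN {b['vlan']}: VLAN is not in the snooped list")
        if b["iface"] in trusted:
            findings.append(f"{b['mac']} on {b['iface']}: binding learned on a port the intended "
                            "config lists as trusted, so trust is not actually applied there")
        other = seen_ip.setdefault(str(b["ip"]), str(b["mac"]))
        if other != b["mac"]:
            findings.append(f"{b['ip']} is bound to both {other} and {b['mac']}")
    return findings


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_BINDING_OUTPUT)
    assert reported_total(SAMPLE_BINDING_OUTPUT) == len(rows), "parse missed a row"
    # Intended config from the post: snoop VLANs 168 and 201, trust only gi0/4.
    for finding in audit_bindings(rows, {168, 201}, {"gi0/4"}):
        print("FINDING:", finding)
```

Feed it the real output (for example, captured over SSH) instead of the constructed sample and run the audit on a schedule; a non-empty finding list is the signal to compare the running configuration with the intended one.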

The DHCP snooping binding table can be written to flash or to external storage by the DHCP snooping database agent. Very importantly, for the database agent to work you MUST synchronize the switch with NTP; verify this with the command “sh ntp status” and make sure the clock is synchronized.

ip dhcp snooping database tftp://192.168.10.2/snoop.db

Then you can use show ip dhcp snooping database to verify:

pandaeatsbamboo-sw01#sh ip dhcp snooping database
Agent URL : tftp://192.168.10.2/snoop.db
Write delay Timer : 15 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : 10:29:01 HKT Fri Jun 5 2009
Last Failed Time : 18:35:29 HKT Wed Jun 3 2009
Last Failed Reason : Unable to access URL.

Total Attempts : 1206 Startup Failures : 0
Successful Transfers : 1205 Failed Transfers : 1
Successful Reads : 2 Failed Reads : 0
Successful Writes : 1203 Failed Writes : 1
Media Failures : 0
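
As an added example (not part of the original post), the following Python script parses the "sh ip dhcp snooping database" output above together with the first line of "sh ntp status" and reports the conditions a practitioner would want flagged: no agent URL configured (bindings are then lost on reload), a clock that is not NTP-synchronized (the agent will not write), any failed writes with the reason the switch gives, and a most recent attempt that failed after the last success (the stored database is then stale). The sample output is the post's own; the NTP status lines are constructed in the shape IOS prints ("Clock is synchronized, ..." or "Clock is unsynchronized, ...").

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Union

# Constructed sample: the 'show ip dhcp snooping database' output from the post.
SAMPLE_DB_OUTPUT = """\
Agent URL : tftp://192.168.10.2/snoop.db
Write delay Timer : 15 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : 10:29:01 HKT Fri Jun 5 2009
Last Failed Time : 18:35:29 HKT Wed Jun 3 2009
Last Failed Reason : Unable to access URL.

Total Attempts : 1206 Startup Failures : 0
Successful Transfers : 1205 Failed Transfers : 1
Successful Reads : 2 Failed Reads : 0
Successful Writes : 1203 Failed Writes : 1
Media Failures : 0
"""

# A counter line is one or two "Name : integer" pairs and nothing else.
COUNTER_LINE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z ]*?\s*:\s*\d+\s*)+$")
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_database_status(text: str) -> Dict[str, Union[str, int]]:
    """Map each label to its value; counters become ints, everything else stays a string."""
    status: Dict[str, Union[str, int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " : " not in line:
            continue
        if COUNTER_LINE_RE.match(line):
            for name, value in PAIR_RE.findall(line):
                status[name.strip()] = int(value)
        else:
            # Timestamps contain colons, so split only on the first " : ".
            key, _, value = line.partition(" : ")
            status[key.strip()] = value.strip()
    return status


def parse_ios_time(value: str) -> Optional[datetime]:
    """Parse '10:29:01 HKT Fri Jun 5 2009'; the zone token is dropped since strptime cannot resolve it."""
    parts = value.split()
    if len(parts) != 6:
        return None
    try:
        return datetime.strptime(" ".join(parts[:1] + parts[2:]), "%H:%M:%S %a %b %d %Y")
    except ValueError:
        return None


def assess_database(status: Dict[str, Union[str, int]], ntp_status_line: str) -> List[str]:
    """Return findings about the database agent; an empty list means it is healthy."""
    findings: List[str] = []
    if not status.get("Agent URL"):
        findings.append("no database agent URL configured: bindings will be lost on reload")
    if not ntp_status_line.strip().lower().startswith("clock is synchronized"):
        findings.append("clock is not NTP-synchronized: the database agent will not write")
    failed = int(status.get("Failed Writes", 0))
    if failed:
        reason = status.get("Last Failed Reason", "unknown")
        findings.append(f"{failed} failed write(s); last reason: {reason}")
    # "Succeded" is spelled the way the switch prints it.
    last_ok = parse_ios_time(str(status.get("Last Succeded Time", "")))
    last_bad = parse_ios_time(str(status.get("Last Failed Time", "")))
    if last_ok and last_bad and last_bad > last_ok:
        findings.append("most recent write attempt failed: the stored database is stale")
    return findings


if __name__ == "__main__":
    st = parse_database_status(SAMPLE_DB_OUTPUT)
    # Constructed NTP status line in the shape IOS prints.
    for finding in assess_database(st, "Clock is synchronized, stratum 3, reference is 192.168.10.2"):
        print("FINDING:", finding)
```

On the post's output this reports the single failed write from June 3 with the reason "Unable to access URL." and nothing else, because the later success on June 5 shows the TFTP server has been reachable since; the same script run against an unsynchronized clock adds the NTP finding.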