Attacking DHCP, and mitigating the threat with a Cisco Switch
IFM supplies network engineering services for $NZ150+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
DHCP is a critical server in a network. Without DHCP, workstations cannot get IP addresses, which will prevent every workstation from working (at least once their DHCP binding has expired). DHCP attacks centre on two methods: simple denial of service (DoS), where the aim is simply to stop workstations from being able to get IP addresses, and DHCP impersonation, where the attacker wants workstations to get IP addresses from a fake DHCP server, which lets them route all traffic via themselves by changing the default gateway.
The denial of service attack is perhaps the simplest and fastest attack. DHCP servers have a limited number of addresses that they can give out. DHCP scopes commonly have fewer than 200 addresses that they give out to hosts (the rest of the space is often reserved for static IP devices, such as servers, printers, etc). So to stop the DHCP server from working, all an attacker has to do is send DHCP requests using random MAC addresses. It keeps sending requests until the DHCP server stops responding. Of course, the DHCP server has no idea what's going on, so it keeps responding to all the requests it sees coming in. It has no idea it is being attacked. This attack usually takes less than 10s to complete, and uses a very small amount of bandwidth. As long as the attack uses forged MAC addresses (and the common tools for doing this attack do this) it is very difficult for the Windows administrator to track down, since all of the information they have available to them is forged.
Mitigation of this attack is very simple with a Cisco switch, using a feature called port security. What port security does is limit the number of MAC addresses a client machine can use. So if you enable the feature on every port that can connect to a workstation, and a workstation tries to send a packet with a MAC address different to that of a packet it has sent in the same session, the switch will shut the port down, stopping the attack dead. Port security is supported on Cisco 2950s and above. The switch clears the MAC address associated with a port when the link goes down (such as the workstation being turned off, or unplugged). So it works happily with ports shared by different machines (as long as only one machine at a time is plugged into the port).
DHCP impersonation is also a simple attack. The attacker either disables the primary DHCP server using a denial of service attack such as the one above and then operates their own DHCP server, or they simply set up a faster DHCP server than the one already on the network. When a client sends out a DHCP request it accepts the response from whichever DHCP server responds first.
If the attacker wants to see all the traffic you are sending out of your local subnet, then they simply respond to your DHCP request, and specify their own machine as the default gateway. The attacker's machine then forwards on any traffic to the real default gateway. Now the attacker can see everything you're sending (perfect for username and password theft, identity theft, or capturing other sensitive information).
Cisco have a technology to overcome this called DHCP snooping. What happens is you tell the switch which port(s) have a DHCP server plugged in. The switch then only allows those ports to send DHCP server responses; any DHCP server response arriving on an untrusted port is dropped. Simple. This feature is available on layer 3 switches such as the Cisco 3560, but note that the EMI feature set is often required. A limited form of DHCP snooping is available on layer 2 switches, but it can only limit the rate at which DHCP packets are sent, and is not discussed here.
First, enable the feature globally.
Then tell the switch to trust ports that have a DHCP server plugged into them.
That's the basic config done!
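A Catalyst IOS configuration that applies both mitigations described above (port security against the starvation attack, DHCP snooping against rogue DHCP servers), added here as an example and not taken from the article. The VLAN number, interface names and DHCP rate limit are assumptions; adjust them to your own switch.

```cisco
! Added example, not from the original article. VLAN 10, the access port range
! and the server port are assumptions.
!
! --- Port security on every workstation port: stops the starvation attack ---
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! one MAC address per link-up session; a second source MAC is a violation
 switchport port-security maximum 1
 ! shutdown puts the port into err-disabled, which stops the attack dead
 switchport port-security violation shutdown
 ! throttle DHCP packets from clients; a flood trips this before the server
 ip dhcp snooping limit rate 10
!
! --- DHCP snooping: only trusted ports may send DHCP server responses ---
! Enabling it globally does nothing until at least one VLAN is listed.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The port the real DHCP server is plugged into. Any uplink that leads to
! the server (e.g. a trunk to another switch) must be trusted the same way.
interface GigabitEthernet0/48
 description Real DHCP server
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
! Optional: recover err-disabled ports automatically after 5 minutes,
! so a tripped port does not need a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Check the result with `show port-security interface GigabitEthernet0/1` and `show ip dhcp snooping`; ports not listed as trusted are untrusted by default. Avoid `switchport port-security mac-address sticky` here, since a learned address that survives link-down defeats the port-sharing behaviour the article relies on.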
This attack is exactly the same as the default gateway redirection, but instead of sending back a bogus default gateway the rogue DHCP server sends back a bogus DNS server. This then allows the attacker to quietly redirect just certain requests. For example, you think you're accessing your bank WWW site, but the attacker is using their own DNS server to redirect you to a fake WWW site that they have set up to capture your details.
The mitigation strategy is exactly the same as for the default gateway redirect. Stop rogue DHCP responses getting onto your network, and you won't get your details stolen by this attack.
Cisco Catalyst switches have a number of easy-to-implement security features that can stop very simple yet nasty attacks. Yet so many people just throw in a Cisco switch and don't spend the time to implement these simple security features.
Spend that extra time and afford yourself the level of protection that everyone should have!