Spoof Attacks
Spoof attacks include DHCP spoofing, MAC address spoofing, and ARP
spoofing.
DHCP Spoofing
A DHCP spoofing attacker listens for DHCP requests on the segment and answers
them before the legitimate server does, handing out a lease that names the
attacker's own IP address as the client's default gateway (and often as its DNS
server). The attacker then becomes a "man-in-the-middle," because all of the
victim's off-net traffic flows through it.
DHCP snooping can prevent DHCP spoofing attacks. When DHCP snooping is
enabled, only the ports that uplink to an authorized DHCP server are configured
as trusted, and only trusted ports are allowed to carry all types of DHCP
messages. Every other port on the switch is untrusted and can carry only DHCP
client messages (DISCOVER, REQUEST, and so on). A DHCP server message (OFFER,
ACK, NAK) that arrives on an untrusted port is dropped; the switch also drops
an untrusted client message whose source MAC address does not match the client
hardware address inside the DHCP packet, and it can place an untrusted port in
the err-disabled state if that port exceeds a configured DHCP rate limit. The
leases that do pass through trusted ports populate the DHCP snooping binding
table (MAC address, IP address, VLAN, and port), which IP Source Guard relies
on. The switch can also be configured to insert information, such as the port
ID, into client requests using DHCP option 82.
Note
Enabling DHCP snooping is user impacting, because every port starts out untrusted, so the
legitimate server's replies are dropped (and clients cannot obtain or renew leases) until the
uplink ports have been configured as trusted. Do this during off hours or during a maintenance
window.
Configure DHCP snooping with the following commands. It must be enabled
globally and then for each VLAN to be protected; it is not active on a VLAN
until both are done. Configure only the individual ports that uplink to DHCP
servers as trusted ports, and verify the result with the show commands.
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping information option
Switch(config)#ip dhcp snooping vlan vlan-id
Switch(config)#interface interface-id
Switch(config-if)#ip dhcp snooping trust
Switch#show ip dhcp snooping
Switch#show ip dhcp snooping binding
To extend the protection further, IP Source Guard uses the DHCP snooping
binding table (plus any static bindings you configure) to learn which IP
address belongs to the host connected to each untrusted port, and it drops
traffic entering that port from any other source address. Until a binding
exists for a port, only DHCP traffic is permitted on it. The check can be done
on just the source IP address or on both the source IP and MAC addresses; the
IP-and-MAC form requires port security to be enabled on the interface.
Enable IP Source Guard for both IP and MAC addresses on host access interfaces
with the interface command ip verify source vlan dhcp-snooping port-security.
The exact syntax varies by platform; on some Catalyst switches the same feature
is enabled with ip verify source port-security.
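The following Python is an added example, not part of the original text and not any vendor's code. It models the decisions described in the DHCP snooping and IP Source Guard sections above: a minimal DHCP packet builder and parser, the trusted/untrusted port checks, option 82 insertion on client messages, the binding table learned from server ACKs, and the IP Source Guard match against that table. The port names, MAC and IP addresses, and packets in demo() are constructed for illustration.

```python
"""Model of the forwarding decisions a switch makes with DHCP snooping and
IP Source Guard enabled. Added example, not vendor code; port names, MAC and
IP addresses and the packets below are constructed for illustration."""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}


def build_dhcp(op, chaddr, yiaddr, msg_type):
    """Construct a minimal RFC 2131 BOOTP/DHCP payload carrying only option 53."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, len(chaddr), 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type]) + b"\xff"


def parse_dhcp(payload):
    """Return (op, chaddr, yiaddr, {option_code: value}) for a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    chaddr = payload[28:28 + payload[2]]           # hlen selects the used part of chaddr
    yiaddr = socket.inet_ntoa(payload[16:20])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 ends the option list
        if payload[i] == 0:                        # 0 is a one-byte pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return payload[0], chaddr, yiaddr, opts


def add_option82(payload, port):
    """Append option 82 (relay agent information), suboption 1 (circuit ID) = port name."""
    if not payload.endswith(b"\xff"):
        raise ValueError("expected the end option at the end of the payload")
    circuit = port.encode()
    sub = bytes([1, len(circuit)]) + circuit
    return payload[:-1] + bytes([82, len(sub)]) + sub + b"\xff"


class Switch:
    def __init__(self, trusted_ports, option82=True):
        self.trusted = set(trusted_ports)
        self.option82 = option82
        self.pending = {}    # chaddr -> untrusted port that last sent DISCOVER/REQUEST
        self.bindings = {}   # port -> {(mac, ip)} learned from ACKs on trusted ports

    def dhcp_snoop(self, port, src_mac, payload):
        """Return ("forward", payload) or ("drop", reason) for a DHCP packet on port."""
        op, chaddr, yiaddr, opts = parse_dhcp(payload)
        msg_type = opts.get(53, b"\0")[0]
        if port in self.trusted:
            # Trusted ports carry anything; a server ACK creates the client's binding
            if msg_type == ACK and chaddr in self.pending:
                self.bindings.setdefault(self.pending[chaddr], set()).add((chaddr, yiaddr))
            return "forward", payload
        if op == BOOTREPLY or msg_type in SERVER_MSGS:
            return "drop", f"server message on untrusted port {port}"
        if src_mac != chaddr:
            return "drop", f"chaddr does not match source MAC on {port}"
        if 82 in opts:
            return "drop", f"option 82 already present on untrusted port {port}"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[chaddr] = port
        return "forward", (add_option82(payload, port) if self.option82 else payload)

    def verify_source(self, port, src_mac, src_ip, check_mac=True):
        """IP Source Guard: a non-DHCP frame on an untrusted port must match a binding."""
        if port in self.trusted:
            return True
        return any(ip == src_ip and (not check_mac or mac == src_mac)
                   for mac, ip in self.bindings.get(port, ()))


def demo():
    """Walk one lease through the switch and return the decisions made (constructed data)."""
    sw = Switch(trusted_ports={"Gi1/0/24"})
    client, rogue, server = (bytes.fromhex(h) for h in ("0011223344aa", "0011223344bb", "00aabbccdd01"))
    r = {}
    r["discover"] = sw.dhcp_snoop("Gi1/0/1", client, build_dhcp(BOOTREQUEST, client, "0.0.0.0", DISCOVER))
    # Attacker on Gi1/0/2 races the real server with an OFFER (a real one would also carry
    # option 3, router, pointing at the attacker); it is a server message on an untrusted port
    r["rogue_offer"] = sw.dhcp_snoop("Gi1/0/2", rogue, build_dhcp(BOOTREPLY, client, "10.0.0.66", OFFER))
    # Attacker sends a client message with a borrowed client hardware address
    r["spoofed_chaddr"] = sw.dhcp_snoop("Gi1/0/2", rogue, build_dhcp(BOOTREQUEST, client, "0.0.0.0", REQUEST))
    r["offer"] = sw.dhcp_snoop("Gi1/0/24", server, build_dhcp(BOOTREPLY, client, "10.0.0.50", OFFER))
    r["request"] = sw.dhcp_snoop("Gi1/0/1", client, build_dhcp(BOOTREQUEST, client, "0.0.0.0", REQUEST))
    r["ack"] = sw.dhcp_snoop("Gi1/0/24", server, build_dhcp(BOOTREPLY, client, "10.0.0.50", ACK))
    r["bindings"] = sw.bindings
    # IP Source Guard after the lease: the legitimate host passes; a spoofed IP or another port fails
    r["isg_ok"] = sw.verify_source("Gi1/0/1", client, "10.0.0.50")
    r["isg_spoofed_ip"] = sw.verify_source("Gi1/0/1", client, "10.0.0.1")
    r["isg_other_port"] = sw.verify_source("Gi1/0/2", rogue, "10.0.0.50")
    return r
```

Run demo() to see each decision; the drop reasons are the ones a switch logs (server message on an untrusted port, client hardware address not matching the source MAC, option 82 already present). The binding is only created by an ACK that arrives on a trusted port for a client whose request was seen on an untrusted port, which is why marking the uplink trusted before enabling the feature matters: without it no ACK passes and no binding, and therefore no IP Source Guard permit, ever forms.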