DHCP Concern Against IP/MAC Bluffing Attacks

A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks. MAC spoofing attacks, as Figure 5-7 shows, consist in malicious clients generating traffic by using MAC addresses that do not belong to them.

The motivation behind a MAC spoofing attack is the potential ability to gain network access when access control is based on MAC information, for example.

Figure 5-7 MAC Spoofing Attack

[Figure 5-7 diagram: three hosts on one LAN, 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C). The attacker at 10.1.1.3 sends traffic with MAC B as source; the received traffic shows source address 10.1.1.3 / MAC B. Callouts: "Attacker sends packets with spoofed source MAC address"; "If network access control is based on MAC address, the attacker now looks like 10.1.1.2".]

IP spoofing attacks, as Figure 5-8 shows, are exactly like MAC spoofing attacks, except that the client uses an IP address that isn't his. The goal of such an attack is to harm both innocent bystanders and the initial target by having the destination IP address (the initial target) reply to as many spoofed source IP addresses as possible. The attacker never sees the replies because he spoofs the source IP addresses. This is exactly like DoS attacks of the SYN flood type. This scenario is a reflection attack, where a hacker uses a victim's IP address as the source address of packets. Those packets are then sent to a relay, which will be referred to as innocent bystanders. Those innocent bystanders reply to these forged source IP addresses, who then become the victims of the attack because they really have no business dealing with this sudden rush of packets they haven't asked for.

IP spoofing can be used to bypass an ACL based on an IP address. Obviously, the attacker never sees the return traffic because it is sent back to the spoofed IP address. This lack of return traffic prevents some attacks, such as TCP session hijacking, because only one leg of the connection is visible to the attacker. Therefore, guessing the sequence numbers that the victim uses is virtually impossible. Nevertheless, this attack can work with UDP transport, such as sending SNMP set messages through an ACL, or as a plain DoS attack where seeing both legs of the connection isn't needed.

Figure 5-8 IP Spoofing Attack

IP+MAC spoofing attacks combine both IP and MAC spoofing attacks, as Figure 5-9 shows. This typical case of impersonation occurs when an attacker inserts himself in the middle of a normal conversation between two parties, pretending to be one of the parties.

[Figure 5-8 diagram: the same three hosts, 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C). The attacker (MAC C) sends traffic with IP 10.1.1.2 as source; the received traffic shows source IP 10.1.1.2 / MAC C. Callouts: "Attacker sends packets with the spoofed source IP address"; "Whatever device the packet is sent to will never reply to the attacker (reflector attack)".]

102 Chapter 5: Leveraging DHCP Weaknesses

The use of this combination is required if Dynamic ARP Inspection (DAI, see Chapter 6) is deployed because, with DAI, the IP-to-MAC mapping is fixed and an attacker cannot change it. Therefore, the only way for an attacker to spoof another host is to spoof both the MAC and IP address.

Figure 5-9 IP+MAC Spoofing Attack

In a typical IP routed network, mitigation techniques, such as Unicast Reverse Path Forwarding Check (uRPF Check), can come to the rescue.[3] To oversimplify things, uRPF verifies that the best path to reach a given source IP address is through the interface on which traffic from that IP address arrived. The check is performed by scanning through the router's forwarding table. In a LAN, it's a different story, because no routing table exists. Traffic forwarding is based on the location of MAC addresses. The LAN equivalent of uRPF is a Cisco feature called IP Source Guard.
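The uRPF check just described, as an added Python example that is not the book's or Cisco's code: a longest-prefix match over a constructed forwarding table, with strict mode accepting a packet only when the best return path to its source address leaves through the interface it arrived on. The FIB contents, interface names and the allow_default parameter are assumptions; the parameter models the fact that strict uRPF does not normally count a default route as a valid return path.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface); an assumed topology,
# not taken from the page.
FIB = {
    "10.1.1.0/24": "Gi0/1",
    "10.2.0.0/16": "Gi0/2",
    "192.0.2.0/24": "Gi0/2",
    "0.0.0.0/0": "Gi0/3",   # default route toward the rest of the world
}

def best_path_interface(fib, ip, allow_default=False):
    """Longest-prefix match over the FIB: the interface the router would use
    to reach ip. Returns None when only the default route matches and
    allow_default is False."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_pass(fib, src_ip, ingress_iface, allow_default=False):
    """Strict uRPF: accept the packet only if the best path back to its source
    address leaves through the interface it arrived on."""
    return best_path_interface(fib, src_ip, allow_default) == ingress_iface

def filter_packets(fib, packets):
    """packets: list of (src_ip, ingress_iface); returns the packets that pass."""
    return [p for p in packets if urpf_strict_pass(fib, *p)]

if __name__ == "__main__":
    # A 10.1.1.x source arriving on Gi0/2 is spoofed: the FIB says it lives behind Gi0/1.
    print(filter_packets(FIB, [("10.1.1.5", "Gi0/1"), ("10.1.1.5", "Gi0/2")]))
```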

Like DHCP snooping, IP Source Guard is configured on untrusted ports. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. The port becomes open only after a client receives a valid IP address from a trusted DHCP server or when a user configures a static IP source binding. The switch controls network access at the port level by means of per-port and VLAN access control lists (PVACL). This process restricts client IP traffic to packets that match entries in the bindings table; IP traffic with a source IP address other than that in the IP source binding is filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address. It's sort of a mini per-port IP firewall, if you will!

[Figure 5-9 diagram: the same three hosts, 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and 10.1.1.3 (MAC C). The attacker sends traffic with IP 10.1.1.2 / MAC B as source; the received traffic shows source IP 10.1.1.2 / MAC B. Callouts: "Attacker sends packets with spoofed IP and MAC addresses"; "Attacker looks like a device that is already on the network".]

Two levels of IP traffic filtering can be configured per port:

• Source IP address filter. IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted. An IP source address filter is changed when a new IP source binding entry is created or deleted on the port. The port PVACL is recalculated and reapplied in the hardware to reflect the IP source binding change. By default, if the IP filter is enabled without any IP source binding on the port, a default PVACL that denies all IP traffic except DHCP is installed on the port. Similarly, when the IP filter is disabled, any IP source filter PVACL is removed from the interface.

• Source IP and MAC address filter. IP traffic is filtered based on its source IP address and MAC address. Only IP traffic whose source IP and MAC addresses match an IP source binding entry is permitted. When IP Source Guard is enabled in IP+MAC filtering mode, DHCP snooping Option 82 must be enabled. Without DHCP Option 82 data returned from the DHCP server, the switch cannot locate the client host port to forward the DHCP server reply. If Option 82 is not used, the DHCP server reply is dropped, and the DHCP client cannot obtain an IP address. Also, IP Source Guard with IP+MAC filtering disables dynamic MAC learning on the port for DHCP and ARP packets; otherwise, MAC spoofing could not be prevented. This is why you need to enable Option 82 so that the switch can populate its bridging table with valid information for the device connected to the switch.
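As an added example (not from the book or from Cisco), a small Python model of the IP Source Guard decision described in the two filtering levels above: a constructed DHCP snooping binding table, the PVACL recomputed from it in either mode, and the three spoofing cases of Figures 5-7 to 5-9 replayed from the attacker's port. The port names, MAC labels and binding table are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    is_dhcp: bool = False

# Constructed DHCP snooping binding table (not from the page): port -> (ip, mac)
# pairs learned from a trusted DHCP server reply or entered as static bindings.
BINDINGS = {
    "Fa0/2": [("10.1.1.2", "MAC B")],
    "Fa0/3": [("10.1.1.3", "MAC C")],
    "Fa0/4": [],  # no lease yet: the default PVACL denies everything but DHCP
}

def build_pvacl(bindings, port, mode):
    """Recompute a port's PVACL from the binding table, as the switch does
    whenever a binding on that port is created or deleted. mode: "ip" or "ip-mac"."""
    entries = bindings.get(port, [])
    return {ip for ip, _ in entries} if mode == "ip" else set(entries)

def permitted(pvacl, pkt, mode):
    """IP Source Guard decision for one packet arriving on a port with this PVACL."""
    if pkt.is_dhcp:
        return True  # DHCP always passes so the client can obtain its lease
    key = pkt.src_ip if mode == "ip" else (pkt.src_ip, pkt.src_mac)
    return key in pvacl

def evaluate(port, mode):
    """Replay the spoofing cases of Figures 5-7 to 5-9 from a port that has a
    binding; returns {case: permitted}. The impersonated host is 10.1.1.2 / MAC B."""
    pvacl = build_pvacl(BINDINGS, port, mode)
    own_ip, own_mac = BINDINGS[port][0]
    cases = {
        "legit": Packet(own_ip, own_mac),
        "mac-spoof": Packet(own_ip, "MAC B"),         # Figure 5-7
        "ip-spoof": Packet("10.1.1.2", own_mac),      # Figure 5-8
        "ip+mac-spoof": Packet("10.1.1.2", "MAC B"),  # Figure 5-9
        "dhcp": Packet("0.0.0.0", own_mac, is_dhcp=True),
    }
    return {name: permitted(pvacl, p, mode) for name, p in cases.items()}

if __name__ == "__main__":
    for mode in ("ip", "ip-mac"):
        print(mode, evaluate("Fa0/3", mode))
```

In IP-only mode the MAC-spoofed packet (own IP, borrowed MAC) is still permitted, which is why the IP+MAC level, with Option 82 enabled, is the one that stops the Figure 5-7 case.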

Summary

DHCP is a basic building block of virtually all modern LANs. Unfortunately, it leaves much to be desired in terms of security. Vulnerabilities include IP address pool exhaustion (which leads to a DoS attack) and injection of forged DNS and gateway information to clients (which leads to MITM attacks). Tools, such as Yersinia and Gobbler, put these powerful attacks at the fingertips of anyone willing to use them.

Countermeasures depend on the nature of the attack: They range from port security to DHCP snooping. (The latter being only available on certain switches.) DHCP snooping is also the basis for other advanced Cisco switch security features: IP Source Guard and DAI (see Chapter 6).

References

1 Jones, Steven. The Gobbler. A tool to test DHCP networks. © 2003. http://www.networkpenetration.com.

2 http://www.networkworkpenetration.com/gobbler.html.

3 Unicast RPF Check. http://www.cisco.com/warp/public/732/Tech/security/docs/urpf.pdf.