In the network switching, you can easily configure DHCP snooping to prevent DHCP spoofing attack and DHCP starvation attack. Before you mitigating DHCP attacks in the network, you need to know about DHCP functions and features. The DHCP servers dynamically provide IP configuration information including IP address, subnet mask, default gateway, DNS servers, and more to clients. The sequence of DHCP message exchange between client and server.

Types of DHCP Attacks

There are some DHCP attacks that hackers can use to hack your network systems and access the information. The DHCP Spoofing attack and the DHCP Starvation attack.

1. DHCP Spoofing Attack

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:

• Wrong default gateway – Attacker provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.

• Wrong DNS server – Attacker provides an incorrect DNS server address pointing the user to a nefarious website.

• Wrong IP address – Attacker provides an invalid default gateway IP address and creates a DoS attack on the DHCP client.

2. DHCP Starvation Attack

Another DHCP attack is the DHCP starvation attack. The goal of this attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler.

Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

Mitigating DHCP Attacks

It is easy to mitigate DHCP starvation attacks using port security. However, mitigating DHCP spoofing attacks requires more protection.

Related articles: Configure DHCP in Cisco Router and Windows Server

For instance, Gobbler uses a unique MAC address for each DHCP request and port security. Port security could be configured to mitigate this. However, Gobbler can also be configured to use the same interface MAC address with a different hardware address for every request. This would render port security ineffective.

DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps mitigate against DHCP starvation attacks by rate limiting the number of DHCP discovery messages that an untrusted port can receive. DHCP snooping builds and maintains a DHCP snooping binding database that the switch can use to filter DHCP messages from untrusted sources. The DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switchport or interface.

Note: In a large network, the DHCP binding table may take time to build after it is enabled. For example, it could take 2 days for DHCP snooping to complete the table if DHCP lease time is 4 days.

1. DHCP Snooping 

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs. Mitigate VLAN attack.

Configure DHCP Snooping to Mitigate DHCP Attack

When you configure DHCP snooping or enabling on an interface or VLAN, the switch receives a packet on an untrusted port, the switch compares the source packet information with that held in the DHCP snooping binding table.

• Trusted DHCP ports – Only ports connecting to upstream DHCP servers should be trusted. These ports that are expected to reply with DHCP offer and DHCP Ack messages. Trusted ports must be explicitly identified in the configuration.
• Untrusted ports – These ports connect to hosts that should not be providing DHCP server messages. By default, all switch ports are untrusted.

The general rule when configuring DHCP snooping is to “trust the port and enable DHCP snooping by VLAN”. Therefore, the following steps should be used to enable or configure DHCP snooping:

• Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.

• Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.

• Step 3. Enable DHCP snooping by VLAN, or by a range of VLANs.

Configuring a Maximum Number of MAC Addresses

S1(config)# ip dhcp snooping
S1(config)#
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)#  
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 4  
S1(config-if-range)# exit
S1(config)#
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)#

Try to displays the resulting output of the “show ip dhcp snooping” privileged EXEC command.

S1# show ip dhcp snooping

Try to displays the resulting output of the “show ip dhcp snooping binding” command. Another way to verify is with the “show ip dhcp snooping database” command.

S1# show ip dhcp snooping binding

Untrusted ports should also rate limit the number of DHCP discovery messages they can receive per second using the ip dhcp snooping limit rate interface configuration command.

Note: Rate limiting further mitigates the risk of DHCP starvation attacks.

Similar mitigation techniques are available for DHCPv6 and IPv6 clients. Because IPv6 devices can also receive their addressing information from the router’s Router Advertisement (RA) message, there are also mitigation solutions to prevent any rogue RA messages.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In the NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Source: Cisco Configure DHCP Snooping

The post How to Configure DHCP Snooping in Cisco Switches? appeared first on TECHNIG.

Looking for CCNA Security Exam Answers? Here you can test and review all updated CCNA Security Chapter 3 exam questions and answers. It is just for educational purposes.

These questions are the latest CCNA security chapter 3 exam questions with answers. Please share the new questions through the comment section. We will reply it with the correct answer.

CCNA Security Chapter 3 Exam Questions and Answers

The configuration is using the default ports for a Cisco router.

The configuration will not be active until it is saved and Rtr1 is rebooted.

The configuration of the ports requires 1812 be used for the authentication and the authorization ports.

The ports configured for Server1 on the router must be identical to those configured on the RADIUS server.

The local username database will provide a backup for authentication in the event the ACS servers become unreachable.

A local username database is required when configuring authentication using ACS servers.

Because ACS servers only support remote user access, local users can only authenticate using a local username database.

Without a local username database, the router will require successful authentication with each ACS server.

debug tacacs accounting

debug aaa authentication

debug tacacs events

debug tacacs

Windows Server only supports AAA using TACACS.

Windows Server uses its own Active Directory (AD) controller for authentication and authorization.

Windows Server cannot be used as an AAA server.

Windows Server requires more Cisco IOS commands to configure.

MD5

RADIUS

SSH

TACACS+

Implement Cisco Secure Access Control System (ACS) only.

RADIUS and TACACS+ servers cannot be supported by a single solution.

Implement both a local database and Cisco Secure Access Control System (ACS).

Implement a local database.

accessibility

authorization

authentication

auditing

accounting

The login succeeds, even if all methods return an error.

It uses the enable password for authentication.

It accepts a locally configured username, regardless of case.

It defaults to the vty line password for authentication.

It uses less network bandwidth.

It requires a login and password combination on the console, vty lines, and aux ports.

It provides a fallback authentication method if the administrator forgets the username or password.

It specifies a different password for each line or port.

accounting

accessibility

authentication

authorization

Accounting can only be enabled for network connections.

Users are not required to be authenticated before AAA accounting logs their activities on the network.

Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.

Possible triggers for the aaa accounting exec default command include start-stop and stop-only.

Use the login delay command for authentication attempts.

Use the none keyword when configuring the authentication method list.

Use the aaa local authentication attempts max-fail global configuration mode command with a higher number of acceptable failures.

Use the login local command for authenticating user access.

the switch that is controlling network access

the client that is requesting authentication

the router that is serving as the default gateway

the authentication server that is performing client authentication

password encryption

separate authentication and authorization processes

802.1X support

SIP support

utilization of transport layer protocols

The authorization feature enhances network performance.

User access is restricted to certain services.

A user must be identified before network access is granted.

User actions are recorded for use in audits and troubleshooting events.

The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.

The locked-out user failed authentication.

The locked-out user stays locked out until the interface is shut down then re-enabled.

The locked-out user should have used the username admin and password Str0ngPa55w0rd.

The locked-out user is locked out for 10 minutes by default.

true

false

local AAA

server-based AAA over TACACS+

server-based AAA

local AAA over TACACS+

local AAA over RADIUS

server-based AAA over RADIUS

Use the show aaa user command.

Use the show aaa local user lockout command .

Use the show aaa sessions command .

Use the show running-configuration command .

That’s all the latest CCNA Security chapter 3 exam questions and answers. Please share the new CCNA Security exam questions via the comment section.

Related Questions:

CCNA security chapter 3 exam answers 2018
CCNA security 2.0 hands-on skills exam
CCNA security chapter 3 exam answers
CCNA Security exam questions and answers pdf
CCNA security v2.0 exam answers
CCNA security final exam packet tracer
Which solution supports aaa for both radius and tacacs+ servers?
What is a characteristic of aaa accounting?
CCNA security final exam answers 2018
CCNA security netacad

The post CCNA Security Chapter 3 Exam Questions With Answers – Updated appeared first on TECHNIG.