cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1606
Views
12
Helpful
4
Replies

How to prevent bogus dhcp server from attacking nomal dhcp clients?

MinQuant.Kuo
Level 1
Level 1

HI,all

How to prevent bogus dhcp server in a same vlan with clients needing dhcp service from legal dhcp server connecting to Catlyst 4506

Without disconnecting Ehternet Line physically.

Please refer to attachment.

4 Replies 4

lgijssel
Level 9
Level 9

This will be quite hard to realize when you have a direct layer2 connection between the devices on the segment. Normally, this should not be a problem as the machine is within your administrative domain so you should also be able to contact it's administrator about this.

One solution (the most preferrable one) will be to put the bogus-machine in a different vlan.

Regards,

Leo

mshavrov
Level 1
Level 1

If your clients are Windows 2000/XP, and your DHCP server is Windows 2000/2003 Server, you can try to use DHCP ClassID feature. It provides some kind of "DHCP security" in your environment. I personally never tried it in real life, but I remember it from the MCSE materials.

Other of that there is no way to stop bogus DHCP server from issuing IP addresses. As matter of fact, your PCs will get most of their addresses from bogus DHCP server, since it's "closer" to them and will respond quicker.

If you want to be aware if someone brings DHCP server into your network, you can set up a sniffer in your network, and monitor for "out-of-range" IP addresses. Also you can turn on debugging on your router for "arp requests" and see if someone requests any ARP addresses out or your normal range.

Good luck,

Mike

----

Cisco IP Phone Headset Adapters

http://www.ciscoheadsetadapter.com

hagirebench
Level 1
Level 1

hi,

its posible to defend against this attack with dhcp snooping. but it is only available on a catalyst switch. i see from your figure that the bogusdhcpserver is connected to a hub. but here is the description of dhcp snooping and its commands..

btw you can still configure snooping on the 3550 port(connected to the hub) as "untrusted" to isolate the dhcp attack.

DHCP Snooping is a Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages while untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP Option 82, where switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Untrusted ports are those not explicitly configured as trusted. A DHCP Binding Table is built for untrusted ports. Each entry contains client MAC address, IP address, lease time, binding type, VLAN number and Port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP Snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOffer, DHCPAck, or DHCPNak.

Commands:

Switch(config)#ip dhcp snooping

-enables DHCP snooping globally

Switch(config-if)#ip dhcp snooping trust

-configures an interface as trusted

rgds,

ben

HI,Ben

I will configure dhcp snooping on Catlyst 3550 if necessary,because that is the environment of my customer's,Thanks a lot.

Regards!

MinQuant Kuo

Review Cisco Networking for a $25 gift card