Difference between revisions of "DHCP spoof attack"
From Teknologisk videncenter
m (→Show command) |
m |
||
| Line 2: | Line 2: | ||
= Protecting against DHCP spoof attack = | = Protecting against DHCP spoof attack = | ||
On the ''access'' switches you can protect against spoofing | On the ''access'' switches you can protect against spoofing | ||
| − | < | + | <source lang="cli"> |
ip dhcp spoofing | ip dhcp spoofing | ||
interface GigabitEthernet0/1 | interface GigabitEthernet0/1 | ||
description Trunk to Distribution layer and DHCP server | description Trunk to Distribution layer and DHCP server | ||
ip dhcp snooping trust | ip dhcp snooping trust | ||
| − | </ | + | </source> |
= Show command = | = Show command = | ||
| − | < | + | <source lang="cli"> |
| − | Switch# show ip dhcp snooping | + | Switch# <input>show ip dhcp snooping</input> |
Switch DHCP snooping is enabled | Switch DHCP snooping is enabled | ||
DHCP Snooping is configured on the following VLANs: | DHCP Snooping is configured on the following VLANs: | ||
| Line 20: | Line 20: | ||
FastEthernet0/2 no 20 | FastEthernet0/2 no 20 | ||
GigabitEthernet0/1 yes none | GigabitEthernet0/1 yes none | ||
| − | </ | + | </source> |
*See example [[Netband Project - DHCP Snooping]] | *See example [[Netband Project - DHCP Snooping]] | ||
*See hackipedia [http://www.hakipedia.com/index.php/DHCP_Starvation DHCP_Starvation] | *See hackipedia [http://www.hakipedia.com/index.php/DHCP_Starvation DHCP_Starvation] | ||
| + | {{#css: | ||
| + | pre { font-family: Lucida Console; font-weight: bold; font-size: 14px; color: #00FF00; background: black; margin: 10px 50px; width: 800px; line-height: 200%; overflow: auto;} | ||
| + | }} | ||
[[Category:Network]][[Category:Security]][[Category:CCNP]][[Category:CCNP3]] | [[Category:Network]][[Category:Security]][[Category:CCNP]][[Category:CCNP3]] | ||
Revision as of 18:38, 2 July 2009
A DHCP Spoof attack is a illegal DHCP server setup in a LAN environment which configures the clients with wrong IP information. The illegal DHCP server can configure the clients with it self as the default gateway, in which case all non-local traffic will be sent to the illegal DHCP server where the intruder can inspect or alter the packets before they are sent on to the real gateway. this is known as a man in the middle attack.
Protecting against DHCP spoof attack
On the access switches you can protect against spoofing
ip dhcp spoofing
interface GigabitEthernet0/1
description Trunk to Distribution layer and DHCP server
ip dhcp snooping trustShow command
Switch# <input>show ip dhcp snooping</input>
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled
Interface Trusted Rate limit (pps)
--------- ------- ----------------
FastEthernet0/1 no 20
FastEthernet0/2 no 20
GigabitEthernet0/1 yes none- See example Netband Project - DHCP Snooping
- See hackipedia DHCP_Starvation