Introduction: DHCP (Dynamic Host Configuration Protocol) is a crucial component of network infrastructure that dynamically assigns IP addresses to devices. However, DHCP spoofing poses a serious security threat, allowing attackers to intercept and manipulate network traffic. In this article, we will explore DHCP spoofing in detail, provide examples, and discuss effective security measures to mitigate this threat. We will also include a script for configuring security measures on Cisco switches and highlight some lesser-known aspects of DHCP spoofing.
Understanding DHCP Spoofing: DHCP spoofing occurs when an attacker impersonates a legitimate DHCP server and responds to DHCP requests from network devices. By providing false DHCP lease information, the attacker can redirect traffic, perform man-in-the-middle attacks, or launch various other malicious activities. Let’s consider an example to illustrate this:
Example Scenario: Suppose there is a network with a legitimate DHCP server (192.168.1.100) and an attacker’s device (192.168.1.200) attempting DHCP spoofing. When a client device (e.g., Laptop A) sends a DHCP request, the attacker intercepts it, responds with a false DHCP offer, and assigns Laptop A an IP address (e.g., 192.168.1.150) that belongs to the attacker’s subnet.
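As an added example that is not part of the original article, the following Python script shows the detection side of the scenario above: it parses raw DHCP messages and flags any OFFER or ACK whose server identifier (option 54) is not on an allowlist of authorised servers, which is what a network monitor listening on the client VLAN would check. The two packets are constructed for the demonstration; the addresses follow the scenario (legitimate server 192.168.1.100, attacker 192.168.1.200, offered address 192.168.1.150), while Laptop A's MAC address and the gateway/DNS values in each offer are assumptions.

```python
"""Parse DHCP messages and flag offers from servers that are not authorised.

Added example, not code from the original article. The packets below are
constructed for the demonstration; the addresses follow the article's scenario.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip4(addr):
    """Packed 4-byte form of a dotted-quad string."""
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """Build a minimal BOOTP/DHCP message (236-byte header, cookie, options, END)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                  # ciaddr
        ip4(yiaddr),                # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,       # siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(frame):
    """Extract the fields a defender cares about; raise ValueError on malformed input."""
    if len(frame) < 240 or frame[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = frame[2]
    msg = {
        "op": frame[0],
        "xid": struct.unpack("!I", frame[4:8])[0],
        "yiaddr": str(ipaddress.IPv4Address(frame[16:20])),
        "chaddr": frame[28:28 + hlen].hex(":"),
    }
    i = 240
    while i < len(frame) and frame[i] != 0xFF:   # 0xFF is the END option
        if frame[i] == 0:                        # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(frame):
            raise ValueError("option without length byte")
        code, length = frame[i], frame[i + 1]
        val = frame[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option %d" % code)
        if code == 53 and val:
            msg["type"] = MSG_TYPES.get(val[0], "UNKNOWN")
        elif code == 54 and len(val) == 4:
            msg["server_id"] = str(ipaddress.IPv4Address(val))
        elif code == 3 and len(val) >= 4:
            msg["router"] = str(ipaddress.IPv4Address(val[:4]))
        elif code == 6:
            msg["dns"] = [str(ipaddress.IPv4Address(val[j:j + 4]))
                          for j in range(0, len(val) - len(val) % 4, 4)]
        i += 2 + length
    return msg


def find_rogue_offers(frames, allowed_servers):
    """Return parsed OFFER/ACK messages whose server identifier is not allowlisted."""
    alerts = []
    for frame in frames:
        msg = parse_dhcp(frame)
        if msg.get("type") in ("OFFER", "ACK") and msg.get("server_id") not in allowed_servers:
            alerts.append(msg)
    return alerts


# Constructed sample traffic: Laptop A's MAC is an assumption; both replies answer
# the same transaction, one from the real server and one from the attacker's host.
LAPTOP_A = bytes.fromhex("0a0b0c0d0e0f")
XID = 0x1234ABCD
LEGIT_OFFER = build_dhcp(2, XID, "192.168.1.50", LAPTOP_A, [
    (53, b"\x02"), (54, ip4("192.168.1.100")),
    (3, ip4("192.168.1.1")), (6, ip4("192.168.1.1")),
])
ROGUE_OFFER = build_dhcp(2, XID, "192.168.1.150", LAPTOP_A, [
    (53, b"\x02"), (54, ip4("192.168.1.200")),
    (3, ip4("192.168.1.200")), (6, ip4("192.168.1.200")),   # attacker as gateway and DNS
])
ALLOWED_SERVERS = {"192.168.1.100"}

if __name__ == "__main__":
    for a in find_rogue_offers([LEGIT_OFFER, ROGUE_OFFER], ALLOWED_SERVERS):
        print("rogue DHCP %s from %s: offers %s, gateway %s, dns %s"
              % (a["type"], a["server_id"], a["yiaddr"], a.get("router"), a.get("dns")))
```

The allowlist check keys on the server identifier rather than the IP header because that option is what the client uses to pick a server; in a real deployment the frames would come from a capture on the client VLAN, and the alert should include the ingress port so the rogue host can be located.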
Security Measures to Mitigate DHCP Spoofing:
1. DHCP Snooping:
- Enable DHCP snooping on the switch to validate DHCP messages exchanged between clients and servers.
- Configure trusted interfaces (where legitimate DHCP servers are connected) and untrusted interfaces (where clients are connected) to enforce DHCP message validation.
Example script (Cisco Catalyst switch):
enable
configure terminal
ip dhcp snooping
ip dhcp snooping vlan <vlan_id>
! Server/uplink port: DHCP server replies (OFFER/ACK/NAK) are accepted only here
interface GigabitEthernet1/0/1
 ip dhcp snooping trust
! Client ports are untrusted (the default): server replies arriving here are dropped,
! and client DHCP traffic is rate-limited to blunt DHCP starvation floods
interface range GigabitEthernet1/0/2-24
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
end
2. Dynamic ARP Inspection (DAI):
- Enable DAI to validate Address Resolution Protocol (ARP) packets against the DHCP snooping binding table and prevent ARP spoofing, which is often used in conjunction with DHCP spoofing.
- Configure trusted interfaces (connected to legitimate DHCP servers); ARP packets on untrusted interfaces (connected to clients) are then inspected.
Example script (Cisco Catalyst switch):
enable
configure terminal
! DAI checks ARP against the DHCP snooping binding table, so snooping must be enabled first
ip dhcp snooping
ip dhcp snooping vlan <vlan_id>
ip arp inspection vlan <vlan_id>
interface GigabitEthernet1/0/1
 ip arp inspection trust
! Client ports are untrusted (the default); rate-limit ARP to blunt flooding
interface range GigabitEthernet1/0/2-24
 no ip arp inspection trust
 ip arp inspection limit rate 15
end
3. Port Security:
- Enable port security to restrict MAC addresses allowed on each switch port.
- Set the maximum number of MAC addresses per port and define the action to be taken when a violation occurs (e.g., shut down the port).
Example script (Cisco Catalyst switch):
enable
configure terminal
! Apply to the client-facing access ports, not to the trusted server/uplink port
interface range GigabitEthernet1/0/2-24
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
end
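To show how the three measures above work together, here is an added Python model, which is neither the article's code nor Cisco IOS, that applies the same rules a switch enforces once they are configured: server-side DHCP messages are accepted only on trusted ports, an ACK seen on a trusted port populates the snooping binding table, client DHCP messages on untrusted ports must carry a source MAC that matches chaddr, ARP on untrusted ports is checked against the binding table, and more than the permitted number of source MACs on a port shuts it down. Port names, MAC addresses and the traffic in demo() are constructed; the binding table is simplified to MAC -> IP, whereas a real switch also records VLAN, port and lease time.

```python
"""Simulation of DHCP snooping, Dynamic ARP Inspection and port security.

Added example; it is neither the article's code nor Cisco IOS. Port names,
MAC addresses and the traffic in demo() are constructed for the demonstration.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class Port:
    trusted: bool = False          # ip dhcp snooping trust / ip arp inspection trust
    max_macs: int = 1              # switchport port-security maximum
    seen_macs: set = field(default_factory=set)
    shutdown: bool = False         # violation shutdown (err-disabled)


class Switch:
    def __init__(self, ports):
        self.ports = ports
        self.bindings = {}         # snooping binding table, simplified to mac -> ip
        self.log = []

    def _port_security(self, name, src_mac):
        """Learn the frame's source MAC; shut the port once the limit is exceeded."""
        port = self.ports[name]
        if port.shutdown:
            return False
        port.seen_macs.add(src_mac)
        if len(port.seen_macs) > port.max_macs:
            port.shutdown = True
            self.log.append("%s: port-security violation, port shut down" % name)
            return False
        return True

    def ingress_dhcp(self, name, src_mac, msg_type, client_mac, yiaddr=None):
        """DHCP snooping rules for a DHCP message arriving on port `name`."""
        port = self.ports[name]
        if not self._port_security(name, src_mac):
            return "dropped"
        if msg_type in SERVER_MSGS and not port.trusted:
            # A server reply on a client port is the signature of a rogue DHCP server
            self.log.append("%s: %s from untrusted port dropped" % (name, msg_type))
            return "dropped"
        if msg_type in CLIENT_MSGS and not port.trusted and src_mac != client_mac:
            # MAC verification: chaddr must match the frame source (blunts starvation)
            self.log.append("%s: chaddr %s != source %s" % (name, client_mac, src_mac))
            return "dropped"
        if msg_type == "ACK" and yiaddr:
            self.bindings[client_mac] = yiaddr   # lease confirmed: record the binding
        return "forwarded"

    def ingress_arp(self, name, src_mac, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender pair must match a snooping binding."""
        port = self.ports[name]
        if not self._port_security(name, src_mac):
            return "dropped"
        if not port.trusted and self.bindings.get(sender_mac) != sender_ip:
            self.log.append("%s: DAI dropped ARP, %s claims %s" % (name, sender_mac, sender_ip))
            return "dropped"
        return "forwarded"


def demo():
    """Constructed traffic: server on Gi1/0/1 (trusted), Laptop A and an attacker on client ports."""
    sw = Switch({"Gi1/0/1": Port(trusted=True), "Gi1/0/2": Port(), "Gi1/0/3": Port()})
    server, laptop_a, attacker = "00:11:22:33:44:55", "0a:0b:0c:0d:0e:0f", "de:ad:be:ef:00:01"
    results = [
        sw.ingress_dhcp("Gi1/0/2", laptop_a, "DISCOVER", laptop_a),                 # forwarded
        sw.ingress_dhcp("Gi1/0/1", server, "OFFER", laptop_a, "192.168.1.50"),      # forwarded
        sw.ingress_dhcp("Gi1/0/2", laptop_a, "REQUEST", laptop_a),                  # forwarded
        sw.ingress_dhcp("Gi1/0/1", server, "ACK", laptop_a, "192.168.1.50"),        # binding learned
        sw.ingress_dhcp("Gi1/0/3", attacker, "OFFER", laptop_a, "192.168.1.150"),   # rogue offer dropped
        sw.ingress_arp("Gi1/0/3", attacker, attacker, "192.168.1.1"),               # gateway spoof dropped
        sw.ingress_arp("Gi1/0/2", laptop_a, laptop_a, "192.168.1.50"),              # matches binding
        sw.ingress_dhcp("Gi1/0/3", attacker, "DISCOVER", "de:ad:be:ef:00:99"),      # chaddr mismatch
        sw.ingress_dhcp("Gi1/0/3", "de:ad:be:ef:00:02", "DISCOVER", "de:ad:be:ef:00:02"),  # 2nd MAC
    ]
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    print("\n".join(switch.log))
```

The order of the checks mirrors the dependency between the features: port security acts on every frame first, DHCP snooping decides what may populate the binding table, and DAI can only be as good as that table, which is why the DAI script above enables snooping before inspection.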
Lesser-Known Aspects of DHCP Spoofing:
- DHCP Starvation: Another form of DHCP attack where an attacker floods the DHCP server with numerous DHCP requests, depleting the available IP address pool.
- Rogue DHCP Servers: Attackers can deploy unauthorized DHCP servers on the network, tricking clients into obtaining IP addresses from them.
- DHCPv6 Spoofing: DHCPv6, used for IPv6 address assignment, is also vulnerable to spoofing attacks, and similar security measures should be implemented.
Conclusion: DHCP spoofing presents a significant security risk to networks, allowing attackers