Cisco Training 200-125 CCNA v3.0. Day 41 DHCP Snooping and Nondefault Native VLAN

Today we will cover two important topics: DHCP Snooping and "non-default" Native VLANs. Before proceeding to the lesson, I invite you to visit our other YouTube channel, where you can watch a video on how to improve your memory. I recommend that you subscribe to this channel, as there we post a lot of useful tips for self-improvement.

This lesson is devoted to subsections 1.7b and 1.7c of the ICND2 topic. Before getting into DHCP Snooping, let's recall some points from previous lessons. If I'm not mistaken, we covered DHCP on Day 6 and Day 24; those lessons explained how a DHCP server assigns IP addresses and which messages the client and server exchange.

Typically, when an End User device joins the network, it sends a broadcast DHCP request that every device on the segment "hears". If the DHCP server is directly connected, the request reaches it directly. If there are intermediate devices, switches and routers, the request passes through them (a switch floods the broadcast; a router only forwards it if it is configured as a DHCP relay). Having received the request, the server replies with an offer of an IP address, the client answers with a request for that address, and the server confirms it, so the client's device ends up with the address. This is how obtaining an IP address works under normal conditions. In the diagram, End User receives the address 192.168.10.10 and the gateway address 192.168.10.1. After that the user can reach the Internet through this gateway or communicate with other devices on the network.

Suppose that, in addition to the real DHCP server, there is a rogue DHCP server on the network: an attacker simply runs a DHCP server on his own computer. The user, having joined the network, sends the same broadcast message, which the switch and router forward to the real server.

However, the rogue server also "listens" on the segment and, having received the broadcast, answers the user with its own offer, often before the real DHCP server does. A client accepts the first offer it receives, so the user takes the attacker's offer and ends up with an IP address handed out by the attacker, 192.168.10.2, and a gateway address of 192.168.10.95.

The process of obtaining an IP address is abbreviated DORA and consists of 4 stages: Discover, Offer, Request and Acknowledgment. As you can see, the attacker gives the device a perfectly valid IP address from the network's range, but instead of the real gateway address 192.168.10.1 "slips" it a fake one, 192.168.10.95, that is, the address of the attacker's own computer.

After that, all of the end user's traffic directed to the Internet passes through the attacker's computer. The attacker forwards it onward, and the user will not notice any difference, since he can still reach the Internet.

In the same way, return traffic from the Internet reaches the user through the attacker's computer. This is what is commonly called a Man in the Middle (MitM) attack: all of the user's traffic passes through the attacker's computer, which can read, and alter, everything the user sends or receives. This is one type of attack possible on networks that use DHCP.

The second type of attack is a Denial of Service (DoS), often called DHCP starvation. What happens here? The attacker's computer no longer acts as a DHCP server; it is now just an attacking device. It sends a Discover to the real DHCP server and receives an Offer in response, then sends a Request and receives an IP address. The attacker's computer repeats this every few milliseconds, each time with a different spoofed client MAC address, so that every exchange yields a new lease.

Depending on its configuration, a real DHCP server has a pool of a few dozen to several hundred free IP addresses. The attacker's computer collects .1, .2, .3 and so on until the pool is completely exhausted. After that the DHCP server can no longer hand out addresses: a new user joining the network will not get a free IP address. That is the point of a DoS attack on a DHCP server: to deprive it of the ability to serve new clients.

To counter such attacks, the concept of DHCP Snooping is used. It is a Layer 2 feature, implemented on switches, that filters DHCP messages much like an ACL does. To understand DHCP Snooping, two concepts need to be considered: trusted ports and untrusted ports.

Trusted ports let through any type of DHCP message. Untrusted ports are the ports to which clients are connected; DHCP Snooping drops any DHCP server message (Offer, Acknowledgment, NAK) that arrives on them, while client messages are still allowed through.

If we recall the DORA process, the D message goes from the client to the server, and the O message from the server to the client. Then the R message goes from the client to the server, and the server sends the A message to the client.

Messages D and R arriving on untrusted ports are accepted; messages such as O and A arriving there are discarded. When DHCP Snooping is enabled, all switch ports are untrusted by default. The feature is enabled globally and then per VLAN: for example, if you enable it only for VLAN10, only ports belonging to VLAN10 are policed, and they are untrusted until you say otherwise.

You, as a system administrator, when enabling DHCP Snooping, have to go into the switch configuration and mark as trusted only the ports through which legitimate DHCP server replies can arrive: the port facing the real DHCP server, or the uplink to another switch or router through which the server is reached. A port does not need to be trusted just because some other kind of server sits behind it.
The rest of the switch ports, those to which end user devices or wireless access points are connected, must remain untrusted. An access point that users connect through is therefore attached to the switch via an untrusted port.

If the attacker's computer sends server messages such as O and A to the switch, they are blocked: such traffic cannot enter through an untrusted port. This is how DHCP Snooping prevents the rogue-server attack discussed above.

In addition, DHCP Snooping builds a DHCP binding table. After a client receives an IP address from the server, that address, together with the client's MAC address, the VLAN, the lease time and the untrusted port the client is connected to, is entered into the table. The entry binds the IP and MAC address to that port.

This helps against the starvation attack as well, though the binding table alone is not what stops it. The switch can verify that the source MAC address of a Discover arriving on an untrusted port matches the client hardware address inside the DHCP message, which defeats tools that only spoof one of the two, and it can rate-limit DHCP packets per untrusted port, so a client that suddenly sends hundreds of Discovers per second gets its port err-disabled instead of draining the pool. The binding table is also what Dynamic ARP Inspection and IP Source Guard consult to check that traffic from a port really comes from the IP and MAC address leased on it.

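The following is an added configuration example, not from the lesson itself, that puts the above into Cisco IOS commands on an access switch. It assumes clients live in VLAN 10 on GigabitEthernet0/2 through 0/24 and that the legitimate DHCP server is reached through the uplink GigabitEthernet0/1; interface names and VLAN numbers are illustrative.

```cisco
! Added example (not from the lesson). Assumed topology: clients in VLAN 10 on
! Gi0/2-24, DHCP server reachable only through uplink Gi0/1.
!
! 1. Turn snooping on globally and for the client VLAN.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
!
! 2. The switch inserts DHCP option 82 by default. A server that is not
!    relay-aware may drop requests carrying option 82 with giaddr 0.0.0.0, so
!    disable insertion here (or allow it on the upstream device).
Switch(config)# no ip dhcp snooping information option
!
! 3. Keep the binding table across reloads; DAI and IP Source Guard depend on it.
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db
!
! 4. Only the path toward the real DHCP server is trusted.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description Uplink toward DHCP server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! 5. Client ports stay untrusted (the default). A rate limit makes a
!    starvation tool err-disable its own port instead of draining the pool.
Switch(config)# interface range GigabitEthernet0/2 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
!
! 6. Let a port that tripped the rate limit come back by itself (300 s default).
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# end
!
! 7. Verify: which VLANs are snooped, which ports are trusted, and the bindings.
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

The `show ip dhcp snooping binding` output lists, per lease, the MAC address, IP address, remaining lease time, VLAN and interface, which is exactly the binding described above. The rate limit of 15 packets per second is deliberately generous for a single host; the aim is to catch a flood, not a PC that renews its lease.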

The next thing we need to discuss is Nondefault, or "non-default", Native VLANs. We have touched on VLANs repeatedly, devoting 4 video lessons to them. If you have forgotten what a VLAN is, I advise you to review those lessons.

We know that on Cisco switches the default Native VLAN is VLAN1. There is a class of attacks called VLAN Hopping. Suppose the first computer in the diagram is connected to the first switch by an access port in the default native VLAN1, and the second computer is connected to the second switch by a port in VLAN10. A trunk is configured between the switches.

Normally, when traffic from the first computer arrives at the switch, the switch knows that the port the computer is connected to belongs to VLAN1. The traffic then enters the trunk between the two switches, and the first switch reasons as follows: "this traffic came from the Native VLAN, so I don't need to tag it," and forwards it untagged across the trunk to the second switch.

Switch 2, having received untagged traffic, reasons: "since this traffic is untagged, it belongs to VLAN1, so I must not deliver it into VLAN10." As a result, the traffic sent by the first computer cannot reach the second computer.

That is exactly how it should be: VLAN1 traffic must not get into the VLAN10 network. Now imagine that an attacker sits at the first computer and crafts a frame with two 802.1Q tags: an outer tag for VLAN1, the native VLAN, and an inner tag for VLAN10. Because the outer tag matches the native VLAN, the first switch treats the frame as native-VLAN traffic and, as native VLAN traffic is sent untagged across the trunk, strips that outer tag. What leaves the trunk is a frame that still carries the VLAN10 tag, a tag that was created by the attacker, not by the first switch.

Since the second switch cannot tell who added the VLAN10 tag, it simply delivers the frame to the second computer. This is how a VLAN Hopping attack (specifically, double tagging) works: the attacker injects traffic into a network that was originally inaccessible to him. Note that it only works one way, the attacker cannot receive replies this route, and only because the attacker's access VLAN coincides with the trunk's native VLAN. The defence, therefore, is to replace the Native VLAN with something other than VLAN1.

To prevent such attacks, you create an unused VLAN that no access port belongs to, for example VLAN999, VLAN666 or VLAN777, so that an attacker has no way of sending traffic in it. Then you go to the trunk ports of the switches and configure them to use, say, VLAN666 as the Native VLAN. In this case we change the Native VLAN on the trunk ports from VLAN1 to VLAN666, that is, we use any VLAN other than VLAN1, and other than any VLAN users sit in, as the Native VLAN.

The ports on both ends of the trunk must be configured with the same Native VLAN; otherwise the switches report a native VLAN mismatch (CDP flags it in the log), and frames sent untagged by one side land in the wrong VLAN on the other.

After this change, if an attacker attempts the VLAN Hopping attack, he will not succeed: his outer tag, VLAN1, no longer matches the trunk's Native VLAN, so the first switch does not strip it, and the frame crosses the trunk tagged as VLAN1 and stays in VLAN1 on the far side. This is the method of protecting against the attack by using a non-default native VLAN.
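The following is an added configuration example, not from the lesson, showing the trunk and access-port settings that implement this defence on Cisco IOS. It assumes GigabitEthernet0/24 is the inter-switch trunk, user VLANs are 10 and 20, and VLAN 666 is an otherwise unused VLAN reserved as the native VLAN; interface and VLAN numbers are illustrative, and the same trunk settings must be applied on the second switch.

```cisco
! Added example (not from the lesson). Assumed: Gi0/24 is the trunk, users are
! in VLANs 10 and 20, VLAN 666 exists only to serve as the native VLAN.
!
! 1. Create the reserved VLAN so the trunk has something to use as native.
Switch1(config)# vlan 666
Switch1(config-vlan)# name NATIVE-UNUSED
Switch1(config-vlan)# exit
!
! 2. Trunk: static, no DTP, non-default native VLAN, explicit allowed list.
Switch1(config)# interface GigabitEthernet0/24
Switch1(config-if)# description Trunk to Switch2
! The next line is only needed on platforms that still support ISL.
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
! Disable DTP so a host cannot negotiate the port into a trunk.
Switch1(config-if)# switchport nonegotiate
Switch1(config-if)# switchport trunk native vlan 666
! VLAN 666 carries no user traffic, so it is not even in the allowed list.
Switch1(config-if)# switchport trunk allowed vlan 10,20
Switch1(config-if)# exit
!
! 3. Optional hardening: tag the native VLAN too, so nothing leaves the trunk
!    untagged and the outer-tag-stripping step never happens.
Switch1(config)# vlan dot1q tag native
!
! 4. Access ports: pin the mode (no DTP) and keep users out of VLAN 1.
Switch1(config)# interface range GigabitEthernet0/1 - 23
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# switchport nonegotiate
Switch1(config-if-range)# exit
Switch1(config)# end
!
! 5. Verify on both switches that the native VLAN matches.
Switch1# show interfaces trunk
```

The `show interfaces trunk` output shows the mode, encapsulation, status and native VLAN per trunk port; compare it on Switch2 before trusting the trunk. Disabling DTP matters as much as moving the native VLAN: the other form of VLAN hopping is for a host to negotiate its access port into a trunk, after which it can tag frames for any VLAN directly.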

Source: habr.com