Cisco CCIE Security 350-701 Topic: L2-Security Advanced Part 2
December 16, 2022

6. DHCP Spoofing Attack – DHCP Spoofing

In this video, we'll talk about what a MAC address spoofing attack is, how it generally happens, and how the port security feature is used to prevent this kind of attack. In a MAC address spoofing attack, the attacker presents false MAC address information, which can be used to introduce a man-in-the-middle attack. Let's take an example. In my scenario I have a user A, whose MAC address is A, and another user, B.

These two users are trying to communicate with each other. Normally, whenever a frame arrives, the switch updates its MAC address table with the frame's source MAC and the ingress port. User A is connected on port 1 and user B on port 2, so the table has entries for ports 1 and 2 with the MAC addresses A and B. Now there is an attacker in the LAN, connected on, say, port 10, and the attacker tries to feed the switch incorrect information. In the normal case, communication goes from A to B with source MAC A and destination MAC B. The attacker now pretends to be B: instead of sending with his own MAC address, X, he sends frames with source MAC B. The switch learns this and updates the entry in its MAC table.

It may move MAC B from port 2 to port 10. So the traffic that was supposed to go directly from port 1 to port 2 now goes to the attacker. The attacker can then forward it on to B, and spoof A's MAC address in the other direction as well, so that A believes it is talking to B and B believes it is talking to A while the attacker relays the traffic between them. The traffic that should flow directly between the two users, A and B, does not go directly; it goes to the attacker, who then sends it on to B. We call this a man-in-the-middle attack: the attacker can see, and extract, all the communication between the two devices. This is known as a MAC spoofing, or MAC address spoofing, attack, in which the attacker provides incorrect MAC address information and pretends to be someone else on the network. He can find valid MAC addresses by using packet capturing tools and then impersonate one of them. Now, how can we overcome this kind of attack? We can use the port security feature, the same feature that we discussed previously.

With port security, I can manually bind MAC addresses to specific ports. Let's take an example. Ports 1 to 3 have correct bindings. If traffic is received from the MAC address that is bound to that port, the switch accepts it. But take port 4, where the bound MAC address is B: if that port receives a frame from any other MAC address that is not part of the binding, the switch simply drops that traffic. So port security lets us bind MAC addresses to port numbers, and a port accepts traffic only from the MAC addresses that are bound to it.

In this way we can prevent MAC spoofing attacks, because any frame with an unauthorized MAC address that is not part of the binding is simply dropped. To make this possible we use the port security options we have already discussed. We can define a maximum of, say, two MAC addresses, and we can do manual binding: on port 1, I define which MAC addresses may be learned. So I can say that on port 1 only the MAC addresses AA and AB should be learned, with the maximum set to two. Two different MAC addresses are then allowed on port 1, and if the port sees any other MAC address, say XY, the switch will not accept traffic from that address on this port.

According to the default violation action, shutdown, the switch will then disable the port (it goes into the err-disabled state). Alternatively we can use dynamic binding, the "sticky" option, which does the binding automatically. Let's say I define the maximum as two, and initially port 1 has no MAC entries, because dynamically learned entries age out and are removed automatically. With sticky learning, the first MAC address the port learns, say AB, is bound to port 1, and the next one it learns, AC, is bound as well. So every time a new MAC address is learned on that port it is automatically bound to port 1, and in my scenario, when a third MAC address appears, that triggers the default violation action.

The maximum is two, so only two MAC addresses can be bound, and with sticky they are bound dynamically; we don't need to type "mac-address" followed by each address. If you do it manually, you need to know the MAC addresses and configure AB and AC on two separate lines. With the sticky option the binding happens automatically instead. So port security prevents MAC address spoofing attacks, where an attacker spoofs another host's MAC address, by pinning MAC addresses to specific ports.
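As an added example, not taken from the video, here is a Cisco IOS port-security configuration for the two options described above: manual binding on one port and sticky learning on another, each with a violation action. The interface names and the MAC addresses 0000.0000.00aa/00ab are constructed for illustration.

```cisco
! Added example (not from the course); interface names and MAC addresses are constructed.
! Port 1: manual binding. Only the two listed MACs may appear as a source on Fa0/1.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.0000.00aa
 switchport port-security mac-address 0000.0000.00ab
 ! shutdown is the default violation action: a third source MAC err-disables the port
 switchport port-security violation shutdown
!
! Port 2: sticky learning. The first two source MACs seen are written into the
! running config as if typed by hand; a third one triggers the violation action.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! restrict drops the offending frames and counts/logs them instead of disabling the port
 switchport port-security violation restrict
!
! Optional: bring an err-disabled port back automatically (default timer is 300 seconds)
errdisable recovery cause psecure-violation
!
! Verification
! show port-security interface FastEthernet0/1   -> status, violation mode, violation count
! show port-security address                     -> secure MACs configured/learned per port
! show running-config interface FastEthernet0/2  -> sticky MACs appear as "mac-address sticky xxxx.xxxx.xxxx"
```

Two caveats a practitioner wants: sticky addresses only survive a reload if you save the running configuration, and with "violation shutdown" a single spoofed frame takes the port, and the legitimate host behind it, offline, so "restrict" is the usual choice where availability matters more than a hard stop.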

7. DHCP Snooping – Configuration

In this video, we'll see the verification of the DHCP snooping feature. Before we get into the actual lab, let me explain the basic setup and what we are doing here. In this lab we are going to configure DHCP snooping on the switch. The switch is connected to two distinct devices, and on port 1 it connects to the router that serves as my DHCP server. I also have a rogue DHCP server here. I want to ensure that the client only gets IP addresses from the valid DHCP server on port 1. So we are going to enable DHCP snooping and configure that particular port as a trusted port, which ensures that DHCP offer messages are accepted only from that port. That's what we are going to see.

On the switch command line, I already have VLAN 10 created, and I'm going to put ports 1, 2 and 3 into VLAN 10. I also have port 5, which connects to the PC from which I'm accessing this switch, in VLAN 10. So these ports are already in the VLAN, and this basic set of configurations is already done. If you verify the configuration, I have configured the IP addresses as per the diagram: the DHCP server has the IP address 192.168.1.100, and the switch has its own address in the same network.

The rogue DHCP server has the IP address 192.168.1.200. These are the static IP addresses I am assigning to these particular devices. I also added another router, router 3, which serves as my DHCP client, and I want to ensure that this client gets an IP address automatically from the valid DHCP server. If you look at the configuration, all four ports, port 1, port 2, port 3 and port 5 (the host from which I'm accessing the switch via telnet), are in the same VLAN 10. I enabled the PortFast feature just to speed up convergence, so that the ports bypass the spanning-tree listening and learning states, and all of these ports are in the "no shutdown" state. The remaining ports that I'm not using are left shut down.

The first thing we'll do is configure the router that acts as the DHCP server, before we enable DHCP snooping, and then verify whether this DHCP server provides an IP address to the client. Let's go to the router 1 command line. Router 1's IP address is 192.168.1.100; this is my DHCP server. On it I configure a DHCP pool named CCIE, with the network 192.168.1.0 and a /24 subnet mask, and then the default router, 192.168.1.100. I'm not going with any other configuration, just the basic DHCP configuration: the 192.168.1.0 network with .100 as the gateway. Next we'll verify the same thing on the client side. Before I continue, if you want to look at the pool configuration, you can do so here. Now I have my client; let me log into it, via the console.

This is my DHCP client, which is a router acting as a client, not a server. Let me change the host name. I actually got my console connection on the other device; this is my client, router 3. Right now router 3 is connected via interface F0/0, with no IP address configured. I'll go straight to interface F0/0, configure "ip address dhcp", and bring the interface up with "no shutdown". Once the interface is up, I should expect my DHCP client to get an IP address from the server. Let me go to the switch and verify port 3, the interface F0/3 that the client is connected to. Interface F0/3 is in the shutdown state, so I have to issue "no shutdown" there. That was the problem: the port on the switch was shut down.

Now I should also check that PortFast is already enabled, and I expect the client to get an IP address. The interface is up, and you can see a console log message saying that the interface has been assigned an IP address. This is very basic DHCP verification, which we did in our DHCP topic as well, but our main intention is to make DHCP snooping work. The next step is to enable DHCP snooping on the switch so that DHCP offer messages are accepted only from trusted ports. The first command enables DHCP snooping globally, then we enable it for VLAN 10, and I want the DHCP snooping binding database to be stored in flash with the file name dhcp.txt. So let's go to the command line of the switch; the first command is "ip dhcp snooping".

Then I enable DHCP snooping for VLAN 10 (you can enable it for other VLANs too), and then I configure the DHCP snooping database to be stored in flash as dhcp.txt. Once you enable it, "show ip dhcp snooping" shows that DHCP snooping is enabled, but there are no trusted ports yet. Let's verify after enabling DHCP snooping: on the client I run "release dhcp FastEthernet0/0", which releases the IP address that was automatically assigned to the interface. Then I shut down F0/0 and bring it back up so that the client contacts the DHCP server again for an address. Once the interface comes back up, I should see that the client does not get an IP address, because DHCP snooping is now active when the client sends its DHCP discover.

The client sends a discover to find the DHCP server and then a request, and the DHCP server tries to send an offer. But by default, once you enable DHCP snooping, all ports are treated as untrusted, and untrusted ports will not forward DHCP server messages such as offers. What we need to do is configure this particular port as a trusted port, because this is the port from which we receive the DHCP offer messages. So on the switch, under interface F0/1, we add "ip dhcp snooping trust". This command applies only to that specific port, F0/1, and when I verify with "show ip dhcp snooping", F0/1 is listed as a trusted port, which means this port is allowed to forward DHCP offer messages.

But there is one more thing we need to do here. By default, when you enable DHCP snooping, the switch also inserts the DHCP relay agent information option, option 82, into the client's DHCP packets, but it leaves the giaddr (gateway address) field at 0.0.0.0 rather than setting it to one of its own IP addresses. When an IOS router is the DHCP server, by default it will not accept, or in simpler terms it will reject, DHCP messages that carry option 82 with a giaddr of zero. To fix this, we either disable the option insertion on the switch or configure the server to trust the relay information. That's something we'll do next. So by default the issue is that the switch inserts an option but leaves giaddr at zero, where the IOS DHCP server expects a relay agent address.

To fix this, either we instruct the DHCP server to trust the relay information, with "ip dhcp relay information trust-all" globally or "ip dhcp relay information trusted" on the specific interface, or we disable the insertion of the option on the switch with "no ip dhcp snooping information option". In this scenario I'm going to disable the option, because until you do, the DHCP server will not process the client's request; enabling DHCP snooping automatically enables the relay information option as well. So on the switch I enter "no ip dhcp snooping information option". Once it is disabled, I go back to the client, shut down the interface and bring it back up with "no shutdown", and I expect my client to get an IP address from the DHCP server. The interface is up, and once it is up I expect the client to get an IP address.

I should see some log messages here, and we can see that the client gets an IP address, 192.168.1.x from the pool range. The reason is that, even though DHCP snooping is enabled on this switch, port F0/1 is a trusted port. If you have any rogue DHCP server connected to another port, that port is untrusted by default, so the switch will not forward its offer messages; it simply drops them. This way we prevent any rogue DHCP server from assigning IP addresses to clients. To verify, we can use some specific show commands. On the switch, "show ip dhcp snooping" shows that the insertion of option 82 is disabled and that F0/1 is my trusted port. After that we can use "show ip dhcp snooping binding".

There I can see that DHCP snooping has bound the client's MAC address to its IP address on port 3, in VLAN 10. We can also use "show ip dhcp snooping database", which shows that the database is written to flash as the dhcp.txt file, and "show flash" lists that file. If you want more verification, you can add this task to the workbook and also enable debug commands to verify the same. In my lab I'm also setting up a rogue DHCP server: if you disable the DHCP snooping feature, there's a chance that this rogue DHCP server provides IP configuration to the clients. You can try those options in the lab by configuring a rogue DHCP server. With DHCP snooping enabled, the switch will not allow that rogue DHCP server to provide an IP address to the clients.

So that is not allowed here. But if you disable the DHCP snooping feature, any of these DHCP servers can provide an IP address. I added multiple tasks to the lab workbook where you can see the rogue DHCP server I configured, verify on the client side, release the IP address, and remove the DHCP configuration from the valid server, after which the client takes an address from whichever server answers. In the next task I removed the valid DHCP server, then disabled that link and the DHCP server itself, and the client got its IP address from the rogue DHCP server. You can try these options by disabling the features. The main intention of this lab is to verify the DHCP snooping feature: once we configure the port to the valid server as a trusted port, clients only get their IP addresses from that server.
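The lab above end to end, as an added example that is not the course's own configuration: the DHCP pool on router 1, the switch-side DHCP snooping configuration, the client, and the two alternative fixes for the option-82/giaddr problem. Addresses follow the lab (192.168.1.0/24, valid server at .100, rogue at .200); the interface names, the excluded-address range and the descriptions are my assumptions.

```cisco
! Added example (not from the course). Interface names and the excluded range are assumptions.
! ---- Router 1 (valid DHCP server, 192.168.1.100) ----
! assumption: keep the static hosts (.100 server, .200 rogue, switch) out of the pool
ip dhcp excluded-address 192.168.1.100 192.168.1.254
ip dhcp pool CCIE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.100
!
! Fix A for option 82: accept relay-agent information arriving with giaddr 0.0.0.0.
! Use either Fix A here or Fix B on the switch; one of them is enough.
ip dhcp relay information trust-all
! ...or only on the interface facing the switch:
! interface FastEthernet0/0
!  ip dhcp relay information trusted
!
! ---- Switch ----
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping database flash:dhcp.txt
! Fix B: do not insert option 82 at all, so an unmodified IOS server accepts the packets
no ip dhcp snooping information option
!
interface FastEthernet0/1
 description to R1 (valid DHCP server)
 switchport access vlan 10
 ! trusted: the only port whose DHCPOFFER/ACK/NAK are forwarded into the VLAN
 ip dhcp snooping trust
!
interface FastEthernet0/2
 description to rogue DHCP server
 switchport access vlan 10
 ! untrusted (default): server-side messages from here are dropped
!
interface FastEthernet0/3
 description to R3 (DHCP client)
 switchport access vlan 10
 spanning-tree portfast
 ! untrusted (default): DISCOVER/REQUEST pass, and the resulting lease
 ! (MAC, IP, VLAN, port) is recorded in the binding table
!
! ---- Router 3 (DHCP client) ----
interface FastEthernet0/0
 ip address dhcp
 no shutdown
!
! Verification on the switch
! show ip dhcp snooping          -> enabled VLANs, option-82 state, trusted interfaces
! show ip dhcp snooping binding  -> R3's MAC / IP / lease time / VLAN 10 / Fa0/3
! show ip dhcp snooping database -> agent URL flash:dhcp.txt and last write status
```

The binding table this produces is what dynamic ARP inspection and IP source guard consume later, so writing it to flash (or a TFTP/FTP URL) matters: after a reload an empty table means every existing client looks unknown until it renews its lease.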

8. DHCP Starvation Attack – Mitigation

A DHCP starvation attack targets the DHCP server, which is typically configured with a range of IP addresses to hand out, say around 200 addresses. The attacker floods the DHCP server with requests using spoofed MAC addresses: every request carries a different fake source MAC, generated by a tool, and each time the DHCP server sees a request from a new MAC it leases out another IP address from the range. If the attacker spoofs more than 200 MAC addresses, all the IP addresses in the range get assigned and bound to those fake MACs. When a valid host then sends a discover to the DHCP server, the server has no IP address left to assign. This is what we call a DHCP starvation attack: the valid host cannot get an IP address because there are no addresses left with the DHCP server to assign.
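The mitigation side of this heading, as an added example that is not in the original text: on a Cisco IOS switch the two controls are the port-security MAC limit from the earlier section (the attack needs many source MACs on one port) and the per-port DHCP snooping rate limit on client DHCP packets. The interface names, the thresholds and the recovery timer are my assumptions.

```cisco
! Added example; interface names and thresholds are assumptions.
! Prerequisite: DHCP snooping enabled globally and on the access VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
! On by default: drop DHCP packets whose client hardware address (chaddr) does not
! match the Ethernet source MAC, so a tool cannot vary chaddr behind one real MAC
ip dhcp snooping verify mac-address
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 ! 1) A starvation tool must cycle through many source MACs on one port.
 !    Port security caps the port at one learned MAC; the second one is a violation.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! 2) Cap DHCP packets from this untrusted port at 10 per second.
 !    Exceeding the limit err-disables the port.
 ip dhcp snooping limit rate 10
!
! The trusted server-facing port carries many leases: no rate limit, no port security
interface FastEthernet0/1
 ip dhcp snooping trust
!
! Let a port that tripped the rate limit come back after 60 seconds
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 60
!
! Verification
! show ip dhcp snooping                         -> "Rate limit (pps)" column per interface
! show port-security interface FastEthernet0/3  -> max 1, violation count
! show errdisable recovery                      -> dhcp-rate-limit enabled, timer
```

Keep the rate limit well above a legitimate burst (a hub or IP phone with a PC behind it sends more than one client's DHCP traffic) and never apply it to the trusted uplink, or a busy server port will err-disable itself under normal load.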

9. ARP Spoofing Attack – DAI

In this video, we'll talk about dynamic ARP inspection, which prevents ARP spoofing attacks. First we'll talk about what an ARP spoofing attack is and how it works, and then we'll see the solution, DAI (Dynamic ARP Inspection). An ARP spoofing attack is built on ARP messages, that is, the ARP request and reply messages.

ARP spoofing allows a host to spoof the MAC address for a specific IP address. Take an example: there is a target computer, the source, with the IP address 192.168.1.1, which is supposed to communicate with the router at 192.168.1.100. Normally the traffic from .1 to .100 goes directly through the switch to the router, because whenever you send a packet from 192.168.1.1 to 192.168.1.100, the ARP protocol first resolves the IP address to a MAC address. Let's say the MAC addresses of the source and destination are AA and AB. The device sends an ARP broadcast request asking who has .100 and what its MAC address is, the router replies with its MAC address, and communication between the two devices then takes place based on those MAC addresses.

ARP is the protocol that resolves an IP address to a MAC address in the LAN, because switches only understand MAC addresses, while we generally use IP addresses for communication. The ARP spoofing attack takes advantage of this protocol. When the user at .1 sends a broadcast ARP request for .100, there might be an attacker sitting on the same LAN. The attacker responds falsely, claiming to be .100 and that its MAC address is XY. The target computer then thinks the attacker is its gateway, the device through which it reaches the outside network, and sends its traffic to the attacker.

The attacker then does the same in the other direction, replying on behalf of the target to the router, so that traffic between the two passes through him. Whatever the source sends to the gateway goes to the attacker, who forwards it on to the router, and all the traffic goes through the attacker; that is what we call a man-in-the-middle attack. Because of the false ARP information provided by the attacker, the traffic that is supposed to go directly between these two devices does not go directly; it goes via the attacker. We call this a poisoned ARP cache, or an ARP spoofing attack. We want the switches to implement something to ensure this kind of attack does not happen in your LAN. To prevent false ARP information from attacker devices, we use a solution called dynamic ARP inspection. With DAI, the switch keeps IP-to-MAC binding entries, tracking the IP address and the MAC address of each device. This binding information can be based on either the DHCP snooping binding database or static ARP ACLs; those are the two options we have.

If you have DHCP running in your network, the DHCP server provides the IP addresses to the clients, and the switch, through DHCP snooping, keeps track of the IP-to-MAC information. So the switch checks the MAC-to-IP information against the DHCP snooping binding database. If no DHCP server is running in your network, we can make manual binding entries by using ARP ACLs. So there are two options: use the existing DHCP snooping database, telling the switch that whenever an ARP packet arrives on a given port it should check the database to see whether the IP address and MAC address match, or configure ARP access lists on the switch for verification. We'll see both options here. Once this IP-to-MAC binding information exists, when an ARP packet arrives the switch performs an inspection: if an ARP reply arrives claiming that an IP address belongs to MAC B, or if the attacker sends any ARP information, the switch checks the database and validates the ARP reply.

If it matches the database, the switch allows the traffic; if the ARP reply does not match the database, it simply drops it. So the switch validates the source IP and MAC information against the binding information built via DHCP snooping or ARP ACLs, and that is how the switch prevents ARP spoofing attacks. By default, whenever you enable dynamic ARP inspection, all ports are untrusted. Untrusted means every port has to go through DAI checking: each interface is untrusted, and its ARP packets are validated against the IP-to-MAC binding database.

If you want to bypass this inspection on some specific ports, say in my scenario I have a switch, a computer and a server, and I don't want a particular port to go through dynamic ARP inspection, we can configure that port as a trusted port. Whichever port is configured as trusted is exempt from DAI verification. So that is what we do with DAI: it prevents ARP spoofing attacks by using IP-to-MAC binding information, built either from the DHCP snooping database or manually with an ARP access list. DAI associates each interface with a trusted or untrusted state; by default every port is untrusted, untrusted ports go through DAI verification, and any port you configure as trusted bypasses DAI validation.

Now let's look at the two options in more detail. One option is to use the DHCP binding information, which is built automatically from the DHCP exchange; to make this possible you just need to have the DHCP snooping feature enabled. Once DHCP snooping is enabled, the switch validates the IP-to-MAC information against the DHCP snooping binding table that has already been built. If you are not using a DHCP server, we manually configure an ARP access list, in which we specify the IP addresses and MAC addresses of the hosts. Every untrusted port goes through this validation, which means that if an ARP reply comes from a source and matches the configured MAC address, only then is that traffic permitted; otherwise, if it does not match the database, it is simply dropped.

We can apply this ACL for VLAN 10, VLAN 20 or VLAN 30, whatever VLANs the switch has. This is the complete configuration, which we'll verify in detail in the lab in the next videos; let me just give you an overview. We enable the DHCP snooping feature to get the DHCP binding information, because in large networks DHCP servers are used to provide IP addresses to clients, and when an address is provided the switch keeps track of the MAC and IP address given to each device. So if you want the DHCP binding to work, you need to enable the DHCP snooping feature. And then we can also create some manual entries.

In the lab we are not going to use DHCP information; we'll use manual bindings. I have two routers connected here, with the MAC addresses shown in the diagram. I'm going to bind them so that if an ARP reply comes from the first device and matches its MAC address it is permitted, and the same for the second. Then we apply this to ARP inspection for VLAN 10, for all the devices in VLAN 10, and filter the traffic: anything matching the configured source IP-to-MAC information is permitted, and anything that does not match is discarded. We can also configure a particular port as a trusted port; by default all ports are untrusted. In my final scenario I'm using a computer to telnet to the rack switch, and I want that port to bypass DAI validation so that telnet keeps working, so we go to that interface and simply configure it as trusted. There are two options to make this work: if you don't want to bypass inspection on that port, you add an entry for that host to the ARP ACL; if you want to bypass it, you configure the port as trusted.

So there are two options: bypass DAI on the port by configuring it as trusted, or manually add the entry to the ACL, in which case telnet still works because the entry is present. In my lab scenario I'm going with the trusted option, and as one more option we can also confirm it as trusted. We'll verify this in more detail with live scenarios. For verification we use the command "show ip arp inspection vlan 10", which shows that ARP inspection is enabled for VLAN 10 and which ARP ACL it matches against; anything that matches is permitted, and anything not matching is denied.
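The DAI configuration walked through above, as an added example that is not the course's lab file: static bindings via an ARP ACL for the two hosts, the filter applied to VLAN 10, a trusted port for the management PC, and the verification commands. The MAC addresses 0000.0000.00aa/00ab, the host IPs .1 and .2, and the interface names are my assumptions.

```cisco
! Added example; MAC addresses, host IPs and interface names are assumptions.
! Static IP-to-MAC bindings for the two routers in the diagram
arp access-list DAI-VLAN10
 permit ip host 192.168.1.1 mac host 0000.0000.00aa
 permit ip host 192.168.1.2 mac host 0000.0000.00ab
 ! implicit deny: any other sender IP/MAC pair in an ARP packet is dropped
!
! Turn DAI on for the VLAN; every port in it is untrusted until told otherwise
ip arp inspection vlan 10
! Check VLAN 10 ARP packets against the ACL. "static" means: on no match, drop,
! without falling back to the DHCP snooping binding table.
ip arp inspection filter DAI-VLAN10 vlan 10 static
! Extra checks: Ethernet src MAC == ARP sender MAC, Ethernet dst MAC == ARP target MAC
! (replies), and reject sender/target IPs of 0.0.0.0, 255.255.255.255 or multicast
ip arp inspection validate src-mac dst-mac ip
!
interface FastEthernet0/5
 description management PC (telnet to the switch)
 switchport access vlan 10
 ! Trusted: ARP from this port bypasses inspection entirely.
 ! Alternative: leave it untrusted and add the PC's IP/MAC to DAI-VLAN10.
 ip arp inspection trust
!
interface FastEthernet0/1
 switchport access vlan 10
 ! untrusted (default); 15 pps is also the default cap on incoming ARP,
 ! above which the port err-disables, which blunts ARP-flood tools
 ip arp inspection limit rate 15
!
! Verification
! show ip arp inspection vlan 10             -> enabled, ACL name, static/dynamic, validate flags
! show ip arp inspection interfaces          -> trust state and rate limit per port
! show ip arp inspection statistics vlan 10  -> forwarded vs dropped (ACL drops, DHCP drops)
! show ip arp inspection log                 -> sender IP/MAC and port of dropped ARP packets
```

Without the "static" keyword the ACL is consulted first and the DHCP snooping bindings second, which is the right setting on a VLAN where most hosts use DHCP and only servers or printers need static entries; with static bindings alone, a host whose NIC is replaced stops resolving ARP until the ACL is updated.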
