Mitigating Spoofing Attacks
dhcp snooping
ip source guard
DAI

.....................

DHCP snooping

When DHCP snooping is enabled,
1
switch ports are categorized as trusted or untrusted
Legitimate DHCP servers can be found on trusted ports
all other hosts sit behind untrusted ports
2
A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN .
3
Any DHCP replies(dhcp offer packet) coming from an untrusted port are discarded .　because they must have come from a rogue DHCP server
the offending switch port automatically is shut down in the Errdisable state
4
DHCP snooping database開始運作

...

啟動DHCP snooping功能
Switch(config)# ip dhcp snooping

指定DHCP snooping要運作的vlan
Switch(config)# ip dhcp snooping vlan < vlan-id >
各參數說明如下
[ vlan < vlan-id [vlan-id]> ] 只在指定vlan下啟動dhcp snooping

在dhcp server的所在port設成trust port
Switch(config-if)# ip dhcp snooping trust
By default, all switch ports are assumed to be untrusted

[option]
to rate-limit DHCP traffic on an untrusted port
Switch(config-if)# ip dhcp snooping limit rate < rate >
rate 指定每秒幾個dhcp packet

ex:
dhcp設定範例
Switch(config)# ip dhcp snooping vlan 104
Switch(config)# interface range fastethernet 0/35 - 36
Switch(config-if)# ip dhcp snooping limit rate 3
Switch(config-if)# interface gigabitethernet 0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config)# ip dhcp snooping

[option]
DHCP option-82
Switch(config)# [no] ip dhcp snooping information option
ps:
this feature is enabled by default
DHCP option-82, the DHCP Relay Agent Information option, which is described in RFC 3046
ps:
1. When a DHCP request is intercepted on an untrusted port
2. the switch adds its own MAC address and the switch port identifier into the option-82 field of the request.
3. The request then is forwarded normally so that it can reach a trusted DHCP server

[option]
指定DHCP snooping binding database儲存於外部位置
Switch(config)# ip dhcp snooping database < locate >
< locate > 可指定儲存在TFTP,FTP,HTTP server
ps:外部位置上需先產生一個空白檔
ps:switch和server需做NTP,以避免switch上的snooping database無法同步到server
ex:
Switch(config)# ip dhcp snooping database tftp://10.10.10.10/database
Switch(config)# ip dhcp snooping database ftp://name:password@10.10.10.11/database

..

display dhcp snooping status
Switch# show ip dhcp snooping [binding]
各參數說明如下
[binding] display all the known DHCP bindings that have been overheard
ps:
# show ip dhcp snooping畫面大致如下
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
104
Insertion of option 82 is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/35 no 3
FastEthernet0/36 no 3
GigabitEthernet0/1 yes unlimited

........................................................................................................

ip source guard
可以避免合法使用的IP被其他人盜用
IP Source Guard does this(檢視比對ip,interface,mac) by making use of the "DHCP snooping database" and "static IP source binding entries"
ps:
DHCP snooping是vlan-based
IP source guard是switch ports-based

檢測條件
Packets arriving on a switch port(untrust interface) can be tested for one of the following conditions
The source IP must be identical to the IP
　1.learned by DHCP snooping or a static entry.
　2.A dynamic port ACL is used to filter traffic.
ps:The switch automatically creates this ACL, adds the learned source IP to the ACL, and applies the ACL to the interface where the address is learned.
The source MAC must be identical to the MAC
　1.learned on the switch port and by DHCP snooping.
　2.Port security is used to filter traffic
異常動作:
If the address is something other than the one learned or statically configured,
the switch drops the packet

to configure IP source guard
Switch(config)# ip dhcp snooping
Switch(config-if)# ip verify source [port-security]
只檢查source IP和port的對應
[port-security] 在多檢查source MAC的對應

statically configured IP source binding (mac-ip-interface binding)
Switch(config)# ip source binding < mac > vlan < vlan-id > < ip > interface < interface >
在不使用ip dhcp snooping情況下,可用ip source binding靜態指定

To verify the IP source guard status
Switch# show ip verify source [interface < interface >]

to verify the information contained in the IP source binding database, either learned or statically configured
Switch# show ip source binding [ip] [mac] [dhcp-snooping | static] [interface < interface>] [vlan < vlan-id>]

......................................................................................................................

DAI(Dynamic ARP Inspection)
to help mitigate ARP poisoning or ARP spoofing
DAI works much like DHCP snooping. All switch ports are classified as trusted or untrusted
The switch intercepts and inspects all ARP packets that arrive on an untrusted port(only ingress port)
DAI is supported on access ports, trunk ports, EtherChannel ports, private VLAN ports
ps:預設每一個介面是untrust

When an ARP reply is received on an untrusted port,
1. the switch checks the MAC and IP reported in the reply packet against known and trusted values
2. If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated

gather trusted ARP information from follows
1.statically configured entries
2.dynamic entries in the DHCP snooping database (enable DHCP snooping)

enable DAI on all edge switch
DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
一但其他接在trust port的switch未用DAI,而在底下發動攻擊,the local switch will not inspect ARP packets arriving on trusted ports;

enable DAI
1
Switch(config)# ip dhcp snooping
Switch(config)# ip arp inspection [vlan < vlan-range> ]
[vlan < vlan-range> ] 指定DAI要在那個vlan作用
ps:多個vlan以commas分隔
2
Configure a trusted port
Switch(config-if)# ip arp inspection trust
通常用在連接其他switch的介面
ps:
it will assume that the neighboring switch also is performing DAI on all of its ports in that VLAN

statically configured entries
1
無dhcp下,靜態指定ip-mac binding list
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host < sender-ip> mac host < sender-mac> [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit
2
將list套用在DAI上
Switch(config)# ip arp inspection filter < arp-acl-name > vlan < vlan-range> [static]
各參數說明如下
[static] 若在access-list沒比對到,直接認定為invalid
ps:
When ARP replies are intercepted, match order as follow
1 access list entries.
2 DHCP snooping bindings database

指定DAI的檢查的順序
Switch(config)# ip arp inspection validate < src-mac | dst-mac | ip >
以下至少需設定一個
src-mac: 檢查arp-reply的src-mac
dst-mac: 檢查arp-reply的dst-mac
ip : 檢查arp-request的sender-ip,和所有arp-reply的目標ip

指定每秒可接受的arp packet
Switch(config-if)# ip arp inspection limit rate 10
用來抑制ARP DoS attack(預設為15pps),當超過時會進入error-disable狀態

ps:
離開error-disable狀態
Switch(config)# no errdisable detect cause arp-inspection
ps:
設定error-diabled-recovery時間
Switch(config-if)# errdisable recovery cause arp-inspection interval < sec >
可設定幾秒後自動離開error-disable狀態(預設為300秒)

display DAI status information
Switch# show ip arp inspection

http://www.ringline.com.tw/epaper/forum961101.htm