Mitigating Spoofing Attacks: DHCP snooping, IP Source Guard, DAI
........................................

DHCP snooping

When DHCP snooping is enabled:
1. Switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports; all other hosts sit behind untrusted ports.
2. The switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN.
3. Any DHCP replies (DHCP offer packets) coming from an untrusted port are discarded, because they must have come from a rogue DHCP server. The offending switch port is automatically shut down in the errdisable state.
4. The DHCP snooping binding database starts operating, recording the bindings overheard in the legitimate DHCP exchanges.

Enable the DHCP snooping feature:
    Switch(config)# ip dhcp snooping

Specify the VLANs on which DHCP snooping operates:
    Switch(config)# ip dhcp snooping vlan <vlan-id>
Parameters:
    [vlan <vlan-id [vlan-id]>]  enable DHCP snooping only on the specified VLANs

Configure the port where the DHCP server sits as a trusted port:
    Switch(config-if)# ip dhcp snooping trust
By default, all switch ports are assumed to be untrusted.

[option] Rate-limit DHCP traffic on an untrusted port:
    Switch(config-if)# ip dhcp snooping limit rate <rate>
    rate: number of DHCP packets allowed per second

ex: DHCP snooping configuration example
    Switch(config)# ip dhcp snooping vlan 104
    Switch(config)# interface range fastethernet 0/35 - 36
    Switch(config-if)# ip dhcp snooping limit rate 3
    Switch(config-if)# interface gigabitethernet 0/1
    Switch(config-if)# ip dhcp snooping trust
    Switch(config)# ip dhcp snooping

[option] DHCP option-82:
    Switch(config)# [no] ip dhcp snooping information option
ps: this feature is enabled by default.
DHCP option-82 is the DHCP Relay Agent Information option, described in RFC 3046.
ps:
1. When a DHCP request is intercepted on an untrusted port,
2. the switch adds its own MAC address and the switch port identifier into the option-82 field of the request.
3. The request is then forwarded normally so that it can reach a trusted DHCP server.
[option] Store the DHCP snooping binding database in an external location:
    Switch(config)# ip dhcp snooping database <locate>
    <locate>: the location can be a TFTP, FTP or HTTP server
ps: an empty file must first be created at the external location.
ps: the switch and the server must be NTP-synchronized, otherwise the snooping database on the switch cannot be synchronized to the server.
ex:
    Switch(config)# ip dhcp snooping database tftp://10.10.10.10/database
    Switch(config)# ip dhcp snooping database ftp://name:password@10.10.10.11/database

Display DHCP snooping status:
    Switch# show ip dhcp snooping [binding]
Parameters:
    [binding]  display all the known DHCP bindings that have been overheard
ps: the output of show ip dhcp snooping looks roughly like this:
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    104
    Insertion of option 82 is enabled
    Interface                Trusted  Rate limit (pps)
    ------------------------ -------  ----------------
    FastEthernet0/35         no       3
    FastEthernet0/36         no       3
    GigabitEthernet0/1       yes      unlimited
........................................

IP Source Guard

IP Source Guard prevents an IP address that is legitimately in use from being hijacked by another host. It does this (checking IP, interface and MAC against each other) by making use of the DHCP snooping database and static IP source binding entries.
ps: DHCP snooping is VLAN-based; IP Source Guard is switch-port-based.

Test conditions
Packets arriving on a switch port (untrusted interface) can be tested for one of the following conditions:
1. The source IP must be identical to the IP learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic.
   ps: the switch automatically creates this ACL, adds the learned source IP to the ACL, and applies the ACL to the interface where the address is learned.
2. The source MAC must be identical to the MAC learned on the switch port and by DHCP snooping. Port security is used to filter traffic.

Action on mismatch: if the address is something other than the one learned or statically configured, the switch drops the packet.

To configure IP Source Guard:
    Switch(config)# ip dhcp snooping
    Switch(config-if)# ip verify source [port-security]
    without the keyword: checks only the source IP against the port
    [port-security]: additionally checks the source MAC
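To make the trusted/untrusted behaviour concrete, here is an added example (not from the original notes, and not Cisco's code) that models a switch running DHCP snooping: requests from untrusted ports are tagged with option 82 and forwarded, server replies on untrusted ports err-disable the port, the per-port rate limit is enforced, and the binding database is filled from the ACK overheard on the trusted port. The port names, MAC addresses and IP addresses are constructed sample values.

```python
"""Added example (not from the original notes): a minimal model of how a
switch running DHCP snooping handles DHCP messages on trusted and untrusted
ports, builds the binding database and inserts option 82.
Port names, MACs and IPs are constructed sample values."""
from dataclasses import dataclass, field

SWITCH_MAC = "00:11:22:33:44:55"   # constructed: this switch's own MAC (option-82 remote-id)


@dataclass
class DhcpMessage:
    kind: str             # "DISCOVER", "REQUEST", "OFFER" or "ACK"
    client_mac: str
    ingress_port: str
    vlan: int
    yiaddr: str = ""      # client IP offered/assigned (OFFER and ACK only)
    option82: dict = field(default_factory=dict)


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)       # ports with "ip dhcp snooping trust"
    rate_limit: dict = field(default_factory=dict)  # port -> "ip dhcp snooping limit rate"
    bindings: dict = field(default_factory=dict)    # client MAC -> (ip, vlan, client port)
    errdisabled: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)     # client MAC -> (port, vlan) of its request
    pps: dict = field(default_factory=dict)         # port -> DHCP packets seen this second

    def new_second(self):
        """Reset the per-port rate counters; call once per second."""
        self.pps.clear()

    def process(self, msg):
        port = msg.ingress_port
        if port in self.errdisabled:
            return "drop: port is err-disabled"
        if port in self.trusted:
            # Reply from a legitimate server: record the lease against the
            # untrusted port on which the client's request was overheard.
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                client_port, vlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.yiaddr, vlan, client_port)
            return "forward"
        # Untrusted port: the rate limit applies to every DHCP packet.
        self.pps[port] = self.pps.get(port, 0) + 1
        if port in self.rate_limit and self.pps[port] > self.rate_limit[port]:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if msg.kind in ("OFFER", "ACK"):
            # Server replies never legitimately arrive on an untrusted port.
            self.errdisabled.add(port)
            return "drop: rogue DHCP server, port err-disabled"
        # Client request: tag it with option 82 (circuit-id = port, remote-id = switch MAC)
        # and remember where it came from, then forward it toward the trusted server.
        msg.option82 = {"circuit_id": port, "remote_id": SWITCH_MAC}
        self.pending[msg.client_mac] = (port, msg.vlan)
        return "forward with option 82"


def demo():
    """A legitimate lease on Fa0/35 followed by a rogue OFFER on Fa0/36."""
    sw = SnoopingSwitch(trusted={"Gi0/1"}, rate_limit={"Fa0/35": 3, "Fa0/36": 3})
    client = "aa:bb:cc:00:00:01"
    results = [
        sw.process(DhcpMessage("DISCOVER", client, "Fa0/35", 104)),
        sw.process(DhcpMessage("OFFER", client, "Gi0/1", 104, "10.10.104.20")),
        sw.process(DhcpMessage("REQUEST", client, "Fa0/35", 104)),
        sw.process(DhcpMessage("ACK", client, "Gi0/1", 104, "10.10.104.20")),
        sw.process(DhcpMessage("OFFER", "aa:bb:cc:00:00:02", "Fa0/36", 104, "192.168.1.5")),
    ]
    return sw, results
```

After `demo()` runs, `sw.bindings` holds what `show ip dhcp snooping binding` would list (client MAC, leased IP, VLAN and the client's port), and `Fa0/36` sits in `sw.errdisabled` because a server reply arrived on it.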
Statically configured IP source binding (MAC-IP-interface binding):
    Switch(config)# ip source binding <mac> vlan <vlan-id> <ip> interface <interface>
When DHCP snooping is not in use, bindings can be assigned statically with ip source binding.

To verify the IP Source Guard status:
    Switch# show ip verify source [interface <interface>]
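The two test conditions above (source IP via the dynamic port ACL, and source MAC when the port-security keyword is used) as an added example that is not part of the original notes and not Cisco's code: a small model of IP Source Guard built on a binding table that mixes entries learned by DHCP snooping with static `ip source binding` entries. Interface names, MACs and IPs are constructed.

```python
"""Added example (not from the original notes): a model of IP Source Guard
filtering on a switch port using the DHCP snooping binding database and
static "ip source binding" entries. All ports, MACs and IPs are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class IpSourceGuard:
    bindings: list = field(default_factory=list)   # DHCP snooping + static entries
    verify: dict = field(default_factory=dict)     # interface -> True if "port-security" keyword used

    def learn(self, mac, ip, vlan, interface):
        """Entry as DHCP snooping would record it after overhearing a lease."""
        self.bindings.append(Binding(mac, ip, vlan, interface))

    def add_static(self, mac, vlan, ip, interface):
        """Equivalent of: ip source binding <mac> vlan <vlan-id> <ip> interface <interface>"""
        self.bindings.append(Binding(mac, ip, vlan, interface))

    def enable(self, interface, port_security=False):
        """Equivalent of: ip verify source [port-security] on the interface."""
        self.verify[interface] = port_security

    def port_acl(self, interface):
        """The dynamic port ACL: source IPs the switch permits on this interface."""
        return {b.ip for b in self.bindings if b.interface == interface}

    def check(self, interface, vlan, src_ip, src_mac):
        if interface not in self.verify:
            return "permit: ip verify source not configured"
        if src_ip not in self.port_acl(interface):
            return "drop: source IP not bound to this interface"
        if self.verify[interface]:
            # port-security keyword: the source MAC must also match the binding
            if not any(b.interface == interface and b.ip == src_ip
                       and b.mac == src_mac and b.vlan == vlan for b in self.bindings):
                return "drop: source MAC does not match binding"
        return "permit"


def demo():
    isg = IpSourceGuard()
    isg.learn("aa:bb:cc:00:00:01", "10.10.104.20", 104, "Fa0/35")      # learned by DHCP snooping
    isg.add_static("aa:bb:cc:00:00:09", 104, "10.10.104.9", "Fa0/36")  # printer with a fixed IP
    isg.enable("Fa0/35")                       # ip verify source
    isg.enable("Fa0/36", port_security=True)   # ip verify source port-security
    return [
        isg.check("Fa0/35", 104, "10.10.104.20", "aa:bb:cc:00:00:01"),  # matches its lease
        isg.check("Fa0/35", 104, "10.10.104.9", "aa:bb:cc:00:00:01"),   # printer's IP used on the wrong port
        isg.check("Fa0/36", 104, "10.10.104.9", "aa:bb:cc:00:00:99"),   # right IP, wrong MAC
        isg.check("Fa0/36", 104, "10.10.104.9", "aa:bb:cc:00:00:09"),   # matches the static entry
        isg.check("Gi0/1", 104, "10.10.104.200", "aa:bb:cc:00:00:50"),  # uplink without ip verify source
    ]
```

Note that the uplink is permitted only because `ip verify source` was never applied to it, which matches the notes: IP Source Guard is enforced per switch port, not per VLAN.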
To verify the information contained in the IP source binding database, either learned or statically configured:
    Switch# show ip source binding [ip] [mac] [dhcp-snooping | static] [interface <interface>] [vlan <vlan-id>]
........................................

DAI (Dynamic ARP Inspection)

DAI helps mitigate ARP poisoning or ARP spoofing. It works much like DHCP snooping: all switch ports are classified as trusted or untrusted, and the switch intercepts and inspects all ARP packets that arrive on an untrusted port (ingress port only).
DAI is supported on access ports, trunk ports, EtherChannel ports and private VLAN ports.
ps: every interface is untrusted by default.

When an ARP reply is received on an untrusted port:
1. The switch checks the MAC and IP reported in the reply packet against known and trusted values.
2. If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated.

Trusted ARP information is gathered from:
1. statically configured entries
2. dynamic entries in the DHCP snooping database (requires DHCP snooping to be enabled)

Enable DAI on all edge switches. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
Caveat: if a switch attached to a trusted port is not running DAI and an attack is launched beneath it, the local switch will not inspect ARP packets arriving on that trusted port.
Enable DAI
1. Enable DHCP snooping and ARP inspection:
    Switch(config)# ip dhcp snooping
    Switch(config)# ip arp inspection vlan <vlan-range>
    [vlan <vlan-range>]  specifies the VLANs on which DAI operates
    ps: separate multiple VLANs with commas
2. Configure a trusted port:
    Switch(config-if)# ip arp inspection trust
    Typically used on interfaces connecting to other switches.
    ps: it will assume that the neighboring switch also is performing DAI on all of its ports in that VLAN.
Statically configured entries
1. Without DHCP, statically define an IP-MAC binding list:
    Switch(config)# arp access-list <acl-name>
    Switch(config-acl)# permit ip host <sender-ip> mac host <sender-mac> [log]
    [Repeat the previous command as needed]
    Switch(config-acl)# exit
2. Apply the list to DAI:
    Switch(config)# ip arp inspection filter <arp-acl-name> vlan <vlan-range> [static]
    Parameters:
    [static]  if the access list has no match, the packet is treated as invalid outright (no fallback to the DHCP snooping database)
ps: when ARP replies are intercepted, the match order is:
1. access list entries
2. DHCP snooping bindings database

Specify the additional DAI validation checks (at least one must be set):
    Switch(config)# ip arp inspection validate <src-mac | dst-mac | ip>
    src-mac: check the source MAC of ARP replies
    dst-mac: check the destination MAC of ARP replies
    ip: check the sender IP of ARP requests and the target IP of all ARP replies
Specify the number of ARP packets accepted per second:
    Switch(config-if)# ip arp inspection limit rate 10
Used to suppress ARP DoS attacks (default 15 pps); when the rate is exceeded the port enters the error-disabled state.
ps: to stop ARP inspection violations from placing the port in the error-disabled state:
    Switch(config)# no errdisable detect cause arp-inspection
ps: to set the error-disabled recovery time:
    Switch(config)# errdisable recovery cause arp-inspection
    Switch(config)# errdisable recovery interval <sec>
Sets how many seconds after which the port automatically leaves the error-disabled state (default 300 seconds).

Display DAI status information:
    Switch# show ip arp inspection
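The DAI behaviour described in the two sections above (trusted vs. untrusted ports, the ARP ACL then DHCP-snooping-binding match order, the static keyword, the src-mac/dst-mac/ip validation checks, and the per-port rate limit that err-disables the port) as one added example; this is not code from the original notes or from Cisco, and every port name, MAC and IP in it is a constructed sample value. The log-line format is also an assumption, not the real IOS message.

```python
"""Added example (not from the original notes): a model of Dynamic ARP
Inspection on one switch. Ports, MACs and IPs are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    ingress_port: str
    vlan: int
    eth_src: str       # Ethernet header addresses
    eth_dst: str
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def bogus_ip(ip):
    """IPs that never legitimately appear in an ARP body: unspecified, broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


@dataclass
class ArpInspection:
    vlans: set                                       # ip arp inspection vlan <range>
    trusted: set = field(default_factory=set)        # ports with ip arp inspection trust
    acls: dict = field(default_factory=dict)         # acl name -> {(sender-ip, sender-mac)}
    filters: dict = field(default_factory=dict)      # vlan -> (acl name, static flag)
    bindings: dict = field(default_factory=dict)     # DHCP snooping db: (vlan, ip) -> mac
    validate: set = field(default_factory=set)       # subset of {"src-mac", "dst-mac", "ip"}
    rate_limit: dict = field(default_factory=dict)   # port -> pps, default 15
    pps: dict = field(default_factory=dict)          # port -> ARP packets seen this second
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def new_second(self):
        self.pps.clear()

    def _binding_reason(self, pkt):
        """Match order: ARP access-list entries first, then DHCP snooping bindings."""
        if pkt.vlan in self.filters:
            acl, static = self.filters[pkt.vlan]
            if (pkt.sender_ip, pkt.sender_mac) in self.acls.get(acl, set()):
                return None
            if static:  # "static" keyword: no fallback to the snooping database
                return "sender not permitted by ARP ACL"
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac:
            return f"{pkt.sender_ip} is not bound to {pkt.sender_mac}"
        return None

    def _drop(self, pkt, reason):
        # Constructed log format, not the real IOS message text.
        self.log.append(f"DAI dropped ARP {pkt.op} on {pkt.ingress_port} vlan {pkt.vlan}: {reason}")
        return "drop: " + reason

    def inspect(self, pkt):
        port = pkt.ingress_port
        if pkt.vlan not in self.vlans or port in self.trusted:
            return "forward"                          # not inspected
        if port in self.errdisabled:
            return "drop: port is err-disabled"
        self.pps[port] = self.pps.get(port, 0) + 1
        if self.pps[port] > self.rate_limit.get(port, 15):
            self.errdisabled.add(port)
            return self._drop(pkt, "rate limit exceeded, port err-disabled")
        if "src-mac" in self.validate and pkt.op == "reply" and pkt.eth_src != pkt.sender_mac:
            return self._drop(pkt, "src-mac mismatch between Ethernet header and ARP body")
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
            return self._drop(pkt, "dst-mac mismatch between Ethernet header and ARP body")
        if "ip" in self.validate:
            checked = pkt.sender_ip if pkt.op == "request" else pkt.target_ip
            if bogus_ip(checked):
                return self._drop(pkt, f"invalid IP {checked} in ARP body")
        reason = self._binding_reason(pkt)
        return self._drop(pkt, reason) if reason else "forward"


ASKER_MAC, ASKER_IP = "aa:bb:cc:00:00:50", "10.10.104.50"   # constructed host that sent the request


def reply(port, eth_src, sender_mac, sender_ip, target_ip=ASKER_IP):
    return ArpPacket("reply", port, 104, eth_src, ASKER_MAC, sender_mac, sender_ip, ASKER_MAC, target_ip)


def demo():
    dai = ArpInspection(vlans={104}, trusted={"Gi0/1"}, validate={"src-mac", "ip"})
    dai.bindings[(104, "10.10.104.20")] = "aa:bb:cc:00:00:01"      # learned by DHCP snooping
    dai.acls["printers"] = {("10.10.104.9", "aa:bb:cc:00:00:09")}  # arp access-list printers
    dai.filters[104] = ("printers", False)                          # ip arp inspection filter printers vlan 104
    good = reply("Fa0/35", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "10.10.104.20")
    spoofed = reply("Fa0/36", "aa:bb:cc:00:00:66", "aa:bb:cc:00:00:66", "10.10.104.1")  # claims an IP it does not hold
    printer = ArpPacket("request", "Fa0/36", 104, "aa:bb:cc:00:00:09", "ff:ff:ff:ff:ff:ff",
                        "aa:bb:cc:00:00:09", "10.10.104.9", "00:00:00:00:00:00", "10.10.104.1")
    mismatch = reply("Fa0/35", "aa:bb:cc:00:00:77", "aa:bb:cc:00:00:01", "10.10.104.20")
    bogus = reply("Fa0/35", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "10.10.104.20", target_ip="0.0.0.0")
    uplink = reply("Gi0/1", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "10.10.104.20")
    results = [dai.inspect(p) for p in (good, spoofed, printer, mismatch, bogus, uplink)]
    dai.filters[104] = ("printers", True)   # static keyword: the ACL becomes the only source of truth
    results.append(dai.inspect(good))
    return dai, results


def rate_limit_demo():
    dai = ArpInspection(vlans={104})
    dai.bindings[(104, "10.10.104.20")] = "aa:bb:cc:00:00:01"
    pkt = reply("Fa0/35", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "10.10.104.20")
    return [dai.inspect(pkt) for _ in range(16)]   # default limit is 15 pps
```

The last result of `demo()` is the one to note: the same reply that was forwarded at the start is dropped once the filter is applied with `static`, because the printer ACL no longer falls back to the DHCP snooping binding that vouched for it. `dai.log` collects one line per drop, which is what a defender would forward to the log collector.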
http://www.ringline.com.tw/epaper/forum961101.htm