Mitigating Spoofing Attacks
dhcp snooping
ip source guard
DAI<\/p>\n\n\n\n
…………………<\/p>\n\n\n\n
DHCP snooping<\/strong><\/p>\n\n\n\n When DHCP snooping is enabled, …<\/p>\n\n\n\n \u555f\u52d5DHCP snooping\u529f\u80fd \u6307\u5b9aDHCP snooping\u8981\u904b\u4f5c\u7684vlan \u5728dhcp server\u7684\u6240\u5728port\u8a2d\u6210trust port [option] ex: [option] ..<\/p>\n\n\n\n display dhcp snooping status …………………………………………………………………………………………..<\/p>\n\n\n\n ip source guard<\/strong> \u6aa2\u6e2c\u689d\u4ef6 statically configured IP source binding (mac-ip-interface binding) to verify the information contained in the IP source binding database, either learned or statically configured ……………………………………………………………………………………………………….<\/p>\n\n\n\n DAI(Dynamic ARP Inspection)<\/strong> When an ARP reply is received on an untrusted port,<\/strong> gather trusted ARP information from follows<\/strong> statically configured entries \u6307\u5b9a\u6bcf\u79d2\u53ef\u63a5\u53d7\u7684arp packet ps: Mitigating Spoofing Attacksdhc …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-876","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=876"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/876\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
1
switch ports are categorized as trusted or untrusted
Legitimate DHCP<\/strong> servers can be found on trusted ports<\/strong>
all other hosts<\/strong> sit behind untrusted ports<\/strong>
2
A switch intercepts all DHCP requests<\/strong> coming from untrusted ports before flooding them throughout the VLAN .
3
Any DHCP replies(dhcp offer packet)<\/strong> coming from an untrusted port<\/strong> are discarded .\u3000because they must have come from a rogue DHCP server<\/strong>
the offending switch port automatically is shut down in the Errdisable state
4
DHCP snooping database\u958b\u59cb\u904b\u4f5c<\/p>\n\n\n\n
Switch(config)# ip dhcp snooping<\/strong><\/p>\n\n\n\n
Switch(config)# ip dhcp snooping vlan < vlan-id ><\/strong>
\u5404\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
[ vlan < vlan-id [vlan-id]> ] \u53ea\u5728\u6307\u5b9avlan\u4e0b\u555f\u52d5dhcp snooping<\/p>\n\n\n\n
Switch(config-if)# ip dhcp snooping trust<\/strong>
By default, all switch ports are assumed to be untrusted<\/p>\n\n\n\n
to rate-limit DHCP traffic on an untrusted port
Switch(config-if)# ip dhcp snooping limit rate < rate ><\/strong>
rate \u6307\u5b9a\u6bcf\u79d2\u5e7e\u500bdhcp packet<\/p>\n\n\n\n
dhcp\u8a2d\u5b9a\u7bc4\u4f8b
Switch(config)# ip dhcp snooping vlan 104
Switch(config)# interface range fastethernet 0\/35 – 36
Switch(config-if)# ip dhcp snooping limit rate 3
Switch(config-if)# interface gigabitethernet 0\/1
Switch(config-if)# ip dhcp snooping trust
Switch(config)# ip dhcp snooping<\/p>\n\n\n\n
[option]
DHCP option-82
Switch(config)# [no] ip dhcp snooping information option<\/strong>
ps:
this feature is enabled by default
DHCP option-82, the DHCP Relay Agent Information option, which is described in RFC 3046
ps:
1. When a DHCP request is intercepted on an untrusted port
2. the switch adds its own MAC address and the switch port identifier into the option-82 field of the request.
3. The request then is forwarded normally so that it can reach a trusted DHCP server<\/p>\n\n\n\n
\u6307\u5b9aDHCP snooping binding database\u5132\u5b58\u65bc\u5916\u90e8\u4f4d\u7f6e
Switch(config)# ip dhcp snooping database < locate ><\/strong>
< locate > \u53ef\u6307\u5b9a\u5132\u5b58\u5728TFTP,FTP,HTTP server
ps:\u5916\u90e8\u4f4d\u7f6e\u4e0a\u9700\u5148\u7522\u751f\u4e00\u500b\u7a7a\u767d\u6a94
ps:switch\u548cserver\u9700\u505aNTP,\u4ee5\u907f\u514dswitch\u4e0a\u7684snooping database\u7121\u6cd5\u540c\u6b65\u5230server
ex:
Switch(config)# ip dhcp snooping database tftp:\/\/10.10.10.10\/database
Switch(config)# ip dhcp snooping database ftp:\/\/name:password@10.10.10.11\/database<\/p>\n\n\n\n
Switch# show ip dhcp snooping [binding]<\/strong>
\u5404\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
[binding] display all the known DHCP bindings that have been overheard
ps:
# show ip dhcp snooping\u756b\u9762\u5927\u81f4\u5982\u4e0b
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
104
Insertion of option 82 is enabled
Interface Trusted Rate limit (pps)
———————— ——- —————-
FastEthernet0\/35 no 3
FastEthernet0\/36 no 3
GigabitEthernet0\/1 yes unlimited<\/p>\n\n\n\n
\u53ef\u4ee5\u907f\u514d\u5408\u6cd5\u4f7f\u7528\u7684IP\u88ab\u5176\u4ed6\u4eba\u76dc\u7528
IP Source Guard does this(\u6aa2\u8996\u6bd4\u5c0dip,interface,mac) by making use of the “DHCP snooping database” and “static IP source binding entries”
ps:
DHCP snooping\u662fvlan-based
IP source guard\u662fswitch ports-based<\/p>\n\n\n\n
Packets arriving on a switch port(untrust interface) can be tested for one of the following conditions
The source IP must be identical to the IP<\/strong>
\u30001.learned by DHCP snooping or a static entry.
\u30002.A dynamic port ACL is used to filter traffic.
ps:The switch automatically creates this ACL, adds the learned source IP to the ACL, and applies the ACL to the interface where the address is learned.
The source MAC must be identical to the MAC<\/strong>
\u30001.learned on the switch port and by DHCP snooping.
\u30002.Port security is used to filter traffic
\u7570\u5e38\u52d5\u4f5c:
If the address is something other than the one learned or statically configured,
the switch drops the packet<\/p>\n\n\n\n
to configure IP source guard
Switch(config)# ip dhcp snooping
Switch(config-if)# ip verify source [port-security]<\/strong>
\u53ea\u6aa2\u67e5source IP\u548cport\u7684\u5c0d\u61c9
[port-security] \u5728\u591a\u6aa2\u67e5source MAC\u7684\u5c0d\u61c9<\/p>\n\n\n\n
Switch(config)# ip source binding < mac > vlan < vlan-id > < ip > interface < interface ><\/strong>
\u5728\u4e0d\u4f7f\u7528ip dhcp snooping\u60c5\u6cc1\u4e0b,\u53ef\u7528ip source binding\u975c\u614b\u6307\u5b9a<\/p>\n\n\n\n
To verify the IP source guard status
Switch# show ip verify source [interface < interface >]<\/strong><\/p>\n\n\n\n
Switch# show ip source binding [ip] [mac] [dhcp-snooping | static] [interface < interface>] [vlan < vlan-id>]<\/strong><\/p>\n\n\n\n
to help mitigate ARP poisoning or ARP spoofing
DAI works much like DHCP snooping. All switch ports are classified as trusted or untrusted
The switch intercepts and inspects all ARP packets that arrive on an untrusted port(only ingress port)
DAI is supported on access ports, trunk ports, EtherChannel ports, private VLAN ports
ps:\u9810\u8a2d\u6bcf\u4e00\u500b\u4ecb\u9762\u662funtrust<\/p>\n\n\n\n
1. the switch checks the MAC and IP reported in the reply packet against known and trusted values
2. If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated<\/p>\n\n\n\n
1.statically configured entries
2.dynamic entries in the DHCP snooping database (enable DHCP snooping)<\/p>\n\n\n\n
enable DAI on all edge switch<\/strong>
DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
\u4e00\u4f46\u5176\u4ed6\u63a5\u5728trust port\u7684switch\u672a\u7528DAI,\u800c\u5728\u5e95\u4e0b\u767c\u52d5\u653b\u64ca,the local switch will not inspect ARP packets arriving on trusted ports;<\/p>\n\n\n\n
enable DAI
1
Switch(config)# ip dhcp snooping
Switch(config)# ip arp inspection [vlan < vlan-range> ]<\/strong>
[vlan < vlan-range> ] \u6307\u5b9aDAI\u8981\u5728\u90a3\u500bvlan\u4f5c\u7528
ps:\u591a\u500bvlan\u4ee5commas\u5206\u9694
2
Configure a trusted port
Switch(config-if)# ip arp inspection trust<\/strong>
\u901a\u5e38\u7528\u5728\u9023\u63a5\u5176\u4ed6switch\u7684\u4ecb\u9762
ps:
it will assume that the neighboring switch also is performing DAI on all of its ports in that VLAN<\/p>\n\n\n\n
1
\u7121dhcp\u4e0b,\u975c\u614b\u6307\u5b9aip-mac binding list
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host < sender-ip> mac host < sender-mac> [log]<\/strong>
[Repeat the previous command as needed]
Switch(config-acl)# exit
2
\u5c07list\u5957\u7528\u5728DAI\u4e0a
Switch(config)# ip arp inspection filter < arp-acl-name > vlan < vlan-range> [static]<\/strong>
\u5404\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
[static] \u82e5\u5728access-list\u6c92\u6bd4\u5c0d\u5230,\u76f4\u63a5\u8a8d\u5b9a\u70bainvalid
ps:
When ARP replies are intercepted, match order as follow
1 access list entries.
2 DHCP snooping bindings database<\/p>\n\n\n\n
\u6307\u5b9aDAI\u7684\u6aa2\u67e5\u7684\u9806\u5e8f
Switch(config)# ip arp inspection validate < src-mac | dst-mac | ip ><\/strong>
\u4ee5\u4e0b\u81f3\u5c11\u9700\u8a2d\u5b9a\u4e00\u500b
src-mac: \u6aa2\u67e5arp-reply\u7684src-mac
dst-mac: \u6aa2\u67e5arp-reply\u7684dst-mac
ip : \u6aa2\u67e5arp-request\u7684sender-ip,\u548c\u6240\u6709arp-reply\u7684\u76ee\u6a19ip<\/p>\n\n\n\n
Switch(config-if)# ip arp inspection limit rate 10<\/strong>
\u7528\u4f86\u6291\u5236ARP DoS attack(\u9810\u8a2d\u70ba15pps),\u7576\u8d85\u904e\u6642\u6703\u9032\u5165error-disable\u72c0\u614b<\/p>\n\n\n\n
\u96e2\u958berror-disable\u72c0\u614b
Switch(config)# no errdisable detect cause arp-inspection<\/strong>
ps:
\u8a2d\u5b9aerror-diabled-recovery\u6642\u9593
Switch(config-if)# errdisable recovery cause arp-inspection interval < sec ><\/strong>
\u53ef\u8a2d\u5b9a\u5e7e\u79d2\u5f8c\u81ea\u52d5\u96e2\u958berror-disable\u72c0\u614b(\u9810\u8a2d\u70ba300\u79d2)<\/p>\n\n\n\n
display DAI status information
Switch# show ip arp inspection<\/strong><\/p>\n\n\n\n
http:\/\/www.ringline.com.tw\/epaper\/forum961101.htm<\/p>\n","protected":false},"excerpt":{"rendered":"