In this video, we're going to discuss DHCP issues such as rogue DHCP servers and DHCP scope exhaustion.

Now, DHCP, or the Dynamic Host Configuration Protocol, is a network management protocol that's used on IP networks for automatically assigning IP addresses and other communication parameters to devices that are connected to the network using a client-server architecture. Basically, DHCP is used to automatically assign an IP address, a subnet mask, a default gateway, and a DNS server's IP address to a client whenever it joins the network. This works great most of the time, but if someone has a rogue DHCP server on your network, this can cause a ton of issues for you.

Now, a rogue DHCP server is a DHCP server on the network that is not under your administrative control, since you are the network administrator. Remember, rogue DHCP servers can be installed on the network either as part of a malicious attack or simply accidentally by your own employees.

In the case of a malicious attack, the rogue DHCP server could be used to automatically configure network clients as they join the network to use a different DHCP server, one that's controlled by your attacker. That way, anytime somebody enters google.com or citibank.com, they're going to be redirected to another site that's controlled by the attacker and looks like those sites, and then they can conduct an on-path or man-in-the-middle attack against them.

Now, in the case of an accidental install by an employee, this normally occurs when somebody connects a wireless router or wireless gateway to your network for their own convenience, and they really didn't realize that the device had a built-in DHCP server contained within it. In either case, the rogue DHCP server will begin to hand out IP addresses from its own scope. Now, this scope may or may not be the same as your official DHCP server's.

If it isn't, you're not going to see a lot of network connectivity issues for those clients that are getting IPs from the rogue DHCP server if the default gateway is still being handed out correctly. Now, if the rogue DHCP server is using the same scope as your DHCP server, this is where you can have a lot of problems. For example, let's pretend you're both using 192.168.1.0/24 as your network scopes. This is a traditional one used by small office and home office networks. You both then can start to suffer connectivity issues because two devices can both be assigned the exact same IP address, leading to a duplicate IP address.

Now, to prevent a rogue DHCP server from connecting to your network, you should configure DHCP snooping on your network. DHCP snooping is a series of techniques that are applied to improve the security of DHCP's infrastructure by excluding rogue DHCP server traffic and removing their malicious or malformed DHCP traffic from the network.

Now, rogue DHCP servers can also be countered by using port security on your switch ports, because that rogue DHCP's MAC address isn't going to be on your authorized list of devices when they connect to a switch port. Finally, rogue DHCP servers can also be detected by properly configuring an intrusion detection system, and once identified, it can be manually removed from the network by your network administrators.

Next, we have DHCP scope exhaustion. Now, DHCP scope exhaustion occurs when the DHCP server simply runs out of valid IPs to assign to somebody when they join the network. For example, let's say again you're using the scope of 192.168.1.0/24, and that's your private class C network. You've reserved 192.168.1.1 for the gateway and 192.168.1.255 for your broadcast. Now, you have 254 IPs left in your DHCP scope. Now, as long as you have less than 254 devices that want to connect to you at the same time, you're not going to suffer DHCP scope exhaustion. But if you have 500 people that want to connect, you're going to run out of IP addresses before everybody gets their own.

Now, many DHCP servers use a default lease time of 86,400 seconds, which is one day, but I've seen some organizations set their DHCP leases to seven days or even 30 days. Now, this is helpful from a security analyst perspective because those clients aren't changing their IP addresses as often, and so it's easier to correlate log data, but these longer lease times can lead to DHCP scope exhaustion if you have a lot of transient users. For example, let's say you're running the wireless network at a local college. You have hundreds or thousands of different people that connect to your network on a daily basis. One student might have a class on Monday, Wednesday, and Friday, and another student might have classes on Tuesday and Thursday. If you're using seven-day leases, the first student would still have their lease for the entire week, and so would the second student. Now, we're going to need two leases for these two students.

But if we instead lowered our lease time to 24 hours, these two students could, in theory, receive the exact same IP, but not at the same time, because the lease would expire on the first one before the second one showed up to class. Now, another thing you can do to overcome DHCP scope exhaustion is to increase the scope size. For example, instead of providing the 254 IP addresses by using the network of 192.168.1.0/24, I can instead change my scope to 172.16.1.0/22. This gives me 1,022 available IPs for me to assign to my clients, which is going to serve all 500 of my students with no problem. The final thing you can do is decrease the number of devices that are using the DHCP server and, in turn, the IP addresses from its scope. In this case, you're going to want to enable port security or network access control (NAC) to enable you to prevent clients from accessing your network and getting assigned an IP address from your DHCP scope.