WEBVTT

0
00:01.100 --> 00:08.540
In the last lectures we have discussed attacks on DHCP which are Discover Flooding Attack, DHCP 


1
00:08.540 --> 00:10.350
Starvation and Rogue

2
00:10.360 --> 00:16.860
DHCP Server. Let’s see what countermeasures are available to mitigate the impact.


3
00:16.890 --> 00:20.410
Let's start with the starvation attack.

4
00:20.510 --> 00:27.980
It can be mitigated by configuring different security features on the LAN switch, access point or wireless

5
00:28.040 --> 00:35.360
LAN controller. If the hacker sends DHCP Discover packets with different spoofed MAC addresses,

6
00:35.700 --> 00:41.930
the attack can be mitigated by configuring port security on the switch.

7
00:41.950 --> 00:50.500
This will limit the number of MAC addresses behind each port and when a violation occurs the admin can

8
00:50.500 --> 00:55.860
choose to drop the traffic or automatically disable the switch port.

9
00:55.870 --> 01:00.880
We had an entire lecture on port security when we discussed MAC flooding.

10
01:00.880 --> 01:05.010
Please watch that video again if you feel the need to recap

11
01:05.010 --> 01:14.000
what port security is or how it works. To prevent DHCP starvation attack that uses the DHCP

12
01:14.030 --> 01:18.340
requests encapsulated with the same source MAC address,

13
01:18.340 --> 01:25.750
the hacker sends all DHCP requests with the same MAC address, you can enable MAC address check


14
01:25.930 --> 01:36.610
on the DHCP server. The DHCP server compares the client's hardware address or chaddr field of received DHCP requests

15
01:36.700 --> 01:44.170
with the source MAC address in the frame header. If they are the same, the DHCP 


16
01:44.170 --> 01:52.340
server verifies this request as legal and processes it. If they are not the same, the server discards 

17
01:52.570 --> 02:02.330
the DHCP request. Rogue DHCP servers can be mitigated by DHCP snooping. When configuring DHCP


18
02:02.420 --> 02:11.260
Snooping on the access switch, all ports in the VLAN will be “Untrusted” for DHCP replies. DHCP

19
02:11.260 --> 02:21.400
Snooping acts like a firewall between untrusted hosts and DHCP servers. You use the DHCP snooping to differentiate

20
02:21.400 --> 02:30.250
between untrusted interfaces connected to the user and trusted interfaces connected to the DHCP server

21
02:30.550 --> 02:39.430
or another switch. When an attacker sends a packet like the DHCP offer that normally comes from the DHCP

22
02:39.430 --> 02:46.540
server on an untrusted port, that packet will be dropped and the message will be logged.

23
02:46.540 --> 02:56.740
In this example I'll show you how to configure the DHCP Snooping on a Cisco Catalyst Switch. We consider

24
02:56.830 --> 03:04.630
that the legitimate DHCP server is connected to port Ethernet 0/0 and no other

25
03:04.690 --> 03:09.910
DHCP server is allowed on the network. OK.

26
03:09.960 --> 03:17.550
So in global configuration mode I am enabling DHCP snooping: ip dhcp snooping

27
03:20.180 --> 03:30.210
then I'll specify on which VLANs it will operate: ip dhcp snooping vlan 1, 10 and 20.

28
03:31.490 --> 03:37.940
It's just an example! I'm entering the interface mode, the trusted interface,

29
03:38.300 --> 03:44.820
ethernet0/0, and I set the interface as trusted.

30
03:45.140 --> 03:49.970
That means that a DHCP server is allowed to connect to this port.

31
03:53.380 --> 03:56.150
If you want to see the configuration you execute

32
03:56.150 --> 04:05.960
sh ip dhcp sn. In this example a DHCP server is allowed only on ethernet

33
04:05.960 --> 04:08.580
0/0 port.

34
04:08.580 --> 04:17.070
Note that there are also tools called DHCP rogue detectors which can be installed on your host and try

35
04:17.130 --> 04:20.070
to find any rogue server on the network.

36
04:20.070 --> 04:23.760
This solution is partial, local and it's not proactive.