ICND2 Prevent Man in The Middle Attack with DHCP Snooping

1. What is DHCP snooping? DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes. However, the most common DoS scenario is that of an end-user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.

2. What traffic will DHCP snooping drop?

  • DHCP snooping will drop DHCP messages from a DHCP server that is not trusted. Trusted DHCP servers are identified by configuring a switchport’s DHCP snooping trust state. DHCP server messages can flow through switchports that have a DHCP snooping trusted state. DHCP server messages will be dropped if attempting to flow through a switchport that is not trusted.
  • DHCP messages where the source MAC and embedded client hardware MAC do not match will also be dropped, although this protection can be defeated; badly written vendor IP implementations can cause this to happen with a surprising amount of frequency, the most common scenario being a DHCP request for one interface being forwarded through another interface on that same device.
  • DHCP snooping will also drop messages that release a lease or decline an offer, if the release or decline message is received on a switchport other than the port that the original DHCP conversation was held. This prevents a third party from terminating a lease or declining a DHCP offer on behalf of the actual DHCP client.

What is a Man-in-the-Middle (MITM) attack?

A MITM attack happens when a communication between two systems is intercepted by an outside entity. This can happen in any form of online communication, such as email, social media, web surfing, etc. Not only are they trying to eavesdrop on your private conversations, they can also target all the information inside your devices.

Taking away all the technicalities, the concept of an MITM attack can be described in a simple scenario. Imagine being brought back to the days of old when snail mail was rife. Jerry writes a letter to Jackie expressing his love for her after years of hiding his feelings. He sends the letter to the post office and it’s picked up by a nosy mailman. He opened it and, just for the hell of it, he decided to rewrite the letter before delivering the mail to Jackie. This results in Jackie hating Jerry for the rest of her life after “Jerry” called her a fat cow. The moral of the story is the mailman is a jerk, and so are hackers.

A more modern example would be a hacker sitting between you (and your browser) and the website you’re visiting to intercept and capture any data you submit to the site, such as login credentials or financial information.

How Does a Man-in-the-Middle Attack Work?

Over the years, hackers found various ways to execute MITM attacks and believe it or not, it has become relatively cheap to buy a hacking tool online, just proving how easy hacking someone can be if you have enough money. Here are some common types of MITM attacks your business will most likely encounter:

Comments

Leave a Reply