Example Analysis of DHCP Attack Defense Processing

2025-02-28 Update From: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/01 Report

This article presents an example analysis of DHCP attack defense processing. It is meant to be easy to understand and clearly organized, and I hope it helps resolve your doubts. Let me lead you through "Example Analysis of DHCP Attack Defense Processing".

DHCP application background: in a relatively large local area network, in order to improve the efficiency of network management and reduce tedious administrative work, we usually set up a DHCP server in the LAN and let it automatically provide legitimate IP addresses to ordinary workstations so that they can access the Internet. When an ordinary workstation is connected to the LAN, it automatically broadcasts a request for network parameters. Once the DHCP server receives the request from the client system, it automatically provides it with the appropriate parameters: IP address, subnet mask, gateway address and DNS address. After obtaining a valid address, the client system can access the network normally. Obviously, the stability of the DHCP server directly affects the stability of the whole LAN.

If there is a rogue DHCP server in the LAN, or if the legitimate DHCP server is maliciously attacked, the stability of the whole LAN is destroyed, and the Internet access of ordinary workstations becomes chaotic because they cannot obtain a valid IP address. In order to keep the LAN running stably, we need to find ways to protect the legitimate DHCP server from malicious or rogue DHCP servers.

Let's look at an illustration:

1. Solve this problem at the switch level.

Through the port security settings of the switch, each client host's DHCP request must use a unique MAC address on the specified port. Usually the DHCP server identifies the client by the CHADDR field in the DHCP request message, and usually this address is the same as the client's MAC address. If the attacker does not modify the client's MAC address but modifies the CHADDR in the DHCP message to carry out a DoS attack, Port Security will not help. DHCP snooping can check the CHADDR field in the DHCP request message to determine whether it matches the DHCP snooping table. This check is enabled by default on some switches and must be configured explicitly on others; for details, refer to the configuration documentation of the relevant switch.

In addition, DHCP Snooping filters untrusted DHCP messages, that is, DHCP messages arriving from untrusted zones, by establishing and maintaining a DHCP Snooping binding table. By intercepting DHCP messages within a VLAN, the switch can act as a small security firewall between the user and the DHCP server. The DHCP snooping function builds a DHCP binding table from dynamic address assignments and stores the table on the switch. In an environment without DHCP, such as a data center, binding entries can be defined statically. Each DHCP binding entry contains a client IP address (static or obtained from a DHCP server), the client MAC address, the port, the VLAN ID, the lease time and the binding type (static or dynamic).

When DHCP Snooping is enabled on the switch, it listens to DHCP messages and can extract and record IP address and MAC address information from the DHCP Request and DHCP Ack messages it receives. DHCP Snooping also allows a physical port to be set as either a trusted port or an untrusted port. A trusted port receives and forwards DHCP Offer messages normally, while an untrusted port discards any DHCP Offer messages it receives. In this way, the switch can shield a rogue DHCP server and ensure that clients obtain IP addresses only from the legitimate DHCP server.

Examples of basic configuration commands (Cisco IOS style) are as follows:

Global commands:

ip dhcp snooping vlan 10,20 * defines which VLANs enable DHCP snooping

ip dhcp snooping

Interface commands:

ip dhcp snooping trust

no ip dhcp snooping trust (default)

ip dhcp snooping limit rate 10 * limit DHCP packets on this port to 10 pps, which mitigates DHCP denial-of-service attacks to some extent

Manually add a DHCP binding table entry:

ip dhcp snooping binding 000b.db1d.6ccd vlan 10 192.168.1.2 interface gi1/1 expiry 1000

Export the DHCP binding table to a TFTP server:

ip dhcp snooping database tftp://10.1.1.1/file

It should be noted that the DHCP binding table must be kept in local storage (bootflash, FTP, TFTP) or exported to the specified TFTP server; otherwise the DHCP binding table is lost after the switch reboots, and devices that already hold a lease will not send a new DHCP request during the lease period. If the switch is also configured with DAI and IP Source Guard, these users will then be unable to access the network.

Note: DHCP DoS attacks such as Gobbler can be blocked by using Port Security to limit the number of source MAC addresses, and DAI and IP Source Guard can also be used against users who assign themselves arbitrary addresses and cause address conflicts. Some more sophisticated DHCP attack tools generate DHCP requests with a single source MAC address but varying DHCP payload information. When DHCP snooping is enabled, the switch compares the source MAC address with the DHCP payload information of requests arriving on untrusted ports and blocks the request if they do not match.
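To make the switch-level checks above concrete, here is an added example (not from the original article or any switch vendor) that models DHCP snooping decisions in Python: server messages on untrusted ports are dropped, CHADDR is compared with the frame's source MAC, untrusted ports are rate limited, and a binding entry is created when a trusted-port ACK answers a pending client request. The message layout, port names and sample traffic are constructed assumptions.

```python
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # RFC 2132 option 53 message types
SERVER_MSGS = {OFFER, ACK}                    # only a DHCP server sends these

@dataclass
class DhcpMsg:
    port: str         # ingress switch port, e.g. "gi1/1" (constructed)
    vlan: int
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address field in the DHCP payload
    msg_type: int
    yiaddr: str = ""  # address the server is offering/acknowledging

@dataclass
class Snooper:
    trusted: set = field(default_factory=set)    # ports toward the legitimate server
    rate_limit: int = 10                          # DHCP packets allowed per untrusted port
    pending: dict = field(default_factory=dict)   # chaddr -> (vlan, client port)
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, vlan, client port)
    counts: dict = field(default_factory=dict)    # port -> DHCP packets seen

    def inspect(self, m: DhcpMsg) -> str:
        # Returns "forward" or "drop:<reason>" and maintains the binding table
        if m.port in self.trusted:
            if m.msg_type == ACK and m.chaddr in self.pending:  # completes client's binding
                vlan, client_port = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = (m.yiaddr, vlan, client_port)
            return "forward"
        if m.msg_type in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"  # rogue DHCP server
        if m.chaddr.lower() != m.src_mac.lower():
            return "drop:chaddr-mismatch"                    # forged CHADDR, Gobbler-style
        self.counts[m.port] = self.counts.get(m.port, 0) + 1
        if self.counts[m.port] > self.rate_limit:
            return "drop:rate-limit"                         # DHCP starvation flood
        if m.msg_type == REQUEST:
            self.pending[m.chaddr] = (m.vlan, m.port)
        return "forward"

def demo():
    # Constructed sample traffic: one legitimate lease, then two rogue/forged messages
    s = Snooper(trusted={"gi1/24"})
    verdicts = [
        s.inspect(DhcpMsg("gi1/1", 10, "000b.db1d.6ccd", "000b.db1d.6ccd", REQUEST)),
        s.inspect(DhcpMsg("gi1/24", 10, "0011.2233.4455", "000b.db1d.6ccd", ACK, "192.168.1.2")),
        s.inspect(DhcpMsg("gi1/2", 10, "00aa.bbcc.dd01", "00aa.bbcc.dd01", OFFER, "10.0.0.9")),
        s.inspect(DhcpMsg("gi1/3", 10, "00aa.bbcc.dd02", "0000.0000.0001", DISCOVER)),
    ]
    return verdicts, s.bindings
```

Running demo() forwards the legitimate request and ACK, records the binding for 000b.db1d.6ccd on gi1/1, and drops the rogue OFFER and the forged-CHADDR DISCOVER.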

2. Solve this problem at the client-server level.

Client processing: on the client host, we can run "arp -s 192.168.2.45 00-01-02-03-04-05" at the command prompt to bind the client's IP and MAC, and run "arp -s 192.168.2.1 00-01-02-6E-3D-2B" to bind the gateway's IP and MAC, or install ARP protection software on the client host to avoid this kind of attack.

Once we find that a client cannot access the Internet properly, we can run "ipconfig /release" at the command prompt to release the incorrect network parameters obtained earlier.

Then run "ipconfig /renew" to send a new request for network parameters to the LAN. If the command returns an error, we can keep running "ipconfig /release" and "ipconfig /renew" from the local system's Run dialog or command prompt until the client workstation obtains valid network parameters.

Server-side processing:

Usually, the ordinary workstations in the LAN run the Windows operating system. In a LAN dominated by Windows workstations, we can use domain management to protect the legitimate DHCP server and at the same time filter out rogue DHCP servers, so that the DHCP server does not hand out wrong network parameters to ordinary workstations. As long as we join the legitimate DHCP server host to the Active Directory of the LAN's domain controller, we can ensure that all ordinary workstations in the LAN automatically obtain correct network parameters from the legitimate DHCP server. This is because when an ordinary workstation in the domain broadcasts a request for network parameters, the legitimate DHCP server in the same domain automatically gets priority in responding to it. Only if the DHCP server in the specified domain does not exist or fails can a rogue DHCP server that has not joined the domain respond to the workstation's request.

Of course, we can also achieve finer management and control by combining domain management with ISA security management. Set up a dedicated DHCP server in the domain that assigns fixed IP addresses to clients based on their MAC addresses, and let the ISA server restrict client permissions through different policy settings; this achieves more granular security management.

Note: domain management has little practical significance for small LANs, because small LANs are almost always in workgroup mode, and a legitimate DHCP server cannot be protected in this way in that mode.

The above is the full content of the article "Example Analysis of DHCP Attack Defense Processing". Thank you for reading! I believe we all now have a certain understanding of the topic, and I hope the content shared here helps you. If you want to learn more, welcome to follow the industry information channel!
