Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
topology:
DHCP Server configuration:
dhcp enable
#
ip pool users
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 192.168.0.1 255.255.255.0
dhcp select global
#
Note: This configuration is enough for the clients to get an ip address due to the default configuration of Huawei Switches. All ports are assigned to VLAN 1 and they are configured as hybrid, an hybrid port can either be access or trunk.
The Default configuration poses a threat to the network since anyone with access to the switches can plug a device on to the network or even worst plug a rogue dhcp server a take over the network.
To protect the network against this type of attacks, it is advisable to configure a vlan, assign used ports to that vlan and shutdown all the unused ports or assign unused ports to a vlan that should only be used for unused ports.
Switch configuration:
[SW1] vlan batch 10 99
[SW1] interface GigabitEthernet0/0/24
[SW1-GigabitEthernet0/0/24] port link-type trunk
[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan 10
[SW1-GigabitEthernet0/0/24] interface GigabitEthernet0/0/23
[SW1-GigabitEthernet0/0/23] port link-type access
[SW1-GigabitEthernet0/0/23] port default vlan 10
[SW1-GigabitEthernet0/0/23] interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1] port link-type access
[SW1-GigabitEthernet0/0/1] port default vlan 10
[SW2] vlan batch 10 99
[SW2] interface GigabitEthernet0/0/24
[SW2-GigabitEthernet0/0/24] port link-type trunk
[SW2-GigabitEthernet0/0/24] port trunk allow-pass vlan 10
[SW2-GigabitEthernet0/0/24] interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1] port link-type access
[SW2-GigabitEthernet0/0/1] port default vlan 10
[SW2-GigabitEthernet0/0/1] interface GigabitEthernet0/0/2
[SW2-GigabitEthernet0/0/2] port link-type access
[SW2-GigabitEthernet0/0/2] port default vlan 10
Now create a port group to configure all unused ports at once.
[SW1]port-group unused
[SW1-port-group-unused] group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/22
[SW1-port-group-unused] port link-type access
[SW1-port-group-unused] port default vlan 99
[SW1-port-group-unused] shutdown
[SW2]port-group unused
[SW2-port-group-unused] group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/23
[SW2-port-group-unused] port link-type access
[SW2-port-group-unused] port default vlan 99
[SW2-port-group-unused] shutdown
With this configuration a malicious user will not have access to any resources on the network upon connecting a device to an available port, but the network is not yet protected against rogue dhcp server attacks, because a malicious user can swap a connected device with bogus dhcp server. To protected against this type of attacks dhcp snooping must be enable on both switches, and a trusted interface must be configured as well (trusted interfaces allow dhcp traffic from the server to the client and and the other way around). In this topology the dhcp server is connected to port GigabitEthernet0/0/23 on SW1 and on SW2 port GigabitEthernet0/0/24 must be configured as trusted as well.
[SW1] dhcp enable
[SW1] dhcp snooping enable
[SW1] vlan 10
[SW1-vlan10] dhcp snooping enable
[SW1-vlan10] quit
[SW1] interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23] dhcp snooping trusted
[SW2] dhcp enable
[SW2] dhcp snooping enable
[SW2] vlan 10
[SW2-vlan10] dhcp snooping enable
[SW2-vlan10] quit
[SW2] interface GigabitEthernet 0/0/24
[SW2-GigabitEthernet0/0/24] dhcp snooping trusted
Note: If a trusted interface is not configured on SW2, DHCP Discovery packets will be discarded as soon as they arrive to the switch, because there is no trusted interface to forward this packets to.
The network is now protected agaisnt dhcp rogue server attacks, but there are other attacks that can be executed on the network such as DHCP flood attacks, bogus DHCP messages and DHCP starvation attack.
A DHCP flood attack works by sending a large number of DHCP messages to a device within a short period of time, this will impact on the performance and the device might not work as normally. To prevent this type of attack its a good idea to enable the rate limit of packets per second that will enter the switch.
[SW1] dhcp snooping check dhcp-rate enable
[SW1] dhcp snooping check dhcp-rate 25
[SW2] dhcp snooping check dhcp-rate enable
[SW2] dhcp snooping check dhcp-rate 25
In a bogus DHCP message attack the attacker sends a DHCP request message to the DHCP server, the ip address cannot be released after the lease time expires and legit users are unable to use those ip addresses, also the attacker might send a DHCP release message causing the legit user or users to go offline. This can be prevented by configuring the switch to check whether the DHCP requests or release messages macthes entries in the binding table. Only DHCP messages that match entries can be forward. This prevents malicious users form sending bogus DHCP request or release messages.
[SW1] vlan 10
[SW1-vlan10] dhcp snooping check dhcp-request enable
[SW2] vlan 10
[SW2-vlan10] dhcp snooping check dhcp-request enable
In a DHCP starvation attack a malicious user broadcast DHCP requests with a spoofed mac-address. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP server for a period of time causing legit users to unable to receive an ip address. To stop this kind of attacks a switch can be configured to check whether the mac-address in the ethernet frame match the CHADDR field in the DHCP message (CHADDR field is where the dhcp server identify the mac-address of the client). If the two values match the message is forward otherwise is discarded. Also the maximum number of access users allowed on the switch or interface must be set.
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] dhcp snooping max-user-number 1
[SW1-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SW2] interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] dhcp snooping max-user-number 1
[SW2-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable