CCNP Routing and Switching SWITCH 300-115 Official Cert Guide (2015)

Part VII. Securing Switched Networks

Chapter 21. Preventing Spoofing Attacks

This chapter covers the following topics that you need to master for the CCNP SWITCH exam:

DHCP Snooping: This section covers a method to prevent rogue DHCP servers from appearing on your network and disrupting service to your users.

IP Source Guard: This section discusses a mechanism you can leverage to detect and suppress hosts that use spoofed IP addresses to attack a network.

Dynamic ARP Inspection: This section explains how you can configure a switch to detect and mitigate ARP spoofing attacks.

Catalyst switches can detect and prevent certain types of attacks. This chapter discusses several features that you can use to validate information passing through a switch so that spoofed addresses cannot be used to compromise hosts.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt based on your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 21-1 outlines the major headings in this chapter and the “Do I Know This Already?” quiz questions that go with them. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 21-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

1. DHCP snooping helps mitigate which one of the following spoofed parameters?

a. Subnet mask

b. Gateway address

c. DNS address

d. DHCP request

2. With DHCP snooping, an untrusted port filters out which one of the following?

a. DHCP replies from legitimate DHCP servers

b. DHCP replies from rogue DHCP servers

c. DHCP requests from legitimate clients

d. DHCP requests from rogue clients

3. Which two of the following methods does a switch use to detect spoofed addresses when IP Source Guard is enabled?

a. ARP entries

b. DHCP database

c. DHCP snooping database

d. Static IP source binding entries

e. Reverse path-forwarding entries

4. Which one of the following commands should you use to enable IP Source Guard on a switch interface?

a. ip source-guard

b. ip guard source

c. ip verify source

d. ip source spoof

5. Dynamic ARP Inspection helps mitigate an attack based on which one of the following parameters within an ARP reply packet?

a. Source IP address

b. MAC address

c. Destination IP address

d. Sequence number

6. Which one of the following should be configured as a trusted port for dynamic ARP inspection?

a. The port where the ARP server is located.

b. The port where an end-user host is located.

c. The port where another switch is located.

d. None; all ports are untrusted.

Foundation Topics

Malicious users sometimes can send spoofed information to trick switches or other hosts into using a rogue machine as a gateway. The attacker’s goal is to become the man in the middle, with a naive user sending packets to the attacker as if it were a router. The attacker can glean information from the packets sent to it before it forwards them normally. This section describes three Cisco Catalyst features—DHCP snooping, IP Source Guard, and dynamic ARP inspection—that prevent certain types of spoofing attacks.

DHCP Snooping

A Dynamic Host Configuration Protocol (DHCP) server normally provides all the basic information a client PC needs to operate on a network. For example, the client might receive an IP address, a subnet mask, a default gateway address, DNS addresses, and so on.

Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.

When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker’s machine first. The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client does not realize it.

Cisco Catalyst switches can use the DHCP snooping feature to help mitigate this type of attack. When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must have come from a rogue DHCP server. In addition, the offending switch port automatically is shut down in the errdisable state.

DHCP snooping also keeps track of the completed DHCP bindings as clients receive legitimate replies. This database contains the client MAC address, IP address offered, lease time, and so on.

You can configure DHCP snooping first by enabling it globally on a switch with the following configuration command:

Switch(config)# ip dhcp snooping

Next identify the VLANs where DHCP snooping should be implemented with the following command:

Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]

You can give a single VLAN number as vlan-id or a range of VLAN numbers by giving the start and end VLAN IDs of the range.

By default, all switch ports are assumed to be untrusted so that DHCP replies are not expected or permitted. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify only the ports where known, trusted DHCP servers are located. You can do this with the following interface configuration command:

Switch(config)# interface type member/module/number
Switch(config-if)# ip dhcp snooping trust

For untrusted ports, an unlimited rate of DHCP requests is accepted. If you want to rate-limit DHCP traffic on an untrusted port, use the following interface configuration command:

Switch(config)# interface type member/module/number
Switch(config-if)# ip dhcp snooping limit rate rate

The rate can be 1 to 2048 DHCP packets per second.

You also can configure the switch to use DHCP option-82, the DHCP Relay Agent Information option, which is described in RFCs 3046 and 6607. When a DHCP request is intercepted on an untrusted port, the switch adds its own MAC address and the switch port identifier into the option-82 field of the request. The request then is forwarded normally so that it can reach a trusted DHCP server.

Adding option-82 provides more information about the actual client that generated the DHCP request. In addition, the DHCP reply (if any) echoes back the option-82 information. The switch intercepts the reply and compares the option-82 data to confirm that the request came from a valid port on itself. This feature is enabled by default. You can enable or disable option-82 globally with the following configuration command:

Switch(config)# [no] ip dhcp snooping information option

When DHCP snooping is configured, you can display its status with the following command:

Switch# show ip dhcp snooping [binding]

You can use the binding keyword to display all the known DHCP bindings that have been overheard. The switch maintains these in its own database. Otherwise, only the switch ports that are trusted or that have rate limiting applied are listed. All other ports are considered to be untrusted with an unlimited DHCP request rate.

As an example, interfaces Gigabit Ethernet 1/0/35 and 1/0/36 use access VLAN 104, are considered untrusted, and have DHCP rate limiting applied at three per second. A known DHCP server is located on the Gigabit Ethernet 1/1/1 uplink. Example 21-1 shows the configuration for this scenario.

Example 21-1 DHCP Snooping Configuration


Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 104
Switch(config)# interface range gigabitethernet 1/0/35 - 36
Switch(config-if)# ip dhcp snooping limit rate 3
Switch(config-if)# interface gigabitethernet 1/1/1
Switch(config-if)# ip dhcp snooping trust


Example 21-2 shows the resulting DHCP snooping status.

Example 21-2 DHCP Snooping Status Display


Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
104
Insertion of option 82 is enabled
Interface                Trusted  Rate limit (pps)
------------------------ -------  ----------------
GigabitEthernet1/0/35    no       3
GigabitEthernet1/0/36    no       3
GigabitEthernet1/1/1     yes      unlimited
Switch#


IP Source Guard

Address spoofing is one type of attack that can be difficult to mitigate. Normally, a host is assigned an IP address and is expected to use that address in all the traffic it sends out. IP addresses are effectively used on the honor system, where hosts are trusted to behave themselves and use their own legitimate source addresses.

A rogue or compromised host PC does not necessarily play by those rules. It can use its legitimate address, or it can begin to use spoofed addresses—borrowed from other hosts or used at random. Spoofed addresses are often used to disguise the origin of denial-of-service attacks. If the source address does not really exist, no return traffic will find its way back to the originator.

Routers or Layer 3 devices can perform some simple tests to detect spoofed source addresses in packets passing through. For example, if the 10.10.0.0 network is known to exist on VLAN 10, packets entering from VLAN 20 should never have source addresses in that subnet.

However, it is difficult to detect spoofed addresses when they are used inside the VLAN or subnet where they should already exist. For example, within the 10.10.0.0 network on VLAN 10, as shown in Figure 21-1, a rogue host begins to send packets with a spoofed source address of 10.10.10.10. The 10.10.10.10 address is certainly within the 10.10.0.0/16 subnet, so it does not stand out as an obvious spoof. Therefore, the rogue host might be very successful in attacking other hosts in its own subnet or VLAN.

Figure 21-1 Using a Spoofed Address Within a Subnet

Cisco Catalyst switches can use the IP source guard feature to detect and suppress address spoofing attacks—even if they occur within the same subnet. A Layer 2 switch, and a Layer 2 port in turn, normally learns and stores MAC addresses. The switch must have a way to look up MAC addresses and find out what IP addresses are associated with them.

IP Source Guard does this by making use of the DHCP snooping database and static IP source binding entries. If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP. Packets arriving on a switch port can be tested for one of the following conditions:

The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port access control list (ACL) is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.

The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter traffic.

If the address is something other than the one learned or statically configured, the switch drops the packet.
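The DHCP snooping behaviour described earlier (trusted and untrusted ports, replies from untrusted ports, request rate limiting, the bindings database) and the two IP Source Guard checks just listed, modelled together as an added Python example; this is not Cisco code, and the port names, VLAN numbers, MAC addresses and IP addresses in it are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of DHCP snooping and IP Source Guard (not Cisco code);
# all port names, MACs and IP addresses are made-up sample values.

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    source: str        # "dhcp-snooping" (learned) or "static" (ip source binding)

@dataclass
class Switch:
    snooping_vlans: set = field(default_factory=set)   # ip dhcp snooping vlan ...
    trusted: set = field(default_factory=set)          # ip dhcp snooping trust
    rate_limit: dict = field(default_factory=dict)     # ip dhcp snooping limit rate
    errdisabled: set = field(default_factory=set)
    bindings: list = field(default_factory=list)
    requests_this_second: dict = field(default_factory=lambda: defaultdict(int))

    def dhcp_request(self, in_port, vlan):
        """A client request arriving on in_port; returns the action taken."""
        if in_port in self.errdisabled:
            return "drop-errdisable"
        if vlan not in self.snooping_vlans or in_port in self.trusted:
            return "forward"
        self.requests_this_second[in_port] += 1
        limit = self.rate_limit.get(in_port)             # None means unlimited
        if limit is not None and self.requests_this_second[in_port] > limit:
            return "drop-rate-limit"
        return "forward"

    def dhcp_reply(self, in_port, vlan, client_mac, offered_ip, client_port):
        """A server reply arriving on in_port, addressed to a client on client_port."""
        if vlan in self.snooping_vlans:
            if in_port not in self.trusted:
                self.errdisabled.add(in_port)    # reply on an untrusted port: rogue server
                return "drop-errdisable"
            # Legitimate lease completed: record it in the snooping bindings database.
            self.bindings.append(
                Binding(client_mac, offered_ip, vlan, client_port, "dhcp-snooping"))
        return "forward"

    def ip_source_binding(self, mac, vlan, ip, port):
        """ip source binding <mac> vlan <vlan> <ip> interface <port>"""
        self.bindings.append(Binding(mac, ip, vlan, port, "static"))

    def ip_verify_source(self, port, src_ip, src_mac=None, port_security=False):
        """IP Source Guard decision for a packet received on port: True = pass."""
        for b in self.bindings:
            if b.port != port or b.ip != src_ip:
                continue                         # not the address bound to this port
            if port_security and b.mac != src_mac:
                continue                         # MAC check requested and it differs
            return True
        return False                             # no binding matches: packet is dropped
```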

To configure IP Source Guard, first configure and enable DHCP snooping, as presented in the previous section. If you want IP Source Guard to detect spoofed MAC addresses, you also need to configure and enable port security.

For the hosts that do not use DHCP, you can configure a static IP source binding with the following configuration command:

Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type member/module/number

Here, the host’s MAC address is bound to a specific VLAN and IP address, and is expected to be found on a specific switch interface.

Next, enable IP source guard on one or more switch interfaces with the following configuration commands:

Switch(config)# interface type member/module/number
Switch(config-if)# ip verify source [port-security]

The ip verify source command inspects the source IP address only. You can add the port-security keyword to inspect the source MAC address, too.

To verify the IP source guard status, you can use the following EXEC command:

Switch# show ip verify source [interface type member/module/number]

If you need to verify the information contained in the IP source binding database, either learned or statically configured, you can use the following EXEC command:

Switch# show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface type member/mod/num] [vlan vlan-id]

Dynamic ARP Inspection

Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question. If any other host is using that IP address, it responds with an ARP reply containing its MAC address.

The ARP process works well among trusted and well-behaved users. However, suppose that an attacker could send its own crafted ARP reply when it overhears an ARP request being broadcast. The reply could contain its own MAC address, causing the original requester to think that it is bound to the IP address in question. The requester would add the bogus ARP entry into its own ARP cache, only to begin forwarding packets to the spoofed MAC address.

In effect, this scheme places the attacker’s machine right in the middle of an otherwise legitimate path. Packets will be sent to the attacker instead of another host or the default gateway. The attacker can intercept packets and (perhaps) forward them on only after examining the packets’ contents.

This attack is known as ARP poisoning or ARP spoofing, and it is considered to be a type of man-in-the-middle attack. The attacker wedges into the normal forwarding path, transparent to the end users. Cisco Catalyst switches can use the dynamic ARP inspection (DAI) feature to help mitigate this type of attack.

DAI works much like DHCP snooping. All switch ports are classified as trusted or untrusted. The switch intercepts and inspects all ARP packets that arrive on an untrusted port; no inspection is done on trusted ports.

When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply packet against known and trusted values. A switch can gather trusted ARP information from statically configured entries or from dynamic entries in the DHCP snooping database. In the latter case, DHCP snooping must be enabled in addition to DAI.

If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated. This action prevents invalid or spoofed ARP entries from being sent and added to other machines’ ARP caches.

You can configure DAI by first enabling it on one or more client VLANs with the following configuration command:

Switch(config)# ip arp inspection vlan vlan-range

The VLAN range can be a single VLAN ID, a range of VLAN IDs separated by a hyphen, or a list of VLAN IDs separated by commas.

By default, all switch ports associated with the VLAN range are considered to be untrusted. You should identify trusted ports as those that connect to other switches. In other words, the local switch will not inspect ARP packets arriving on trusted ports; it will assume that the neighboring switch also is performing DAI on all of its ports in that VLAN. Configure a trusted port with the following interface configuration command:

Switch(config)# interface type member/module/number
Switch(config-if)# ip arp inspection trust

If you have hosts with statically configured IP address information, there will be no DHCP message exchange that can be inspected. Instead, you can configure an ARP access list that defines static MAC-IP address bindings that are permitted. Use the following configuration commands to define the ARP access list and one or more static entries:

Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit

Now the ARP access list must be applied to DAI with the following configuration command:

Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]

When ARP replies are intercepted, their contents are matched against the access list entries first. If no match is found, the DHCP snooping bindings database is checked next. You can give the static keyword to prevent the DHCP bindings database from being checked at all. In effect, this creates an implicit deny statement at the end of the ARP access list; if no match is found in the access list, the ARP reply is considered invalid.

Finally, you can specify further validations on the contents of ARP reply packets. By default, only the MAC and IP addresses contained within the ARP reply are validated. This does not take into account the actual MAC addresses contained in the Ethernet header of the ARP reply.

To validate that an ARP reply packet is really coming from the address listed inside it, you can enable DAI validation with the following configuration command:

Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Be sure to specify at least one of the options:

src-mac: Check the source MAC address in the Ethernet header against the sender MAC address in the ARP reply.

dst-mac: Check the destination MAC address in the Ethernet header against the target MAC address in the ARP reply.

ip: Check the sender’s IP address in all ARP requests; check the sender’s IP address against the target IP address in all ARP replies.
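The DAI decision sequence described above (trusted ports skipped, optional src-mac, dst-mac and ip validation, ARP access list checked before the DHCP snooping bindings, and the static keyword turning a miss into a deny), modelled as an added Python example; this is not Cisco code. The 192.168.1.10 / 0006.5b02.a841 entry comes from Example 21-3; the other port names and addresses are constructed sample values, and the particular addresses treated as invalid by the ip check are an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of dynamic ARP inspection (not Cisco code); the port
# names and most addresses are made-up sample values.

@dataclass
class ArpReply:
    in_port: str
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str

class Dai:
    def __init__(self, vlans, trusted=(), validate=()):
        self.vlans = set(vlans)            # ip arp inspection vlan ...
        self.trusted = set(trusted)        # ip arp inspection trust
        self.validate = set(validate)      # ip arp inspection validate src-mac dst-mac ip
        self.arp_acl = {}                  # vlan -> (permitted (ip, mac) pairs, static flag)
        self.dhcp_bindings = set()         # (vlan, ip, mac) learned by DHCP snooping
        self.log = []

    def filter(self, permitted, vlan, static=False):
        """ip arp inspection filter <acl> vlan <vlan> [static]"""
        self.arp_acl[vlan] = (set(permitted), static)

    def _drop(self, r, reason):
        self.log.append(f"DAI: dropped ARP reply on {r.in_port} vlan {r.vlan}: {reason}")
        return "drop"

    def _bad_ip(self, ip):
        # Assumption for this model: 0.0.0.0, broadcast and multicast senders are invalid.
        a = ipaddress.ip_address(ip)
        return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"

    def inspect(self, r):
        """Decide whether an ARP reply is forwarded or dropped."""
        if r.vlan not in self.vlans or r.in_port in self.trusted:
            return "forward"                              # trusted port: not inspected
        if "src-mac" in self.validate and r.eth_src != r.sender_mac:
            return self._drop(r, "Ethernet source MAC differs from ARP sender MAC")
        if "dst-mac" in self.validate and r.eth_dst != r.target_mac:
            return self._drop(r, "Ethernet destination MAC differs from ARP target MAC")
        if "ip" in self.validate and self._bad_ip(r.sender_ip):
            return self._drop(r, f"invalid sender IP {r.sender_ip}")
        permitted, static = self.arp_acl.get(r.vlan, (set(), False))
        if (r.sender_ip, r.sender_mac) in permitted:
            return "forward"                              # ARP access list matched first
        if not static and (r.vlan, r.sender_ip, r.sender_mac) in self.dhcp_bindings:
            return "forward"                              # then the DHCP snooping database
        return self._drop(r, f"{r.sender_ip} is not bound to {r.sender_mac}")
```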

Example 21-3 demonstrates where DAI is enabled for all switch ports associated with VLAN 104 on an access layer switch. The uplink to a distribution switch (Gigabit Ethernet 1/0/49) is considered to be trusted.

Example 21-3 Configuring DAI to Validate ARP Replies


Switch(config)# ip arp inspection vlan 104
Switch(config)# arp access-list StaticARP
Switch(config-acl)# permit ip host 192.168.1.10 mac host 0006.5b02.a841
Switch(config-acl)# exit
Switch(config)# ip arp inspection filter StaticARP vlan 104
Switch(config)# interface gigabitethernet 1/0/49
Switch(config-if)# ip arp inspection trust


You can display DAI status information with the show ip arp inspection command.

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 21-2 lists a reference of these key topics and the page numbers on which each is found.

Table 21-2 Key Topics for Chapter 21

Complete Tables and Lists from Memory

There are no memory tables in this chapter.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

DHCP snooping

ARP poisoning (also known as ARP spoofing)

dynamic ARP inspection (DAI)

Use Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should remember the basic keywords that are needed.

To test your memory of the configuration commands presented in this chapter, cover the right side of Tables 21-3 through 21-5 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 21-3 DHCP Snooping Configuration Commands

Table 21-4 IP Source Guard Configuration Commands

Table 21-5 Dynamic ARP Inspection Configuration Commands