The ports that are not configured as the allowed ports, it immediately discards those messages. Once DHCP snooping is configured, the switch will accept Offer/ACK messages only on the ports that are configured as the allowed (trusted) ports. So we will configure DHCP snooping to allow Offer/ACK messages only on port Fa0/11. In our example, the DHCP server is connected to the port Fa0/11. To understand it in more detail, let's take our example back. This configuration will mitigate the threat of the man-in-middle attack on DHCP servers. Since a DHCP client never uses the Offer and ACK messages, DHCP snooping can be configured to filter these messages on ports that are connected to DHCP clients. From these messages, DHCP clients use Discover and Request messages while DHCP servers use Offer and ACK messages.
How does DHCP snooping protect the network from the man-in-middle attack?ĭHCP uses four different types of messages: Discover, Offer, Request, and ACK. The following image shows how data flows between the client and the default gateway after a man-in-middle attack. But this time, the client receives IP configuration from the attacker's DHCP server. The following image shows the same example network. In this network, the client receives an IP configuration from the DHCP server and uses the received IP configuration to connect to the remote network. The following image shows an example network.
Let's take a simple example to understand how it works. This attack is known as the man-in-middle attack on the DHCP server. Since all packets sent by the client reach the default gateway through the attacker device, the attacker can make a copy of all packets or can steal the sensitive information from the packets. The attacker device reroutes them to the original gateway. When the client uses this modified configuration, all packets sent by the client to the default gateway reach the attacker device. This configuration contains the gateway IP address of the attacker's device instead of the original gateway. The modified IP configuration contains all addresses the same except the gateway IP address. When a DHCP client sends a local broadcast message to obtain an IP configuration, the attacker's device receives this message and lease a modified IP configuration to the client. In such an attack, an attacker configures a replicated DHCP server on his device and connects that device to the local network. The following image shows how DHCP snooping works. Based on its configuration, DHCP snooping either let the message in or discard the message. If an incoming message is related to DHCP, the DHCP snooping uses its logic. If an incoming message is not related to DHCP, the DHCP snooping lets it in. It inspects all incoming messages on the port.
0 kommentar(er)
