DHCP spoofing attacks
DHCP messages
DHCP Discover: broadcast
DHCP Offer: unicast
DHCP Request: broadcast
DHCP Ack: unicast
On Cisco, all DHCP messages are broadcast
Client source port 68, server port 67.
Untrusted ports must not receive DHCP Offer or DHCP Ack.
Enable DHCP snooping globally
Apply DHCP snooping to a specific VLAN
Configure trusted ports; any port not configured is untrusted
Rate-limit Discover messages on untrusted ports
Configuration:
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping vlan 10,20
int f0/1
description access port
ip dhcp snooping limit rate 50
int f0/24
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
Lab:
sw:
vlan 2
name testvlan2
int range f0/1,f0/2
switchport mode access
switchport access vlan 2
int vlan 2
ip address 10.1.1.254 255.255.255.0
ip dhcp pool vlan2
network 10.1.1.0 255.255.255.0
default-router 10.1.1.254
ip dhcp snooping
ip dhcp snooping vlan 2 (enable DHCP snooping in VLAN 2)
int f0/4
ip dhcp snooping trust (exclude the uplink interface)
ip dhcp snooping information option (enabled by default; Option 82: the switch acts as a relay, the client broadcast is handed to the switch, which inserts Option 82 containing the MAC address of the switch interface)
int f0/1
ip dhcp snooping limit rate 10 (limit to 10 DHCP packets; exceeding the limit shuts the port down)
show ip dhcp snooping
show ip dhcp snooping binding (show the DHCP binding table: MAC address, IP address, lease time, VLAN, interface)
ARP poisoning
DAI: Dynamic ARP Inspection
Relies on the DHCP snooping binding table.
Tracks the entire DHCP exchange
Drops gratuitous ARP packets that do not match
Defends against man-in-the-middle attacks
Defends against scanning attacks
About DAI
Every interface is classified as trusted or untrusted
On trusted interfaces, no ARP packet is validated
Untrusted interfaces are validated against the contents of the DHCP snooping binding table.
PC ports are untrusted, the uplink interface is trusted. Validation is local to the switch only.
Configuration:
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
int f0/1
ip dhcp snooping limit rate 50
int f0/24
description uplink
switchport mode trunk
switchport trunk allowed vlan 10,20
ip dhcp snooping trust
ip arp inspection trust
Lab:
sw:
ip arp inspection vlan 2 (enable ARP inspection in VLAN 2)
int f0/4
ip arp inspection trust (trust the port facing the upstream or connecting device)
arp access-list test
permit ip host 10.1.1.2 mac host 0017.5aa7.2d28 (ARP access list: manual IP-to-MAC mapping)
ip arp inspection filter test vlan 2 (apply the list to ARP inspection in VLAN 2)
int f0/1
ip arp inspection limit rate 10 (limit the number of ARP packets; exceeding the limit shuts the port down)
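To make the DAI decision described above concrete (trusted ports bypass, ARP ACL checked first, then the DHCP snooping binding table, and a per-port rate limit that err-disables the port), here is a small Python model. It is an added example, not from the original notes or from Cisco; the binding table, ARP ACL entries, port names and packets are constructed sample data, and the model matches bindings on MAC, IP and VLAN only.

```python
# Added example (not from the original notes): a model of the Dynamic ARP
# Inspection decision. All data below is constructed sample data.
from collections import defaultdict

# DHCP snooping binding table entries: (mac, ip, vlan, interface)
BINDINGS = {
    ("0017.5aa7.2d28", "10.1.1.2", 2, "f0/2"),
    ("0017.5aa7.1111", "10.1.1.3", 2, "f0/1"),
}
# ARP ACL "test": static IP-to-MAC mappings, consulted before the binding table
ARP_ACL = {("0017.5aa7.2d28", "10.1.1.2")}
TRUSTED = {"f0/4"}   # uplink: never inspected
RATE_LIMIT = 10      # ARP packets allowed per interval on an untrusted port


class DAI:
    def __init__(self):
        self.counts = defaultdict(int)   # ARP packets seen per untrusted port
        self.errdisabled = set()         # ports shut down by the rate limit

    def inspect(self, iface, vlan, sender_mac, sender_ip):
        """Return 'permit', 'drop' or 'errdisable' for one ARP packet."""
        if iface in self.errdisabled:
            return "errdisable"          # port already shut down
        if iface in TRUSTED:
            return "permit"              # trusted ports are not validated
        self.counts[iface] += 1
        if self.counts[iface] > RATE_LIMIT:
            self.errdisabled.add(iface)  # exceeding the limit shuts the port
            return "errdisable"
        if (sender_mac, sender_ip) in ARP_ACL:
            return "permit"              # manual mapping wins
        for mac, ip, v, _iface in BINDINGS:
            if (mac, ip, v) == (sender_mac, sender_ip, vlan):
                return "permit"          # matches a DHCP-learned binding
        return "drop"                    # unknown mapping: treated as poisoned ARP


if __name__ == "__main__":
    dai = DAI()
    # A host on f0/1 claiming the gateway's address is dropped
    print(dai.inspect("f0/1", 2, "0017.5aa7.1111", "10.1.1.254"))
```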
IP Source Guard: defends against IP address spoofing
Also based on the DHCP snooping binding table
Combined with port security, it can filter both IP and MAC spoofing.
Lab:
sw:
int f0/1
switchport port-security
ip verify source port-security (filter on IP and MAC)
show ip verify source
ip source binding 0017.5aa7.2d28 vlan 2 10.1.1.2 int f0/2 (if the binding table has no entry, enter the ip source binding manually)
int f0/2
ip verify source (filter on IP address only)
Even if the DHCP snooping binding table is not used and every binding is entered manually, ip dhcp snooping and ip dhcp snooping vlan 2 must still be configured.