Nortel Networks Prevent Rogue DHCP Server Attacks with DHCP Snooping and Spoofing Solutions


Filters and QoS Configuration for ERS 5500


Technical Configuration Guide

v2.0

NN48500-559

10.2 DHCP Attacks

Figure 4: DHCP Attack Example

There are two types of attacks that can occur with DHCP:

An attacker could request multiple IP addresses from a DHCP server by spoofing its source MAC address; this can be done with a tool such as gobbler (http://www.networkpenetration.com/downloads.html). If the attack succeeds, all leases on the DHCP server are exhausted.

The second method is where the network attacker sets up a rogue DHCP server and responds to new DHCP requests from clients on the network. The attacker's DHCP server could be set up to send DHCP responses that use its own address as the default gateway and DNS server. This would let the attacker sniff the client's traffic and carry out a 'man-in-the-middle' attack.

The Ethernet Routing Switch 5500 offers the following solutions to overcome the issues raised above.

DHCP Snooping

The DHCP Snooping QoS Application operates by classifying ports as access (untrusted) and core (trusted) and only allowing DHCP requests from the access ports. All other types of DHCP messages received on access ports are discarded. This prevents rogue DHCP servers from being set up by attackers on access ports and generating DHCP responses that provide the rogue server's address for the default gateway and DNS server, which helps prevent DHCP "man-in-the-middle" attacks. The user must specify the interface type for the ports on which they wish to enable this support.

Based on Figure 4 above, enter the following commands to enable DHCP Snooping:

5530-24TFD(config)#interface fastEthernet all
5530-24TFD(config-if)#qos dhcp snooping port 1-10 interface-type access
5530-24TFD(config-if)#qos dhcp snooping port 24 interface-type core

DHCP Spoofing

Another method that is used to combat rogue DHCP servers is to restrict traffic destined for a client's DHCP port (UDP port 68) to that which originated from a known DHCP server's IP address.

The DHCP Spoofing QoS Application requires the identification of the valid DHCP server address and the ports on which the DHCP Spoofing support should be applied. This installs two policies on these interfaces, which perform the following operations:

1. Pass DHCP traffic originated by the valid DHCP server.

2. Drop DHCP traffic originated by all other hosts.
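Added example, not code from the Nortel guide: a Python model of the two protections described above (DHCP Snooping and DHCP Spoofing), applied to constructed BOOTP/DHCP payloads. The port roles (1-10 access, 24 core, matching the commands above), the server address 10.1.1.5 and the packets are assumptions for illustration.

```python
# Added example, not the Nortel guide's own code: models the two ERS 5500 DHCP
# protections described above on constructed BOOTP/DHCP payloads. Port roles,
# the server address and the packets are assumptions for illustration only.

VALID_DHCP_SERVER = "10.1.1.5"                         # assumed legitimate server
PORT_ROLE = {p: "access" for p in range(1, 11)}        # ports 1-10: access (untrusted)
PORT_ROLE[24] = "core"                                 # port 24: core (trusted)
SPOOF_GUARD_PORTS = set(range(1, 11))                  # ports with DHCP Spoofing applied
BOOTREQUEST, BOOTREPLY = 1, 2                          # BOOTP 'op' values
DHCPDISCOVER, DHCPOFFER = 1, 2                         # DHCP option 53 message types

def build_dhcp(op: int, msg_type: int) -> bytes:
    """Constructed minimal payload: op byte, zero-padded BOOTP header, magic cookie, option 53, end."""
    return bytes([op]) + b"\x00" * 235 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload: bytes):
    """Walk the options area after the 240-byte fixed part and return option 53, if present."""
    opts, i = payload[240:], 0
    while i < len(opts) and opts[i] != 255:            # 255 = end option
        if opts[i] == 0:                               # 0 = pad option, has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            return opts[i + 2]
        i += 2 + length
    return None

def dhcp_snooping(ingress_port: int, payload: bytes) -> str:
    """Access ports may only carry client requests; any server reply arriving there is discarded."""
    if PORT_ROLE.get(ingress_port) == "access" and payload[0] != BOOTREQUEST:
        return "drop"
    return "pass"

def dhcp_spoofing(ingress_port: int, src_ip: str, dst_udp_port: int) -> str:
    """On guarded ports, traffic to the client port (UDP 68) passes only from the valid server."""
    if ingress_port in SPOOF_GUARD_PORTS and dst_udp_port == 68 and src_ip != VALID_DHCP_SERVER:
        return "drop"
    return "pass"

def evaluate(ingress_port: int, src_ip: str, dst_udp_port: int, payload: bytes) -> str:
    """Apply snooping first, then the spoofing policies, naming the rule that dropped the packet."""
    if dhcp_snooping(ingress_port, payload) == "drop":
        return "drop (snooping)"
    if dhcp_spoofing(ingress_port, src_ip, dst_udp_port) == "drop":
        return "drop (spoofing)"
    return "pass"
```

A client DISCOVER on port 3 passes, a rogue OFFER on port 5 is dropped by snooping (and would be dropped by the spoofing policy even without snooping), and an OFFER from 10.1.1.5 on core port 24 passes.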


Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.


External Distribution

