Unit 7: DHCP, DNS, and Switch Attacks and Mitigations 7.1 DHCP, DNS, and Switch Attacks and Mitiga...

mac2022-06-30  26

>> DHCP - Dynamic Host Configuration Protocol allows clients to automatically get leases on IP addresses and other configuration parameters without having to be manually configured. Most DHCP servers in a company are on a subnet with other servers, like DNS servers. In other words, clients are not going to be on the same subnet as their servers. In the world of DHCP, relay agents take the DHCP discover broadcasts, turn them into unicasts, and send them to the DHCP servers, who send the DHCP offers back to the relay agents, who relay them back to the clients. If a client gets multiple offers, as there should be more than one DHCP server, or any server for that matter, for fault tolerance and load balancing, usually the first offer is accepted.

You could imagine that if there was a DHCP server on a client's subnet that heard the DHCP discover broadcast, it would send a DHCP offer in response a lot quicker than the actual DHCP servers, which have to wait for the relay agent's traffic to be routed across multiple hops and then back again. Therefore, an attacker can place a nefarious, insidious rogue DHCP server on a subnet to respond to DHCP discover messages. The rogue DHCP server will answer a DHCP discover with a DHCP offer containing the normal information given out to the clients in that autonomous system with one small difference. It lists itself as the default gateway. When clients need to send traffic off their network, and need the MAC address of their default gateway, they will now ARP for the MAC address of the attacker, thinking that the attacker IP address is the actual gateway IP address. All remote traffic will be sent directly to the attacker, who can sniff the packets, perform a man-in-the-middle attack, and perform reconnaissance.

There are a bunch of programs to detect the presence of a rogue DHCP server, and they all really follow the same algorithm. Send a DHCP discover message, and check if any DHCP offers come back from IP addresses not in an authorized DHCP servers' list.

To mitigate this attack, we can implement the security mechanism known as DHCP snooping at the layer 2 switch. When DHCP snooping is enabled, switch ports are put into one of two categories, trusted or untrusted. It's really very simple, the switch ports that DHCP servers connect to, both directly and indirectly, including switch ports that routers are connected to, are labeled as trusted ports. Every other switch port connected to a host is labeled "untrusted." Think back to DHCP's DORA. Discover, Offer, Request, and Ack. Clients send DHCP discover broadcast datagrams into the switch, which floods any broadcast out of all ports, except the port on which the message originated. Now, here's the kicker. DHCP offers coming from an untrusted port are dropped, since there should be no legitimate DHCP servers connected to that port. Furthermore, the switch port automatically shuts down. DHCP offers coming from a trusted port are treated as they always are, sent in most cases as unicast messages to the systems that sent the DHCP discovers. DHCP snooping also keeps track of the completed DHCP bindings, when DORA completes. Included in this database are client MAC address, client IP address, lease time, interface, and more.
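The two defender-side mechanisms the transcript describes, the rogue-offer check (compare the server identifier in each DHCP offer against an authorized list) and DHCP snooping (accept server-side messages only on trusted ports, shut down an offending untrusted port, record completed bindings), as one added example that is not part of the original transcript or any course material. The DHCP datagrams, addresses (authorized server 10.0.9.10, rogue 10.0.1.66, gateway 10.0.1.1), port names (Gi0/3, Gi0/7, Gi0/24) and the `SnoopingSwitch` model are all constructed for illustration; the packet builder and parser follow the BOOTP/DHCP wire layout but only handle the options this scenario needs.

```python
import struct
from ipaddress import IPv4Address

# BOOTP header layout (RFC 2131), 236 bytes, followed by the DHCP magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # DORA message types


def build_dhcp(msg_type, xid, client_mac, yiaddr="0.0.0.0",
               server_id=None, router=None, lease=None):
    """Build a minimal DHCP datagram (constructed test input, not a real capture)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    if router:
        opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    if lease is not None:
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(data):
    """Parse the header fields and option TLVs into a dict."""
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, data[:236])
    msg = {"xid": f[4], "yiaddr": str(IPv4Address(f[8])),
           "chaddr": ":".join(f"{b:02x}" for b in f[11][:6]), "options": {}}
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                 # pad option, no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def msg_type(msg):
    return msg["options"].get(OPT_MSG_TYPE, b"\0")[0]


def rogue_offers(offers, authorized_servers):
    """Detection step from the transcript: report every OFFER whose server
    identifier (option 54) is not authorized, with the gateway it advertises."""
    rogues = []
    for raw in offers:
        m = parse_dhcp(raw)
        if msg_type(m) != OFFER:
            continue
        server = str(IPv4Address(m["options"][OPT_SERVER_ID]))
        gateway = str(IPv4Address(m["options"][OPT_ROUTER]))
        if server not in authorized_servers:
            rogues.append((server, gateway))
    return rogues


class SnoopingSwitch:
    """Model of DHCP snooping: OFFER/ACK accepted only on trusted ports, an
    offending untrusted port is shut down, completed DORA fills the binding table."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.shutdown = set()
        self.client_port = {}   # xid -> port the client's DISCOVER/REQUEST arrived on
        self.bindings = {}      # client MAC -> (IP, lease seconds, client port)

    def ingress(self, port, raw):
        """Return True if the switch forwards the datagram, False if it drops it."""
        if port in self.shutdown:
            return False
        m = parse_dhcp(raw)
        t = msg_type(m)
        if t in (OFFER, ACK):
            if port not in self.trusted:    # no legitimate server lives here
                self.shutdown.add(port)
                return False
            if t == ACK and OPT_LEASE in m["options"]:
                lease = struct.unpack("!I", m["options"][OPT_LEASE])[0]
                self.bindings[m["chaddr"]] = (m["yiaddr"], lease,
                                              self.client_port.get(m["xid"]))
        elif t in (DISCOVER, REQUEST):
            self.client_port[m["xid"]] = port
        return True


def demo():
    """Run the rogue-server scenario with constructed addresses and ports."""
    mac, xid = "aa:bb:cc:dd:ee:01", 0x1234
    authorized = {"10.0.9.10"}   # the real DHCP server, on the server subnet
    discover = build_dhcp(DISCOVER, xid, mac)
    real_offer = build_dhcp(OFFER, xid, mac, "10.0.1.50", "10.0.9.10", "10.0.1.1", 3600)
    rogue_offer = build_dhcp(OFFER, xid, mac, "10.0.1.51", "10.0.1.66", "10.0.1.66", 3600)
    request = build_dhcp(REQUEST, xid, mac)
    ack = build_dhcp(ACK, xid, mac, "10.0.1.50", "10.0.9.10", "10.0.1.1", 3600)
    detected = rogue_offers([real_offer, rogue_offer], authorized)
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})   # uplink toward router / relay
    forwarded = [sw.ingress("Gi0/3", discover),     # client port, untrusted
                 sw.ingress("Gi0/7", rogue_offer),  # rogue server port, untrusted
                 sw.ingress("Gi0/24", real_offer),
                 sw.ingress("Gi0/3", request),
                 sw.ingress("Gi0/24", ack)]
    return detected, forwarded, sw.shutdown, sw.bindings


if __name__ == "__main__":
    print(demo())
```

Running `demo()` flags the rogue offer (server 10.0.1.66 advertising itself as the gateway), shows the snooping switch dropping that same offer on untrusted port Gi0/7 and shutting the port, and ends with one binding for the client MAC recording its leased address, lease time and the port it sits on, which is the data a real snooping binding table holds.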

Reposted from: https://www.cnblogs.com/sec875/articles/10028778.html
