
I read about a couple of layer 2 protections against DHCP starvation, MAC and IP spoofing: IP Guard, DHCP snooping and Dynamic ARP Inspection.

Are there any cons or vulnerabilities which enable bypassing them, or are they safe to use?

I have noticed that each record in the DHCP binding table has a time to live and the table itself has a limited size, but I don't see how that can help the attack.

adi

1 Answer


TL;DR: They are safe to use, but it depends on the configuration and implementation of your solution (as you noted, the DHCP binding table could become a problem, since IP Source Guard and ARP Inspection rely on it).

DHCP Snooping with ARP Inspection

ARP Inspection and DHCP Snooping are a great combination together ("supercouple").

As long as you whitelist the trusted ports in your switch, use ARP Inspection (that will prevent MAC spoofing) and a correct static DHCP binding table, you will be pretty safe.

Why is that?

  1. ARP Inspection will ensure that no one can spoof their MAC
  2. DHCP binding table - the ARP Inspection uses the DHCP binding table, by validating the MAC and the
  3. Whitelisting the trusted ports will keep the devices under the switch safe from other machines that try to pretend to be DHCP servers

DHCP binding table and IP Source Guard

Just as with ARP Inspection, this solution also relies on the DHCP binding table.

General Tips

  • If you have a lot of "temp" users in the network, use a short lease in your binding table (as you have mentioned, the table is limited)
  • In order to use ARPI or IP Guard, you have to activate DHCP snooping (and in general, use all three of them together).

user3467955
  • What do you mean by static DHCP binding? And what about sending crafted packets from untrusted ports with both a fake IP and MAC address (which do not currently exist in the LAN) in order to overflow the DHCP binding table; will it work? – adi Apr 18 '20 at 22:37
  • A static DHCP table that is updated manually. If you are spoofing the MAC/IP it won't work, because of the ARPI/IP Guard :) The combination here is the key. In some cases, you can also define a limit for different MAC addresses on a certain port. Read this for more: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html – user3467955 Apr 18 '20 at 22:46
  • Um, ok, spoofing won't work because DAI or IP Guard will compare this couple (the MAC and the IP) to the binding table and check for a mismatch between the couple. So, will using a couple of IP and MAC (neither of them in the table) be dropped too? And yes, limiting the MAC addresses per port is a best practice :) – adi Apr 18 '20 at 22:56
  • Exactly. For example, every unknown IP (== doesn't appear in the binding table) will be filtered by IP Source Guard. – user3467955 Apr 18 '20 at 23:11