02-18-2014 12:43 AM
A customer I'm working with had a particular concern regarding DHCP consumption attacks. I did a bit of research, but I've got a couple of gaps I'd be interested in views on.
In the first instance, you'd expect this kind of attack to come from a tool such as Yersinia. Having not tried it yet (and the online info seems lacking in some detail), my assumption is that this particular tool works by randomising the MAC within the inner DHCP request itself, rather than the real outer MAC of the frame. Does anybody know if this is the case?
If that's correct, the Cisco recommendations look sensible in terms of DHCP snooping and DAI (both possible for this customer). Add to that I was considering enabling "Prevent DHCP exhaustion" on the controller for a bit extra protection. This did get me thinking along a couple of other lines though.
Firstly, I can go and read all the release notes, but does anybody know if we can now safely use ARP spoofing prevention in 126.96.36.199? I know there were some challenges with this before. I'm assuming this works similarly to IP spoofing prevention (first come first served kind of thing)?
Second, does anybody know of any exploits that involve DHCP crafting that actually does alter the real client MAC? I.e. hundreds of crafted DHCP requests from different MACs, with the origin of the same client device? This sounds horrible. If this could be done, do we have any features to combat it? It strikes me this might have to be an RFP centric feature?