DHCP and DNS Security

Using DHCP Securely

There is no such thing as secure DHCP. You'll see it over and over again in this chapter. However, there are ways to make a DHCP-based network a little more resistant to attack. There are several keys to doing this.

First, we must examine the common attack vectors against DHCP. Then we'll examine the countermeasures. And finally, we can look at the system overall and determine whether it's secure enough for our specific needs. If not, there is one simple answer: do not use DHCP. Manually configuring TCP/IP on client computers remains a viable option, and many companies throughout the world do it today. Although it incurs a fairly high TCO and requires a significantly larger IT staff, manual configuration is not without its place.

Overriding all our concerns about DHCP is one basic assumption. To mount a DHCP-based attack of any type, an intruder must have initial access to your network. That is, to hijack clients by sending DHCP Offers, the attacker must put his own computer with a DHCP server on your network. The same is true for all other attack vectors. So one way to help thwart DHCP-based attacks is to tightly control network access. This is discussed throughout the book, but especially in Chapter 14.

TIP: All the procedures listed here assume DHCP is already installed on the computer. Installation and normal operation of DHCP are beyond the scope of this book.

Configuring DHCP for proper administration

Windows Server 2003 provides a user group called DHCP Administrators. This group contains all user accounts that are authorized to modify DHCP settings. The membership for this group should be tightly controlled and audited to ensure that no unauthorized users are added to it. This will help prevent both accidental and intentional misconfigurations and help prevent security incidents and denial-of-service occurrences.

Monitoring DHCP for DoS attacks

The first and simplest attack against DHCP is to lease all the addresses in its database. As discussed earlier, leasing all the addresses is a fairly simple attack that causes a denial of service by stopping legitimate computers from obtaining DHCP addresses.

A DHCP denial-of-service attack cannot be truly prevented. However, it can be detected early and stopped in its tracks. To do this, you must monitor DHCP. Monitoring DHCP can show you how many leases have been issued over time and can indicate an attack by showing a massive spike or prolonged above-average lease requests. You can also monitor servers to determine when their percentage of available addresses falls below a predetermined threshold, perhaps 5%. Either of these statistics could indicate a DHCP-focused attack.

To monitor DHCP, you can use the DHCP MMC snap-in, the System Monitor tool, or the Performance Logs and Alerts snap-in. Both the DHCP and System Monitor tools give great snapshots of what's happening with the server at that moment. However, they're not as useful for gathering data over time and identifying trends. To do that, we'll need to use Performance Logs and Alerts.

Knowing what we do about DHCP, we can assume that a denial-of-service attack will take the form of continuous DHCP Discover and DHCP Request messages being received. We can create an administrative alert to tell us when an abnormally high number of DHCP Requests are received on a server.

Before we begin, we must baseline the DHCP traffic. Baselining is, simply put, observing the normal operation of the server to see what it does. In our example, we must baseline the DHCP traffic coming into the server. There are many ways to baseline, but for this book, we'll keep it simple. We'll baseline the DHCP Request traffic over three normal workdays to determine the average traffic that we should expect.

To do this, we follow this procedure:

  1. Click Start → Run, type Perfmon.exe, and then press Enter. This brings up the Performance snap-in, which is a combination of System Monitor and Performance Logs and Alerts.

  2. Double-click Performance Logs and Alerts, and then double-click Counter Logs.

  3. Right-click Counter Logs, and then click New Log Settings.

  4. Type a name for the log, such as DHCP Offer traffic. Then press Enter.

  5. Click Add Counters.

  6. Under Performance Object, select DHCP Server. Then under Select Counters from List, select Requests/sec. Click Add to add this counter. Then click Close.

  7. Click OK. If the folder for the performance log does not exist, you will be prompted to allow its creation. Click Yes.

Once the three days have elapsed, you will be able to view the counter log and determine what the average DHCP Request traffic (the Requests/sec counter selected in step 6) is for this computer. Let's assume for brevity that you determine from this log that the maximum DHCP Requests per second the server encountered was 15. This helps us determine when an attack might be taking place.

There is no exact science to determining a number that indicates a problem. You need to decide whether you want more false positives or false negatives. In this case, let's assume a safe number is 20. If your DHCP server encounters more than 20 DHCP Requests per second, you want to know so you can examine the situation and determine whether an attack is taking place.

You can do this by setting up an administrative alert, as shown here:

  1. Click Start → Run, type Perfmon.exe, and then press Enter. This brings up the Performance snap-in, which is a combination of System Monitor and Performance Logs and Alerts.

  2. Double-click Performance Logs and Alerts, and then double-click Alerts.

  3. Right-click Alerts, and then click New Alert Settings.

  4. Provide a name for this alert, such as DHCP DOS attack. Then press Enter.

  5. Click Add.

  6. Under Performance Object, select DHCP Server. Then under Select Counters from List, select Requests/sec. Click Add to add this counter. Then click Close. On the General tab, set the alert to fire when the value is over 20, the threshold we chose above.

  7. Click the Action tab. This is where you tell the alert what to do when the threshold is met.

  8. Click OK.

Figure 11-1. The flow of a basic DHCP lease
Figure 11-4. This alert logs an event and sends a network message to the author

You now have a tool in place that will help you identify DHCP denial-of-service attacks. There are other tools and processes you could use, to be sure, but this one is included in Windows Server 2003, takes very little time to set up, and is reasonably effective.
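Counter logs saved from Performance Logs and Alerts can also be processed offline, which lets you derive the baseline from the log itself and catch the "prolonged above-average" pattern that a single-sample threshold alert misses. The following is an added example, not code from the book: it parses constructed PDH-CSV counter logs for the DHCP Server\Requests/sec counter (the server name DHCP01 and every value are made up) and applies the 20 Requests/sec threshold chosen above.

```python
import csv
import io
from statistics import mean

# Constructed Perfmon counter logs saved as CSV. Row 0 is the PDH-CSV header
# Perfmon writes for the DHCP Server\Requests/sec counter; every value is made up.
BASELINE_LOG = """\
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\\\DHCP01\\DHCP Server\\Requests/sec"
"03/15/2004 08:00:00.000","4.0"
"03/15/2004 08:00:15.000","15.0"
"03/16/2004 08:00:00.000","6.0"
"03/16/2004 08:00:15.000"," "
"""
LIVE_LOG = """\
"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\\\DHCP01\\DHCP Server\\Requests/sec"
"03/18/2004 09:00:00.000","5.0"
"03/18/2004 09:00:15.000","48.0"
"03/18/2004 09:00:30.000","12.0"
"03/18/2004 09:00:45.000","13.0"
"03/18/2004 09:01:00.000","14.0"
"03/18/2004 09:01:15.000","6.0"
"""

def parse_counter_log(text):
    """Return [(timestamp, Requests/sec)] from a PDH-CSV counter log."""
    rows = list(csv.reader(io.StringIO(text)))
    samples = []
    for row in rows[1:]:                          # rows[0] is the PDH-CSV header
        if len(row) < 2 or not row[1].strip():    # Perfmon leaves missed samples blank
            continue
        samples.append((row[0], float(row[1])))
    return samples

def baseline(samples):
    """Peak and average seen during normal operation (the chapter's 15/sec peak)."""
    values = [v for _, v in samples]
    return {"max": max(values), "avg": mean(values)}

def find_alerts(samples, threshold, avg, sustained=3):
    """(a) any single sample over `threshold`, which is what the Perfmon alert catches;
    (b) `sustained` consecutive samples above the baseline average, the prolonged case."""
    alerts, run = [], []
    for ts, value in samples:
        if value > threshold:
            alerts.append(("spike", ts, value))
        run = run + [ts] if value > avg else []   # consecutive above-average samples
        if len(run) == sustained:
            alerts.append(("prolonged", run[0], value))
    return alerts
```

Run it against a real exported log by replacing the constructed strings with the file contents; the baseline tells you what "normal" looks like and the alert list is what you would investigate.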

Auditing DHCP

Auditing DHCP is, from an attack detection perspective, essentially the same as monitoring the DHCP performance counters. You collect statistical data and determine whether an attack is occurring based on that data. However, auditing DHCP activity can give us more specific information and allow us to examine attacks in greater detail.

Enabling auditing for DHCP is a simple task. Use the following steps:

  1. Click Start → All Programs → Administrative Tools → DHCP. This opens the DHCP Management MMC snap-in.

  2. Double-click the name of your DHCP server to select it.

  3. Click Action, and then click Properties.

  4. On the General tab, select Enable DHCP audit logging, and then click OK.

Figure 11-5. The DHCP audit log is enabled

Now the DHCP server will log all tasks that it performs. The log is a text file stored in the %SystemRoot%\System32\dhcp directory by default. You can change this directory by modifying the path under the Advanced tab in the previous dialog box. The files are stored with the filename of DhcpSrvLog-day.log where day is a three-letter abbreviation for the day of the week, such as Mon, Tue, and so on.
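The audit log's comma-separated records are easy to process, which is what makes it more useful than the counters for examining an attack in detail. The following Python is an added example, not code from the book: it reads a constructed excerpt of a DhcpSrvLog-day.log (event IDs 10 and 14 are taken from the legend the DHCP service writes at the top of each log; all hosts, addresses and MAC addresses are made up) and flags the two signs of the address-exhaustion attack described earlier: a burst of new leases to many distinct MAC addresses within one minute, and any pool-exhausted event.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed excerpt of a DhcpSrvLog-<day>.log. The event IDs (10 = new lease,
# 14 = scope's address pool exhausted) are from the legend the DHCP service
# writes at the top of every log; the dates, hosts and MACs below are made up.
AUDIT_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
10\tA new IP address was leased to a client.
14\tA lease request could not be satisfied because the scope's address pool was exhausted.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/18/04,00:00:02,Started,,,
10,03/18/04,08:02:11,Assign,10.1.1.21,ws01.corp.example,000C29AA0001
10,03/18/04,09:30:00,Assign,10.1.1.22,,000C29BB0001
10,03/18/04,09:30:01,Assign,10.1.1.23,,000C29BB0002
10,03/18/04,09:30:01,Assign,10.1.1.24,,000C29BB0003
10,03/18/04,09:30:02,Assign,10.1.1.25,,000C29BB0004
14,03/18/04,09:30:03,Pool exhausted,,,
"""

NEW_LEASE, POOL_EXHAUSTED = "10", "14"

def parse_audit_log(text):
    """Yield dict rows from the CSV part of the log, skipping the legend above it."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    for row in csv.DictReader(io.StringIO("\n".join(lines[start:]))):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%y %H:%M:%S")
        yield row

def detect(text, max_new_leases_per_minute=3):
    """Flag minutes in which more distinct MACs received new leases than the
    site's normal rate allows, plus every pool-exhausted event (the DoS succeeded)."""
    leases = defaultdict(set)     # minute -> MAC addresses that got a new lease
    findings = []
    for row in parse_audit_log(text):
        if row["ID"] == NEW_LEASE:
            leases[row["when"].replace(second=0)].add(row["MAC Address"])
        elif row["ID"] == POOL_EXHAUSTED:
            findings.append(("pool exhausted", row["when"].isoformat(), row["Description"]))
    for minute, macs in sorted(leases.items()):
        if len(macs) > max_new_leases_per_minute:
            findings.append(("lease burst", minute.isoformat(), len(macs)))
    return sorted(findings, key=lambda f: f[1])
```

Set max_new_leases_per_minute from your own baseline; on a network where many machines boot at once (start of the workday), a fixed small value will produce false positives.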
