
DHCP Spoofing Questions

March 9th, 2012 in SWITCH 642-813

Here you will find answers to DHCP Spoofing Questions

Quick review of DHCP Spoofing:

[Figure: DHCP spoofing attack]

DHCP spoofing is an attack in which the attacker listens for DHCP Discover/Request messages from clients and answers them with a fake DHCP Offer/ACK before the authorized DHCP server does. A client simply accepts the first offer it receives, so the fake lease is installed. The fake response usually names the attacker's own IP address as the client's default gateway (a rogue DNS server is another common payload) -> all traffic the client sends off its subnet goes through the attacker's computer, and the attacker becomes a "man-in-the-middle".

The attacker has several ways to make sure the fake response arrives first. If the attacker is "closer" to the client than the real DHCP server (same switch, no relay hop), he does not need to do anything. Otherwise he can DoS the DHCP server, for example by exhausting its address pool with a flood of bogus requests (the starvation attack of Question 4), so that it cannot send a DHCP response at all.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports are allowed to forward DHCP server responses. Ports are classified as trusted or untrusted.

[Figure: DHCP snooping with trusted and untrusted ports]

Only ports that lead to an authorized DHCP server (the server's own port, or the uplink toward it) are configured as trusted and are allowed to forward all types of DHCP messages. All other ports on the switch are untrusted and may forward only client messages (Discover, Request, Decline, Release, Inform). If a DHCP server response (Offer, ACK, NAK) is seen on an untrusted port, the switch drops it; the exam material summarizes this as "the port is shut down", and on Catalyst switches the port is in fact err-disabled when it exceeds a configured DHCP rate limit. The switch also records the leases it observes on untrusted ports in a DHCP snooping binding table (MAC address, IP address, lease time, VLAN, port), which you can inspect with show ip dhcp snooping binding.

Note: ARP is a stateless protocol, so a client accepts an ARP Reply without having sent a request and without any authentication. This is why Question 2 talks about static ARP entries that a dynamic ARP packet cannot overwrite.

Question 1

What are three required steps to configure DHCP snooping on a switch? (Choose three)

A. Configure the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages.
B. Configure DHCP snooping globally.
C. Configure the switch as a DHCP server.
D. Configure DHCP snooping on an interface.
E. Configure all interfaces as DHCP snooping trusted interfaces.
F. Configure DHCP snooping on a VLAN or range of VLANs.

 

Answer: B D F

Explanation

To configure the DHCP snooping feature, at least three steps must be done:

1. Enable DHCP snooping globally:
Switch(config)# ip dhcp snooping

2. Configure trusted ports (at least one: the port facing the authorized DHCP server, or the uplink toward it). By default, all ports are untrusted:
Switch(config-if)# ip dhcp snooping trust

3. Enable DHCP snooping on the selected VLANs:
Switch(config)# ip dhcp snooping vlan {VLAN-ID | VLAN range}

Other steps are optional:

+ Configure DHCP option 82 insertion (enabled by default once snooping is on; disable it with the "no" form if the upstream relay or server does not accept option 82 from a switch):
Switch(config)# ip dhcp snooping information option

+ Limit the number of DHCP packets per second (pps) accepted on an untrusted port:
Switch(config-if)# ip dhcp snooping limit rate {rate}
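The quick review above and the three required steps put together as one complete access-switch configuration. This is an added example, not taken from the SWITCH Student Guide or from the exam; the interface names, the VLAN numbers and the assumption that the authorized DHCP server is reached through the GigabitEthernet0/1 uplink are mine.

```cisco
! === Access switch: user ports plus one uplink toward the DHCP server ===
! Step 1: enable the feature globally (nothing is inspected until step 3)
ip dhcp snooping
!
! Step 2: trust the uplink that leads to the authorized DHCP server
! (assumed to be GigabitEthernet0/1). Every other port stays untrusted
! by default, so server messages arriving there are dropped.
interface GigabitEthernet0/1
 description Uplink to distribution; path to the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Step 3: enable snooping on the VLANs whose DHCP traffic is inspected
ip dhcp snooping vlan 10,20
!
! Host-facing access ports: untrusted (the default, no command needed).
! Only client messages (DISCOVER/REQUEST/RELEASE/...) are forwarded
! and the resulting leases are written to the binding table.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
!
! Optional: option-82 insertion is ON by default once snooping is enabled.
! An IOS relay or server upstream drops client packets that carry option
! 82 with giaddr 0 unless it is told to trust them, so either turn
! insertion off on the access switch ...
no ip dhcp snooping information option
! ... or (instead) let the relay router accept them:
!   Router(config)# ip dhcp relay information trust-all
!
! Verification: feature state per VLAN, trust per port, learned leases
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

After the last command, a rogue DHCPOFFER injected on any FastEthernet port is dropped while offers arriving over GigabitEthernet0/1 are forwarded normally; the binding table should list one entry per client that completed a lease on an untrusted port.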

Reference: SWITCH Student Guide

Question 2

Which statement is true about DHCP spoofing operation?

A. DHCP spoofing and SPAN cannot be used on the same port of a switch.
B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.
C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.
D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

 

Answer: B

Explanation

First let’s analyze answer A.

The Switched Port Analyzer (SPAN) feature copies network traffic from a VLAN or a group of ports to a selected port; it is generally referred to as port mirroring. An example of configuring a SPAN session is shown below:

Switch(config)#monitor session 1 source interface FastEthernet 0/1
Switch(config)#monitor session 1 destination interface FastEthernet 0/2

The above configuration will capture all traffic from interface FastEthernet 0/1 and send it to interface FastEthernet 0/2.

Answer A is unclear because SPAN involves two ports, a source and a destination, and the answer does not say which one it means. SPAN does not affect switching on the source port, but it does affect the destination port: incoming traffic is disabled on a SPAN destination port (unless ingress forwarding is explicitly enabled on it), so a DHCP spoofing attack cannot be launched from that port. The question presumably means the source port, which makes answer A incorrect.

Although this is not covered in the course books, answer B is the best choice. If the DHCP server can create a static ARP entry that cannot be updated by a dynamic ARP packet, the attacker cannot change the MAC address information the client holds for the DHCP server -> B is correct.

A switch usually does not run DHCP server services, and a static entry pointing toward the DHCP server would not help prevent DHCP spoofing -> C is not correct.

Placing all unused ports in an unused VLAN helps prevent VLAN hopping, not DHCP spoofing -> D is not correct.
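What answer B describes, a DHCP server that pins ARP entries so that dynamic ARP packets cannot overwrite them, exists in Cisco IOS as the "DHCP Authorized ARP" feature (introduced in 12.3(4)T; the arp authorized and update arp commands). The configuration below is an added example, not from the page or from the exam; the interface, the addresses, the pool name and the static MAC address are assumed, and the assumption that this feature is what answer B has in mind is mine.

```cisco
! === IOS router acting as DHCP server and default gateway for 10.1.1.0/24 ===
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ! Stop dynamic ARP learning on this interface: a spoofed ARP Reply can
 ! no longer create or overwrite an entry. Entries come only from DHCP
 ! leases (update arp below) or from static "arp" commands.
 arp authorized
!
ip dhcp pool CLIENTS
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 ! Install an ARP entry for every lease, bound to the lease lifetime,
 ! so the IP-to-MAC mapping the server uses is the one it handed out
 update arp
!
! Hosts on the subnet that do not use DHCP need a manual static entry
! (assumed address and MAC)
arp 10.1.1.50 0011.2233.4455 arpa
!
! Verification: leases and the ARP entries derived from them
Router# show ip dhcp binding
Router# show arp
```

This protects the server/gateway side only: the router will not be fooled into sending a client's traffic to the attacker's MAC, but the clients themselves still accept unsolicited ARP Replies, so on the access layer DHCP snooping (and the ARP inspection that builds on its binding table) remains the primary defense.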

Question 3

Refer to the exhibit. What type of attack is being defended against?

[Exhibit: output of show ip dhcp snooping]

A. Snooping attack
B. Rogue device attack
C. STP attack
D. VLAN attack
E. Spoofing attack
F. MAC flooding attack

 

Answer: E

Explanation

The exhibit shows the output of show ip dhcp snooping. DHCP snooping is the method used to defend against DHCP spoofing, so the attack being defended against is a spoofing attack -> E.

Question 4

An attacker is launching a DoS attack with a public domain hacking tool that is used to exhaust the IP address space available from the DHCP servers for a period of time. Which procedure would best defend against this type of attack?

A. Configure only trusted interfaces with root guard.
B. Implement private VLANs (PVLANs) to carry only user traffic.
C. Implement private VLANs (PVLANs) to carry only DHCP traffic.
D. Configure only untrusted interfaces with root guard.
E. Configure DHCP spoofing on all ports that connect untrusted clients.
F. Configure DHCP snooping only on ports that connect trusted DHCP servers.

 

Answer: F

Explanation

Answer F is the intended one, even if its wording is loose. DHCP snooping is enabled globally and per VLAN; the only per-interface step is to mark the ports that connect to the authorized DHCP servers (or the uplinks toward them) as trusted, because every other port is untrusted by default. Trust classification alone, however, does not stop pool exhaustion: a starvation tool sends ordinary-looking client requests from an untrusted port. In practice the untrusted host ports therefore also get a DHCP packet rate limit (ip dhcp snooping limit rate) and, because snooping drops untrusted packets whose Ethernet source MAC does not match the DHCP chaddr, port security with a small MAC maximum to catch a tool that cycles through MAC addresses.
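The starvation-specific hardening that the exam answer leaves implicit, as an added example that is not part of the original page. It assumes DHCP snooping is already enabled globally and on the user VLANs (as in Question 1), and the interface names, the rate of 10 pps and the port-security maximum are my choices.

```cisco
! === Access switch: DHCP starvation (pool exhaustion) defenses ===
! Assumes: ip dhcp snooping / ip dhcp snooping vlan ... already configured.
!
! Cap the DHCP packets per second accepted on each untrusted host port.
! A real host sends a handful of DISCOVER/REQUEST packets at boot, so
! 10 pps does not affect it, but it throttles a tool that tries to lease
! the whole pool in seconds.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 10
 ! Snooping already drops untrusted packets whose Ethernet source MAC
 ! differs from the DHCP chaddr (verify mac-address, on by default), so
 ! a starvation tool must change its source MAC for every lease. Port
 ! security then catches it: allow a PC plus an IP phone, drop the rest.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! A port that exceeds the rate limit is err-disabled. Let it recover on
! its own (default 300 s) instead of needing a manual shut / no shut.
errdisable recovery cause dhcp-rate-limit
!
! The trusted uplink aggregates every client's traffic: no rate limit there.
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! Verification
Switch# show ip dhcp snooping
Switch# show interfaces status err-disabled
Switch# show port-security interface FastEthernet0/3
```

With this in place a flood of DISCOVERs from Fa0/3 first trips the rate limit (the port shows up under err-disabled), and a slower tool that spoofs a new MAC per request is stopped by port security after the second address; the real DHCP server's pool is left intact either way.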

Question 5

Refer to the exhibit. DHCP snooping is enabled for selected VLANs to provide security on the network. How do the switch ports handle the DHCP messages?

[Exhibit: output of show ip dhcp snooping for ports Fa2/1, Fa2/2 and Fa3/1]

A. Ports Fa2/1 and Fa2/2 source DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages and respond to DHCP requests.
B. Ports Fa2/1 and Fa2/2 respond to DHCP requests only. Port Fa3/1 is eligible to source all DHCP messages.
C. Ports Fa2/1 and Fa2/2 are eligible to source all DHCP messages and respond to DHCP requests. Port Fa3/1 can source DHCP requests only.
D. All three ports, Fa2/1, Fa2/2, and Fa3/1, are eligible to source all DHCP messages and respond to DHCP requests.

 

Answer: C

Explanation

Trusted ports are allowed to forward all types of DHCP messages. Untrusted ports can forward only DHCP client requests; a DHCP server response seen on an untrusted port is not forwarded. In this exhibit, Fa2/1 and Fa2/2 are trusted (all DHCP messages, including responses) while Fa3/1 is untrusted (client requests only) -> C.

Question 6

Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of attack?

[Exhibit: Building Access block switches A-SW1 and A-SW2 with uplinks to the Server Farm block; attacker on A-SW2 Fa0/11]

A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.
B. All switch ports in the Building Access block should be configured as DHCP trusted ports.
C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.
D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.
E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.
F. All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.

 

Answer: F

Explanation

Switch ports connecting to hosts only ever need to send DHCP client requests, and they are the ports an attacker can easily reach -> configure them as DHCP untrusted ports. Answer A is too broad: "all switch ports" includes the uplinks toward the distribution layer and the DHCP server, and if those were untrusted as well, no DHCP server reply could reach the clients at all.

 

Comments
  1. Sayem
    June 12th, 2012

    Could anyone please explain a little more about Q.4? I am not understanding it well enough!

  2. AdyM
    June 13th, 2012

    Q2 is one of those weird questions which Cisco throws at us in the exams sometimes. Maybe to test if we can think out of the box, on “uncharted territories”.
    That stuff is not part of the curriculum for CCNP SWITCH but, yes, as the author of this site suggests, B) is the best answer.
    For those interested in more details, this page may offer more to chew on:

    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtautarp.html

    @ Sayem: Answer F) doesn’t have a very fortunate wording and may have been blown off under other circumstances. But given the fact that the other answers are totally off-base, if we concentrate hard enough on it we can draw some meaning from it, as the explanation below it points out.

    Namely, after you enable DHCP Snooping globally and then on the intended VLANs, by default all interfaces of the switch are considered “untrusted”. Therefore the only extra step you would need to take is to configure “snooping” (as the answer says – which in fact stands for configuring the interfaces as “trusted” for DHCP Snooping) only for the interfaces that uplink towards authorized DHCP servers (i.e. trunk ports, or an access port if the server is connected locally to the same switch).

  3. t141
    June 25th, 2012

    Q4: the only thing I can think of is to configure a DHCP rate limit for untrusted ports, so that DHCP packets from hosts are “rate-limited”; therefore addresses from the DHCP pool aren’t exhausted quickly. This is a defense against a DoS attack, not a spoofing attack.
    Command: (config-if)# ip dhcp snooping limit rate pkts/s

    If I have to choose an answer, I would choose F, since it’s the closest one (but it’s still not accurate in my opinion)

  4. cfritz
    July 6th, 2012

    Q4: F is correct because the links to the other switches should be configured as trusted ports. Only the host ports should be configured as untrusted.


  6. HungN
    July 20th, 2012

    Hi Guys,

    Seeing the answer right in front of your eyes before making a selection is annoying. So I grabbed all of the questions on this site and put them into a VCE file to make my life easier. Be sure to check back on the CertPrepare site regularly for updates.

    Here is the file: http://www.4shared.com/file/C5hmKPbb/CCNP_642-813_CertPrepare-by_Hu.html

    Best of luck !!!

  7. Toph
    October 31st, 2012

    Q4. It’s gotta be F, but F. is worded wrong here:

    “F. Configure DHCP snooping only on ports that connect trusted DHCP servers.”

    But the wording is wrong, should be:

    F. Configure DHCP snooping ‘trust’ only on ports that connect trusted DHCP servers and enable rate-limiting.

    Without rate-limiting, DHCP Snooping by itself does no good here, as this attack is not SPOOFING a DHCP server but using up resources from a TRUSTED DHCP server by leasing a bunch of IPs very, very quickly. Need to rate limit.

    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/dhcp.pdf

    http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/

    “It’s a good idea to enable rate limiting on the untrusted ports. This is specified in packets per second, and is used to prevent an attacker from hammering our DHCP server with so many requests that it exhausts all of the IP addresses it has to offer.”

  8. Feld
    February 22nd, 2013

    For Q4 I think port security will help, because the attacker has to fake his MAC to get an additional IP leased by the DHCP server. A rate limit of 20 will still permit getting 10 IPs/sec and will prevent real clients from getting their IP (because the limit is exceeded).

  9. Q6
    February 23rd, 2013

    Why F, not A ?

  10. CCNP PRIDE
    March 21st, 2013

    Q6 Please explain . Why not A?

  11. Jonny
    April 2nd, 2013

    CCNP PRIDE.

    Because SW1 int Fa0/1 and SW2 int Fa0/1 are both connected to another port that has the original DHCP server, and DHCP spoofing has to be put on access layer switches, as best practices say (page 335 of FLG SWITCH).

  12. Daniel
    April 3rd, 2013

    Q5, Q6 on test today

  13. Dwarbit
    April 5th, 2013

    @ CCNP PRIDE – If you placed all ports as untrusted, then no DHCP traffic would exit the switch to get to the server.

  14. TechMom
    April 12th, 2013

    Nothing from this section in the test today.

  15. JustPassed
    May 8th, 2013

    Q3, Q5, Q6 in the exam today

  16. don
    May 16th, 2013

    q5 and q6 in exam today

  17. EFK
    May 17th, 2013

    For Q6 answer F is correct because “all ports” means every single port, even the ones that are connected to the distribution layer. In this case, you would be unable to receive DHCP messages at all. So rather, only the ports that are connected to hosts should be untrusted.
