二層攻擊防范技術(shù)在企業(yè)網(wǎng)絡(luò)中有多種基于二層的攻擊手段，防火墻針對(duì)這些二層攻擊手段都有其相應(yīng)的防御手段。在本課程中，介紹一些常見(jiàn)的二層攻擊及防范方法。學(xué)完本課程后，您將能夠:了解DHCPSnooping技術(shù)了解ARPSpoofing攻擊及其防御原理了解IPSG技術(shù)了解DAI技術(shù)了解端口安全技術(shù)DHCPSnoopingARPSpoofingIPSGDAI端口安全DHCPSnooping概述DHCPSnooping功能用于防止：DHCPServer仿冒者攻擊；中間人攻擊與IP/MACSpoofing攻擊；改變CHADDR值的攻擊；Option82。IP地址MAC地址地址租約綁定類型VLANID12345接口信息6主要目的DHCPDoSDHCP仿冒中間人攻擊SpoofingDHCPServer仿冒者攻擊DHCP服務(wù)器偽造DHCP服務(wù)器DHCPRequest╳DHCPACK123123不信任接口信任接口√DHCPACK√DHCPdiscovery(broadcast)DHCPoffer(unicastfromthepseudoserver)DHCPrequest(broadcast)DHCPack(unicastfromthepseudoserver)配置防止DHCPServer仿冒者攻擊DHCPServer仿冒者可通過(guò)二層或三層口進(jìn)行攻擊，配置時(shí)需要區(qū)分二層和三層的不同場(chǎng)景。在系統(tǒng)視圖下執(zhí)行dhcpsnoopingenable，使能DHCPSnooping功能。在接口（三層）或VLAN（二層）視圖下，執(zhí)行命令dhcpsnoopingenable

interface

interface-typeinterface-number，使能接口/VLAN下的DHCPSnooping功能。dhcpsnoopingtrusted

interface

interface-typeinterface-number，配置連接DHCPServer的VLAN或接口為“信任”狀態(tài)。中間人與IP/MACSpoofing攻擊動(dòng)態(tài)IP與MAC綁定表靜態(tài)IP與MAC綁定表IP與MAC綁定表I’mreally10.1.0.2我是服務(wù)器10.0.0.1IP:10.0.0.1IP:10.1.0.2我是客戶端10.1.0.2I’mreally10.0.0.1配置防止中間人與IP/MACSpoofing攻擊執(zhí)行命令dhcpsnoopingcheck{arp|ip|dhcp-chaddr|dhcp-request}enable[interface

interface-typeinterface-number]，配置VLAN的報(bào)文檢查。執(zhí)行命令dhcpsnoopingbind-tablestatic

ip-address

ip-address

mac-address

mac-address[interface

interface-typeinterface-number]，配置IP與MAC綁定表的靜態(tài)表項(xiàng)。注意事項(xiàng)：對(duì)于動(dòng)態(tài)分配給用戶的IP地址，設(shè)備會(huì)自動(dòng)學(xué)習(xí)用戶的MAC地址并建立綁定關(guān)系表，此時(shí)不需要配置綁定表。對(duì)于靜態(tài)分配給用戶的IP地址，設(shè)備不會(huì)自動(dòng)學(xué)習(xí)用戶的MAC地址，也不能建立綁定關(guān)系表，所以需要手動(dòng)建立綁定關(guān)系表。改變CHADDR值的DoS攻擊CHADDR：ClientHardwareAddress。攻擊者改變的不是數(shù)據(jù)幀頭部的源MAC地址，而是改變DHCP報(bào)文中的CHADDR。檢查DHCPRequest報(bào)文中CHADDR字段。L2NetworkFWDHCPRelayServerDHCPClientAttackerL3Network配置防止改變CHADDR值的DoS攻擊二層接口場(chǎng)景下，VLAN視圖下：執(zhí)行命令dhcpsnoopingenable

interface

interface-typeinterface-number，使能VLAN或的DHCPSnooping功能。執(zhí)行命令dhcpsnoopingcheck

dhcp-chaddr

enable

interface

interface-typeinterface-number，配置VLAN報(bào)文的CHADDR檢查。三層接口場(chǎng)景，在接口視圖下：執(zhí)行命令dhcpsnoopingcheck

dhcp-chaddr

enable，配置對(duì)報(bào)文的CHADDR的檢查功能。Option82（仿冒DHCP續(xù)租報(bào)文攻擊）應(yīng)用場(chǎng)景：當(dāng)網(wǎng)絡(luò)中存在攻擊者時(shí)，攻擊者通過(guò)不斷發(fā)送DHCPRequest報(bào)文來(lái)冒充用戶續(xù)租IP。防范原理：可以在設(shè)備上配置DHCPSnooping功能，檢查DHCPRequest報(bào)文和使用DHCPSnooping綁定功能。L2NetworkFWDHCPRelayServerDHCPClientAttackerL3NetworkUntrustTrustOption82報(bào)文格式Option82是DHCP報(bào)文的一個(gè)特殊字段，供DHCPRelay設(shè)置，用來(lái)標(biāo)識(shí)DHCPRequest報(bào)文的發(fā)送路徑。82Ni1i2i3i4i5…iNCodeLengthAgentInformationField1Na1a2a3a4a5…aN2Nb1b2b3b4b5…bN9Nc1c2c3c4c5…cNSubOptLengthSub-OptionValue圖1圖2配置防止仿冒DHCP續(xù)租報(bào)文攻擊配置防止仿冒DHCP續(xù)租報(bào)文攻擊，需要首先完成VLAN/接口下DHCPSnooping使能項(xiàng)、接口下dhcp-request報(bào)文檢查、以及IP與MAC地址靜態(tài)綁定的相關(guān)配置，在此不作贅述。二層接口場(chǎng)景下，VLAN視圖下，分為以下兩種情況：執(zhí)行命令dhcpoption82insertenableinterface

interface-typeinterface-number，使能Option82功能。執(zhí)行命令dhcpoption82rebuildenableinterface

interface-typeinterface-number，使能強(qiáng)制插入Option82功能。三層接口場(chǎng)景，在接口視圖下，分為以下兩種情況：執(zhí)行命令dhcpoption82insertenable，使能Option82功能。執(zhí)行命令dhcpoption82rebuildenable，使能強(qiáng)制插入Option82功能。項(xiàng)目數(shù)據(jù)（1）接口：GigabitEthernet1/0/0IP地址：10.1.1.254/24（2）接口：GigabitEthernet1/0/1IP地址：100.1.1.1/24DHCP服務(wù)器地址100.1.1.2/24USGDHCPReplayFWDHCPRelayServerDHCPClient1DHCPClient2IP10.1.1.1/24Mac:00e0-fc5e-008aL3NetworkTrustedSwitchUntrusted（1）（2）DHCPSnooping配置舉例DHCPSnooping配置步驟（1）配置DHCPRelay的基本功能：配置接口GigabitEthernet0/0/1接口地址：配置DHCP中繼功能接口：<USG>system-view[USG]sysnameDHCP-Relay[DHCP-Relay]interfaceGigabitEthernet1/0/1[DHCP-Relay-GigabitEthernet1/0/1]ipaddress100.1.1.124[DHCP-Relay]interfaceGigabitEthernet1/0/0[DHCP-Relay-GigabitEthernet1/0/0]ipaddress10.1.1.25424[DHCP-Relay-GigabitEthernet1/0/0]dhcpselectrelay[DHCP-Relay-GigabitEthernet1/0/0]iprelayaddress100.1.1.2DHCPSnooping配置步驟（2）開啟DHCPSnooping功能，配置Trusted接口：?jiǎn)⒂萌趾徒涌诘腄HCPSnooping功能：配置DHCPServer側(cè)接口配置為“Trusted”：[DHCP-Relay]dhcpsnoopingenable[DHCP-Relay]interfaceGigabitEthernet1/0/0[DHCP-Relay-GigabitEthernet0/0/0]dhcpsnoopingenable[DHCP-Relay]interfaceGigabitEthernet1/0/1[DHCP-Relay-GigabitEthernet1/0/1]dhcpsnoopingenable[DHCP-Relay-GigabitEthernet1/0/1]dhcpsnoopingtrustedDHCPSnooping配置步驟（3）配置對(duì)特定報(bào)文的檢查和DHCPSnooping綁定表：[DHCP-Relay]interfaceGigabitEthernet1/0/0[DHCP-Relay-GigabitEthernet1/0/0]dhcpsnoopingcheckarpenable[DHCP-Relay-GigabitEthernet1/0/0]dhcpsnoopingcheckipenable[DHCP-Relay-GigabitEthernet1/0/0]dhcpsnoopingcheckdhcp-requestenable[DHCP-Relay-GigabitEthernet1/0/0]dhcpsnoopingcheckdhcp-chaddrenable[DHCP-Relay-GigabitEthernet1/0/0]dhcpsnoopingbind-tablestaticip-address10.1.1.1mac-address00e0-fc5e-008aDHCPSnooping配置步驟（4）配置DHCP上送速率限制和配置Option82：顯示DHCPSnooping綁定表的靜態(tài)表項(xiàng)信息：[DHCP-Relay]dhcpsnoopingcheckdhcp-rate90[DHCP-Relay]dhcpsnoopingcheckdhcp-rateenable[DHCP-Relay]interfaceGigabitEthernet1/0/0[DHCP-Relay-GigabitEthernet0/0/0]dhcpoption82insertenable<sysname>displaydhcpsnoopingbind-tablestaticbind-table:ifnamevrfvsip/cvlanmac-addressip-addresstpleaseVlanif10000-0000/00000011-0022-00341.2.3.0S0DHCPSnoopingARPSpoofingIPSGDAI端口安全ARPSpoofing原理IP地址MAC地址Type10.1.1.3C-C-CDynamicIP地址MAC地址Type10.1.1.3D-D-DDynamicUserA的ARP表項(xiàng)InternetUserAUserBAttackerIP:10.1.1.1MAC:A-A-AIP:10.1.1.2MAC:B-B-BIP:10.1.1.3MAC:C-C-C攻擊者回應(yīng)欺騙報(bào)文在系統(tǒng)視圖下，執(zhí)行命令firewalldefendarp-spoofingenable，開啟ARP欺騙攻擊防范功能。DHCPSnoopingARPSpoofingIPSGDAI端口安全I(xiàn)PSG背景隨著網(wǎng)絡(luò)規(guī)模越來(lái)越大，基于源IP的攻擊也逐漸增多，一些攻擊者利用欺騙的手段獲取到網(wǎng)絡(luò)資源，取得合法使用網(wǎng)絡(luò)的能力，甚至造成被欺騙者無(wú)法訪問(wèn)網(wǎng)絡(luò)，或者信息泄露，造成不可估量的損失。IPSourceGuard是指設(shè)備在作為二層設(shè)備使用時(shí)，利用綁定表來(lái)防御IP源欺騙的攻擊。當(dāng)設(shè)備在轉(zhuǎn)發(fā)IP報(bào)文時(shí)，將此IP報(bào)文中的源IP、源MAC、端口、VLAN信息和綁定表的信息進(jìn)行比較，如果信息匹配，說(shuō)明是合法用戶，則允許此用戶正常轉(zhuǎn)發(fā)，否則認(rèn)為是攻擊者，丟棄該用戶發(fā)送的IP報(bào)文。IP/MAC欺騙攻擊典型場(chǎng)景IP:1.1.1.2/24MAC:2-2-2IP:1.1.1.3/24MAC:3-3-3IP:1.1.1.1/24MAC:1-1-1IP:1.1.1.3/24MAC:3-3-3AttackerDHCPClientDHCPServer收到一個(gè)用戶的IP和MAC，我要刷新MAC信息到我的端口下SwitchIPSG防御原理IP:1.1.1.2/24MAC:2-2-2IP:1.1.1.3/24MAC:3-3-3IP:1.1.1.1/24MAC:1-1-1IP:1.1.1.3/24MAC:3-3-3AttackerDHCPClientDHCPServer在接口或VLAN上配置了IPSGSwitchIP地址包括IPv4地址和IPv6地址，即使能IPSG功能后，設(shè)備將對(duì)用戶IP報(bào)文的源IPv4地址和源IPv6地址都進(jìn)行檢查。IPSG功能只對(duì)IP類型的報(bào)文有效。對(duì)其他類型的報(bào)文，如PPPoE（Point-to-PointProtocoloverEthernet）報(bào)文無(wú)法生效。IPSG配置舉例HostAIP:10.0.0.1/24MAC:1-1-1HostB(Attacker)IP:10.0.0.2/24MAC:2-2-2SwitchServerGE1/0/1GE1/0/2組網(wǎng)需求：HostA與HostB分別與Switch的GE1/0/1和GE1/0/2接口相連。要求使HostB不能仿冒HostA的IP和MAC欺騙Server，保證HostA的IP報(bào)文能正常上送。IPSG配置舉例配置IP報(bào)文檢查功能：配置HostA為靜態(tài)綁定表項(xiàng)：interfacegigabitethernet1/0/1ipsourcecheckuser-bindenableipsourcecheckuser-bindalarmenableipsourcecheckuser-bindalarmthreshold200interfacegigabitethernet1/0/2ipsourcecheckuser-bindenableipsourcecheckuser-bindalarmenableipsourcecheckuser-bindalarmthreshold200user-bindstaticip-address10.0.0.1mac-address0001-0001-0001interfacegigabitethernet1/0/1IPSG配置舉例-驗(yàn)證配置結(jié)果在Switch上執(zhí)行displaydhcpstaticuser-bindall命令可以查看綁定表信息：從顯示信息可知，HostA已經(jīng)配置為靜態(tài)綁定表項(xiàng)。[Switch]displaydhcpstaticuser-bindall

DHCPstaticBind-table:Flags:O-outervlan,I-innervlan,P-Vlan-mappingIPAddressMACAddressVSI/VLAN(O/I/P)Interface---------------------------------------------------------------------------------------------10.0.0.10001-0001-0001--/--/--GE1/0/1--------------------------------------------------------------------------------------------Printcount:1Totalcount:1DHCPSnoopingARPSpoofingIPSGDAI端口安全ARP中間人攻擊

InternetRouterUserAUserBAttackerIP:10.1.1.1MAC:1-1-1IP:10.1.1.2MAC:2-2-2IP:10.1.1.3MAC:3-3-3Attacker向UserA發(fā)送偽造UserB的ARP報(bào)文Attacker向UserB發(fā)送偽造UserA的ARP報(bào)文IP地址MAC地址Type10.1.1.33-3-3DynamicIP地址MAC地址Type10.1.1.32-2-2DynamicIP地址MAC地址Type10.1.1.11-1-1DynamicIP地址MAC地址Type10.1.1.12-2-2DynamicUserA的ARP表項(xiàng)ARP表項(xiàng)更新為UserB的ARP表項(xiàng)ARP表項(xiàng)更新為動(dòng)態(tài)ARP檢測(cè)DAI（DynamicARPInspection）daienable命令用于使能動(dòng)態(tài)ARP檢測(cè)功能。InternetRouterUserAUserBAttackerIP:10.1.1.1MAC:1-1-1IP:10.1.1.2MAC:2-2-2IP:10.1.1.3MAC:3-3-3EnableDAI查找DHCP

Snooping

綁定表DHCPSnoopingARPSpoofingIPSGDAI端口安全端口安全端口安全（Port