DHCP Snooping ve Port Güvenliği Kullanılarak MITM Saldırılarına Karşı Switch Güvenliğinin İyileştirilmesi

Abstract

Bu çalışma, Dinamik Ana Bilgisayar Yapılandırma Protokolü (DHCP) üzerindeki güvenlik açıklarını incelemekte ve saldırganların güvenilir portları kötüye kullanması durumunda DHCP Snooping tekniğinin sınırlılıklarına odaklanmaktadır. DHCP sahtekarlığı (spoofing) saldırılarını tespit ve engellemek amacıyla, DHCP Snooping ile Port Security’nin entegre edildiği geliştirilmiş bir yöntem önerilmektedir. Yazılım Tanımlı Ağ (SDN) veya makine öğrenmesi tabanlı çözümler ileri düzey altyapı gerektirirken, önerilen yöntem hafif, düşük maliyetli ve işletme ile eğitim ağlarında yaygın olarak kullanılan geleneksel Katman 2 anahtarlarında uygulanabilir niteliktedir. DHCP Snooping, anahtar portlarını güvenilir veya güvenilir olmayan olarak sınıflandıracak şekilde yapılandırılmış, Port Security ise MAC adresi doğrulamasına dayalı erişim kısıtlaması getirmiştir. Bu entegrasyon, özellikle geleneksel DHCP Snooping’in yetersiz kaldığı güvenilir portlar üzerinden gerçekleştirilen saldırıları etkili bir şekilde engellemiştir. Simülasyon sonuçları, DHCP Snooping ile Port Security’nin birlikte kullanımının, port düzeyinde MAC tabanlı kimlik doğrulama sağlayarak ağ güvenliğini önemli ölçüde güçlendirdiğini göstermektedir. Yöntem, yalnızca yetkili DHCP sunucularının istemci taleplerine yanıt vermesini garanti etmekte, güvenilir portların istismarını önlemekte ve ağ performansında herhangi bir düşüşe yol açmamaktadır. Bulgular, ek donanım veya karmaşık algılama sistemlerine gerek duymadan ağ bütünlüğünü artırmada yöntemin etkinliğini ve uygulanabilirliğini ortaya koymaktadır.

Keywords

• MITM; DHCP Snooping
• Port Güvenliği
• DHCP Spoofing
• Ağ Güvenliği

Improving Switch Security Against MITM Attacks Using DHCP Snooping and Port Security

Abstract

This study investigates security vulnerabilities in the Dynamic Host Configuration Protocol (DHCP), focusing on the limitations of DHCP Snooping when attackers exploit trusted ports. We propose an enhanced detection and prevention mechanism that integrates DHCP Snooping with Port Security to counter DHCP spoofing attacks. Unlike approaches based on Software-Defined Networking (SDN) or machine learning which require advanced infrastructure our method is lightweight, cost-effective, and deployable on conventional Layer 2 switches commonly used in enterprise and educational networks. DHCP Snooping was configured to classify switch ports as trusted or untrusted, while Port Security restricted access through MAC address verification. This integration effectively mitigated DHCP spoofing attempts, including those launched through trusted ports, where traditional DHCP Snooping alone is insufficient. Simulation results show that combining DHCP Snooping with Port Security significantly strengthens network security by enforcing MAC-based authentication at the switch port level. The method ensures that only legitimate DHCP servers can respond to client requests, prevents the exploitation of trusted ports, and maintains network performance without introducing instability. The findings demonstrate the practicality and effectiveness of the proposed approach in enhancing network integrity without additional hardware or complex detection systems.

Keywords

• MITM
• DHCP Snooping
• Port Security
• DHCP Spoofing
• Network Security

References

1. Adesemowo, A. K., & Gerber, M. (2014). E-skilling on fundamental ICT networking concepts–Overcoming the resource constraints at a South African university. Proceedings of e-Skills Knowledge Production and Innovation Conference, 1–16.
2. Adjei, H. A., Shunhua, M. T., Agordzo, G. K., Li, Y., Peprah, G., & Gyarteng, E. S. (2021). SSL stripping technique (DHCP snooping and ARP spoofing inspection). 2021 23rd International Conference on Advanced Communication Technology (ICACT), 187–193.
3. Ahmad, Z., Khan, A. S., Shiang, C. W., Abdullah, J., & Ahmad, F. (2021). Network intrusion detection system: A systematic study of machine learning and deep learning approaches. Transactions on Emerging Telecommunications Technologies, 32(1), e4150.
4. Alsaadi, R. R., & Abdul-Zahra, D. S. (2021). Security DHCP server on LAN network. Turkish Journal of Physiotherapy and Rehabilitation, 32, 3.
5. Ali, S. M., & Shareef, A. A. (2021). Designing a secure network solution against DHCP attacks. Iraqi Journal of Information & Communication Technology, 1(1), 45–57.
6. Aldaoud, M., Al-Abri, D., Al Maashri, A., & Kausar, F. (2021). DHCP attacking tools: An analysis. Journal of Computer Virology and Hacking Techniques, 17, 119–129.
7. Aldaoud, M., Al-Abri, D., Al Maashri, A., & Kausar, F. (2023). Detecting and mitigating DHCP attacks in OpenFlow-based SDN networks: A comprehensive approach. Journal of Computer Virology and Hacking Techniques, 19(4), 597–614.
8. Banitalebi Dehkordi, A., Soltanaghaei, M., & Boroujeni, F. Z. (2021). The DDoS attacks detection through machine learning and statistical methods in SDN. Journal of Supercomputing, 77(3), 2383–2415.

9. Bhushan, B., Sahoo, G., & Rai, A. K. (2017). Man-in-the-middle attack in wireless and computer networking—A review. 2017 3rd International Conference on Advanced Computing, Communication and Automation (ICACCA) (Fall), 1–6.
10. Buhr, A., Lindskog, D., Zavarsky, P., & Ruhl, R. (2011). Media access control address spoofing attacks against port security. Proceedings of the 5th USENIX Workshop on Offensive Technologies (WOOT 11).
11. Cisco Systems. (2007a). Configuring port-based traffic control. Catalyst 3550 Multilayer Switch Software Configuration Guide. Cisco Systems.
12. Cisco Systems. (2007b). Cisco Catalyst 3750 series switches: Layer 2 security features on Cisco Catalyst layer 3 fixed configuration switches configuration. Cisco Systems.
13. Droms, R. (1997a). RFC2131: Dynamic host configuration protocol.
14. Droms, R. (1997b). Dynamic host configuration protocol. Network Working Group, Internet Requests for Comments. RFC Editor.
15. Kalkancı, G., Ahmet, E. F. E., D. O. N. K., Cihangir, S., & Uysal, Z. A. (2019). A hidden hazard: Man-in-the-middle attack in networks. Computer Science, 4(2), 96–116.
16. Madakam, S., Ramaswamy, R., & Tripathi, S. (2015). Internet of Things (IoT): A literature review. Journal of Computer and Communications, 3(5), 164–173.
17. Mehran, U. E. T. (2022). Detection of server-side DHCP DoS and spoofing attack using machine learning techniques. 3rd International Conference on Computer Science and Technology.
18. Miftah, Z. (2018). Simulasi keamanan jaringan dengan metode DHCP snooping dan VLAN. Faktor Exacta, 11(2), 167.
19. Pradana, D. A., & Budiman, A. S. (2021). The DHCP snooping and DHCP alert method in securing DHCP server from DHCP rogue attack. International Journal of Informatics Development (IJID), 10(1), 38–46.
20. Purnomo, A. (2024). Implementation of DHCP snooping method to improve security on computer networks. bit-Tech, 6(3).
21. Roshani, M., & Nobakht, M. (2022). Hybriddad: Detecting DDoS flooding attack using machine learning with programmable switches. Proceedings of the 17th International Conference on Availability, Reliability and Security, 1–11.
22. Sandhya, M. (2023). Empirical investigations on the security and threat mitigation of campus switches. 2023 International Conference on Computer Communication and Informatics (ICCCI), 1–8.
23. Shrestha, P., & Sherpa, T. D. (2023). Dynamic host configuration protocol attacks and its detection using Python scripts. 2023 International Conference on Artificial Intelligence, Knowledge Discovery and Concurrent Engineering (ICECONF), 1–5.
24. Syed, N. F., Baig, Z., Ibrahim, A., & Valli, C. (2020). Denial of service attack detection through machine learning for the IoT. Journal of Information and Telecommunication, 4(4), 482–503.
25. Syed, S., Khuhawar, F., Talpur, S., Memon, A. A., Luque-Nieto, M. A., & Narejo, S. (2022). Analysis of dynamic host control protocol implementation to assess DoS attacks. 2022 Global Conference on Wireless and Optical Technologies (GCWOT), 1–7.
26. Tok, M. S., & Demirci, M. (2021). Security analysis of SDN controller-based DHCP services and attack mitigation with DHCPguard. Computers & Security, 109, 102394.
27. Tripathi, N., & Hubballi, N. (2018). Detecting stealth DHCP starvation attack using machine learning approach. Journal of Computer Virology and Hacking Techniques, 14, 233–244.
28. Yan, A., Jing, S., Qi, Q., & Xiao, B. (2016). A study on campus network access and export management. Proceedings of the 2nd Workshop on Advanced Research Technology in Industry Applications (WARTIA-16), 1812–1816.