
DHCP Snooping

Updated on Apr 2, 2024

What Is DHCP Snooping?

DHCP (Dynamic Host Configuration Protocol) snooping is a security feature that validates DHCP messages in a network. It allows only authorized DHCP servers to assign IP addresses to clients, while also maintaining a record of IP-MAC address mappings. By doing so, it thwarts potential DHCP-based attacks, safeguarding the network against unauthorized access and ensuring its integrity.

Why Do We Need DHCP Snooping?

DHCP, as defined in RFC 2131, is vulnerable to various attacks, including bogus DHCP server attacks, DHCP server Denial-of-Service (DoS) attacks, and bogus DHCP message attacks. DHCP snooping acts as a protective barrier, serving as a firewall between DHCP clients and the DHCP server. Its primary purpose is to thwart DHCP attacks on the network, enhancing the security of communication services.

How Does DHCP Snooping Work?

DHCP Snooping serves as a safeguard against potential threats posed by DHCP-based attacks, ensuring the integrity and security of network communication services. By understanding the operation of DHCP, which dynamically assigns IP addresses to network devices, one can grasp how DHCP Snooping operates.

In DHCP, a device without an IP address exchanges four messages with a DHCP server: the client broadcasts a Discover to look for a server, the server answers with an Offer containing a proposed address, the client sends a Request confirming the offered address, and the server completes the exchange with an Acknowledgment (ACK).

Figure: DHCP Client and DHCP Server

DHCP Snooping categorizes switch interfaces into two groups: trusted and untrusted ports. Trusted ports are those on which DHCP server messages are deemed trustworthy, while untrusted ports are not. When DHCP Snooping is active, DHCP server messages such as Offers are accepted only when they arrive on trusted ports; a server message arriving on an untrusted port is discarded.

Figure: Trusted Port and Untrusted Port

During the acknowledgment stage, DHCP Snooping constructs a DHCP binding table based on the information contained in DHCP ACK messages. This table records details such as the host's MAC address, the leased IP address, duration of the lease, binding type, VLAN number, and associated interface. Subsequent DHCP packets received from untrusted hosts are scrutinized against this information; if they fail to match, they are rejected.

In essence, DHCP Snooping acts as a barrier, ensuring that DHCP-related messages are only allowed to flow through trusted ports and maintaining the accuracy and security of DHCP bindings through careful verification of incoming traffic.

What Are Application Scenarios of DHCP Snooping?

Defending Against Bogus DHCP Server Attacks:

Mechanism:

The absence of authentication mechanisms between DHCP servers and clients makes networks susceptible to bogus DHCP server attacks. Unauthorized DHCP servers can provide incorrect IP addresses and compromise network security.

Solution:

To counteract bogus DHCP server attacks, configure trusted and untrusted interfaces on the device. Designate the interface connected directly or indirectly to the authorized DHCP server as trusted, preventing the device from accepting DHCP Reply messages on untrusted interfaces.

Defending Against Attacks from Non-DHCP Users:

Mechanism:

Non-DHCP users with static IP addresses may initiate attacks, posing security risks. These attacks can be mitigated by generating static MAC address entries based on the DHCP snooping binding table.

Solution:

Enable the device to generate static MAC address entries and disable dynamic MAC address learning on the interface. Only messages with MAC addresses matching static entries are allowed, preventing attacks from non-DHCP users.

Defending Against DHCP Flood Attacks:

Mechanism:

DHCP flood attacks involve overwhelming the device with a large number of DHCP messages, degrading performance. DHCP snooping can help prevent such attacks by limiting the rate of incoming DHCP messages.

Solution:

Enable DHCP snooping and set rate limits to control the number of DHCP messages processed by the device. Messages exceeding the defined rate are discarded, safeguarding the device's performance.

Defending Against Bogus DHCP Message Attacks:

Mechanism:

Bogus DHCP message attacks involve unauthorized DHCP clients sending invalid Request or Release messages. DHCP snooping uses a binding table to validate these messages against authorized entries.

Solution:

Utilize the DHCP snooping binding table to validate DHCP Request and Release messages. Messages are checked for VLAN IDs, IP addresses, MAC addresses, and interface IDs against binding entries, ensuring the legitimacy of messages.

Defending Against DHCP Server DoS Attacks:

Mechanism:

DHCP server Denial-of-Service (DoS) attacks aim to exhaust the IP address pool by flooding the server with requests. DHCP snooping, combined with limitations on the number of access DHCP clients, helps prevent such attacks.

Solution:

Enable DHCP snooping and set the maximum number of allowed access DHCP clients on the device or interface. This restricts the number of clients that can obtain an IP address, preventing exhaustion of the address pool.

Detecting Client Locations Through an LDRA:

Mechanism:

Location Data-Related Actions (LDRA) enable devices to record client locations and forward this information to DHCPv6 servers for better IP address allocation and policy enforcement.

Solution:

By enabling DHCP snooping and LDRA on the switch, the device captures client location information and communicates it to the DHCPv6 server. This enables the server to assign IP addresses and apply policies based on client locations, enhancing network management.
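The trusted/untrusted port rule, the binding table learned from ACKs, the rate limit against floods and the validation of Release and renewal messages described above, modelled in Python as an added example (this is not FS code or any switch vendor's implementation). It parses the fixed BOOTP header and option 53 of a raw DHCP payload and returns a forward/drop decision per ingress port; the port names, the limit of 3 packets per untrusted port and the cumulative (window-less) counter are constructed simplifications.

```python
from dataclasses import dataclass, field

MAGIC = b"\x63\x82\x53\x63"            # DHCP option magic cookie (RFC 2131)
OFFER, ACK, NAK, RELEASE = 2, 5, 6, 7   # option 53 message types used here
SERVER_MSGS = {OFFER, ACK, NAK}         # only a DHCP server legitimately sends these

def parse_dhcp(pkt: bytes) -> dict:     # op, ciaddr, yiaddr, client MAC, message type
    if len(pkt) < 241 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    ip = lambda b: ".".join(str(x) for x in b)
    m = {"op": pkt[0], "ciaddr": ip(pkt[12:16]), "yiaddr": ip(pkt[16:20]),
         "mac": pkt[28:34].hex(":"), "type": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:           # walk TLV options until End (255)
        if pkt[i] == 53:                            # DHCP Message Type option
            m["type"] = pkt[i + 2]
        i += 1 if pkt[i] == 0 else 2 + pkt[i + 1]   # Pad (0) carries no length byte
    return m

@dataclass
class Snooper:
    trusted: set                     # ports leading to the authorized DHCP server
    rate_limit: int = 3              # DHCP packets per untrusted port (no time window: simplification)
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> (ip, port), built from ACKs
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> ingress port of the client's request
    seen: dict = field(default_factory=dict)

    def handle(self, port: str, vlan: int, pkt: bytes) -> str:
        self.seen[port] = self.seen.get(port, 0) + 1
        if port not in self.trusted and self.seen[port] > self.rate_limit:
            return "drop: rate limit"                # DHCP flood protection
        m = parse_dhcp(pkt)
        if m["op"] == 2 or m["type"] in SERVER_MSGS: # server -> client direction
            if port not in self.trusted:
                return "drop: server message on untrusted port"   # bogus DHCP server
            if m["type"] == ACK and (m["mac"], vlan) in self.pending:
                self.bindings[(m["mac"], vlan)] = (m["yiaddr"], self.pending.pop((m["mac"], vlan)))
            return "forward"
        if port not in self.trusted and (m["type"] == RELEASE or m["ciaddr"] != "0.0.0.0"):
            if self.bindings.get((m["mac"], vlan)) != (m["ciaddr"], port):
                return "drop: no matching binding"    # bogus Release/renew: MAC, IP, VLAN or port differs
            if m["type"] == RELEASE:
                del self.bindings[(m["mac"], vlan)]
        elif port not in self.trusted:
            self.pending[(m["mac"], vlan)] = port    # Discover / initial Request: remember ingress port
        return "forward"

def build(op, mtype, mac, ciaddr=bytes(4), yiaddr=bytes(4)) -> bytes:   # constructed test payload
    hdr = bytes([op, 1, 6, 0]) + bytes(8) + ciaddr + yiaddr + bytes(8) + mac + bytes(10) + bytes(192)
    return hdr + MAGIC + bytes([53, 1, mtype, 255])
```

Feeding a Discover, a rogue Offer on an untrusted port, the real Offer and ACK on the trusted port, and then a Release from a different port shows each rule firing in turn.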

Common Attacks Prevented by DHCP Snooping

DHCP Spoofing Attack

DHCP spoofing occurs when an attacker responds to DHCP requests, masquerading as a legitimate DHCP server. By doing so, the attacker can trick clients into accepting incorrect IP configurations, such as fake default gateways or DNS servers. This opens the door for man-in-the-middle attacks, allowing the attacker to intercept and manipulate network traffic. Additionally, the attacker can overwhelm the legitimate DHCP server by flooding it with requests, leading to denial of service for legitimate users.

DHCP Starvation Attack

A DHCP starvation attack targets DHCP servers by flooding them with a large number of DHCP REQUEST messages, each with spoofed source MAC addresses. The DHCP server, unaware that these requests are malicious, responds to each one by assigning an available IP address. Consequently, the DHCP server's address pool becomes depleted, leaving no addresses for legitimate clients to obtain. This effectively disrupts network connectivity for legitimate users and can cause network downtime.
