DHCP Snooping

DHCP Snooping:

DHCP snooping is a layer 2 technique that ensures IP integrity in a layer 2 switched domain by stopping rogue DHCP servers. How?

  1. By enabling DHCP snooping globally on the switch
  2. By enabling DHCP snooping on the VLAN(s)
  3. And by marking the ports that face legitimate DHCP servers as DHCP snooping trusted ports

What is a rogue DHCP server and how does it affect networks?

A rogue DHCP server is an unauthorized, destructive DHCP server that is planted intentionally to sniff or reroute frames and to carry out man-in-the-middle (MITM) attacks, DoS attacks and DHCP starvation (address exhaustion) attacks. But sometimes it also happens accidentally, by plugging a device with a DHCP server enabled, such as an Internet modem or a WiFi router, into the network.

How does this happen?

DHCP is used to auto-configure the connection information for devices that do not have static IP assignments set. Unless specifically configured to work together, multiple DHCP servers can cause clients and network devices to receive IP addresses, subnet masks, gateway IP addresses and other information that conflicts with how the network should be working. In the accidental case, a client that receives its IP address, subnet mask and gateway address from the wrong server is left with nowhere to go and cannot access the corporate network services. In the malicious case, however, it can cause a lot more damage, such as DHCP starvation (exhaustion), DoS and MITM attacks. The tricky part of these attacks is that the clients have no clue it is happening. Hence DHCP snooping, a layer 2 technique to mitigate such attacks.

How does DHCP snooping mitigate these threats and attacks?


The DHCP snooping feature performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Rate-limits DHCP traffic from trusted and untrusted sources.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.


The default trust state of all interfaces/ports is untrusted. You must configure the interfaces that face your DHCP servers as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host ports as trusted, because that is exactly where a rogue server would show up.
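To show how the checks above fit together, here is a small model of a DHCP-snooping switch written for this post (it is not the post's own code and not any vendor's implementation). It models the three decisions the feature makes: server messages arriving on untrusted ports are dropped, leases confirmed by a trusted server populate the binding database, and later RELEASE/DECLINE messages are validated against that database. The chaddr-versus-source-MAC check models the optional MAC verification some switches offer; port names, MAC addresses and IP addresses in the demo are constructed.

```python
from dataclasses import dataclass, field
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only legitimate when sent by a DHCP server

@dataclass
class DhcpMsg:
    kind: str      # DHCP message type: DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str   # Ethernet source MAC of the frame
    chaddr: str    # client hardware address inside the DHCP payload
    port: str      # switch port the frame arrived on
    vlan: int
    yiaddr: str = ""  # address handed out by the server (OFFER/ACK)

@dataclass
class SnoopingSwitch:
    snooping_vlans: set
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # (chaddr, vlan) -> (ip, client port)
    pending: dict = field(default_factory=dict)   # (chaddr, vlan) -> port of last DISCOVER/REQUEST

    def handle(self, m: DhcpMsg) -> str:
        """Decide one DHCP message: 'forward' or 'drop: <reason>'."""
        if m.vlan not in self.snooping_vlans:
            return "forward"  # snooping not enabled on this VLAN, no checks
        if m.port in self.trusted_ports:
            if m.kind == "ACK":  # lease confirmed by a trusted server: record the binding
                self.bindings[(m.chaddr, m.vlan)] = (m.yiaddr, self.pending.get((m.chaddr, m.vlan)))
            return "forward"
        if m.kind in SERVER_MSGS:  # a DHCP server answering from a host port: rogue
            return "drop: server message on untrusted port"
        if m.src_mac != m.chaddr:  # client spoofing hardware addresses (starvation)
            return "drop: chaddr does not match frame source MAC"
        if m.kind in ("RELEASE", "DECLINE"):  # must come from the bound host on its own port
            bound = self.bindings.get((m.chaddr, m.vlan))
            return "forward" if bound and bound[1] == m.port else "drop: no matching binding"
        self.pending[(m.chaddr, m.vlan)] = m.port  # remember where the client lives
        return "forward"

def demo():  # constructed traffic: real server on Gi1/0/1, client on Gi1/0/5, rogue server on Gi1/0/7
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi1/0/1"})
    c, srv, rogue = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:03", "bb:bb:bb:bb:bb:02"
    decisions = [sw.handle(m) for m in (
        DhcpMsg("DISCOVER", c, c, "Gi1/0/5", 10),
        DhcpMsg("OFFER", rogue, c, "Gi1/0/7", 10, "10.0.10.50"),   # rogue offer, dropped
        DhcpMsg("OFFER", srv, c, "Gi1/0/1", 10, "10.0.10.20"),
        DhcpMsg("REQUEST", c, c, "Gi1/0/5", 10),
        DhcpMsg("ACK", srv, c, "Gi1/0/1", 10, "10.0.10.20"),       # builds the binding
        DhcpMsg("RELEASE", c, c, "Gi1/0/9", 10),                   # release from the wrong port
        DhcpMsg("DISCOVER", c, "dd:dd:dd:dd:dd:04", "Gi1/0/5", 10),  # spoofed chaddr
    )]
    return decisions, sw.bindings
```

Running `demo()` shows the rogue OFFER, the misplaced RELEASE and the spoofed DISCOVER dropped, while the binding database ends up holding the client's real lease on its real port.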
