DHCP Snooping – Theory and Lab
DHCP spoofing and starvation attacks are methods used by intruders to exhaust the DHCP address pool on the DHCP server, resulting in resource starvation: no DHCP addresses remain available to be assigned to legitimate users.
Learn about DHCP in our Cisco CCNA video training course or read our 101 Labs – Cisco CCNA workbook.
DHCP is used to dynamically assign hosts with IP addresses. A DHCP server can be configured to provide DHCP clients with a great deal of information, such as DNS servers, NTP servers, WINS information, and default gateway (router) information. DHCP uses UDP port 68. Cisco IOS routers and some switches can be configured as both DHCP clients and DHCP servers.
When DHCP is used on a network, the DHCP client sends a DHCPDISCOVER message to locate a DHCP server. This is a Layer 2 broadcast because the client has no Layer 3 address yet, so the message is sent to the Layer 2 broadcast address FFFF.FFFF.FFFF. If the DHCP server is in the same Layer 2 broadcast domain as the DHCP client, no additional network configuration is needed.
Upon receiving the DHCPDISCOVER message, the DHCP server offers network configuration settings to the client via the DHCPOFFER message. This is sent only to the requesting client.
The client then sends a DHCPREQUEST broadcast message so that any other servers that responded to its initial DHCPDISCOVER message, other than the server whose offer it accepted, can reclaim the IP addresses they had offered to that client. Finally, the issuing DHCP server confirms that the IP address has been allocated to the client by sending a DHCPACK message to the requesting client. Figure 1 below illustrates the DHCP exchange between a client and a server:
Fig. 1. The DHCP Client and Server Packet Exchange
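The four-message exchange just described, encoded and decoded at the byte level, as an added example that is not part of the original article. It assumes only the RFC 2131 fixed header layout and the RFC 2132 option codes 50, 53 and 54; the transaction id, client MAC and IP addresses are constructed values.

```python
# Added example: minimal DHCP message encoder/decoder used to replay DISCOVER/OFFER/REQUEST/ACK.
import struct

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie that precedes the options
BOOTREQUEST, BOOTREPLY = 1, 2            # op field: client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message-type values
BROADCAST = 0x8000                       # flags bit: reply by broadcast, client has no IP yet
HDR = "!BBBBIHH4s4s4s4s16s64s128s"       # fixed 236-byte header (RFC 2131)

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", broadcast=True):
    """Encode one DHCP message; chaddr is a 6-byte MAC, options maps code -> value bytes."""
    flags = BROADCAST if broadcast else 0
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags, ip4("0.0.0.0"), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4("0.0.0.0"), chaddr.ljust(16, b"\0"), b"", b"")
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC + tlvs + b"\xff"  # option 255 terminates the option list

def parse(pkt):
    """Decode the fixed header and option TLVs; refuse anything without the cookie."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                  # option 0 is a single pad byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & BROADCAST),
            "yiaddr": ".".join(map(str, f[8])), "chaddr": f[11][:f[2]], "options": opts}

def dora_exchange(client_mac, offered_ip, server_ip):
    """Build the DISCOVER/OFFER/REQUEST/ACK messages and return them decoded, in order."""
    xid, sid = 0x3903F326, ip4(server_ip)          # constructed transaction id
    msgs = [
        build(BOOTREQUEST, xid, client_mac, {53: bytes([DISCOVER])}),
        build(BOOTREPLY, xid, client_mac, {53: bytes([OFFER]), 54: sid}, offered_ip),
        # the client names the accepted server (54) and address (50) so other servers can reclaim
        build(BOOTREQUEST, xid, client_mac, {53: bytes([REQUEST]), 54: sid, 50: ip4(offered_ip)}),
        build(BOOTREPLY, xid, client_mac, {53: bytes([ACK]), 54: sid}, offered_ip),
    ]
    return [parse(m) for m in msgs]
```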
DHCP starvation attacks combine MAC address spoofing with a flood of DHCP requests carrying randomly generated source MAC addresses, sent to the target DHCP server to exhaust its available address space for a period of time. This prevents legitimate DHCP clients from being serviced by the DHCP server.
Once the legitimate DHCP server has been successfully flooded and can no longer service the legitimate clients, the attacker introduces a rogue DHCP server, which then responds to the DHCP requests of legitimate clients with the intent of providing incorrect configuration information to the clients, such as default gateways and WINS or DNS servers. This forged information then allows the attacker to perform other types of attacks. Tools such as MACOF and GOBBLER can be used by attackers to perform starvation attacks.
There are several techniques that can be used to prevent such attacks from occurring. The first is port security, which can be used to limit the number of MAC addresses on a switch port and thus mitigate DHCP spoofing and starvation attacks. The second method is VLAN ACLs (VACLs), which are ACLs that are applied to entire VLANs and are used to control host communication within VLANs. VACLs are described later in this chapter. The third method, which is also the most recommended method, is to enable the DHCP snooping feature.
DHCP Snooping Overview
DHCP snooping provides network protection from rogue DHCP servers by creating a logical firewall between untrusted hosts and DHCP servers. When DHCP snooping is enabled, the switch builds and maintains a DHCP snooping table, which is also referred to as the DHCP binding table, and it is used to prevent and filter untrusted messages from the network.
DHCP snooping uses the concept of trusted and untrusted interfaces. This means that incoming packets received on untrusted ports are dropped if the source MAC address of those packets does not match the MAC address in the binding table. Figure 2 below illustrates the operation of the DHCP snooping feature:
Fig. 2. DHCP Snooping Operation
As can be seen in Figure 2, an attacker attempts to inject false DHCP responses into the exchange of DHCP messages between the legitimate DHCP client and server. However, because DHCP snooping is enabled on the switch, these packets are dropped because they are originating from an untrusted interface and the source MAC address does not match the MAC address in the binding table.
The exchange between the legitimate client that is on an untrusted interface and the DHCP server is permitted because the source address does match the MAC address in the binding table entry. Figure 3 below illustrates the use of the DHCP snooping table, which is used to filter untrusted DHCP messages from the network:
Fig. 3. The DHCP Snooping (Binding) Table
In Figure 3, packets sourced from trusted ports are not subject to DHCP snooping checks. Trusted interfaces for DHCP snooping would be configured for ports directly connected to DHCP servers. However, all packets from untrusted interfaces are checked against the entries in the DHCP snooping table.
This means that if an attacker attempts to use randomly generated MAC addresses to initiate a DHCP spoofing and starvation attack, all packets will be checked against the DHCP snooping table, and because there will be no matches for those MAC addresses, all such packets will be discarded by the switch, effectively preventing this type of attack.
Configuring DHCP Snooping
Configuring basic DHCP snooping involves three basic steps, as follows:
- Globally enabling DHCP snooping on the switch by issuing the ip dhcp snooping global configuration command;
- Enabling DHCP snooping for a VLAN or range of VLANs by issuing the ip dhcp snooping vlan [vlan-number|vlan-range] global configuration command; and
- Configuring trusted interfaces for DHCP snooping by issuing the ip dhcp snooping trust interface configuration command. It is extremely important to remember that in order for DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces. All untrusted DHCP messages (i.e. messages from untrusted ports) will be forwarded only to trusted interfaces.
Optionally, network administrators can configure the switch to support the DHCP Relay Agent Information Option, which is DHCP Option 82, by issuing the ip dhcp snooping information option global configuration command when configuring DHCP snooping on the switch.
Once DHCP snooping has been enabled, administrators can use the show ip dhcp snooping command to validate their configuration. The following output shows how to configure DHCP snooping for VLAN 100 and also how to enable DHCP Option 82 insertion. Interface GigabitEthernet2/24 is connected to a DHCP server and is configured as a trusted interface:
VTP-Server-1(config)#ip dhcp snooping
VTP-Server-1(config)#ip dhcp snooping vlan 100
VTP-Server-1(config)#ip dhcp snooping information option
VTP-Server-1(config)#int gi 2/24
VTP-Server-1(config-if)#description 'Connected to Legitimate DHCP Server'
VTP-Server-1(config-if)#ip dhcp snooping trust
Cisco IOS software allows you to rate-limit the number of DHCP messages an untrusted interface can receive per second via the ip dhcp snooping limit rate [rate] interface configuration command. The specified rate can be anywhere between 1 and 2048 DHCP packets per second. By default, this feature is disabled and there is no rate-limiting of DHCP packets on any interface when DHCP snooping is enabled. The following output demonstrates how to set a message rate limit of 150 messages per second on an untrusted interface connected to a host:
VTP-Server-1(config)#int gi 5/45
VTP-Server-1(config-if)#description 'Connected to Network Host'
VTP-Server-1(config-if)#ip dhcp snooping limit rate 150
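The snooping decisions described in the overview above (trusted versus untrusted ports, the binding table, dropping rogue server replies and spoofed client addresses) together with the per-port rate limit configured here, as an added simulation that is neither Cisco's code nor part of the original article. Port names, VLAN 100, the 150 pps limit and the client MAC mirror this lab; the frames are constructed dictionaries, and a client that has no binding yet is allowed through so that it can obtain its first lease.

```python
from collections import Counter

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # only a DHCP server sends these types

class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit           # DHCP pps allowed on each untrusted port
        self.pending = {}                      # chaddr -> untrusted port waiting for an ACK
        self.bindings = {}                     # chaddr -> (ip, vlan, port): the binding table
        self.pps, self.errdisabled = Counter(), set()

    def ingress(self, f):
        """Return 'forward' or 'drop:<reason>' for one frame dict (simulated snooping rules)."""
        port, mac, kind = f["port"], f["src_mac"], f["type"]
        if port in self.errdisabled:
            return "drop:port-err-disabled"
        if port in self.trusted:               # trusted ports bypass every check
            if kind == "ACK" and f["chaddr"] in self.pending:   # server ACK creates the binding
                self.bindings[f["chaddr"]] = (f["yiaddr"], f["vlan"], self.pending.pop(f["chaddr"]))
            return "forward"
        self.pps[port] += 1
        if self.rate_limit and self.pps[port] > self.rate_limit:
            self.errdisabled.add(port)         # a port over the limit is err-disabled
            return "drop:rate-limit-exceeded"
        if kind in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"      # rogue DHCP server
        if f["chaddr"] != mac:
            return "drop:chaddr-mismatch"      # source MAC differs from the client hardware address
        bound = self.bindings.get(mac)
        if kind in ("RELEASE", "DECLINE") and bound and (bound[1], bound[2]) != (f["vlan"], port):
            return "drop:binding-mismatch"     # lease is held on another port or VLAN
        self.pending[mac] = port
        return "forward"

def run_lab():
    """Replay the legitimate exchange, a rogue server, a spoofed client and a flood (constructed)."""
    sw = SnoopingSwitch(trusted_ports={"Gi2/24"}, rate_limit=150)
    c, srv = "0021.8642.0b01", "0011.2233.4455"           # client and server MACs (constructed)
    def mk(port, src, chaddr, kind, **kw):
        return dict(port=port, src_mac=src, chaddr=chaddr, type=kind, vlan=100, **kw)
    frames = [mk("Gi5/1", c, c, "DISCOVER"), mk("Gi2/24", srv, c, "OFFER", yiaddr="10.1.1.254"),
              mk("Gi5/1", c, c, "REQUEST"), mk("Gi2/24", srv, c, "ACK", yiaddr="10.1.1.254"),
              mk("Gi5/45", "dead.beef.0001", c, "OFFER", yiaddr="10.1.1.66"),  # rogue server
              mk("Gi5/45", "dead.beef.0002", "dead.beef.0003", "DISCOVER"),    # spoofed chaddr
              mk("Gi5/45", c, c, "RELEASE")]                                  # lease lives on Gi5/1
    verdicts = [sw.ingress(f) for f in frames]
    flood = [mk("Gi5/45", f"dead.beef.{i:04x}", f"dead.beef.{i:04x}", "DISCOVER") for i in range(200)]
    return verdicts, Counter(sw.ingress(f) for f in flood), sw.bindings
```

The flood of 200 DISCOVERs on Gi5/45 arrives on top of the three frames already counted for that port, so the 151st DHCP frame trips the limit and the port stays err-disabled for the rest.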
Verifying DHCP Snooping
Once DHCP snooping has been enabled, the show ip dhcp snooping command can be used to validate DHCP snooping configuration, as illustrated in the following output:
VTP-Server-1#show ip dhcp snooping
Switch DHCP snooping is enabled.
DHCP Snooping is configured on the following VLANs:
100
Insertion of option 82 information is enabled.
Interface               Trusted    Rate limit (pps)
---------------------   -------    ----------------
GigabitEthernet2/24     yes        none
You can also use the show ip dhcp snooping binding command to view DHCP snooping binding entries that correspond to untrusted ports. This is illustrated in the following output:
VTP-Server-1#show ip dhcp snooping binding
MacAddress          IP Address    Lease (seconds)   Type      VLAN   Interface
------------------  ------------  ----------------  --------  -----  --------------------
0021.8642.0b01      10.1.1.254    1600              dynamic   100    GigabitEthernet5/1