What is DHCP Snooping and how does it work?

"Why can't I connect to the network, even though my laptop received an IP address dynamically?" Have you run into this problem? Have you doubted the authenticity of the IP addresses your hosts receive, and whether they come from an authorized DHCP server? If not, how do you prevent a rogue server from handing them out? This article introduces DHCP Snooping, the switch feature that keeps hosts from accepting addresses from unauthorized DHCP servers.

What is DHCP Snooping?


DHCP Snooping is a Layer 2 security feature built into the operating system of a capable network switch. It discards DHCP traffic that is invalid or that arrives from an untrusted source, and so prevents unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. The DHCP Snooping function performs the following actions:

  • Checks DHCP messages from untrusted sources and filters out invalid messages.
  • Creates and maintains a DHCP Snooping binding database that contains information about untrusted hosts with leased IP addresses.
  • Uses the DHCP Snooping binding database to verify subsequent requests from untrusted hosts.

How does DHCP snooping work?


To understand how DHCP Snooping works, we first need to understand the DHCP mechanism itself (DHCP stands for Dynamic Host Configuration Protocol). When DHCP is enabled, a network device without an IP address "interacts" with the DHCP server in 4 stages: DISCOVER (the client broadcasts a request for an address), OFFER (a server proposes an address), REQUEST (the client asks for the offered address) and ACK (the server confirms the lease), as shown below.

[Figure 1: DHCP principle]

DHCP Snooping classifies the interfaces on the switch into two categories, trusted and untrusted ports, as shown in Figure 2. A trusted port is a port from which DHCP server messages are accepted; typically this is the port facing the legitimate DHCP server or the uplink towards it. An untrusted port is a port from which DHCP server messages are not accepted; typically these are the access ports where clients connect. Once DHCP Snooping is enabled, DHCP server messages (OFFER, ACK, NAK) are only forwarded if they arrive on a trusted port. A server message arriving on an untrusted port is discarded.

[Figure 2: DHCP Snooping trusted and untrusted ports]

At the confirmation stage, a DHCP binding table entry is created from the DHCP ACK message. It records the host MAC address, the leased IP address, the remaining lease time, the type of binding, as well as the VLAN number and the interface on which the host was seen, as shown in Figure 3. If a subsequent DHCP packet from an untrusted host (for example a RELEASE or DECLINE for an address it was never assigned, or a packet whose client hardware address does not match the entry) does not match the binding information, it is dropped.
Figure 3: DHCP Snooping binding table

  MAC Address         IP Address     Lease (sec)  Type           VLAN  Interface
  e4-54-e8-9d-ab-42   10.32.96.192   673          dhcp-snooping  10    Eth 1/23
  ...

Basic Types of Attacks Prevented by DHCP Snooping


DHCP Spoofing Attack


DHCP spoofing occurs when an attacker answers DHCP requests from a rogue server and advertises itself (spoofs) as the default gateway or DNS server, thereby setting up a man-in-the-middle attack. The attacker can then intercept user traffic before forwarding it to the real gateway, or perform a denial of service; often the attacker first floods the real DHCP server with requests to exhaust its IP address pool so that the rogue server is the only one left to answer.

DHCP Starvation (DHCP exhaustion)


A DHCP starvation attack targets the authorized DHCP server by flooding it with DHCP DISCOVER and REQUEST messages that carry forged source MAC addresses. The server, unable to tell that this is a starvation attack, answers every request and assigns an available IP address to each forged client, until the DHCP pool is exhausted and legitimate clients can no longer obtain a lease. DHCP Snooping counters this by checking that the client hardware address in the DHCP message matches the frame's source MAC address and by rate-limiting DHCP packets on untrusted ports.
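The following is an added example, not code from the original article or from any switch vendor. It models in Python the decision path the previous sections describe: server messages accepted only on trusted ports, a binding table learned from the server's ACK (keyed to the port where the client's request was seen), client RELEASE/DECLINE messages validated against that table, and a per-port rate limit that catches the starvation burst. The packet fields, port names, the rate-limit window and the sample traffic are all constructed for the demonstration; the DHCP message type numbers are the standard ones from option 53.

```python
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class DhcpPacket:
    port: str          # switch interface the frame arrived on (assumed naming)
    vlan: int
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address inside the DHCP header
    msg_type: int
    yiaddr: str = ""   # address the server assigns (OFFER/ACK)
    ciaddr: str = ""   # address the client claims to hold (RELEASE/DECLINE)
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str
    type: str = "dhcp-snooping"


class DhcpSnooping:
    """Simplified model of the DHCP snooping checks on an access switch."""

    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit        # max DHCP packets per untrusted port per window (assumed)
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.pending_port = {}              # (chaddr, vlan) -> port of the client's last DISCOVER/REQUEST
        self.counters = defaultdict(int)    # DHCP packets seen per port

    def process(self, pkt):
        """Return ('forward' | 'drop', reason) for one DHCP packet."""
        if pkt.port in self.trusted:
            if pkt.msg_type == ACK:
                self._learn(pkt)
            return "forward", "trusted port"

        # Everything below applies to untrusted (client-facing) ports.
        self.counters[pkt.port] += 1
        if self.rate_limit is not None and self.counters[pkt.port] > self.rate_limit:
            return "drop", f"rate limit exceeded on {pkt.port} (starvation; port would be err-disabled)"

        if pkt.msg_type in SERVER_MESSAGES:
            return "drop", "server message on untrusted port (rogue DHCP server)"

        if pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop", "chaddr does not match Ethernet source MAC"

        key = (pkt.chaddr.lower(), pkt.vlan)
        if pkt.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is None or b.port != pkt.port or b.ip != pkt.ciaddr:
                return "drop", "RELEASE/DECLINE does not match binding table"
            del self.bindings[key]
            return "forward", "release matched binding"

        # DISCOVER / REQUEST: remember the client's port so the binding built
        # from the server's ACK records the interface the host sits behind.
        self.pending_port[key] = pkt.port
        return "forward", "client message on untrusted port"

    def _learn(self, ack):
        key = (ack.chaddr.lower(), ack.vlan)
        port = self.pending_port.pop(key, None)
        if port is None:
            return  # ACK for a client whose request this switch never saw
        self.bindings[key] = Binding(ack.chaddr.lower(), ack.yiaddr, ack.lease, ack.vlan, port)


def run_demo():
    """Constructed traffic: a legitimate lease, a rogue OFFER, a forged RELEASE
    from another port, then a starvation burst. Returns (verdicts, bindings)."""
    sw = DhcpSnooping(trusted_ports={"Eth1/48"}, rate_limit=5)
    client, server, rogue = "e4-54-e8-9d-ab-42", "aa-bb-cc-00-00-01", "00-11-22-33-44-55"
    traffic = [
        DhcpPacket("Eth1/23", 10, client, client, DISCOVER),
        DhcpPacket("Eth1/48", 10, server, client, OFFER, yiaddr="10.32.96.192"),
        DhcpPacket("Eth1/23", 10, client, client, REQUEST),
        DhcpPacket("Eth1/48", 10, server, client, ACK, yiaddr="10.32.96.192", lease=673),
        DhcpPacket("Eth1/07", 10, rogue, client, OFFER, yiaddr="10.32.96.250"),      # rogue server
        DhcpPacket("Eth1/07", 10, client, client, RELEASE, ciaddr="10.32.96.192"),   # forged release
    ]
    # Starvation: DISCOVERs from one port, each with a fresh forged MAC.
    traffic += [DhcpPacket("Eth1/07", 10, f"02-00-00-00-00-{i:02x}", f"02-00-00-00-00-{i:02x}", DISCOVER)
                for i in range(6)]
    return [sw.process(p)[0] for p in traffic], sw.bindings


if __name__ == "__main__":
    verdicts, bindings = run_demo()
    print(verdicts)
    print(bindings)
```

In the demo the first four packets complete a normal DORA exchange and produce one binding for the client on Eth1/23. The rogue OFFER is dropped because it arrives on an untrusted port, and the RELEASE for the victim's address is dropped because the binding says that address belongs to a different interface. Of the six starvation DISCOVERs, only the first three fit under the port's budget; a real switch would err-disable the port at that point rather than keep counting. The same binding table is what IP Source Guard and Dynamic ARP Inspection consume on switches that offer them.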

How to enable DHCP snooping?


DHCP Snooping applies to wired clients on switch ports. As an access-layer security feature, it is enabled on any switch that has VLAN access ports served by DHCP. When deploying DHCP Snooping, configure the trusted ports first (the ports through which valid DHCP server messages will arrive, including any uplink towards the DHCP server) and only then enable DHCP Snooping on the VLAN you want to protect; doing it in the other order means the switch briefly discards the legitimate server's replies and clients lose connectivity. Both the CLI and the web interface can be used for the configuration.

Conclusion


Although DHCP simplifies IP addressing, it also introduces security issues. DHCP Snooping, one of the protection mechanisms for it, prevents hosts from accepting addresses from a rogue DHCP server and helps defend against starvation attacks that try to use up every address in the DHCP pool.
