DHCP Snooping/Attacks Explained…

Today I will be discussing DHCP snooping. DHCP snooping is a layer 2 security feature used on switches that prevents rogue DHCP server attacks. It does this by filtering DHCP messages based on trusted/untrusted ports and by building a binding table of legitimate IP address to MAC address to VLAN to switch port mappings.

DHCP Starvation-
DHCP is an application layer protocol used to automatically provision IP addresses, the default gateway IP address and DNS server IP addresses to clients on a network. Unfortunately, bad actors have found ways to manipulate this process in order to perform attacks such as DHCP starvation or DHCP poisoning, which can then lead to Man-in-the-Middle attacks. DHCP starvation is an attack that aims to exhaust the available IP addresses in a DHCP server's pool. An attacker executes it by flooding the network with DHCP Discover and Request messages that carry spoofed/fake MAC addresses (a different value in the DHCP CHADDR field each time). Each request appears to come from a different client, so the server hands out a lease for each one, and with enough requests the pool is depleted. Legitimate clients are then unable to obtain an IP address, which makes this a DoS (Denial of Service) attack.

DHCP Poisoning- Another DHCP attack is called DHCP poisoning, or a rogue DHCP server attack. In a DHCP poisoning attack a malicious device on the network acts as an unauthorized DHCP server and responds to DHCP client requests with false network configuration settings. Instead of receiving their configuration from the legitimate DHCP server, clients may be given an incorrect IP address, default gateway IP address or DNS server addresses by the fraudulent server. Because a client accepts whichever DHCPOFFER reaches it first, a rogue server sitting on the same segment as the victim can often win the race against the real server.

False Configurations- A false default gateway address lets the attacker intercept the victim's traffic for a man-in-the-middle attack, and a false DNS server address can be used to redirect users to malicious or fake websites. One way to make a DHCP poisoning attack succeed is to perform DHCP starvation beforehand: the attacker first exhausts the legitimate server's pool so that it can no longer answer, then introduces a malicious DHCP server that is now the only one able to hand out (false) configurations.

DHCP snooping- DHCP snooping is an effective way to withstand these attacks. It divides the switch's ports into trusted and untrusted ports. Trusted ports may carry any DHCP message, including the server messages DHCPOFFER, DHCPACK and DHCPNAK, while untrusted ports are only allowed to send DHCP client messages such as DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE or DHCPRELEASE. Any DHCP server message received on an untrusted port is immediately dropped, so a rogue server plugged into an access port never gets its offers onto the network.

Trusted/Untrusted Ports- In a typical DHCP snooping setup, uplinks are configured as trusted and downlinks (access ports) are configured as untrusted. Downlinks are untrusted because they connect to end devices that could send rogue DHCP server messages. Uplinks are trusted because they connect to the legitimate DHCP server or to upstream network infrastructure that is under the administrator's control. On most switch platforms every port is untrusted by default once snooping is enabled, so the uplink toward the real DHCP server (or the port of a locally attached server) must be explicitly marked trusted, otherwise legitimate clients stop receiving addresses as well.

Verifications- On untrusted ports the switch also validates client messages such as DHCPDISCOVER before they are forwarded toward the DHCP server. It compares the Ethernet frame's source MAC address with the CHADDR (Client Hardware Address) field in the DHCP payload. If they match, the message is forwarded; if they do not, the frame is dropped. This check defeats starvation tools that only spoof the CHADDR field while still sending from the attacker's real MAC address. An attacker who also spoofs the frame's source MAC address for every message will pass this check, which is why rate limiting (below) is needed in addition.
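The filtering decisions described above (server messages dropped on untrusted ports, spoofed-CHADDR starvation traffic dropped by the MAC check) as an added example in Python. This is illustrative code written for this post, not a switch implementation, and it makes two assumptions: the frames are constructed test data in which an Ethernet header is followed directly by the BOOTP/DHCP message (the IP and UDP headers are omitted for brevity), and the port names and MAC addresses are invented.

```python
import struct
from dataclasses import dataclass
from typing import Set, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", DECLINE: "DECLINE",
         ACK: "ACK", NAK: "NAK", RELEASE: "RELEASE"}
CLIENT_TYPES = {DISCOVER, REQUEST, DECLINE, RELEASE}   # allowed on untrusted ports
SERVER_TYPES = {OFFER, ACK, NAK}                        # only allowed on trusted ports

BOOTP_FIXED_LEN = 236   # BOOTP header before the magic cookie and options


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac: str, chaddr: str, msg_type: int,
                dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed test frame: Ethernet header directly followed by a BOOTP/DHCP
    message (assumption for this example: IP and UDP headers are omitted)."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    op = 1 if msg_type in CLIENT_TYPES else 2              # BOOTREQUEST / BOOTREPLY
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0,                       # op, htype=Ethernet, hlen=6, hops
                        0x1234ABCD, 0, 0x8000,             # xid, secs, flags (broadcast bit)
                        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
                        mac(chaddr).ljust(16, b"\0"), bytes(64), bytes(128))  # chaddr, sname, file
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])
    return eth + bootp + options


@dataclass
class DhcpMsg:
    src_mac: bytes    # taken from the Ethernet header
    chaddr: bytes     # taken from the DHCP payload
    msg_type: int     # DHCP option 53


def parse_frame(frame: bytes) -> DhcpMsg:
    """Pull out the three fields the snooping decision needs."""
    src_mac = frame[6:12]
    bootp = frame[14:14 + BOOTP_FIXED_LEN]
    hlen = bootp[2]                       # hardware address length (6 for Ethernet)
    chaddr = bootp[28:28 + hlen]          # chaddr starts at byte 28 of the BOOTP header
    opts = frame[14 + BOOTP_FIXED_LEN:]
    if opts[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    i, msg_type = 4, None
    while i < len(opts) and opts[i] != OPT_END:   # walk the TLV option list
        if opts[i] == OPT_PAD:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == OPT_MSG_TYPE:
            msg_type = opts[i + 2]
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option missing")
    return DhcpMsg(src_mac, chaddr, msg_type)


def snoop(frame: bytes, port: str, trusted: Set[str], verify_mac: bool = True) -> Tuple[bool, str]:
    """Decide whether the switch forwards (True) or drops (False) a DHCP frame."""
    msg = parse_frame(frame)
    name = NAMES.get(msg.msg_type, str(msg.msg_type))
    if port in trusted:                                   # trusted ports carry anything
        return True, f"forward {name}: {port} is trusted"
    if msg.msg_type in SERVER_TYPES:                      # rogue server on an access port
        return False, f"drop {name}: server message on untrusted port {port}"
    if verify_mac and msg.chaddr != msg.src_mac:          # CHADDR must match the frame source
        return False, (f"drop {name}: CHADDR {msg.chaddr.hex(':')} does not match "
                       f"frame source {msg.src_mac.hex(':')} on {port}")
    return True, f"forward {name}: client message on untrusted port {port}"


def demo():
    trusted = {"Gi0/24"}   # assumed topology: Gi0/24 is the uplink toward the real DHCP server
    client, rogue, server = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ac:de:48:00:11:22"
    cases = [
        ("Gi0/1", build_frame(client, client, DISCOVER)),                 # legitimate client
        ("Gi0/1", build_frame(client, "de:ad:be:ef:00:01", DISCOVER)),   # starvation: spoofed CHADDR
        ("Gi0/2", build_frame(rogue, client, OFFER, dst_mac=client)),    # rogue server on access port
        ("Gi0/24", build_frame(server, client, OFFER, dst_mac=client)),  # real server via trusted uplink
    ]
    return [snoop(frame, port, trusted) for port, frame in cases]


if __name__ == "__main__":
    for ok, reason in demo():
        print(("FORWARD " if ok else "DROP    ") + reason)
```

Running it forwards the first and last frames and drops the spoofed DISCOVER and the rogue OFFER. Passing `verify_mac=False` lets the spoofed DISCOVER through, which is the situation the rate-limiting section below has to cover: an attacker who spoofs both the frame source and CHADDR also passes the MAC check.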

DHCP Snooping Binding Table- DHCP snooping also builds a database called the "DHCP snooping binding table." It is maintained by the switch and records the IP address, MAC address, VLAN, lease time and switch port of every client that obtained an address from a legitimate DHCP server (the switch learns these by watching the DHCPACK that comes back over a trusted port). The table lets the switch validate later DHCP traffic such as DHCPRELEASE and DHCPDECLINE messages: when one arrives on an untrusted port, the switch checks that it was received on the same switch port (interface) where that IP address was originally learned and recorded in the binding table. So if a client obtained an IP address on Gig0/1 and an attacker on Gig0/2 sends a release for that address, the release is dropped, which stops an attacker from freeing other clients' leases. The binding table also feeds other security features such as DAI (Dynamic ARP Inspection) and IP Source Guard, which use the IP-to-MAC-to-port bindings to drop spoofed ARP replies and spoofed source IP addresses respectively.

Rate Limiting- DHCP snooping also has a mechanism called "rate limiting," which restricts the number of DHCP messages a switch port will accept per second. If the configured rate is exceeded, the port is placed into the err-disabled state and stops forwarding all traffic until an administrator re-enables it or an err-disable recovery timer brings it back. This is extremely useful against DHCP starvation attacks and other floods, because a legitimate client sends only a handful of DHCP messages per lease while a starvation tool sends hundreds per second. The limit should be set low on untrusted access ports and left high (or unset) on trusted uplinks, which aggregate the DHCP traffic of many clients; otherwise a busy uplink can be err-disabled by perfectly normal traffic.
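The binding table, the release check and the per-port rate limit from the last two sections, as an added Python example written for this post (not switch code). The port names, MAC addresses, VLAN numbers, lease lengths and the 15 messages/second limit are invented for the demonstration, and the caller passes in the client MAC (the CHADDR) and a timestamp so the behaviour can be reproduced without real packets.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str        # port the client's DISCOVER/REQUEST arrived on
    expires: float   # absolute time at which the lease ends


@dataclass
class PortState:
    trusted: bool
    rate_limit: Optional[int] = None   # DHCP messages per second; None means no limit
    err_disabled: bool = False
    window_start: float = 0.0
    count: int = 0


class DhcpSnooper:
    """Binding table plus per-port rate limiting, modelled on the behaviour described above."""

    def __init__(self, ports: Dict[str, PortState]):
        self.ports = ports
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (client MAC, VLAN) -> binding
        self.pending: Dict[Tuple[str, int], str] = {}        # (client MAC, VLAN) -> requesting port
        self.log: List[str] = []

    def _within_rate(self, port: str, now: float) -> bool:
        st = self.ports[port]
        if st.err_disabled:                 # an err-disabled port forwards nothing
            return False
        if st.rate_limit is None:
            return True
        if now - st.window_start >= 1.0:    # one-second counting window
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > st.rate_limit:
            st.err_disabled = True
            self.log.append(f"{port}: {st.count} DHCP msgs/s exceeds limit {st.rate_limit}, err-disabled")
            return False
        return True

    def _expire(self, now: float) -> None:
        for key in [k for k, b in self.bindings.items() if b.expires <= now]:
            self.log.append(f"lease expired: {self.bindings[key].ip} on {self.bindings[key].port}")
            del self.bindings[key]

    def handle(self, port: str, vlan: int, msg_type: str, mac: str,
               ip: Optional[str] = None, lease: float = 0.0, now: Optional[float] = None) -> bool:
        """Return True if the switch forwards the message, False if it drops it.
        `mac` is the client's CHADDR for every message type, including server replies."""
        now = time.time() if now is None else now
        self._expire(now)
        if not self._within_rate(port, now):
            return False
        st, key = self.ports[port], (mac, vlan)
        if msg_type in ("OFFER", "ACK", "NAK"):
            if not st.trusted:                       # rogue server on an access port
                self.log.append(f"drop: server {msg_type} on untrusted {port}")
                return False
            if msg_type == "ACK" and key in self.pending:   # lease granted: record the binding
                self.bindings[key] = Binding(mac, ip, vlan, self.pending.pop(key), now + lease)
                self.log.append(f"bind: {ip} {mac} vlan {vlan} on {self.bindings[key].port}")
            return True
        if msg_type in ("DISCOVER", "REQUEST"):
            if not st.trusted:
                self.pending[key] = port             # remember which port asked
            return True
        if msg_type in ("RELEASE", "DECLINE"):
            if st.trusted:
                return True
            b = self.bindings.get(key)
            if b is None or b.port != port:          # must come from the port that holds the lease
                self.log.append(f"drop: {msg_type} for {mac} on {port} does not match binding "
                                f"({'none' if b is None else b.port})")
                return False
            del self.bindings[key]
            return True
        return False


def demo() -> List[bool]:
    sw = DhcpSnooper({"Gi0/1": PortState(trusted=False, rate_limit=15),
                      "Gi0/2": PortState(trusted=False, rate_limit=15),
                      "Gi0/24": PortState(trusted=True)})
    t, client = 1000.0, "00:11:22:33:44:55"
    out = [sw.handle("Gi0/1", 10, "DISCOVER", client, now=t),                                   # forwarded
           sw.handle("Gi0/24", 10, "ACK", client, ip="10.0.10.50", lease=3600, now=t + 0.1),    # binding on Gi0/1
           sw.handle("Gi0/2", 10, "RELEASE", client, now=t + 1),                                # wrong port: dropped
           sw.handle("Gi0/1", 10, "RELEASE", client, now=t + 2)]                                # right port: forwarded
    # starvation flood: 20 DISCOVERs with distinct MACs within 0.2 s on Gi0/2 (limit 15)
    flood = [sw.handle("Gi0/2", 10, "DISCOVER", f"de:ad:be:ef:00:{i:02x}", now=t + 3 + i * 0.01)
             for i in range(20)]
    out.append(all(flood[:15]) and not any(flood[15:]))
    out.append(sw.ports["Gi0/2"].err_disabled)
    return out


if __name__ == "__main__":
    print(demo())
```

The release check is the reason the table has to store the port and not just the IP/MAC pair: the attacker on Gi0/2 knows the victim's MAC and address but cannot send from Gi0/1. The rate limiter counts messages per port per second, which is why the same limit would be wrong on Gi0/24: in this model the uplink carries the server's replies for every client and therefore has no limit.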
