DHCP snooping is a switch-only feature: it works only on switches, not on other devices such as routers or servers. Typically all switches, whether layer 2 or multilayer, support DHCP snooping.
DHCP snooping works on a per-VLAN basis. This means you can enable and configure DHCP snooping on the VLANs you choose. For example, if you configure DHCP snooping on VLAN 2, it will work only on the ports that belong to VLAN 2. By default, DHCP snooping is disabled on all VLANs.
How DHCP snooping works
DHCP snooping acts like a firewall. It inspects all incoming messages on the port. If an incoming message is not related to DHCP, DHCP snooping lets it in. If an incoming message is related to DHCP, DHCP snooping applies its logic and, based on its configuration, either lets the message in or discards it.
The following image shows how DHCP snooping works.
The man-in-the-middle attack on the DHCP server
In this attack, an attacker configures a rogue DHCP server on his device and connects that device to the local network. When a DHCP client sends a local broadcast message to obtain an IP configuration, the attacker's device receives this message and leases a modified IP configuration to the client.
The modified IP configuration is identical to the real one except for the gateway IP address: it contains the IP address of the attacker's device instead of the original gateway. When the client uses this modified configuration, all packets the client sends to the default gateway reach the attacker's device first. The attacker's device then forwards them to the original gateway.
Since all packets sent by the client reach the default gateway through the attacker's device, the attacker can copy every packet or extract sensitive information from them. This attack is known as the man-in-the-middle attack on the DHCP server.
Let's take a simple example to understand how it works.
The following image shows an example network. In this network, the client receives an IP configuration from the DHCP server and uses the received IP configuration to connect to the remote network.
The following image shows the same example network. But this time, the client receives IP configuration from the attacker's DHCP server.
The following image shows how data flows between the client and the default gateway after a man-in-the-middle attack.
How does DHCP snooping protect the network from the man-in-the-middle attack?
DHCP uses four different types of messages: Discover, Offer, Request, and ACK. From these messages, DHCP clients use Discover and Request messages while DHCP servers use Offer and ACK messages.
Since a DHCP client never sends Offer or ACK messages, DHCP snooping can be configured to filter these messages on ports that are connected to DHCP clients. This configuration mitigates the threat of the man-in-the-middle attack on DHCP servers.
To understand this in more detail, let's return to our example.
In our example, the DHCP server is connected to port Fa0/11. So we will configure DHCP snooping to allow Offer/ACK messages only on port Fa0/11.
Once DHCP snooping is configured, the switch will accept Offer/ACK messages only on the ports that are configured as the allowed (trusted) ports. If it receives Offer/ACK messages on the ports that are not configured as the allowed ports, it immediately discards those messages.
The following image shows how DHCP snooping protects our example network from the man-in-the-middle attack.
In this example, when the attacker tries to lease an IP configuration to the client, the switch blocks the attacker's offer. After this configuration, the client receives an IP configuration only from the legitimate DHCP server on the trusted port.
This tutorial is the ninth part of the article 'DHCP (Dynamic Host Configuration Protocol) basic concepts, configurations, functions, and options Explained'. Other parts of this tutorial are the following.
What DHCP is and Types of DHCP Explained
How DHCP works explained with examples
DHCP Configuration Parameters and Settings Explained
How to Configure DHCP Server on Cisco Switches
Configure DHCP Server for multiple VLANs on the Switch
How to Configure DHCP Server on Cisco Routers
How DHCP Relay Agents work Explained
How to Configure DHCP Relay Agent on Cisco Routers
Configure DHCP Snooping on Cisco Switches
DHCP snooping trusted and untrusted ports
In a DHCP snooping configuration, a trusted port is a port that can accept all four types of messages, and an untrusted port is a port that can accept only two types of messages: Discover and Request.
On untrusted ports, DHCP snooping does not accept the messages that a DHCP server needs in order to provide an IP configuration to clients: Offer and ACK. In simple words, unless a DHCP server can send these messages to the client, it can't lease an IP configuration to the client.
Since DHCP snooping does not allow the messages a DHCP server requires on untrusted ports, a DHCP server connected to an untrusted port can't lease IP configurations to clients.
The following image shows how DHCP snooping blocks and allows DHCP messages.
DHCP binding table
The DHCP binding table is the next level of security that DHCP snooping provides. DHCP snooping maintains a record of all offered/leased IP addresses in the DHCP binding table and uses this record to block DoS attacks.
Let's understand how this DoS attack works and how DHCP snooping uses the DHCP binding table to block it.
When a client broadcasts a DHCP Discover message, the client also includes its MAC address in the message. The DHCP server uses the client's MAC address to provide the IP configuration to the client.
Since a client sends the DHCP Discover message to the local broadcast address, an attacker's device connected to the local network also receives it. From the broadcast message, the attacker learns the client's MAC address and uses it to craft fake DHCP requests.
The following image shows a DHCP snooping enabled network. In this network, the client sends a local DHCP Discover broadcast message. Both the original and the fake DHCP server offer an IP configuration to the client. DHCP snooping filters and blocks the fake DHCP server's offer and allows the offer of the original DHCP server. The client receives an IP configuration only from the genuine DHCP server.
The attacker's device fails to provide an IP configuration to the client, but it now knows the client's MAC address. So it uses the client's MAC address to generate a large number of fake DHCP requests.
Since DHCP snooping does not block Discover/Request messages, all these messages reach the genuine DHCP server, and the DHCP server provides an IP configuration for each request. The following image shows this process.
Soon the attacker has leased all IP addresses from the DHCP server, leaving none for the actual clients. Once all IP addresses are leased, the DHCP server can't provide IP addresses to the clients that are configured to obtain their addresses from it. Since those clients can't receive IP addresses, they lose network connectivity.
This attack is known as the DoS attack on the DHCP server. To minimize it, DHCP snooping keeps a record of each successful assignment in the DHCP binding table. When it receives a Discover/Request message on an untrusted port, it reads the MAC address of the message and looks that address up in the DHCP binding table. If it finds an entry for that address, it discards the message.
The following image shows how it works.
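The two checks described above, the trusted/untrusted port filter for Offer/ACK and the binding-table lookup for Discover/Request, as an added simulation that is not part of this tutorial or of any switch vendor's code. Port names, MAC addresses and IP addresses are constructed; DHCP messages are modelled as small dicts rather than real option-53 packets.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK"}        # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}  # only a DHCP client sends these


@dataclass
class SnoopingSwitch:
    """Model of the DHCP snooping decision logic described in the text."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # client MAC -> leased IP
    log: list = field(default_factory=list)

    def inspect(self, port, msg):
        """Return True if the message is forwarded, False if it is dropped."""
        kind = msg.get("type")
        if kind not in SERVER_MSGS | CLIENT_MSGS:
            return True  # non-DHCP traffic is not inspected at all
        if port in self.trusted_ports:
            if kind == "ACK":  # a successful lease: record it in the binding table
                self.bindings[msg["mac"]] = msg["ip"]
            return True
        if kind in SERVER_MSGS:  # Offer/ACK arriving on an untrusted port
            self.log.append(f"drop {kind} on untrusted {port}")
            return False
        if msg["mac"] in self.bindings:  # MAC already holds a lease
            self.log.append(f"drop {kind} from {msg['mac']} on {port}: already bound")
            return False
        return True


def run_scenario():
    """Replay the tutorial's example: server on Fa0/11, client on Fa0/1, attacker on Fa0/5."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/11"})
    client_mac = "00:11:22:33:44:55"  # constructed sample value
    return {
        "client_discover": sw.inspect("Fa0/1", {"type": "DISCOVER", "mac": client_mac}),
        "rogue_offer": sw.inspect("Fa0/5", {"type": "OFFER", "mac": client_mac, "ip": "10.0.0.9"}),
        "real_offer": sw.inspect("Fa0/11", {"type": "OFFER", "mac": client_mac, "ip": "10.0.0.50"}),
        "client_request": sw.inspect("Fa0/1", {"type": "REQUEST", "mac": client_mac}),
        "real_ack": sw.inspect("Fa0/11", {"type": "ACK", "mac": client_mac, "ip": "10.0.0.50"}),
        # attacker replays the client's MAC to grab another lease: blocked by the binding table
        "spoofed_request": sw.inspect("Fa0/5", {"type": "REQUEST", "mac": client_mac}),
        "bindings": dict(sw.bindings),
        "drops": list(sw.log),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Real switches pair these checks with a per-port rate limit on DHCP messages; this model implements only the two checks the text describes.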
That's all for this tutorial. In the next part, we will learn how to configure DHCP snooping on Cisco switches through a Packet Tracer example.