Combating DHCP Server Spoofing

On today’s networks, most clients obtain their IP address information dynamically, using Dynamic Host Configuration Protocol (DHCP), rather than having their IP address information statically configured. To dynamically obtain IP address information, a client (for example, a PC) sends out a DHCP request. A DHCP server sees the request, and a DHCP response (including such information as an IP address, subnet mask, and default gateway) is sent to the requesting client.

However, if an attacker connects a rogue DHCP server to the network, the rogue DHCP server can respond to a client’s DHCP request. Even though both the rogue DHCP server and the actual DHCP server respond to the request, the client uses the rogue DHCP server’s response if it reaches the client before the response from the actual DHCP server.

This is shown in Figure below:

The DHCP response from an attacker’s DHCP server might assign the attacker’s IP address as the client’s default gateway or DNS server. As a result, the client could be influenced to send traffic to the attacker’s IP address. The attacker can then capture the traffic and forward the traffic to an appropriate default gateway. Because, from the client’s perspective, everything is functioning correctly, this type of DHCP server spoofing attack can go undetected for a long period of time.

The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP server spoofing attack. With this solution, Cisco Catalyst switch ports are configured in either the trusted or untrusted state. If a port is trusted, it is allowed to receive DHCP responses (for example, DHCPOFFER, DHCPACK, or DHCPNAK).

Conversely, if a port is untrusted, it is not allowed to receive DHCP responses, and if a DHCP response attempts to enter an untrusted port, the port is disabled.

Fortunately, not every switch port needs to be configured to support DHCP snooping. If a port is not explicitly configured as a trusted port, it is implicitly considered to be an untrusted port. To configure DHCP snooping, the feature must first be enabled. Use the following command to globally enable DHCP snooping:

SW3550(config)# ip dhcp snooping

You can also enable DHCP snooping for specific VLANs. For example, to enable DHCP snooping for VLANS 1 and 100, in addition to VLANs in the range of 200 to 210, use the following global configuration mode command:

SW3550(config)# ip dhcp snooping vlan 1,100,200-210

After you enable the DHCP snooping feature, specific switch interfaces can be configured as trusted ports, as the following syntax demonstrates:

SW3550(config)# interface gigabitethernet 0/4
SW3550(config-if)# ip dhcp snooping trust

Another type of DHCP attack is more of a DoS attack against the DHCP server. Specifically, the attacker can repeatedly request IP address assignments from the DHCP server, thus depleting the pool of addresses available from the DHCP server.

The attacker can accomplish this by making the DHCP requests appear to come from different MAC
addresses. To mitigate such a denial-of-service (DoS) attack, the previously mentioned DHCP snooping feature can be used to limit the number of DHCP messages per second that are allowed on an interface, thus preventing a flood of  spoofed DHCP requests.

For example, to limit the number of DHCP messages on a port to three messages per second,
use the following syntax:

SW3550(config)# interface gigabitethernet 0/5
SW3550(config-if)# ip dhcp snooping limit rate 3



See Also:
How a DHCP Works





biOos