DHCP Snooping


The job of a DHCP server is to automatically assign IP addresses (together with the default gateway, DNS servers and other options) to hosts that request them on the enterprise network.
But if an attacker connects a rogue DHCP server to your network and starts answering those requests with its own configuration, there is a problem, as explained below.
The attacker connects a rogue DHCP server to your network.

When a client broadcasts a DHCP DISCOVER, both the legitimate server and the rogue server receive it; the client normally accepts whichever OFFER arrives first.

The rogue DHCP server responds before the legitimate DHCP server can, assigning the attacker-defined IP configuration (address, default gateway, DNS server).

Host packets are redirected to the attacker's address because the rogue server handed out the attacker's address as the client's default gateway.

The end result is either a network outage or, worse, an attacker sitting in the path of the client's traffic (a man-in-the-middle position), since the client now sends everything destined for other networks to the attacker's machine.

If you want to prevent this problem, you need a mechanism in your network that identifies which DHCP packets are legitimate and which are not.

DHCP Snooping is a security feature that identifies legitimate DHCP packets, allows them to pass, and drops DHCP packets that come from a rogue DHCP server.

The DHCP Snooping feature performs the following activities:

1) Identifies DHCP messages received from a valid DHCP server and allows them. It also detects rogue DHCP server messages (OFFER, ACK or NAK arriving on a port where no DHCP server should be) and blocks them.

2) Rate-limits DHCP traffic from untrusted sources, so that a single host cannot flood the switch or the DHCP server with requests.

3) Creates and maintains the DHCP Snooping binding table, which contains information about untrusted hosts with leased IP addresses.

4) Uses the DHCP Snooping binding database to validate subsequent DHCP messages (such as RELEASE or DECLINE) from untrusted hosts, so that one host cannot release or disturb another host's lease.

The DHCP Snooping feature is enabled on a per-VLAN basis.

By default, the feature is inactive on all VLANs. You can enable it on a single VLAN or on a range of VLANs; DHCP traffic on VLANs where it is not enabled is not inspected at all.

The DHCP Snooping feature classifies each traffic source as trusted or untrusted.

Attacks can come from untrusted sources.
To avoid attacks from untrusted sources, the DHCP Snooping feature filters DHCP messages from untrusted sources (dropping any message that only a server should send) and rate-limits their DHCP traffic.

In any company, the switches, routers and servers that the network administrator knows about can be treated as trusted sources.
Switch ports that connect to user PCs, switch ports that are open (not connected to any device), and unknown DHCP servers are categorized as untrusted sources.

A DHCP server connected to the company's network without the knowledge of the network administrator is a rogue DHCP server.
A rogue DHCP server can be any device on which DHCP server software is running: a desktop, a laptop, a wireless access point, etc.

On a switch, all interfaces are untrusted by default.
We make a traffic source trusted by configuring the switch interface to which it connects (typically the uplink towards the legitimate DHCP server) as trusted; DHCP server messages arriving on that interface are then accepted and forwarded.


DHCP Snooping binding database

The DHCP Snooping feature extracts information from the DHCP messages it sees and builds a table from it. This table has an entry for each untrusted host with a leased IP address: the host's MAC address, its leased IP address, the lease time, the VLAN, and the switch interface on which the host was learned.

The table does not include entries for hosts connected through trusted interfaces.
This table is updated whenever a relevant DHCP message is received: an ACK from the legitimate server adds or refreshes a binding, and a RELEASE or lease expiry removes one.
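As an added illustration (example code written for this page, not from the original article or from any vendor's switch software), the following Python model ties together the behaviours described in the feature list above and in this binding-database section: per-VLAN enablement, trusted versus untrusted ports, dropping server-side messages that arrive on untrusted ports, rate-limiting untrusted ports, learning the binding table from the legitimate server's ACK, and using that table to reject a spoofed RELEASE. Port names (Gi0/1, Gi0/7, Gi0/24), MAC and IP addresses and the packets themselves are constructed. The comparison of the Ethernet source MAC against the DHCP chaddr field is one step beyond the page's list; it is a common companion check on real switches and is labelled as such in the code.

```python
"""Constructed model of DHCP snooping on an access switch (example code, not
from the original page). Ports, MACs, VLANs and the sample packets are made up."""
import socket
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message types carried in option 53
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


def build_dhcp(op, mac, msg_type, yiaddr="0.0.0.0", lease=None):
    """Build a minimal BOOTP/DHCP payload; used only to construct sample traffic."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    pkt += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    pkt += chaddr + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return pkt + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(raw):
    """Extract the fields snooping needs: op, client MAC, offered IP, message type, lease."""
    if len(raw) < 240 or raw[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = raw[2]
    mac = ":".join(f"{b:02x}" for b in raw[28:28 + hlen])
    opts, i = {}, 240
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:  # pad option
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": raw[0],
        "mac": mac,
        "yiaddr": socket.inet_ntoa(raw[16:20]),
        "msg_type": opts[53][0] if 53 in opts else None,
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, snooping_vlans, trusted_ports, rate_limit=10):
        self.snooping_vlans = set(snooping_vlans)
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit  # DHCP packets per second allowed per untrusted port
        self.bindings = {}  # (vlan, mac) -> Binding; untrusted hosts only
        self._client_port = {}  # (vlan, mac) -> untrusted port that sent DISCOVER/REQUEST
        self._rate = {}  # port -> [window_start, count]

    def receive(self, port, vlan, src_mac, raw, now=0.0):
        """Decide the fate of one DHCP payload seen on an ingress port."""
        if vlan not in self.snooping_vlans:
            return "forward"  # feature is per VLAN; other VLANs are not inspected
        msg = parse_dhcp(raw)
        key = (vlan, msg["mac"])
        if port in self.trusted:
            # Server replies are accepted from trusted ports; an ACK for a known client creates a binding.
            if msg["msg_type"] == ACK and key in self._client_port:
                self.bindings[key] = Binding(msg["mac"], msg["yiaddr"], msg["lease"], vlan, self._client_port[key])
            return "forward"
        window = self._rate.setdefault(port, [now, 0])
        if now - window[0] >= 1.0:
            window[:] = [now, 0]
        window[1] += 1
        if window[1] > self.rate_limit:
            return "drop:rate-limit"
        if msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MSGS:
            return "drop:server-message-on-untrusted-port"  # the rogue-server case
        if src_mac.lower() != msg["mac"]:
            return "drop:chaddr-mismatch"  # companion check beyond the page's list: spoofed chaddr
        if msg["msg_type"] in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is None or b.port != port:
                return "drop:release-without-matching-binding"
            del self.bindings[key]
            return "forward"
        self._client_port[key] = port
        return "forward"


def demo():
    """Run the rogue-server scenario from the text through the model (constructed traffic)."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi0/24"}, rate_limit=3)
    client, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    r = {}
    r["discover"] = sw.receive("Gi0/1", 10, client, build_dhcp(BOOTREQUEST, client, DISCOVER))
    # Rogue server on an untrusted access port tries to answer first with its own gateway.
    r["rogue_offer"] = sw.receive("Gi0/7", 10, rogue, build_dhcp(BOOTREPLY, client, OFFER, "192.168.1.50"))
    # Legitimate server behind the trusted uplink; its ACK populates the binding table.
    r["ack"] = sw.receive("Gi0/24", 10, "00:aa:bb:cc:dd:ee", build_dhcp(BOOTREPLY, client, ACK, "10.0.10.23", 86400))
    r["binding"] = sw.bindings[(10, client)]
    # Attacker on another port tries to release the victim's lease.
    r["spoofed_release"] = sw.receive("Gi0/7", 10, client, build_dhcp(BOOTREQUEST, client, RELEASE))
    # A burst of DISCOVERs from one untrusted port hits the rate limit.
    r["flood"] = [sw.receive("Gi0/7", 10, rogue, build_dhcp(BOOTREQUEST, rogue, DISCOVER), now=5.0) for _ in range(4)]
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running the module prints each step's verdict: the client's DISCOVER is forwarded, the rogue OFFER on Gi0/7 is dropped as a server message on an untrusted port, the legitimate ACK on the trusted uplink is forwarded and creates a binding for Gi0/1, the RELEASE sent from Gi0/7 is dropped because the binding belongs to a different port, and the fourth DISCOVER within one second on Gi0/7 is dropped by the rate limit.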