Prevent DHCP Server Spoofing by using DHCP snooping

Function of DHCP

On our networks all the different clients will usually obtain their IP address information automatically, using DHCP – Dynamic Host Configuration Protocol. This is faster and more precise than having their IP address information statically configured by manually entering the IP address, subnet mast and Default gateway into PC.

DHCP Attack

DHCP spoofing - All data going accross Attacker PCTo dynamically obtain IP address information, a client makes a DHCP request. A DHCP server sends back a DHCP response in which includes information as an IP address, subnet mask, and default gateway. If an attacker puts and false DHCP server in our LAN network, the rogue DHCP server can respond to a client’s DHCP request. Even if the rogue DHCP server and the actual DHCP server both respond to the request of our PC, the PC will use the rogue DHCP server’s response if it reaches the PC faster than actual DHCP server.

More about DHCP and about DHCP attack here. Let’s se the mechanisms to mitigate the attacks or prevent them fully:

 

DHCP snooping

The DHCP snooping feature on Cisco and Juniper switches can be used to mitigate a DHCP server spoofing attack. With this mechanism switch ports are configured in two different state, the trusted and untrusted state. If a port is configured to be trusted, it can receive DHCP responses. In other way, if a port is untrusted, it is not allowed to receive DHCP responses, and if a false attackers DHCP response attempts to enter an untrusted port, the port will be disabled.

To configure all ports for different trusted and untrusted states will be a long and boring job to do so not every switch port needs to be configured to support DHCP snooping. If a port is not set to be a trusted port, it is by default considered to be an untrusted port. To configure DHCP snooping we need to type the following commands and in that way we will globally enable DHCP snooping:

Cisco

Switch1(config)#ip dhcp snooping

We have the possibility to enable DHCP snooping only for one of the VLANs that we have. To make this possible we use the global configuration mode command:

Switch1(config)#ip dhcp snooping vlan 1,60,150-175

This command will enable DHCP snooping for VLAN 1, VLAN 60 and for a range of VLANS from 150 to 175.

Enable the DHCP snooping feature is not enough, we need to make some specific switch interfaces to be trusted ports:

Switch1(config)#interface gigabitethernet 0/3
Switch1(config-if)#ip dhcp snooping trust

Special situation DoS attack

DoS attack against the DHCP server is another kind of attack that we can slow down by a special technique. This attack is special because the attacker can in this situation repeatedly request IP address assignments from the DHCP server and in this way drain the pool of addresses available from the DHCP server. The attacker can accomplish this by making the DHCP requests appear to come from different MAC addresses. To resolve this DoS attack, the DHCP snooping feature can be set to limit the number of DHCP messages per second that are allowed to pass the interface. In this way we will slow down or completely prevent a flood of spoofed DHCP requests. To set the limit of DHCP messages on a port to five messages per second we use this command:

Switch1(config)#interface gigabitethernet 0/5
Switch1(config-if)#ip dhcp snooping limit rate 5

Juniper

In this example, we will show how to enable DHCP snooping for Juniper device VLAN:

Configure DHCP snooping on the VLAN:

  1. Set the ge-0/0/8 interface as trusted:
    [edit ethernet-switching-options secure-access-port] 
    user@switch# set interface ge-0/0/8 dhcp-trusted
  2. Enable DHCP snooping on the VLAN:
    [edit ethernet-switching-options secure-access-port] 
    user@switch# set vlan employee-vlan examine-dhcp

To check the results of the configuration:

[edit ethernet-switching-options secure-access-port]
user@switch# show
interface ge-0/0/8.0 {
dhcp-trusted;
}
vlan employee-vlan {
arp-inspection;
examine-dhcp;
}

Display the DHCP snooping information:

user@switch>show dhcp snooping binding
DHCP Snooping Information:
MAC Address         IP Address    Lease    Type     VLAN            Interface

-----------------   ----------    -----    ----     ----            ---------

00:05:85:3A:82:77    192.0.2.17    600    dynamic  employee-vlan   ge-0/0/1.0

00:05:85:3A:82:79    192.0.2.18    653    dynamic  employee-vlan   ge-0/0/1.0

00:05:85:3A:82:80    192.0.2.19    720    dynamic  employee-vlan   ge-0/0/2.0

00:05:85:3A:82:81    192.0.2.20    932    dynamic  employee-vlan   ge-0/0/2.0

00:05:85:3A:82:83    192.0.2.21   1230    dynamic  employee-vlan   ge-0/0/2.0

00:05:85:27:32:88    192.0.2.22   3200    dynamic  employee-vlan   ge-0/0/3.0

When the interface on which the DHCP server connects to the switch has been set to trusted, the output shows, for each MAC address, the assigned IP address and lease time—that is, the time, in seconds, remaining before the lease expires.

Leave a Reply