Introducing DHCP Snooping
DHCP snooping is a control plane feature that closely monitors and restricts DHCP
operations on a VLAN. Control plane means the feature runs on the central management
processor, where it is possible to perform deep-packet inspection operations. DHCP
snooping introduces the concept of trusted and untrusted ports inside a given VLAN.
NOTE For a quick review of the steps involved in a typical DHCP operation, review the beginning
of this chapter: DORA (Discover/Offer/Request/Ack).
Hosts have no reason to generate DHCPOFFER or DHCPACK messages; they are only
supposed to issue DHCPDISCOVER and DHCPREQUEST messages. This is where
DHCP snooping comes into play: An untrusted port does not let "bad" packets enter the
switch. Bad packets mean DHCPOFFER and DHCPACK if the port in question is
connected to a host. Figure 5-6 demonstrates that the switch blocks DHCPOFFER (and
DHCPACK and DHCPNAK) messages from the attacker port because they come from an
untrusted port.
Figure 5-6 DHCP Snooping: Trusted and Untrusted Ports
[Figure: a switch with DHCP snooping enabled. The DHCP server is attached to a trusted port, so its DHCP responses (Offer, Ack, Nak) are accepted as "OK". The client and the attacker are attached to untrusted ports, so DHCP responses (Offer, Ack, Nak) sent from the attacker port are "BAD" and are stopped.]
Countermeasures to DHCP Exhaustion Attacks 97
Think of DHCP snooping as a specialized firewall placed between trusted and untrusted
ports. It works by building dynamic IP-to-MAC bindings for each secured switch port. By
peeking into DHCP packets, the switch learns the IP address that a DHCP server has
assigned to a given client (identified by a unique MAC address) on a specific LAN port in
a given VLAN. The DHCP binding entry consists of the quadruple <MAC address, IP
address, lease time, interface>. After an entry is created for a specific port, incoming DHCP
messages are compared against the binding information. If the information contained in the
packet does not match the binding, an error condition is flagged, and the packet is
discarded. DHCP snooping provides the following security features:
• Rate-limiting DHCP messages on a port
• DHCP message validation
• Option 82 insertion/removal. Provides the DHCP server with information about
which switch and which port on that switch a DHCP request is coming from
• Prevention of DoS attacks through DHCP
The following sections explain these features.
Rate-Limiting DHCP Messages per Port
Each port can be configured with a maximum threshold of DHCP packets it can receive per
second. After the threshold is crossed, the port shuts down to prevent a DoS attack caused
by sending a constant stream of DHCP messages.
DHCP Message Validation
For messages received on trusted ports, no validation is performed. For messages received
on untrusted ports, the following steps are taken:
1 DHCP messages normally exchanged from a DHCP server to a client are dropped.
These messages are DHCPOFFER, DHCPACK, and DHCPNAK.
2 DHCP messages with a nonzero relay agent/gateway IP address (also called the giaddr
field) or Option 82 data are dropped.
3 DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table
entries to prevent a host from releasing/declining addresses leased to another host.
4 DHCPDISCOVER messages, where the source MAC address does not match the
client Hardware Address field, are dropped. This helps to mitigate the DHCP
exhaustion attack. This check is performed only if the DHCP snooping MAC address
verification option is turned on.
The binding table contains records built from information gleaned through DHCP packets.
A record consists of an IP address, a MAC address, a VLAN, a port, and a lease time. The
IP address is the address assigned by the DHCP server; the MAC address is the host's MAC
address; the VLAN and port fields identify the port to which the host is attached; and the
lease time specifies the period of validity of the DHCP address assignment. The binding
table is built as follows:
• Upon seeing a DHCPACK. Add a new binding entry, if one doesn't exist. This event
happens when the DHCP server assigns a new IP address to a client.
• Upon seeing a DHCPNAK. Remove a binding entry if one exists. The server sends
a DHCPNAK when a client attempts to reuse a previously allocated IP address, and
the server finds that it is invalid. (This could potentially happen if the client has moved
to a different subnet, for example.)
• Upon seeing a DHCPRELEASE. Remove an existing binding entry. The client
decides to relinquish its IP address.
• Upon seeing a DHCPDECLINE. Remove an existing binding entry. The client finds
out that the IP address assigned by the server is already being used by another client;
therefore, it informs the server that the assignment is invalid.
The binding table is only maintained for untrusted ports.
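As an added example (not code from the book), the untrusted-port validation steps and the binding-table rules above, modelled in Python. Packets are given as plain records rather than parsed from the wire; the port names, the MAC strings, the target_ip field (the address a RELEASE/DECLINE refers to) and the omission of the lease timer are assumptions of this model.

```python
from dataclasses import dataclass, field
# DHCP message types (option 53 values); only a server should send OFFER/ACK/NAK
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}

@dataclass
class Dhcp:                       # constructed packet record (not wire format)
    msg_type: int
    src_mac: str                  # Ethernet source address of the frame
    chaddr: str                   # client hardware address field in the DHCP header
    giaddr: str = "0.0.0.0"       # relay agent address; nonzero only when relayed
    yiaddr: str = "0.0.0.0"       # address handed out in an ACK
    target_ip: str = "0.0.0.0"    # address a RELEASE/DECLINE refers to (model assumption)
    has_opt82: bool = False       # relay-information option present

@dataclass
class Snooper:
    trusted: set = field(default_factory=set)         # trusted port names
    verify_mac: bool = True                           # MAC address verification option
    bindings: dict = field(default_factory=dict)      # (mac, vlan) -> (ip, port)
    client_ports: dict = field(default_factory=dict)  # (mac, vlan) -> untrusted port seen

    def validate(self, pkt, port, vlan):
        """Return None if the packet is allowed, else the reason it is dropped."""
        if port in self.trusted:  # step 0: no validation on trusted ports
            return None
        if pkt.msg_type in SERVER_MSGS:  # step 1
            return "server message from untrusted port"
        if pkt.giaddr != "0.0.0.0" or pkt.has_opt82:  # step 2
            return "relay data (giaddr/Option 82) from untrusted port"
        if pkt.msg_type in (RELEASE, DECLINE):  # step 3: must match our own binding
            if self.bindings.get((pkt.chaddr, vlan)) != (pkt.target_ip, port):
                return "release/decline does not match binding table"
        if self.verify_mac and pkt.msg_type == DISCOVER and pkt.src_mac != pkt.chaddr:
            return "source MAC does not match chaddr"  # step 4
        return None

    def process(self, pkt, port, vlan):
        """Validate, then maintain the binding table; returns 'forward' or 'drop: ...'."""
        reason = self.validate(pkt, port, vlan)
        if reason:
            return "drop: " + reason
        key = (pkt.chaddr, vlan)
        if port not in self.trusted:  # remember which untrusted port the client is on
            self.client_ports[key] = port
        if pkt.msg_type == ACK and key in self.client_ports:  # bindings only for untrusted ports
            self.bindings.setdefault(key, (pkt.yiaddr, self.client_ports[key]))
        elif pkt.msg_type in (NAK, RELEASE, DECLINE):
            self.bindings.pop(key, None)
        return "forward"
```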
NOTE It is possible to create manual static bindings for devices that do not use DHCP. Here is how
to configure a static binding of MAC address 0000.0c00.40af to IP address 10.42.0.6 on the
interface Gigabit Ethernet 1/1 with a pseudo-lease time of 1000 seconds:
IOS(conf)# ip dhcp snooping binding 0000.0c00.40af vlan 1 10.42.0.6 interface gi1/1 expiry 1000
Example 5-3 contains a show command that displays the binding table from a switch with
DHCP snooping enabled.
NOTE Chapter 6, "Exploiting IPv4 ARP," describes how the information contained in the DHCP
snooping table is also used to defeat Address Resolution Protocol (ARP) attacks.
Example 5-3 A DHCP Snooping Binding Table
Switch# show ip dhcp snooping binding
MacAddress          IpAddress   Lease(sec)  Type     VLAN  Interface
-----------------   ---------   ----------  -------  ----  ---------------
00:30:94:C2:EF:35   41.0.0.51   286         dynamic  41    FastEthernet0/3
00:D0:B7:1B:35:DE   41.0.0.52   237         dynamic  41    FastEthernet0/3
00:00:00:00:00:01   40.0.0.46   286         dynamic  40    FastEthernet0/9
00:00:00:00:00:03   42.0.0.33   286         dynamic  42    FastEthernet0/9
00:00:00:00:00:02   41.0.0.53   286         dynamic  41    FastEthernet0/9
DHCP snooping can mitigate rogue server attacks by ensuring that all host ports are
configured as untrusted by default. This makes it impossible to run a DHCP server off
such a port.
DHCP Snooping with Option 82
DHCP Option 82 provides the DHCP server with information about which switch and
which port on that switch a DHCP request is coming from. This information is supplied via
the Agent-ID and Circuit-ID subfields of the Relay-Information DHCP Option, as defined in
RFC 3046. DHCP snooping is Option-82 friendly in the sense that it can insert or remove
DHCP relay information (the Option-82 field) in forwarded DHCP request messages from
untrusted ports to the DHCP server.
With Option 82 enabled, the DHCP server can use the extra information to assign IP
addresses, perform access control, and set quality of service (QoS) and security policies (or
other parameter-assignment policies) for each DHCP client. When the server returns a
response, it also includes the Option-82 information. Not all DHCP servers support Option 82,
however. At the time of this writing, a Google search for "DHCP server option 82" returned
just a few hits, among which Cisco Network Registrar and Avaya's server figured.
Moreover, the DHCP server developed by the Internet Systems Consortium (ISC) can log
Option 82, which it calls agent.circuit-id.
Tips for Deploying DHCP Snooping
The second you globally enable DHCP snooping on the switch, be aware that all DHCP
requests are dropped until some ports are configured as trusted. By default, ports come up
as untrusted; hence, all DHCP packets are dropped by default. Cisco recommends that you
not configure the untrusted interface rate limit to more than 100 packets per second (pps).
The recommended rate limit for each untrusted client is 15 pps. Normally, the rate limit
applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep
in mind that trusted interfaces aggregate all DHCP traffic in the switch; you need to adjust
the rate limit to a higher value. Fine-tune this threshold depending on the network
configuration. The CPU should not receive DHCP packets at a sustained rate of more than
1000 pps, or else the CPU will spend most of its time processing DHCP packets with little
time left, if any, to process other packets, such as ARP or Open Shortest Path First (OSPF).
(See Chapter 13, "Control Plane Policing.")
If you are enabling DHCP snooping on a port (access or trunk) linking two switches, and
the downstream switch populates Option 82 in DHCP messages, make sure that you
configure the trust relationship with the downstream switch. On a Catalyst 6500 Series
switch, this task is accomplished with the ip dhcp relay information trusted VLAN
configuration command. Plan the deployment of DHCP snooping well ahead. If possible,
schedule a maintenance window when all users are off the network.
100 Chapter 5: Leveraging DHCP Weaknesses
Tips for Switches That Do Not Support DHCP Snooping
If your switch does not support DHCP snooping but does support port- or VLAN-based
access lists, it is still possible to prevent certain DHCP attacks, such as the rogue server
example. Recall the example at the beginning of this chapter: DHCP clients broadcast
DHCPDISCOVER messages from UDP port 68 to UDP port 67. If you know that a given
range of ports has no business running DHCP server services, configure an access list that
blocks all UDP traffic from port 67. This prevents rogue DHCP servers from operating on
the LAN. It does not, however, prevent DHCP starvation attacks because the attacker can
still send multiple DHCPDISCOVERs to get multiple IP addresses leased to him.
NOTE As usual, all switches are not created equal when it comes to sophisticated security features,
such as DHCP snooping. Many switches in the Cisco product portfolio support DHCP
snooping, with minor differences among products. Consult the documentation of your
particular LAN switch to determine what specific aspects of DHCP snooping are supported.