DHCP Snooping


DHCP Snooping is a Cisco switch feature that mitigates certain DHCP-related attacks by filtering the DHCP messages received on untrusted ports. Every port is classified as either trusted or untrusted:

Uplink ports → Trusted ports

Downlink ports → Untrusted ports

💡
NOTE: Uplink ports point away from the end devices, toward the network infrastructure (other switches, routers, the DHCP server), so no user devices are expected on them. Downlink ports are the ones facing the hosts.
🚨
IMPORTANT: With no configuration, all ports are untrusted by default; trust has to be granted explicitly per interface.

It helps mitigate the following DHCP-related attacks:

  • DHCP Starvation: the attacker runs software that floods the network with DHCP Discover messages, each carrying a different spoofed source MAC address, until the legitimate DHCP server's address pool is exhausted and real clients can no longer obtain a lease.
  • DHCP Poisoning (Spoofing): the attacker runs a rogue DHCP server that tries to answer DHCP Discover messages with an Offer faster than the legitimate DHCP server (Starvation is often run first, so the legitimate server has nothing left to offer and only the rogue one answers). In its Offer the rogue server sets its own address as the default gateway, so traffic that clients send to destinations outside the LAN (the default gateway's job to forward) passes through the attacker first, who can view or modify the packets before relaying them to the legitimate default gateway, a man-in-the-middle position similar to ARP Spoofing.

How DHCP Snooping works

If the switch receives a DHCP message on a trusted port, it forwards it without inspection.

If it receives a DHCP message on an untrusted port, it inspects it:

  • If it is a DHCP server message (Offer, Ack, Nak), discard it.
  • If it is a DHCP client message, do the following:
    • Discover/Request: check that the frame's source MAC address matches the CHADDR field inside the DHCP message; if not, discard it.
      • This helps against DHCP Starvation tools that change the CHADDR but do not fully spoof the Ethernet source MAC.
    • Release/Decline: check that the IP address in the message and the interface it arrived on match an entry in the DHCP Snooping Binding Table; if not, discard it.
      • This prevents an attacker from releasing or declining a lease on behalf of another user's device.
  • If the message carries Option 82 (DHCP Relay Agent Information), discard it (default behaviour for untrusted ports).
  • (Optional) If the number of DHCP messages per second on the interface exceeds the configured limit, put the interface into err-disabled.
    • Configured per interface with ip dhcp snooping limit rate {messages-per-second}
    • Once the limit is exceeded the interface goes err-disabled and stays down until it is recovered.
    • Automatic recovery is enabled with errdisable recovery cause dhcp-rate-limit (the wait time is set with errdisable recovery interval {seconds})

💡
NOTE: There is a table of associations between MAC Address, IP Address, Lease time, VLAN and interface called the DHCP Snooping Binding Table. The switch populates it from the DHCP exchanges it forwards (the client's MAC and port from the Discover/Request, the assigned IP and lease from the Ack). It can be seen with show ip dhcp snooping binding
💡
NOTE: With DHCP Snooping enabled, Cisco switches by default insert Option 82 into client DHCP messages, which is a DHCP Relay Agent function. This causes problems if the switch is not acting as a DHCP Relay Agent or is connected to another switch running DHCP Snooping, since that switch will discard messages carrying Option 82 that arrive on its untrusted ports, and some DHCP servers reject Option 82 messages whose giaddr is zero. It is therefore recommended to disable it, as described in the configuration section.
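To make the rules above concrete, here is an added Python model of the snooping decision logic (example code written for these notes, not Cisco's implementation, which differs in detail). It parses DHCP messages from raw bytes, applies the trusted/untrusted, MAC-vs-CHADDR, Release/Decline binding-table, Option 82 and rate-limit rules, and learns the binding table from Acks seen on the trusted uplink. The interface names, MAC addresses, the 10.0.0.50 lease and every DHCP payload are constructed for the demo; the rate limit of 3 messages per second is deliberately low so the err-disable path is exercised.

```python
"""Model of the DHCP snooping rules described above (added example, not Cisco code).
All DHCP messages are built by build_dhcp(); nothing here is a real capture."""
import struct
from dataclasses import dataclass, field

OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 50, 51, 53, 82, 255
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the option list


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header (RFC 2131) and the TLV option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen, opts, i = payload[2], {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:  # pad byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": payload[28:28 + hlen], "ciaddr": payload[12:16],
            "yiaddr": payload[16:20], "options": opts,
            "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0]}


def build_dhcp(op, chaddr, msg_type, ciaddr=bytes(4), yiaddr=bytes(4), extra=()):
    """Construct a minimal DHCP message (sample data for this demo, hard-coded xid)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                      ciaddr, yiaddr, bytes(4), bytes(4))
    hdr += chaddr.ljust(16, b"\0") + bytes(192) + MAGIC  # chaddr, sname, file, cookie
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, val in extra:
        opts += bytes([code, len(val)]) + val
    return hdr + opts + bytes([OPT_END])


@dataclass
class DhcpSnooping:
    trusted: set = field(default_factory=set)
    rate_limit: dict = field(default_factory=dict)    # interface -> max DHCP msgs/second
    bindings: dict = field(default_factory=dict)      # ip -> (mac, vlan, interface, lease)
    err_disabled: set = field(default_factory=set)
    _counts: dict = field(default_factory=dict)       # interface -> msgs in current second
    _client_port: dict = field(default_factory=dict)  # chaddr -> (interface, vlan)

    def inspect(self, interface, vlan, src_mac, payload):
        """Return 'forward' or a 'drop: ...' reason for one DHCP frame."""
        if interface in self.err_disabled:
            return "drop: interface is err-disabled"
        limit = self.rate_limit.get(interface)
        if limit is not None:  # ip dhcp snooping limit rate <n>
            self._counts[interface] = self._counts.get(interface, 0) + 1
            if self._counts[interface] > limit:
                self.err_disabled.add(interface)
                return "drop: rate limit exceeded, interface err-disabled"
        msg = parse_dhcp(payload)
        mtype = msg["msg_type"]
        if interface in self.trusted:  # trusted port: forward, but learn bindings from Acks
            if mtype == ACK and msg["chaddr"] in self._client_port:
                port, cvlan = self._client_port[msg["chaddr"]]
                lease = struct.unpack("!I", msg["options"].get(OPT_LEASE, bytes(4)))[0]
                self.bindings[msg["yiaddr"]] = (msg["chaddr"], cvlan, port, lease)
            return "forward"
        if mtype in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if OPT_RELAY_AGENT in msg["options"]:
            return "drop: Option 82 on untrusted port"
        if mtype in (DISCOVER, REQUEST) and msg["chaddr"] != src_mac:
            return "drop: source MAC does not match CHADDR"
        if mtype in (RELEASE, DECLINE):  # Release carries the IP in ciaddr, Decline in option 50
            ip = msg["ciaddr"] if mtype == RELEASE else msg["options"].get(OPT_REQUESTED_IP, b"")
            b = self.bindings.get(ip)
            if b is None or b[2] != interface or b[1] != vlan:
                return "drop: Release/Decline does not match binding table"
        self._client_port[msg["chaddr"]] = (interface, vlan)
        return "forward"


def demo():
    """Gi0/1 is the trusted uplink; Gi0/2 and Gi0/3 are untrusted access ports (VLAN 10)."""
    sw = DhcpSnooping(trusted={"Gi0/1"}, rate_limit={"Gi0/2": 3})
    host, attacker = bytes.fromhex("001122334455"), bytes.fromhex("00deadbeef00")
    server, leased = bytes.fromhex("00aabbccddee"), bytes([10, 0, 0, 50])
    r = [sw.inspect("Gi0/2", 10, host, build_dhcp(1, host, DISCOVER)),        # legit client
         sw.inspect("Gi0/2", 10, attacker, build_dhcp(1, host, DISCOVER)),    # starvation, MAC != CHADDR
         sw.inspect("Gi0/3", 10, attacker, build_dhcp(2, host, OFFER)),       # rogue server
         sw.inspect("Gi0/1", 10, server, build_dhcp(2, host, ACK, yiaddr=leased,
                    extra=[(OPT_LEASE, struct.pack("!I", 3600))])),           # real server on uplink
         sw.inspect("Gi0/3", 10, host, build_dhcp(1, host, RELEASE, ciaddr=leased)),  # forged Release
         sw.inspect("Gi0/2", 10, host, build_dhcp(1, host, RELEASE, ciaddr=leased)),  # genuine Release
         sw.inspect("Gi0/3", 10, host, build_dhcp(1, host, DISCOVER,
                    extra=[(OPT_RELAY_AGENT, b"\x01\x02ab")])),              # Option 82 from a host
         sw.inspect("Gi0/2", 10, host, build_dhcp(1, host, DISCOVER))]        # 4th msg on Gi0/2 > 3
    return r, sw


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

Running it prints one verdict per frame: the two legitimate client messages and the Ack on the uplink are forwarded, the starvation Discover, rogue Offer, forged Release and Option 82 Discover are dropped with their reason, and the fourth message on Gi0/2 trips the rate limit and err-disables the port, after which the learned binding for 10.0.0.50 points at the host's MAC, VLAN 10 and Gi0/2.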

Configure

  1. Enable DHCP Snooping globally and on the VLANs where it should run
    configure terminal
    ip dhcp snooping                          ! "no ip dhcp snooping" turns the feature off again
    ip dhcp snooping vlan {vlan id}           ! must also be enabled per VLAN to take effect
    no ip dhcp snooping information option    ! disables Option 82 insertion
  2. Select the interfaces to trust (by elimination, all other interfaces stay untrusted)
    interface g0/0                            ! EXAMPLE: the uplink toward the DHCP server
    ip dhcp snooping trust