My CCNA notes on DHCP Snooping were a little longer than I expected. I was going to put DHCP Snooping and Dynamic ARP Inspection into the same blog post, but it would have been too long. 🙂 I personally prefer to read when studying or troubleshooting. YouTube's chapter markers help and make it quicker to find things, but I still prefer blog posts. Enough about me and my preferences: what's the deal with all this snooping?
Table of Contents
- What is DHCP Snooping and why does it matter?
- DHCP Snooping - How does it work?
What is DHCP Snooping and why does it matter?
Man in the middle - ARP Poisoning
- Let's imagine somebody breached your network and set up a PC or a piece of software on your network that responds to DHCP requests.
- John Wayne, who works for E-Corp returns with his laptop on Monday morning and wants to connect to the company network. He needs an IP address so his computer sends out a DHCPDISCOVER message.
- The attacker's PC (software), acting as a DHCP server, replies to the DHCPDISCOVER with a DHCPOFFER.
- John Wayne's computer accepts the offer and gets a legitimate IP address for the subnet and a correct subnet mask, but the default router (gateway) is the attacker's PC, not the legitimate default gateway. Hence, all network traffic generated by John Wayne flows through the attacker's PC, creating a man-in-the-middle attack. John Wayne has no idea, since everything works on his end: the attacker forwards the traffic to the legitimate router but keeps a copy of anything John Wayne sends.
- This only works if the attacker's PC responds before the legitimate DHCP server does. Most likely the attacker's PC will respond first, since it is likely on the same subnet and the DHCP request does not need to be relayed. The legitimate DHCP server will still get the DHCPDISCOVER message and reply with a DHCPOFFER, but if the attacker is first, that offer will be declined by John Wayne's PC.
- A starvation attack is when an attacker uses spoofed MAC addresses to flood the network with DHCP discover messages. This can cause the DHCP pool to run out of addresses, resulting in a denial of service for other devices.
- A DHCP discover message includes the CHADDR (client hardware address, i.e. MAC) field. An attacker could spoof this MAC address and make it different from the source address in the frame. If the DHCP server is on the same subnet as the PC sending the discover message, it wouldn't need the CHADDR field, but most often the DHCP server is on another subnet, so the discover message has to be routed. That means the source MAC address can no longer be the PC's; it is the MAC address of the router's exit interface. Remember that the source and destination IP addresses do not change as packets are routed towards their destination, but the source and destination MAC addresses change at each segment. The MAC address is only locally significant and changes on each hop.
DHCP Snooping - How does it work?
- While DHCP itself is a Layer 3 service, DHCP Snooping is a switch feature: it is typically used on Layer 2 LAN switches and enabled on Layer 2 ports.
- By enabling DHCP Snooping, you are telling the switch to ignore all DHCP server messages on ports that are not explicitly trusted. You must tell the switch which specific port leads to the real DHCP server; that port needs to be trusted. Ports are either trusted or untrusted. On a trusted port, DHCP messages are forwarded; trusted ports do not filter any DHCP messages. DHCP server messages received on an untrusted port are discarded. DHCP client messages are checked to see if they are valid. DHCP Snooping does that by comparing the frame's source MAC address and the CHADDR field to see if they match. If they match, the frame is forwarded; if not, it is discarded. This check is not bulletproof, since an attacker could spoof both fields and make them match.
- It's helpful to understand how the DHCP process flows. A handy way to remember it is to remember DORA: Discover, Offer, Request, Acknowledge.
- Clients send Discover and Request.
- Servers send Offer and Acknowledgement.
The filtering process
- DHCP Snooping does a simple check on the most common client-sent messages: DISCOVER and REQUEST. DHCP messages define the CHADDR (client hardware address or MAC address) field to identify the client, and all hosts on LANs put the device's MAC address in the CHADDR. Ethernet hosts encapsulate the DHCP messages inside Ethernet frames, and those frames include a source MAC address. That MAC address should be the same MAC address used in the DHCP CHADDR field, so DHCP Snooping compares the two values to make sure they match.
DHCP Snooping Binding Table
- DHCP Snooping builds the DHCP Snooping binding table from every DHCP flow it allows to complete. This table holds the important facts about each working, legitimate DHCP lease.
- DHCP clients can send two more messages besides Discover and Request: Release and Decline. An attacker could fake a release for an IP address in order to try to obtain that IP address from the DHCP server, but DHCP Snooping on the switch compares the incoming message, the incoming interface, and the entries in the binding table before forwarding the message. The message is discarded if these do not all match the DHCP Snooping binding table.
- You need to issue a couple of global commands to enable DHCP Snooping. The first one enables it globally on the switch.
ip dhcp snooping
- Then you need to enable it on the VLAN you want. This is also a global config command.
ip dhcp snooping vlan 1
- The following command disables the insertion of Option 82 into DHCP messages the switch receives, so the switch will not add any DHCP relay information. Why is it a good idea to disable the insertion of Option 82? By default, Cisco switches with DHCP Snooping enabled add Option 82, and this default can stop DHCP from working for end users, because most DHCP servers and most DHCP relay agents ignore DHCP messages that carry Option 82 but did not come from a relay agent. Option 82 works well if the switch is a Layer 3 switch acting as a DHCP relay agent; DHCP messages with Option 82 should only come from DHCP relay agents. This is an interface subcommand.
no ip dhcp snooping information option
- We must make the port trusted that's facing the DHCP server.
ip dhcp snooping trust
- This interface subcommand limits the rate at which DHCP messages are allowed to enter an interface, here to 10 per second. If the rate of DHCP messages crosses the configured limit, the interface is err-disabled. As with Port Security, the interface can be re-enabled manually or automatically with errdisable recovery. Rate limiting is useful to protect against DHCP exhaustion (starvation) attacks.
ip dhcp snooping limit rate 10
- Execute this global command to enable the feature of automatic recovery from err-disabled mode, assuming the switch placed the port in err-disabled state because of exceeding DHCP Snooping rate limits.
errdisable recovery cause dhcp-rate-limit
- You can set the time to wait before recovering an interface from the err-disabled state (regardless of the cause of the err-disabled state). This is a global command, and the 30 is in seconds.
errdisable recovery interval 30
- To see the DHCP leases the switch has learned (the binding table).
sh ip dhcp snooping binding
show ip dhcp snooping database
- To see the configuration.
sh ip dhcp snooping
- If you are having problems, turn on debug.
debug ip dhcp snooping packet
- If you are not using the console port, remember to turn on terminal monitoring. You can read about it here.
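- To make the filtering rules above concrete (trusted vs untrusted ports, server messages dropped on untrusted ports, the CHADDR vs frame source MAC check, RELEASE/DECLINE checked against the binding table, and the rate limit that err-disables a port), here is a small Python model of the switch's decisions. This is an added example, not Cisco IOS code and not from the original post: the port names, MAC addresses, IP addresses and DHCP payloads are all constructed for the demo, and the payload builder/parser only covers the fields DHCP Snooping looks at.

```python
# Added example (not Cisco IOS code and not from the post): a toy switch that makes the
# DHCP Snooping decisions described above. Ports, MACs and addresses are constructed.
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7  # option 53
SERVER_TYPES = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_dhcp(msg_type, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", requested=None):
    """Minimal DHCP payload in RFC 2131 layout (constructed sample, not a capture)."""
    op = 2 if msg_type in SERVER_TYPES else 1                  # BOOTREPLY / BOOTREQUEST
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # htype=Ethernet, hlen=6
    head += ip_bytes(ciaddr) + ip_bytes(yiaddr) + b"\x00" * 8  # then siaddr, giaddr
    head += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00") + b"\x00" * 192
    opts = bytes([53, 1, msg_type])
    if requested:                                              # option 50: requested IP
        opts += bytes([50, 4]) + ip_bytes(requested)
    return head + MAGIC + opts + b"\xff"

def parse_dhcp(payload):
    """Extract the fields DHCP Snooping looks at: CHADDR, addresses, message type."""
    hlen = payload[2]
    msg = {"ciaddr": ".".join(map(str, payload[12:16])),
           "yiaddr": ".".join(map(str, payload[16:20])),
           "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
           "msg_type": None, "requested": None}
    opts, i = payload[240:], 0                                 # options follow the cookie
    while i < len(opts) and opts[i] != 255:                    # 255 = end option
        if opts[i] == 0:                                       # 0 = pad option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg["msg_type"] = opts[i + 2]
        elif code == 50:
            msg["requested"] = ".".join(map(str, opts[i + 2:i + 6]))
        i += 2 + length
    return msg

class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=10):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit   # like 'ip dhcp snooping limit rate 10'
        self.bindings = {}             # ip -> (mac, port): the DHCP Snooping binding table
        self.client_ports = {}         # mac -> port of its last valid DISCOVER/REQUEST
        self.errdisabled = set()
        self.counts = {}               # (port, second) -> DHCP messages seen

    def handle(self, port, src_mac, payload, second=0):
        """Return 'forward' or 'drop:<reason>' for one DHCP frame arriving on port."""
        if port in self.errdisabled:
            return "drop:errdisabled"
        msg = parse_dhcp(payload)
        mtype = msg["msg_type"]
        if port in self.trusted:       # trusted ports are not filtered; learn from server ACKs
            if mtype == ACK and msg["chaddr"] in self.client_ports:
                self.bindings[msg["yiaddr"]] = (msg["chaddr"], self.client_ports[msg["chaddr"]])
            return "forward"
        key = (port, second)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.rate_limit:
            self.errdisabled.add(port) # recovers via 'errdisable recovery' or shut/no shut
            return "drop:rate-limit"
        if mtype in SERVER_TYPES:
            return "drop:server-message-on-untrusted-port"
        if mtype in (DISCOVER, REQUEST):
            if msg["chaddr"] != src_mac.lower():
                return "drop:chaddr-mismatch"
            self.client_ports[msg["chaddr"]] = port
            return "forward"
        if mtype in (RELEASE, DECLINE):
            ip = msg["ciaddr"] if mtype == RELEASE else msg["requested"]
            if self.bindings.get(ip) != (msg["chaddr"], port):
                return "drop:binding-mismatch"
            self.bindings.pop(ip)
            return "forward"
        return "forward"               # other client messages (e.g. INFORM) pass in this toy

def demo():
    """Replay the post's scenarios; returns the per-frame decisions and the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=10)
    john, rogue, server = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02", "00:11:22:33:44:55"
    res = [sw.handle("Gi0/2", john, build_dhcp(DISCOVER, john)),
           sw.handle("Gi0/3", rogue, build_dhcp(OFFER, john, yiaddr="10.0.0.50")),
           sw.handle("Gi0/1", server, build_dhcp(OFFER, john, yiaddr="10.0.0.50")),
           sw.handle("Gi0/2", john, build_dhcp(REQUEST, john, requested="10.0.0.50")),
           sw.handle("Gi0/1", server, build_dhcp(ACK, john, yiaddr="10.0.0.50")),
           sw.handle("Gi0/3", rogue, build_dhcp(RELEASE, john, ciaddr="10.0.0.50")),
           sw.handle("Gi0/3", rogue, build_dhcp(DISCOVER, "00:00:00:00:00:99"))]
    for n in range(11):                # 11 DISCOVERs in one second through a 10/s port
        mac = f"02:00:00:00:00:{n:02x}"
        last = sw.handle("Gi0/4", mac, build_dhcp(DISCOVER, mac), second=5)
    res.append(last)
    return res, sw

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Running `demo()` walks the post's scenario in order: John's DISCOVER and REQUEST on Gi0/2 pass, the rogue OFFER on untrusted Gi0/3 is dropped while the real server's OFFER/ACK on trusted Gi0/1 pass and create the binding for 10.0.0.50 on Gi0/2, the rogue's forged RELEASE fails the binding check because it arrives on the wrong port, a DISCOVER whose CHADDR differs from the frame's source MAC is dropped, and the 11th DISCOVER in one second on Gi0/4 err-disables that port. Note the same caveat as the post: an attacker who spoofs the frame's source MAC to match a forged CHADDR passes the CHADDR check, which is why rate limiting and port security are used alongside it.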
- Jeremy's IT Lab on DHCP Snooping - YouTube.
- Keith Barker on DHCP Snooping - YouTube.
- Hit me up on Twitter or LinkedIn. 🙂