
Take steps to defend your network using DHCP snooping

Learn how to enable DHCP snooping to secure your network against common breaches including man in the middle attacks and ARP poisoning.

The numbers vary on whether insiders or outsiders are the greater security threat to the enterprise, and the line continues to blur. If an organization has architected its network around insecure systems and protocols, the network infrastructure itself is at risk. Securing a Layer 2 protocol like Dynamic Host Configuration Protocol (DHCP), for example, is often overlooked. DHCP is a helper protocol that works in the background, and most end users give it little thought. Because it gets so little attention, it is a potential attack vector that may go unnoticed. DHCP snooping is a switch-level control that can prevent many of the common attacks against it.

DHCP can be targeted in several different ways, ranging from rogue DHCP servers to Address Resolution Protocol (ARP) poisoning of the local switched network. Not all incidents are malicious. As an example, an end user might attach a networking device or home router with its DHCP server enabled and, as a result, hand your users invalid addresses. An attacker might also launch a resource-exhaustion attack and attempt to use up all available DHCP addresses. In a more sinister scenario, an attacker actively redirects your users to his own DHCP server. These are just a few of the reasons you need DHCP snooping.


The mechanics of this type of man-in-the-middle attack require the attacker to set up his own DHCP server. Next the attacker broadcasts forged DHCP requests and attempts to lease every available address in the DHCP scope. As a result, legitimate users are unable to obtain or renew IP addresses from the legitimate DHCP server. The attacker then starts his rogue DHCP server and hands out addresses with his own address as the default gateway. End users receiving these leases are routed through the attacker before being allowed out to the Internet, which compromises their network access.

The scenario above is just another variation on the classic man-in-the-middle attack. The technique places the attacker in-line and gives him the ability to sniff the client's traffic. In case you're thinking this type of attack is far-fetched, a host of tools such as Gobbler, DHCPstarv and Yersinia have been built to carry out exactly these activities.

Setting up DHCP snooping on your existing switches

DHCP snooping, which is implemented at the data link layer via your existing switches, can stop attacks and block unauthorized DHCP servers. It enables a Layer 2 switch to inspect frames received on a specific port to see if they are legitimate DHCP offers.

This Layer 2 process comprises several steps. First you enable DHCP snooping globally on the switch and then enable it on each individual virtual LAN (VLAN). Finally, you configure each port that will be trusted, that is, each port behind which a legitimate DHCP server sits.

Here is an example of how to enable DHCP snooping:

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 30
Switch(config)#interface gigabitethernet1/0/1
Switch(config-if)#ip dhcp snooping trust

In this example, DHCP snooping has been enabled globally and then for VLAN 30. The only trusted interface is gigabitethernet1/0/1; every other port in VLAN 30 is untrusted by default. DHCP snooping helps ensure that hosts only use the IP addresses assigned to them and that only authorized DHCP servers can answer clients. Once implemented, DHCP snooping drops DHCP server messages (offers and acknowledgements) that arrive on any untrusted port.

Prevent ARP cache poisoning with DHCP snooping

DHCP snooping can also track the physical location of hosts, recording which client MAC address holds which IP address on which switch port, and help prevent ARP cache poisoning. It plays a key role in the prevention of these attacks, as you can use DHCP snooping to drop DHCP messages whose MAC addresses do not match what has been previously recorded. Administrators are notified of violations via a DHCP snooping alert: when the DHCP snooping service detects a violation, it logs a message to the syslog server that states "DHCP Snooping."
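To make the switch behaviour described in the configuration section and in the paragraph above concrete, here is an added example (not from the article and not any vendor's code) that models the per-frame verdict a DHCP-snooping switch reaches, the binding table it builds from completed leases, and how that table can validate ARP traffic on untrusted ports. Port names, MAC addresses and IP addresses are constructed sample values.

```python
# Added example, not from the article: a small model of the per-frame verdict
# a DHCP-snooping switch reaches, the binding table it builds, and how that
# table validates ARP traffic. All ports, MACs and addresses are constructed.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server originates these

@dataclass
class Frame:
    port: str           # ingress switch port
    src_mac: str        # Ethernet source address
    msg: str            # DHCP message type
    chaddr: str         # client hardware address carried in the DHCP payload
    yiaddr: str = ""    # address assigned; meaningful in OFFER/ACK only

@dataclass
class Snooper:
    trusted: set                                   # ports allowed to carry server replies
    pending: dict = field(default_factory=dict)    # chaddr -> port of the requesting client
    bindings: dict = field(default_factory=dict)   # chaddr -> (ip, port) once leased

    def inspect(self, f: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP frame, learning bindings."""
        mac, chaddr = f.src_mac.lower(), f.chaddr.lower()
        if f.port in self.trusted:
            if f.msg == "ACK" and chaddr in self.pending:      # lease granted to a known client
                self.bindings[chaddr] = (f.yiaddr, self.pending.pop(chaddr))
            return "forward"                                   # trusted ports are not filtered
        if f.msg in SERVER_MSGS:
            return "drop: server message on untrusted port"    # rogue DHCP server
        if mac != chaddr:
            return "drop: chaddr does not match source MAC"    # forged request (starvation)
        self.pending[chaddr] = f.port                          # remember where the client is
        return "forward"

    def arp_ok(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """ARP sender on an untrusted port must match an (ip, port) binding learned above."""
        return port in self.trusted or self.bindings.get(sender_mac.lower()) == (sender_ip, port)

def demo() -> dict:
    s = Snooper(trusted={"Gi1/0/1"})                     # uplink to the real DHCP server
    return {
        "discover": s.inspect(Frame("Gi1/0/5", "aa:aa:aa:00:00:01", "DISCOVER", "aa:aa:aa:00:00:01")),
        "ack": s.inspect(Frame("Gi1/0/1", "00:11:22:33:44:55", "ACK", "aa:aa:aa:00:00:01", "10.0.30.20")),
        "rogue_offer": s.inspect(Frame("Gi1/0/9", "de:ad:be:ef:00:01", "OFFER", "aa:aa:aa:00:00:02", "10.0.30.1")),
        "forged": s.inspect(Frame("Gi1/0/9", "de:ad:be:ef:00:01", "DISCOVER", "00:00:00:00:00:99")),
        "arp_good": s.arp_ok("Gi1/0/5", "aa:aa:aa:00:00:01", "10.0.30.20"),
        "arp_spoof": s.arp_ok("Gi1/0/9", "aa:aa:aa:00:00:01", "10.0.30.20"),
    }
```

The rogue offer and the forged discover are the two frames a real switch would report in its DHCP snooping syslog messages; the ARP check is the step Dynamic ARP Inspection performs against the same binding table.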

DHCP snooping is a good first step to securing Layer 2 traffic. Rogue DHCP servers not only cause network issues, but they also are used by attackers to redirect sensitive traffic and launch man-in-the-middle attacks. If you have not already done so, consider implementing this defensive control to secure your network infrastructure.

About the author:
Michael Gregg, CISSP, CISA, CISM, CASP, is an "ethical hacker" who provides cybersecurity and penetration-testing services to Fortune 500 companies and U.S. government agencies. He's published more than a dozen books on IT security and is a well-known speaker and security trainer. Gregg is chief operations officer of Superior Solutions Inc., headquartered in Houston.

This was last published in October 2013
