
DHCP Snooping






DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response usually hands out the attacker's own IP address as the client's default gateway, so all the traffic the client sends goes through the attacker's computer and the attacker becomes a "man-in-the-middle".



The attacker has several ways to make sure the fake DHCP Response arrives first. If the attacker is "closer" to the client than the DHCP server, he doesn't need to do anything at all. Otherwise he can DoS the DHCP server so that it can't send its DHCP Response in time.
DHCP snooping can prevent these malicious DHCP spoofing attacks.



DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The basic use of DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.






The attacker could also send DHCP discover messages to the DHCP server and try to deplete its DHCP pool. So what can we do to stop this madness? DHCP snooping can really help us. DHCP snooping allows the switch to serve as a firewall between the hosts and an untrusted DHCP server.
We can configure our switches so they track the DHCP discover and DHCP offer messages. Check this out:




DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
The interfaces where hosts connect to the switch should never send DHCP offers and should be considered untrusted. The switch should block DHCP offer messages arriving on those untrusted interfaces; only an interface that has been deliberately and manually configured as trusted should be allowed to forward DHCP server messages.

What traffic will DHCP snooping drop?

  • DHCP snooping will drop DHCP messages from a DHCP server that is not trusted. Trusted DHCP servers are identified by configuring a switchport's DHCP snooping trust state. DHCP server messages can flow through switchports that have a DHCP snooping trusted state and will be dropped if they attempt to flow through a switchport that is not trusted.
  • DHCP messages where the source MAC address and the embedded client hardware address do not match will also be dropped, although this protection can be defeated. Badly written vendor IP implementations trigger this check with surprising frequency; the most common scenario is a DHCP request for one interface being forwarded through another interface on the same device.
  • DHCP snooping will also drop messages that release a lease or decline an offer if the release or decline is received on a switchport other than the port where the original DHCP conversation was held. This prevents a third party from terminating a lease or declining a DHCP offer on behalf of the actual DHCP client.

How does DHCP snooping track information?
DHCP snooping stores its observations in a database containing the client MAC address, the DHCP-assigned IP address, the remaining lease time, the VLAN, and the switchport. The database is a simple flat file that can be stored in the device flash. However, flash is limited in size, so it is considered best practice to store the DHCP snooping database off-box in a remote location, such as a TFTP server.

Storing the DHCP snooping database off-box also guarantees that it survives a catastrophic switch failure.

What happens when a DHCP snooping violation occurs?
When the DHCP snooping service detects a violation, the packet is dropped and a message is logged that includes the text "DHCP_SNOOPING".



So before we start I want you to understand a couple of things:

  1. We will use Packet Tracer for two reasons: we don't have to physically connect two DHCP servers, as you will see here, and we want to see graphically what we are doing.
  2. We are going to do it in Packet Tracer 7. It's very important that you use version 7, because older Packet Tracer versions can't work with DHCP snooping.
  3. Packet Tracer 7 won't work on many Windows 10 installations. Be aware.
  4. I didn't see a lot of DHCP snooping labs on the web, so I humbly try to make one of my own.
So we will start with the diagram so you can see the interfaces:


Then we will add a router and the values that you will see:



Now check Server 0:



It doesn't need a gateway so far because it's local and not providing service to another network.


Now we will go to the Services tab, DHCP: we will call the pool MyPool, change the values, click Add, and turn the service On.

Now let's configure the router so the clients can have a gateway.

Now let's check the other server, Server 1:


Change the values:


Where are the PCs going to get their information from?

But if you press Static and then DHCP again you can get a different result:



In the process the PCs are doing a DHCP discovery and they receive two DHCP offers from two different DHCP servers, including the fake one.


To avoid that we will enable DHCP snooping.
Check the command. We are leaving all the interfaces untrusted (all of them).
Do the same on Switch 1.

Now check what happens to the PCs' IP addresses:

The PCs cannot get an IP address from the DHCP server. The IP address they have now (APIPA) is auto-generated, and we can ping it from the other PC:


We check the situation on the switch with the command show ip dhcp snooping.

The result is that the switch doesn't trust anybody.




Now let's go to Switch 0 to configure a trusted interface. Check the commands:

We will do the same on the other switch:

We will fix the other interface on the first switch, the one that connects to the "good" DHCP server, by making it the trusted interface.

We check the successful result on the PC: the right IP address.

Our IP pool could also be flooded with DHCP messages. We can prevent that attack, and stop the fake DHCP responses we mentioned at the beginning of this article, by allowing only one packet per second.
Let's go to Switch 1:


Initially we see that the "rate limit" of packets per second we accept is unlimited. After the configuration we only allow 1 packet per second.

If you also want to see the IP addresses, VLANs and MAC addresses related to DHCP snooping on a switch, use the following command to verify the mapping in the binding database:
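Since the screenshots with the commands are not reproduced here, this is an added Cisco IOS configuration for Switch 0 that is not taken from the original lab. It assumes FastEthernet0/1 is the port to the legitimate Server 0, the PCs sit on Fa0/2-24 in VLAN 1, and Switch 1 gets the same commands; a few of these commands may not exist in Packet Tracer.

```cisco
! Switch 0: enable DHCP snooping globally and on the access VLAN.
! Interface names and the VLAN number are assumptions for this lab.
Switch0(config)# ip dhcp snooping
Switch0(config)# ip dhcp snooping vlan 1
! On by default in IOS, shown here explicitly: drop packets whose source
! MAC differs from the client hardware address (chaddr) in the DHCP payload.
Switch0(config)# ip dhcp snooping verify mac-address
! The switch inserts option 82 into client requests by default; if your
! DHCP server rejects option 82 from a non-relay (giaddr 0.0.0.0), turn
! the insertion off or legitimate requests are silently dropped.
Switch0(config)# no ip dhcp snooping information option
!
! Port towards the legitimate DHCP server (Server 0): trusted.
Switch0(config)# interface FastEthernet0/1
Switch0(config-if)# ip dhcp snooping trust
Switch0(config-if)# exit
!
! Host-facing ports stay untrusted (the default), so any DHCP OFFER/ACK
! arriving there, e.g. from the rogue Server 1, is dropped. Limit client
! DHCP messages to 1 packet per second to blunt pool exhaustion.
Switch0(config)# interface range FastEthernet0/2 - 24
Switch0(config-if-range)# ip dhcp snooping limit rate 1
Switch0(config-if-range)# exit
Switch0(config)# end
!
! Verification: trust state and rate limit per port, then the binding
! database (client MAC, leased IP, lease time, VLAN, switchport).
Switch0# show ip dhcp snooping
Switch0# show ip dhcp snooping binding
```

A port whose clients exceed the configured rate is put into err-disabled state, so check show interfaces status if a PC suddenly loses connectivity after enabling the limit.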


If you are really concerned about security with DHCP snooping, consider the following implementation guidelines:

  1. In a multi-switch environment, designate the inter-switch link as trusted in case the other switch doesn't perform DHCP snooping.
  2. To address DHCP starvation, deploy port security, because it is more robust than the DHCP rate-limiting feature.
  3. Enable Network Time Protocol (NTP) on our switches to ensure the right handling of DHCP leases in the stored mapping database. We need to make sure the time is accurate on our devices.
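The three guidelines above, as an added Cisco IOS configuration that is not part of the original lab. It assumes the uplink to Switch 1 is GigabitEthernet0/1, the PCs sit on Fa0/2-24, and that a TFTP server at 10.0.0.50 and an NTP server at 10.0.0.60 exist (all placeholder values).

```cisco
! 1. Inter-switch link: trust it, otherwise offers that the peer switch
!    forwards from the real server are dropped here. A trusted uplink
!    means the peer must snoop too, or the protection stops at our ports.
Switch0(config)# interface GigabitEthernet0/1
Switch0(config-if)# ip dhcp snooping trust
Switch0(config-if)# exit
!
! 2. DHCP starvation: a flood of DISCOVERs from many spoofed source MACs
!    on one port is stopped at the MAC layer by port security, instead of
!    relying on the DHCP rate limiter alone. "restrict" drops the extra
!    frames and logs, without err-disabling the port.
Switch0(config)# interface range FastEthernet0/2 - 24
Switch0(config-if-range)# switchport mode access
Switch0(config-if-range)# switchport port-security
Switch0(config-if-range)# switchport port-security maximum 1
Switch0(config-if-range)# switchport port-security violation restrict
Switch0(config-if-range)# exit
! Let a port that tripped the DHCP rate limit recover on its own.
Switch0(config)# errdisable recovery cause dhcp-rate-limit
!
! 3. Accurate time: lease expiry in the binding database is wall-clock
!    based, so a wrong clock ages bindings out too early or too late.
Switch0(config)# ntp server 10.0.0.60
!
! Keep the binding database off-box (flash is small and the file would
! die with the switch); write-delay batches updates every 30 seconds.
Switch0(config)# ip dhcp snooping database tftp://10.0.0.50/switch0-snoop.db
Switch0(config)# ip dhcp snooping database write-delay 30
Switch0(config)# end
Switch0# show ip dhcp snooping database
```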


This lab is done! I hope that you like it. Please like and share.

Reviewed by ohhhvictor on 10:05:00 AM. Rating: 5
