Layer 2 security – DHCP Details, DHCP Snooping

DHCP Snooping - This article is the first of a series explaining layer 2 attacks identification and mitigation techniques, which will be a part of a bigger series discussing Security Infrastructure.  

We will be discussing the most common attacks and how to mitigate them; but more important, we will discuss deployment and design considerations.  

During this series of articles, I will follow two different approaches;  

1) Explain attacks related to OSI model layers (Like this layer2 security series)

2) Securing a specific traffic flow (Like securing user Internet traffic)  

There will also be video lectures, webinars, and open discussions at the end of each major part. If you are interested in security infrastructure architecture, stay tuned.  

Background:  

Dynamic Host Configuration Protocol (DHCP) is a protocol designed to dynamically assign network configuration to clients/hosts that require IP connectivity. DHCP uses 4 types of messages; Discovery, Offer, Request, acknowledge (DORA); and the process goes like this: The client sends a discovery (DHCPDiscover) broadcast message looking for a DHCP server. DHCP server replies with an offer (DHCPOffer) broadcast message containing an IP address lease.

The client accepts the offer by broadcasting a request (DHCPRequest) message back to the DHCP server. DHCP replies with and acknowledges (DHCPAcknowledgment) broadcast message to the client. In a typical deployment client and DHCP server don’t exist in the same layer 2 domain; there will be multiple layer 3 hops between them. Now, as you noticed the DHCP (DORA) messages are all broadcast messages. So how will the client communicate with the DHCP server and vice versa? Typically, a client is connected to a switch; the switch can act as a DHCP relay agent. A DHCP relay agent receives DHCP messages from the client and sends it to the DHCP server configured on the switch on behalf of the client as a unicast message using the “giaddr” (Gateway IP Address) filed.

  There are 4 other DHCP messages:

  1. DHCPInform: Client uses this message to request DHCP options from a DHCP server.
  2. DHCPNak: When DHCP is not able to provide IPs, it will reply with a DHCPNack (Negative Acknowledge).
  3. DHCPDecline: If the configuration received by the client is invalid; the client will reply with a decline message.
  4. DHCPRelease: The client sends a release request to DHCP server to release the IP address assigned to it.


DHCP Threats


DHCP starvation: An attacker keeps sending DHCP requests until the whole scope is exhausted on the DHCP server and other legitimate clients can’t find IP addresses which will cause a denial of service for the whole scope/VLAN. Rogue DHCP server: Where an attacker places himself as a DHCP server and start leasing IP addresses to legitimate clients from a wrong scope causing a denial of service for all clients in that scope.

This could also happen unintentionally, like when an employee brings his wireless router and plugs it to the company switch. Forged release and decline messages: An attacker can manipulate DHCPRelease, or DHCPDecline messages forcing the server to release of decline registration of legitimate clients. IP addresses will become available for leasing by the server which will lead to duplicate IP addresses that will cause issues in the network.

DHCP Snooping: DHCP snooping is a mechanism that provides protection to clients from rogue DHCP servers. Almost all of switches support DHCP snooping.

   

Figure 1 - DHCP Snooping. source h3c.com.hk

How it works

After activating DHCP snooping, it will start monitoring DHCP messages from and to clients connecting to the network, once a client receives a DHCPAcknowledgment message from the server, DHCP snooping will create an entry contains the client IP address MAC address, lease time, VLAN, and interface in a database file called the “Binding Table”. DHCP snooping allows administrators to identify which ports are trusted to receive DHCP messages from and which are not. Uplinks leading to the DHCP server are identified as trusted, while all other access ports are identified as untrusted.


Dropping rouge DHCP messages


Snooping will drop DHCP messages following the below criteria: If the source MAC address of the of the client mismatch the “CHADDR” field in the DHCPDiscover message; snooping will drop it. This mitigates the DHCP starvation attacks. If the switch receives a DHCPOffer or DHCPAcknowledgment message on an untrusted port, it drops and logs it. This will mitigate rouge DHCP server attacks. Snooping will also drop and log any DHCPRelease or DHCPDecline messages from clients if they are not sent from the same interface that originated the first DHCP messages exchange with the server. That mitigates the forged messages attacks. (See Figure 1)

   

Figure 2 - Cascaded switches. source h3c.com.hk

DHCP deployment considerations:

Most vendors automatically mark access ports as untrusted and trunk ports (uplinks) as trusted. If there are cascaded switches, consider changing those trunk ports to untrusted. (See Figure 2)

Binding table is very important, as a best practice, consider saving the database file to a TFTP server; that way, when the switch crashes, it can still retrieve the database file and resume clients’ operations quickly; especially when combining DHCP snooping with Dynamic ARP Inspection or IP Source Guard. In the next article we will be discussing Dynamic ARP Inspection; which is another layer 2 security technique that builds upon DHCP snooping.

Created by
Orhan Ergun

Orhan Ergun, CCIE/CCDE Trainer, Author of Many Networking Books, Network Design Advisor, and Cisco Champion 2019/2020/2021

He created OrhanErgun.Net 10 years ago and has been serving the IT industry with his renowned and awarded training.

Wrote many books, mostly on Network Design, joined many IETF RFCs, gave Public talks at many Forums, and mentored thousands of his students.  

Today, with his carefully selected instructors, OrhanErgun.Net is providing IT courses to tens of thousands of IT engineers. 

View profile

Daniel Lardeux
Daniel Lardeux Senior Network Consultant at Post Telecom

I passed the CCDE Practical exam and Orhan’s CCDE course was very important contributor to my success. I attended the CCDE course of Orhan Ergun in July and it was exactly what I needed, Orhan is taking the pain to break down the different technologies.

Roy Lexmond
Roy Lexmond Senior Network Designer at Routz CCDE #20150017 & CCIE R&S; #26557

After I attended Orhan Ergun’s CCDE course I passed the CCDE practical exam.I really enjoyed the course a lot ...

Nicholas Russo
Nicholas Russo Network Consulting Engineer (CCDE/CCIEx2), Cisc

I signed up for Orhan’s CCDE training. This training is very technically detailed and the use-cases, quizzes, scenarios, and mind maps are all great resources in the overall training program. Orhan teaches his students to think like a network designer ...

Slide Heading
Slide Heading Network Systems Engineer at Conscia A/S CCIE #42544 (SP) & CCDE #20160015

Orhan is forcing you to take off the implementation hat that most of us have been wearing for many years, instead he is providing a new fancy design hat, which makes you see and deal with the issues presented ...

Kim Pedersen
Kim Pedersen CCIE in RS and SP (#29189) CCDE#20170021

I’ve used Orhan’s self-paced CCDE training material. If you are interested in knowing how all the technologies go together in a coherent design i can highly recommend it.I also enjoyed the Quizzes which helped pick out my weak spots in selecting ...

Laurent Metzger
Laurent Metzger 3xCCIE/CCDE Senior Network Architect

Hi Orhan. I passed the CCDE exam on February 22. I read everything that you put on your Self Paced CCDE Training course and it was very helpful in my success. Thank you very much.

Martin J. Duggan
Martin J. Duggan Network Architect at AT&T;, Ciscopress Author CCDE #20160006 & CCIE#7942

I attended Orhan’s April 201610 days CCDE Bootcamp. I am CCDE now !

You can tell Orhan has a great deal of experience, it really comes through when he presents his design case studies and the CCDE Practical scenarios.

Muhammad Abubakar
Muhammad Abubakar Lead Network Architect – CCDE #20160016 2xCCIE #26693 2xJNCIE VCIX

Your excellent CCDE materials and amazing Bootcamp helped me tremendously through my learning journey.Also thank you very much for being available whenever I have a design question or a complex design topics. I can’t compare your design skills ...

Jennifer Pai
Jennifer Pai Network/Security Engineer at KNET Technology

Thanks Orhan very much for this course. It helped strengthen my “Network design mind”.

Ruslan Silyayev
Ruslan Silyayev Solution Architect at R.I.S.K Company

Training by Orhan is not a CCDE preperation training only. It will be useful for engineers which are dealing with design. You want to pass CCDE exam or learn network design, then don’t look at anywhere else!

Sameer Meher
Sameer Meher Solutions Architect at 23 Wards/Japan

Orhan Ergun’s CCDE course was really very good. CCDE Level Intelligence was delivered very well and with very useful case studies and the scenarios, I am thankful to Orhan for all his help!

Ken Young
Ken Young Senior Technical Architect Province of Nova Scotia, 2xCCIE #41597 | CCDE #20170047

If anyone wants to understand network design and architecture, also pass CCDE exam , I recommend you to attend Orhan’s online courses! I am a CCDE now but learning is a journey, we will be together in your other courses too Orhan!

Matt Cross
Matt Cross Technical Architect at Heartland – CCDE #2019::7

Orhan did an excellent job of filling in the gaps of knowledge that I had that took me to the finish line of the practical exam CCDE. The community of people that Orhan facilitates are both engaging and supportive of the journey to CCDE. Orhan ...

Shiling Ding
Shiling Ding Sentinel Technologies – CCDE #2019::12

Just passed the CCDE Practical exam! I attended Orhan Ergun’s CCDE training program , used Orhan’s Instructor Led and Self-Paced CCDE training and Online CCDE Practical Scenarios during my CCDE journey. Orhan’s CCDE In Depth book is an excellent summary ...

Abelardo Basurto
Abelardo Basurto Solutions Architect at Cisco Systems – CCDE 2018::6

Hi everyone, I’ve just passed the CCDE Exam. My Number is CCDE 2018::6 I attended to Online CCDE Bootcamp of Orhan. I want to thank Orhan not only for the great book and bootcamp, but also for his commitment, availability and willingness to assist the ...

Hady Mohamed Abdellah
Hady Mohamed Abdellah Network Architect Hamad International Airport Qatar – CCDE 2018::1

Hi guys, I’m so happy that I passed the exam. I’ve already got my number CCDE 2018::1. Thanks to Orhan for being the best CCDE instructor in the world. I highly recomend Orhan’s CCDE Training and In-Depth-CCDE ...

Bryan Bartik
Bryan Bartik Sr. Systems Engineer at CompuNet – CCDE 20170059

Hi Orhan I passed CCDE Practical exam on November 2017 ! I really enjoyed your materials and quizzes and use cases. They were definitely helpful in my preparation. Thanks a lot !

Giedrius Trapkauskas
Giedrius Trapkauskas Network Solutions Architect at Liberty Global – CCDE 20180004

I attended Orhan’s CCDE Training in Istanbul and it was very helpful in my preparation. I passed the exam recently and I want to say Thank you Orhan! For those who want to pass the CCDE exam, definitely start with ...

Alaa Issa
Alaa Issa Sr.Solutions Architect – CCDE#20180033 3xCCIE ( Collab|DC|Security )#27146

I registered to Orhan’s training in Feb 2017. From that time, I attended Orhan’s training several times. The depth of knowledge which Orhan has is amazing, and how to present such consistent knowledge to the ...

Mazin Ahsan Design Lead Engineer | Solutions Engineer | CCDE License # 20160030 | CCIE Licence # 23892

I passed the CCDE Practical Lab exam on November 17,2016 from supplications of elders and dedication from my Sensei Mr. Orhan Ergun I took different CCDE bootcamps in the past. Orhan has the most depth and expertise ...

Jeff Patterson CCDE# 2018::11

Hi Orhan I wanted to pass along my appreciation for the outstanding training material. I used the online CCDE training provided by Orhan as well as the In-Depth-CCDE book and passed the exam in February 2018. Thank you Orhan!

Mehdi Sfar
Mehdi Sfar Network and Security Architect / CCDE #20210003 | CCIE R&S; #51583

I signed up for Orhan’s CCDE Self paced Course. This course, along with the CCDE In Depth book, helped me for my CCDE Practical as well as Written exams. It pushed me to ask the "WHY" questions and allowed ...

Related courses

Network Design Fundamentals Course

02:28:37 Hours
17 Lectures
Beginner

$50

Layer 2 Network Design Training

02:16:18 Hours
17 Lectures
Intermediate

$40

Introduction to Junos Security Course

01:52:18 Hours
13 Lectures
Beginner

$20