DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and stop any malicious DHCP packets. This is best explained with an example, so take a look at the picture below:
In the picture above, I have a DHCP server connected to the switch on the top left. At the bottom right, you see a legitimate client that would like to get an IP address. What if the l33t hacker script kiddy on the left would run DHCP server software on his computer? Who do you think will respond first to the DHCP discover message? The legitimate DHCP server or the script kiddy’s DHCP server software?
On larger networks, you will probably find a central DHCP server somewhere in the server farm. If an attacker runs a DHCP server in the same subnet, he will likely respond faster to the DHCP discover message of the client. If this succeeds, he might assign the client with the attacker’s IP address as the default gateway for a man-in-the-middle attack. Another option would be to send the attacker’s IP address as the DNS server so you can spoof websites, etc.
The attacker could also send DHCP discover messages to the DHCP server and try to deplete its DHCP pool. So what can we do to stop this madness? DHCP snooping to the rescue! We can configure our switches so they track the DHCP discover and DHCP offer messages. Here’s how:
Interfaces that connect to clients should never be allowed to send a DHCP offer message. We can enforce this by making them untrusted. An untrusted interface will block DHCP offer messages. Only an interface configured as trusted is allowed to forward DHCP offer messages. We can also rate-limit interfaces so they can’t send an unlimited amount of DHCP discover messages. This will prevent attacks from depleting the DHCP pool.
Let’s see how we can configure DHCP snooping…