Don't let hackers sneak into your network: In-depth analysis of DHCP Snooping


I. Overview of DHCP Working Principle

Before studying DHCP Snooping, we need to review how DHCP works. The following analyzes the DHCP working principle in two scenarios: without a relay agent and with a relay agent.

1. DHCP without relay

[Figure: DHCP without relay agent]

(1) Discovery phase

The DHCP client requests services from the DHCP server in the LAN by broadcasting a DHCP Discover message.

(2) Provision phase

The DHCP server responds to the client with a DHCP Offer message, carrying an IP address together with the subnet mask, gateway and other parameters from the address pool configured on the server.

(3) Request phase

If it accepts the configuration in the DHCP Offer message, the DHCP client broadcasts a DHCP Request message to inform the DHCP server and the other hosts in the LAN of the IP address it will use.

(4) Confirmation stage

After receiving the DHCP ACK message from the server, the DHCP client broadcasts a gratuitous ARP message to detect whether any other terminal in the network segment is already using the IP address assigned by the server.

2. DHCP relay scenario

[Figure: DHCP relay scenario]

(1) Discovery phase

After receiving the DHCP DISCOVER message broadcast by the DHCP client, the DHCP relay agent performs the following processing:

  • Step 1: Check the hops field in the DHCP message. If it is greater than 16, discard the DHCP message. Otherwise, add 1 to the hops field (indicating that it has passed through a DHCP relay) and proceed to step 2.
  • Step 2: Check the giaddr field in the DHCP message. If it is 0, set the giaddr field to the IP address of the interface that received the DHCP DISCOVER message. If it is not 0, do not modify the field and continue with step 3.
  • Step 3: Change the destination IP address of the DHCP message to the IP address of the DHCP server or the next-hop relay, change the source address to the interface address of the relay connected to the client, and send the DHCP message to the DHCP server or the next-hop relay through routing forwarding.

(2) Provision phase

After receiving the DHCP DISCOVER message, the DHCP server selects an address pool with the same network segment as the giaddr field in the message, allocates an IP address and other parameters to the client, and then unicasts a DHCP OFFER message to the DHCP relay agent identified by the giaddr field.

After receiving the DHCP OFFER message, the DHCP relay agent performs the following processing:

  • Step 1: Check the giaddr field in the message. If it is not the address of the interface, discard the message; otherwise, continue with the following operation.
  • Step 2: The DHCP relay agent checks the broadcast flag of the message. If the broadcast flag is 1, the DHCP OFFER message is broadcast to the DHCP client; otherwise, the DHCP OFFER message is unicast to the DHCP client.

(3) Request phase

The relay processes the DHCP REQUEST message received from the client in the same way as in the discovery phase.

(4) Confirmation stage

The relay processes the DHCP ACK message received from the server in the same way as in the provision phase.
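The relay-side processing described in the discovery and provision phases above (hop limit, giaddr stamping, giaddr ownership check, broadcast flag), as an added example that is not part of the original article. It decodes only the fixed BOOTP header fields with a hand-built parser; the packet bytes, interface addresses and server address are constructed here for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

MAX_HOPS = 16                 # a request whose hops field exceeds this is discarded
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000       # high bit of the BOOTP flags word
ZERO = IPv4Address("0.0.0.0")


@dataclass
class DhcpHeader:
    op: int
    hops: int
    flags: int
    giaddr: IPv4Address


def parse_header(pkt: bytes) -> DhcpHeader:
    """Decode the fixed BOOTP fields (RFC 2131 layout) that a relay acts on."""
    op, _ht, _hl, hops, _xid, _secs, flags, _ci, _yi, _si, gi = struct.unpack(
        "!BBBBIHH4s4s4s4s", pkt[:28])
    return DhcpHeader(op, hops, flags, IPv4Address(gi))


def build_message(op: int, hops: int, flags: int, giaddr: str) -> bytes:
    """Constructed sample packet: fixed header plus a zeroed 16-byte chaddr field."""
    return struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, hops, 0x3903F326, 0, flags,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       IPv4Address(giaddr).packed) + b"\0" * 16


def relay_to_server(hdr: DhcpHeader, ingress_ip: str, next_hop: str):
    """Client -> server direction (discovery/request phase), steps 1 to 3."""
    if hdr.op != BOOTREQUEST or hdr.hops > MAX_HOPS:
        return "drop", hdr, None                 # step 1: hop limit exceeded
    hdr.hops += 1                                # step 1: one more relay traversed
    if hdr.giaddr == ZERO:
        hdr.giaddr = IPv4Address(ingress_ip)     # step 2: only the first relay stamps giaddr
    return "unicast", hdr, next_hop              # step 3: route to server or next relay


def relay_to_client(hdr: DhcpHeader, my_interface_ips) -> str:
    """Server -> client direction (provision/confirmation phase), steps 1 and 2."""
    if hdr.op != BOOTREPLY or str(hdr.giaddr) not in set(my_interface_ips):
        return "drop"                            # step 1: reply is not addressed to this relay
    return "broadcast" if hdr.flags & BROADCAST_FLAG else "unicast"   # step 2
```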

II. DHCP Snooping Overview

To secure network communication services, DHCP Snooping technology is introduced to establish a firewall between the DHCP client and the DHCP server that resists the various attacks against DHCP found in the network.

DHCP Snooping is a security feature of DHCP that ensures DHCP clients obtain IP addresses only from legitimate DHCP servers. The device running DHCP Snooping records the correspondence between each DHCP client's IP address, MAC address and other parameters, which is then used to prevent attacks against DHCP on the network.

DHCP encounters many security issues in practice. Attacks against DHCP in the network include DHCP server impersonator attacks, DHCP server denial-of-service attacks and spoofed DHCP message attacks.

DHCP Snooping mainly implements DHCP network security through the DHCP Snooping trust function and the DHCP Snooping binding table.

DHCP Snooping Trust Function

The trust function of DHCP Snooping can ensure that the client obtains an IP (Internet Protocol) address from a legitimate server.

As shown in the figure below, if a DHCP server impersonator has been set up privately in the network, the DHCP client may obtain wrong IP addresses and network configuration parameters and fail to communicate normally. The DHCP Snooping trust function controls the source of DHCP server response messages, so that a DHCP server impersonator that may exist in the network cannot assign IP addresses and other configuration information to DHCP clients.

[Figure: DHCP Snooping trust function]

The DHCP Snooping trust function divides interfaces into trusted interfaces and untrusted interfaces:

  • A trusted interface normally receives and forwards DHCP ACK, DHCP NAK and DHCP Offer messages from the DHCP server.
  • DHCP OFFER, DHCP ACK and DHCP NAK messages sent by a DHCP server but received on an untrusted interface are discarded directly.
  • An interface configured with the dhcp snooping enable command forwards the DHCP request messages it receives to all trusted interfaces and discards any DHCP response messages it receives.
  • An interface configured with the dhcp snooping trusted command forwards the DHCP request messages it receives to all other trusted interfaces; if there is no other trusted interface, the request is discarded. A DHCP response message it receives is forwarded only to the interface that connects to the corresponding client and is configured with the dhcp snooping enable command; if no such interface is found, the response is discarded.

III. DHCP Snooping Binding Table

[Figure: DHCP Snooping binding table function]

After the DHCP Snooping function is enabled on the Layer 2 access device, it extracts key information (including the PC's MAC address, the obtained IP address, and the address lease) from the received DHCP ACK message, and obtains information about the DHCP Snooping-enabled interface connected to the PC (including the interface number and the VLAN to which the interface belongs). Based on this information, it generates a DHCP Snooping binding table.

Because the DHCP Snooping binding table records the correspondence between DHCP client IP addresses, MAC addresses and other parameters, matching received messages against the binding table effectively blocks attacks from illegal users.

Entries in the DHCP Snooping binding table age out according to the DHCP lease period, or are deleted when the user sends a DHCP Release message to give up the IP address.

IV. Function of DHCP Snooping

DHCP snooping is used to prevent:

  • DHCP Server Impersonator Attack
  • Man-in-the-middle attacks and IP/MAC Spoofing attacks
  • DoS attack by changing CHADDR value

DHCP Snooping provides a different working mode for each type of attack, as described below:

1. DHCP Server Impersonator Attack

(1) Attack Principle:

Because the DHCP request message is sent as a broadcast, a DHCP server impersonator can intercept it. The impersonator then responds to the DHCP client with spoofed information, such as a wrong gateway address, wrong DNS server or wrong IP address, to achieve a DoS (Denial of Service).

(2) Solution:

  • To prevent attacks by bogus DHCP servers, you can use the Trusted/Untrusted working mode of DHCP Snooping.
  • Set a physical interface or VLAN interface to "Trusted" or "Untrusted".
  • All DHCP Reply (Offer, ACK, NAK) messages received from the "untrusted" interface are directly discarded, which can isolate the attack of the DHCP server impersonator.

2. DoS attack by changing CHADDR value

(1) Attack Principle:

The attacker continuously requests a large number of IP addresses from the DHCP server, changing the CHADDR value in each request, until the IP addresses in the DHCP server's address pool are exhausted and the server can no longer allocate IP addresses to normal users.

(2) Solution:

To prevent attacks by attackers who change the CHADDR value, you can configure the DHCP Snooping function on the device to check the CHADDR field in DHCP Request messages. If the field matches the source MAC address in the Ethernet frame header, the message is forwarded; otherwise, the message is discarded. This ensures that legitimate users can use network services normally.

3. DHCP Man-in-the-Middle Attack

(1) Attack Principle:

The attacker uses the ARP mechanism to make the client learn a mapping between the DHCP server's IP address and the attacker's MAC address, and to make the server learn a mapping between the client's IP address and the attacker's MAC address. As a result, all IP packets exchanged between the client and the server are forwarded through the attacker. In essence, the man-in-the-middle attack is an IP/MAC spoofing attack: the man-in-the-middle uses false IP-to-MAC mappings to deceive the DHCP client and server at the same time.

(2) Solution:

To defend against man-in-the-middle attacks and IP/MAC spoofing attacks, you can use the binding table working mode of DHCP Snooping. When an interface receives an ARP or IP message, the "source IP + source MAC" pair in the message is matched against the DHCP Snooping binding table. If it matches, the message is forwarded; otherwise it is discarded.
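The forwarding decisions described in sections II, III and IV (trust function, binding table built from ACK and removed on Release or lease expiry, CHADDR check, and source IP + source MAC matching for ARP/IP traffic) combined into one model switch, as an added example that is not part of the original article. Messages are modelled as already-decoded records; port names, MAC addresses and lease values are constructed for illustration.

```python
from dataclasses import dataclass

REPLIES = {"OFFER", "ACK", "NAK"}       # only a legitimate server should send these


@dataclass
class Dhcp:
    msg_type: str             # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    chaddr: str               # client hardware address inside the DHCP payload
    src_mac: str              # source MAC of the Ethernet frame that carried it
    yiaddr: str = "0.0.0.0"   # address assigned by the server (ACK)
    lease: int = 0            # lease time in seconds (ACK)


class SnoopingSwitch:
    """Layer 2 access switch with DHCP Snooping (trust, CHADDR check, binding table)."""

    def __init__(self, trusted_ports, check_chaddr=True):
        self.trusted = set(trusted_ports)
        self.check_chaddr = check_chaddr
        self.pending = {}     # chaddr -> (port, vlan) learned from client requests
        self.bindings = {}    # (mac, ip) -> (port, vlan, lease expiry timestamp)

    def handle_dhcp(self, msg: Dhcp, in_port: str, vlan: int, now: int = 0) -> str:
        if msg.msg_type in REPLIES:
            if in_port not in self.trusted:
                return "drop"                     # server reply on an untrusted port: impersonator
            client = self.pending.get(msg.chaddr)
            if client is None:
                return "drop"                     # no snooping-enabled client port to deliver to
            if msg.msg_type == "ACK":             # binding entry is built from the ACK
                self.bindings[(msg.chaddr, msg.yiaddr)] = (*client, now + msg.lease)
            return "forward"
        if self.check_chaddr and msg.chaddr != msg.src_mac:
            return "drop"                         # forged CHADDR: address-pool starvation attempt
        if msg.msg_type == "RELEASE":             # user released the address: delete its entries
            self.bindings = {k: v for k, v in self.bindings.items() if k[0] != msg.chaddr}
        else:
            self.pending[msg.chaddr] = (in_port, vlan)
        return "forward"

    def handle_arp_or_ip(self, src_mac: str, src_ip: str, in_port: str, now: int = 0) -> str:
        """Match source IP + source MAC against the binding table on untrusted ports."""
        if in_port in self.trusted:
            return "forward"
        self.bindings = {k: v for k, v in self.bindings.items() if v[2] > now}   # lease ageing
        return "forward" if (src_mac, src_ip) in self.bindings else "drop"
```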

V. Introduction to DHCP Snooping Configuration Commands

(1) Enable DHCP Snooping globally:

 [Huawei] dhcp snooping enable [ ipv4 | ipv6 ]

(2) Enable DHCP snooping in VLAN view:

 [Huawei-vlan2] dhcp snooping enable

When this command is executed in VLAN view, the command function takes effect on DHCP messages belonging to the VLAN received by all interfaces of the device.

(3) Configure the interface to be in the "trusted" state in the VLAN view

 [Huawei-vlan2] dhcp snooping trusted interface interface-type interface-number

If this command is executed in VLAN view, it takes effect only on DHCP messages belonging to this VLAN and received by the interface added to the VLAN.

(4) Enable DHCP snooping in interface view

 [Huawei-GigabitEthernet0/0/1] dhcp snooping enable

(5) Configure the interface to be in the "trusted" state in the interface view

 [Huawei-GigabitEthernet0/0/1] dhcp snooping trusted

By default, the device interface is in untrusted state.

(6) (Optional) Configure DHCP messages with a non-zero GIADDR field to be discarded

 [Huawei] dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] }

This enables checking whether the GIADDR field in DHCP Request messages is non-zero. The command can be configured in VLAN view or interface view. In VLAN view, it takes effect on DHCP messages belonging to the VLAN that are received by all interfaces of the device; in interface view, it takes effect on all DHCP messages received on that interface.

DHCP Snooping Configuration Example

As shown in the figure, the basic configurations of DHCP and VLAN have been completed. Configure the DHCP snooping function on the Switch.

(1) Configuration method 1: Interface view

 [Switch] dhcp snooping enable ipv4
 [Switch] interface GigabitEthernet 0/0/1
 [Switch-GigabitEthernet0/0/1] dhcp snooping enable
 [Switch] interface GigabitEthernet 0/0/2
 [Switch-GigabitEthernet0/0/2] dhcp snooping enable
 [Switch] interface GigabitEthernet 0/0/3
 [Switch-GigabitEthernet0/0/3] dhcp snooping enable
 [Switch-GigabitEthernet0/0/3] dhcp snooping trusted

(2) Configuration method 2: VLAN view

 [Switch] dhcp snooping enable ipv4
 [Switch] vlan 2
 [Switch-vlan2] dhcp snooping enable
 [Switch] interface GigabitEthernet 0/0/3
 [Switch-GigabitEthernet0/0/3] dhcp snooping trusted

Configuration verification

Run the display dhcp snooping interface command to check the DHCP Snooping running information on the interface.

 [Switch]display dhcp snooping interface GigabitEthernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                 : Enable
 Trusted interface             : Yes
 Dhcp user max number          : 1024 (default)
 Current dhcp user number      : 0
 Check dhcp-giaddr             : Disable (default)
 Check dhcp-chaddr             : Disable (default)
 Alarm dhcp-chaddr             : Disable (default)
 Check dhcp-request            : Disable (default)
 Alarm dhcp-request            : Disable (default)
 ----- more ------
