Overview of DHCP Snooping

Definition

Dynamic Host Configuration Protocol (DHCP) snooping is a DHCP security feature that functions in a similar way to a firewall between DHCP clients and servers. A DHCP-snooping-capable device monitors DHCP packets and uses information carried in the packets to create a DHCP snooping binding table. This table records hosts' media access control (MAC) addresses, IP addresses, IP address lease time, virtual local area network (VLAN) IDs, and interface information. The device uses this table to check the validity of received DHCP packets. If a DHCP reply packet is received from an untrusted interface, the device discards the packet.

Purpose

DHCP, which is widely used on networks, dynamically assigns IP addresses to clients and manages configuration information in a centralized manner. However, the following attacks may occur during DHCP packet forwarding.
  • Bogus DHCP server attack: Bogus DHCP servers disguise themselves as legitimate DHCP servers and assign IP addresses to DHCP clients. As a result, DHCP clients obtain incorrect IP addresses and cannot go online.
  • Man-in-the-middle attack and IP/MAC spoofing attack: Attackers position themselves as middlemen between DHCP clients and servers. Attackers can also forge DHCP packets by modifying the IP/MAC addresses carried in the packets. As a result, services for authorized clients are affected.
  • DHCP exhaustion attack: Attackers disguise themselves as authorized clients and send DHCP request packets to extend IP address leases. As a result, DHCP servers cannot reclaim the IP addresses assigned to clients.
  • DHCP starvation attack: Attackers request IP addresses from DHCP servers by sending a large number of DHCP request packets with varied MAC addresses in the frame headers. As a result, the IP addresses in the address pool are exhausted, and authorized clients cannot obtain IP addresses.
  • DHCP denial of service (DoS) attack: Attackers request IP addresses from DHCP servers by sending a large number of DHCP request packets with varied MAC addresses in the client hardware address (CHADDR) field. As a result, the IP addresses in the address pool are exhausted, and authorized clients cannot obtain IP addresses.
To protect against these attacks, DHCP snooping offers the following attack defense policies.
Table 1 DHCP snooping attack defense policies

Attack defense type: Defense against bogus DHCP server attacks
Description: The device defends against attacks from bogus DHCP servers based on trusted and untrusted interfaces. You configure network-side interfaces as trusted and user-side interfaces as untrusted. All DHCP reply packets received from untrusted interfaces are discarded. You can also configure the whitelist function for DHCP snooping so that only DHCP packets listed in the whitelist are sent to the CPU and have binding entries generated; packets not listed in the whitelist are simply forwarded in hardware.
Protection target: This policy protects network communication against attacks from forged DHCP packets.

Attack defense type: Defense against man-in-the-middle and IP/MAC spoofing attacks
Description: After receiving an IP packet, the device checks whether the source IP address, source MAC address, VLAN ID, and interface information carried in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.
Protection target: This policy protects network communication against attacks from forged DHCP packets.

Attack defense type: Defense against DHCP exhaustion attacks
Description: After receiving a DHCP request packet, the device checks whether the source IP address, source MAC address, VLAN ID, and interface information carried in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.
Protection target: This policy protects network communication against attacks from forged DHCP packets.

Attack defense type: Defense against DHCP starvation attacks
Description: The device limits the number of MAC addresses that an interface can learn, which defends against attacks that send a large number of DHCP request packets with varied MAC addresses.
Protection target: This policy protects network communication against DHCP flood attacks.

Attack defense type: Defense against DHCP DoS attacks
Description: After receiving a DHCP request packet, the device checks whether the source MAC address in the CHADDR field matches the source MAC address in the frame header. If they match, the device considers the packet valid and forwards it. If they do not match, the device considers the packet an attack packet and discards it.
Protection target: This policy protects network communication against DHCP flood attacks.
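The checks in Table 1 can be modelled as a small packet filter. The following is an added example, not Huawei's code: it keeps a binding table learned from DHCP replies on trusted interfaces, drops replies arriving on untrusted interfaces, compares CHADDR with the frame-header MAC, and validates renewals and user-side IP traffic against the binding table. Interface names, MAC and IP addresses are constructed for illustration.

```python
# Added example, not Huawei's code: a simplified model of the DHCP snooping
# checks described in Table 1. Interface names, MACs and IPs are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    in_port: str        # interface the frame arrived on
    vlan: int
    src_mac: str        # frame-header source MAC
    src_ip: str
    kind: str           # "DHCP_REQUEST", "DHCP_ACK" (a reply) or "IP"
    chaddr: str = ""    # DHCP client hardware address field
    yiaddr: str = ""    # address assigned by the server (in an ACK)
    lease: int = 0      # lease time carried in the ACK

@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)      # network-side interfaces
    pending: dict = field(default_factory=dict)    # chaddr -> (vlan, port) of a request
    bindings: dict = field(default_factory=dict)   # mac -> (ip, vlan, port, lease)

    def _bound(self, pkt):
        # Binding-table lookup on source IP, source MAC, VLAN ID and interface.
        entry = self.bindings.get(pkt.src_mac)
        return entry is not None and entry[:3] == (pkt.src_ip, pkt.vlan, pkt.in_port)

    def process(self, pkt):
        if pkt.kind == "DHCP_ACK":
            # Bogus-server defense: replies are accepted only on trusted interfaces.
            if pkt.in_port not in self.trusted:
                return "drop: DHCP reply on untrusted interface"
            if pkt.chaddr in self.pending:          # create the binding entry
                vlan, port = self.pending.pop(pkt.chaddr)
                self.bindings[pkt.chaddr] = (pkt.yiaddr, vlan, port, pkt.lease)
            return "forward"
        if pkt.kind == "DHCP_REQUEST":
            # DoS defense: CHADDR must equal the frame-header source MAC.
            if pkt.chaddr != pkt.src_mac:
                return "drop: CHADDR does not match frame-header MAC"
            # Exhaustion defense: a lease renewal must match an existing binding.
            if pkt.src_ip != "0.0.0.0" and not self._bound(pkt):
                return "drop: renewal does not match a binding entry"
            self.pending[pkt.chaddr] = (pkt.vlan, pkt.in_port)
            return "forward"
        # IP/MAC spoofing defense: user-side IP traffic must match a binding entry.
        if pkt.in_port not in self.trusted and not self._bound(pkt):
            return "drop: IP packet does not match a binding entry"
        return "forward"
```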

Benefits

DHCP snooping offers the following benefits:
  • Protects devices against DHCP attacks to enhance device reliability and ensure stable network operation.
  • Offers clients stable service on a more secure network.
  • Whitelist-based filtering can be implemented for DHCP packets to be sent to the CPU on the AC and network sides of the UPE.
Copyright © Huawei Technologies Co., Ltd.