To address the concerns, DHCP Snooping, one of the protection mechanisms can prevent the invalid DHCP addresses from the rogue DHCP server and can ward off the resource-exhausting attack that attempts to use up all existing DHCP addresses. Though DHCP simplifies the IP addressing, it raises security concerns at the same time. This can be realized in both the CLI interface and also the Web GUI. When deploying DHCP Snooping, you need to set up the trusted ports (the ports through which legitimate DHCP server messages will flow) before enabling DHCP Snooping on the VLAN you wish to protect. As an access layer security feature, it is mostly enabled on any switch containing access ports in a VLAN serviced by DHCP. How to Enable DHCP snooping?ĭHCP Snooping is only applicable to wired users. The DHCP server will respond to all requests, not knowing this is a DHCP starvation attack, by assigning available IP addresses, resulting in the depletion of DHCP pool. DHCP Starvation AttackĭHCP starvation attack commonly targets network DHCP servers, in a bid to flood the authorized DHCP server with DHCP REQUEST messages using spoofed source MAC addresses. With that, it is possible that they can intercept traffic from users before forwarding to the real gateway or perform DoS by flooding the real DHCP server with requests to choke IP address resources. If the subsequent DHCP packet received from untrusted hosts fails to match with the information, it will be dropped.Ĭommon Attacks Prevented by DHCP Snooping DHCP Spoofing AttackĭHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list itself (spoof) as the default gateway or DNS server, hence, initiating a man in the middle attack. It writes down the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host, as is shown in Figure 3. In the acknowledgment stage, a DHCP binding table will be created according to the DHCP ACK message. If the DHCP Snooping is initiated, the DHCP offer message can only be sent through the trusted port. An untrusted port is a port from which DHCP server messages are not trusted. A trusted port is a port or source whose DHCP server messages are trusted. With DHCP enabled, a network device without IP address will "interact" with the DHCP server through 4 stages as follows.ĭHCP Snooping generally classifies interfaces on the switch into two categories: trusted and untrusted ports as shown in Figure 2. To figure out how DHCP Snooping works, we must catch on the working mechanism of DHCP which stands for dynamic host configuration protocol. Utilizes the DHCP Snooping binding database to validate subsequent requests from untrusted hosts.
0 kommentar(er)
