The Dynamic Host Configuration Protocol (DHCP) makes configuring networks easier. Instead of setting up every client by hand, every PC, every smartphone and every other network-capable device, most networks now use DHCP: each host receives its IP address, subnet mask, default gateway and other settings from a server. This simplifies the administration of large networks and removes a common source of error, because a single server hands out the addresses and keeps track of which lease belongs to which client, so two DHCP clients are not given the same address. It also economises on address space: when a device leaves the network, its lease expires and the address can be reassigned to a new client.

At the same time, this convenience opens a door for attackers. When you let someone else do the work for you, you give up part of your control, and things can happen in the background that you never learn about. DHCP is no exception, but there is a countermeasure: the fraudulent use of DHCP can be contained with "DHCP snooping". How does this security feature work?

What is DHCP snooping used for?

With DHCP, a server ensures that each client receives its configuration. The client first sends a DHCPDISCOVER as a broadcast, asking which DHCP servers are present and able to answer. Every reachable DHCP server replies with an offer. If several servers are active in the network, the client normally takes the offer that reaches it first and requests its address from that server. This is the protocol's weak spot, and the point at which an attacker can step in.

Anyone who can attach a device to the network can introduce an additional server (a so-called rogue DHCP server). If its offer reaches the client first, the client takes its configuration from the malicious server, which hands out wrong or manipulated settings and leaves the client misconfigured. Supplying a false default gateway, for instance, routes the client's traffic through a machine the attacker controls (DHCP spoofing); the attacker can then record the traffic passing through that gateway to obtain sensitive information, a man-in-the-middle attack. The same works with a false DNS server address. Handing out invalid or duplicate addresses, on the other hand, amounts to a denial-of-service attack that can paralyse the whole segment. DHCP snooping prevents such servers from ever reaching the clients.

Fact

In most home networks, wired or wireless, the router acts as the DHCP server. That does little to change the risk of DHCP spoofing, because in principle any device can run a DHCP server: an attacker who gets a laptop onto the WLAN can use it to take over address assignment.

DHCP snooping does not only protect against deliberate attacks, but also against the faults that come from the careless use of additional routers. If a new router is plugged into an existing network with its own DHCP server left enabled, it competes with the legitimate server and hands out addresses that should never have been assigned, which leads to connection failures. In a business setting this is a real problem when employees add their own devices to the network without telling the network administrator.

What is DHCP Snooping?

DHCP snooping is a layer 2 security feature in terms of the OSI model. It runs on the switch that connects the clients to the DHCP servers and, put simply, inspects every DHCP packet that passes through the switch. Only DHCP replies that come from trusted servers are forwarded to the clients; everything else is dropped.

Fact

Cisco was the first manufacturer to ship DHCP snooping in its devices, and a Cisco engineer co-authored RFC 7513 (SAVI Solution for DHCP), which standardises the closely related idea of building a binding table from snooped DHCP traffic and validating source addresses against it. Many other manufacturers of network equipment have since followed suit and offer the function, sometimes under a different name, in their devices.

A rogue DHCP server listening on the network still sees the broadcast DHCPDISCOVER (the client's search for a server) and can send a DHCPOFFER (its answer) in return. That offer, however, never reaches the client: the switch sees that a server message arrived on a port that is not trusted and refuses to forward it. The decision is based on the port the packet came in on, not on the contents of the offer, so the switch does not need to know what the "right" settings would be.

Trusted Ports

To ensure that only the right servers take part in handing out configuration, DHCP snooping works in several steps. First, the administrator marks the switch port (or ports) leading to the legitimate DHCP server, or to the uplink towards it, as trusted. Every other port is untrusted by default; this covers all client ports, and therefore also any host on a client port that happens to run a DHCP server without the administrator's approval. If a message that only a server may send (DHCPOFFER, DHCPACK or DHCPNAK) arrives on an untrusted port, the switch drops it, and no client ever receives it.

DHCP snooping binding database

An attacker can also disrupt the network by impersonating an existing client and, under that identity, giving up the client's lease (DHCPRELEASE) or rejecting the address it was offered (DHCPDECLINE). To prevent this, DHCP snooping keeps a database that the switch builds and maintains on its own. It reads the DHCP messages (not the ordinary traffic that follows a successful configuration) and extracts the details for the DHCP snooping binding database.

The database holds an entry for every host behind an untrusted port that has obtained a lease. Each entry records the client's MAC address, the assigned IP address, the switch port it was learned on, the VLAN and the remaining lease time. A DHCPRELEASE or DHCPDECLINE arriving on an untrusted port is only forwarded if the MAC address, port and VLAN match an existing entry; a message that claims another client's address from the wrong port is dropped. In addition, for every DHCP packet from an untrusted port the switch compares the source MAC address of the Ethernet frame with the client hardware address (chaddr) inside the DHCP message and drops the packet on a mismatch.
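The following added example (not code from the article or from any switch vendor) simulates the two mechanisms described above, port trust and the binding database, on a single switch: it builds minimal DHCP datagrams in the RFC 2131 layout, drops server-only messages that arrive on untrusted ports, checks the frame source MAC against chaddr, learns a binding from the server's DHCPACK and uses it to reject a forged DHCPRELEASE. Port names, MAC addresses and the log labels are this demo's own assumptions.

```python
"""Simulated DHCP snooping switch: port trust plus the binding database.
Added example, not code from the article or any switch vendor; message
layouts follow RFC 2131, everything else (port names, MACs) is made up."""
import struct
from collections import namedtuple

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only a server may send these
Binding = namedtuple("Binding", "mac ip port vlan lease")


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=None, xid=0x1234):
    """Build a minimal BOOTP/DHCP datagram: 236-byte header, cookie, options."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2          # BOOTREQUEST or BOOTREPLY
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, bytes(int(o) for o in yiaddr.split(".")),
                      b"\0" * 4, b"\0" * 4, chaddr, b"", b"")
    opts = bytes([53, 1, msg_type])                       # option 53: message type
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Return (message type, chaddr, yiaddr, {option code: value})."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    chaddr = bytes(pkt[28:28 + hlen])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:               # walk TLV options to the end marker
        if pkt[i] == 0:                                  # pad byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = bytes(pkt[i + 2:i + 2 + ln])
        i += 2 + ln
    mtype = TYPES.get(opts[53][0]) if 53 in opts else None
    return mtype, chaddr, yiaddr, opts


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # chaddr -> Binding: the DHCP snooping binding database
        self.pending = {}       # chaddr -> (port, vlan) of an outstanding client request
        self.log = []           # labels are this demo's, not a vendor's syslog mnemonics

    def handle(self, port, vlan, src_mac, pkt):
        """Decide 'forward' or 'drop' for a DHCP packet received on `port`."""
        mtype, chaddr, yiaddr, opts = parse_dhcp(pkt)
        if port in self.trusted:                         # trusted: forward, but learn leases
            if mtype == "ACK" and chaddr in self.pending:
                cport, cvlan = self.pending.pop(chaddr)
                lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
                self.bindings[chaddr] = Binding(chaddr, yiaddr, cport, cvlan, lease)
            return "forward"
        if mtype in SERVER_MSGS:                         # rogue server on an access port
            self.log.append(f"UNTRUSTED_PORT {mtype} on {port} sa={src_mac.hex()}")
            return "drop"
        if src_mac != chaddr:                            # frame source MAC must equal chaddr
            self.log.append(f"MATCH_MAC_FAIL {mtype} on {port}")
            return "drop"
        if mtype in ("RELEASE", "DECLINE"):              # only the real lease holder may do this
            b = self.bindings.get(chaddr)
            if b is None or b.port != port or b.vlan != vlan:
                self.log.append(f"BINDING_MISMATCH {mtype} on {port}")
                return "drop"
            del self.bindings[chaddr]
        elif mtype in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (port, vlan)
        return "forward"


def run_demo():
    """Play a legitimate lease, a rogue offer and a forged release through the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})     # uplink to the real server
    client, rogue, server = (bytes.fromhex(m) for m in
                             ("0011223344aa", "deadbeef0001", "00aabbccdd01"))
    r = {}
    r["discover"] = sw.handle("Gi1/0/5", 10, client, build_dhcp(1, client))
    r["ack"] = sw.handle("Gi1/0/24", 10, server,
                         build_dhcp(5, client, "10.0.10.50", lease=3600))
    r["binding"] = (sw.bindings[client].ip, sw.bindings[client].port)
    r["rogue_offer"] = sw.handle("Gi1/0/7", 10, rogue, build_dhcp(2, client, "192.168.1.77"))
    # attacker spoofs the client's MAC from another port and tries to release its lease
    r["forged_release"] = sw.handle("Gi1/0/7", 10, client, build_dhcp(7, client))
    r["real_release"] = sw.handle("Gi1/0/5", 10, client, build_dhcp(7, client))
    r["bindings_left"] = len(sw.bindings)
    return r, sw.log
```

Running `run_demo()` forwards the DISCOVER and the ACK, records a binding for 10.0.10.50 on Gi1/0/5, drops the OFFER from Gi1/0/7 and the forged RELEASE from the same port, and lets the genuine RELEASE from Gi1/0/5 through. On a Cisco IOS switch the equivalent configuration is `ip dhcp snooping` and `ip dhcp snooping vlan 10` globally, `ip dhcp snooping trust` on the uplink interface, and `show ip dhcp snooping binding` to inspect the database; the frame-MAC-versus-chaddr check is `ip dhcp snooping verify mac-address`, which is on by default.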

Fact

Other security features build on the DHCP snooping binding database, such as Dynamic ARP Inspection (DAI), which validates ARP replies against it, and IP Source Guard, which restricts the IP traffic from a port to the addresses bound to that port.

Logs

In addition, most devices can log what DHCP snooping drops. These logs can be forwarded to a syslog server and analysed. The log messages distinguish two kinds of event: on the one hand, a mismatch between the source MAC address of the frame and the client hardware address in the DHCP message (or the binding stored in the database), and on the other hand, server messages that arrived on an untrusted port.

The first kind is often caused by a poorly implemented DHCP client, so a single occurrence is usually harmless; a burst of them from one port, however, looks like a DHCP starvation attempt with forged hardware addresses and deserves a closer look. The second kind means that something on an untrusted port is acting as a DHCP server: either a deliberate attempt to plant a rogue DHCP server, or an employee's router with DHCP left switched on. Either way it should be tracked down. Because the log records the port, VLAN and MAC address involved, you can start a targeted investigation of the incident.
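As an added example of the triage described above (not part of the article, and not a vendor tool), the script below parses a handful of constructed syslog lines and rates them per port. The lines only loosely imitate the Cisco IOS `%DHCP_SNOOPING-5-<MNEMONIC>` style; the exact wording, the field names after the mnemonic and the burst threshold are assumptions, so adapt the regular expression to what your switches actually emit.

```python
"""Triage of DHCP snooping syslog events. Added example, not from the article
or any vendor; the sample lines are constructed and only loosely follow the
Cisco IOS %DHCP_SNOOPING-5-<MNEMONIC> style, so adapt LINE_RE to your gear."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:14:02 sw-floor2 %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: drop, chaddr does not match source MAC, message type: DHCPDISCOVER, chaddr: 0011.2233.44aa, MAC sa: 0011.2233.44ab, interface: Gi1/0/5, vlan: 10
Mar  3 10:14:09 sw-floor2 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: drop message on untrusted port, message type: DHCPOFFER, MAC sa: dead.beef.0001, interface: Gi1/0/7, vlan: 10
Mar  3 10:14:10 sw-floor2 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: drop message on untrusted port, message type: DHCPACK, MAC sa: dead.beef.0001, interface: Gi1/0/7, vlan: 10
Mar  3 10:14:30 sw-floor2 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to up
"""
# constructed burst: one frame source MAC, a different chaddr each time (starvation pattern)
SAMPLE_LOG += "".join(
    f"Mar  3 10:16:{s:02d} sw-floor2 %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: "
    f"drop, chaddr does not match source MAC, message type: DHCPDISCOVER, "
    f"chaddr: 0200.0000.{s:04x}, MAC sa: 0011.2233.44dd, interface: Gi1/0/9, vlan: 10\n"
    for s in range(1, 7))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%DHCP_SNOOPING-\d-(?P<mnemonic>\w+): .*?message type: (?P<mtype>DHCP\w+), "
    r"(?:chaddr: (?P<chaddr>[0-9a-f.]+), )?MAC sa: (?P<sa>[0-9a-f.]+), "
    r"interface: (?P<iface>\S+), vlan: (?P<vlan>\d+)")
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
BURST = 5          # assumed threshold: chaddr mismatches from one port before it is suspicious


def parse_line(line):
    """Return the fields of a DHCP snooping event, or None for any other syslog line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Group DHCP snooping drops per interface and return (severity, iface, reason) tuples."""
    per_port = defaultdict(lambda: {"servers": Counter(), "mac_fail": 0})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue                                     # not a DHCP snooping event
        rec = per_port[ev["iface"]]
        if ev["mnemonic"] == "DHCP_SNOOPING_UNTRUSTED_PORT" and ev["mtype"] in SERVER_MSGS:
            rec["servers"][ev["sa"]] += 1                # something answers like a server
        elif ev["mnemonic"] == "DHCP_SNOOPING_MATCH_MAC_FAIL":
            rec["mac_fail"] += 1
    findings = []
    for iface, rec in sorted(per_port.items()):
        for sa, n in rec["servers"].items():
            findings.append(("high", iface, f"{n} server-only messages from {sa}: "
                             "rogue DHCP server or unsanctioned router on this port"))
        if rec["mac_fail"] >= BURST:
            findings.append(("medium", iface, f"{rec['mac_fail']} chaddr/source-MAC mismatches: "
                             "possible DHCP starvation with forged client addresses"))
        elif rec["mac_fail"]:
            findings.append(("low", iface, f"{rec['mac_fail']} chaddr/source-MAC mismatch: "
                             "probably a misbehaving client, check whether it repeats"))
    return findings


if __name__ == "__main__":
    for severity, iface, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {iface}: {reason}")
```

On the constructed sample this yields one low finding for Gi1/0/5, one high finding for Gi1/0/7 (two server messages from dead.beef.0001), and one medium finding for Gi1/0/9; the `%LINK-3-UPDOWN` line is ignored. The high finding is the one that should page someone: the port, VLAN and MAC address are all in the message, so the device can be located via the switch's MAC table and the port shut until it is found.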

Tip

DHCP servers can creep into a network without your noticing. Such stray DHCP servers can be flushed out with a decoy: send a DHCPDISCOVER yourself and see which servers answer. Every server that responds reveals its address in its DHCPOFFER (the server identifier option), and any address you do not recognise belongs to a server that should not be there.

Option 82

Option 82, the DHCP relay agent information option (RFC 3046), adds a further layer. With it the switch takes an active part in the exchange between client and server as a relay agent. This is useful when clients and servers are not in the same subnet. When a client sends a request, the switch appends Option 82 to the DHCP options, typically a circuit ID identifying the port and VLAN and a remote ID identifying the switch. From this the server can tell which switch, and which port on it, the request came from.

The DHCP server evaluates this information and can assign addresses from a pool that depends on the client's location. It echoes Option 82 unchanged in its reply and sends it back via the switch. The switch recognises from the option that the reply belongs to a request it relayed, uses the circuit ID to deliver it to the right port, removes Option 82 and forwards the clean reply to the client.

Tip

Option 82 requires DHCP snooping to be enabled globally. The server must also be able to evaluate the option; otherwise it simply ignores the Option 82 data and treats the request as an ordinary DHCP request. Note as well that a request arriving on an untrusted port that already carries Option 82 is dropped by default, since only the switch itself is supposed to insert it.
