Dynamic Host Configuration Protocol Snooping
DHCP Snooping is configured on switches and enabled on Layer 2 ports. Its function is similar to an ACL or a packet-filtering firewall on a router: it monitors incoming DHCP messages and applies a set of rules to filter them. It never filters non-DHCP messages.
DHCP Snooping constantly monitors DHCP packets to identify an attacker's messages. If a message arrives from the server side, it is simply forwarded without any analysis. When a packet arrives from the DHCP client side, it is checked first: only DHCP client messages (Discover, Request, Release and Decline) are allowed, and if a server message (Offer or Acknowledge) arrives from the client side, the message is discarded.
How does DHCP Snooping work?
To understand this, you first need to understand the DHCP messages.
DHCP DORA messages:
D – Discover
O – Offer
R – Request
A – Acknowledge
There are two more messages sent by the client: DHCP Release and DHCP Decline.
DHCP client messages: Discover, Request, Release, Decline
DHCP server messages: Offer, Acknowledge
Note: By default, all ports are untrusted. To make the server-side port trusted, the following interface command is used:
ip dhcp snooping trust
In the diagram above, the server is on the trusted side and the DHCP client is on the untrusted network.
Here are the DHCP Snooping functions:
Examine all incoming DHCP messages.
When a message arrives from the server (trusted) side, it is always forwarded.
When a message arrives from the client side, it is always filtered. If DHCP server messages (Offer and Acknowledge) are received from the client side, the packet is discarded, because only clients sit on the untrusted side and there is no server there; a server message arriving from this side may be part of an attack.
To filter DHCP client messages:
For Discover and Request messages: a DHCP message has a chaddr (client hardware address) field to identify the client. This field carries the client's source MAC address.
The switch compares the chaddr field in the DHCP message with the source MAC address of the Ethernet frame. Only if both fields have the same value is the message forwarded; otherwise it is discarded.
In the image below, the two fields do not match, so all of these messages are discarded by the switch.
For Release and Decline messages: the switch checks the incoming interface and the IP address against the DHCP binding table.
To understand this in more detail, first have a look at the DHCP binding table fields.
The DHCP binding table keeps a list of all legitimate DHCP leases with the parameters listed above (the client's MAC address, its IP address and the interface on which it was learned).
Now, in the image below, on the client side there is a PC listed with MAC 0200.1111.1111 and IP 172.16.2.101. When messages are exchanged between PC1 and the server, these parameters are added as an entry in the DHCP snooping binding table, which is used to analyse later messages.
Now, in the image below, an attacker (PC2) is trying to send a DHCP Release message to the server by copying PC1's IP address. When this message reaches the switch, the switch checks the DHCP binding table entry. In the binding table, IP 172.16.2.101 is mapped to interface G1/0/3, so the switch drops this packet (PC2 is connected to interface G1/0/5).
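The filtering rules described above, modelled in Python as an added example (not code from the original article or from any switch vendor): server messages on untrusted ports are dropped, Discover/Request must carry a chaddr matching the frame's source MAC, and Release/Decline must match a binding table entry for the incoming interface. The port names, the trusted port G1/0/1 and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK"}


@dataclass
class DhcpMsg:
    msg_type: str  # e.g. "DISCOVER", "OFFER", "RELEASE"
    src_mac: str   # source MAC address of the Ethernet frame
    chaddr: str    # client hardware address field inside the DHCP message
    ciaddr: str    # client IP address field (used by RELEASE/DECLINE)
    in_port: str   # switch interface the frame arrived on


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # binding table: IP -> (MAC, interface), learned from real leases

    def add_binding(self, ip, mac, port):
        self.bindings[ip] = (mac, port)

    def forward(self, m):
        """Return True if the switch forwards the DHCP message, False if it drops it."""
        if m.in_port in self.trusted:
            return True  # trusted (server) side: forwarded without analysis
        if m.msg_type in SERVER_MSGS:
            return False  # server message from an untrusted port: possible rogue server
        if m.msg_type in ("DISCOVER", "REQUEST"):
            return m.chaddr.lower() == m.src_mac.lower()  # chaddr must equal frame MAC
        if m.msg_type in ("RELEASE", "DECLINE"):
            entry = self.bindings.get(m.ciaddr)
            return entry is not None and entry[1] == m.in_port  # IP must be bound to this port
        return False  # any other DHCP type on an untrusted port: dropped (simplification)


def demo():
    # Constructed scenario matching the article: PC1 on G1/0/3, attacker PC2 on G1/0/5,
    # the DHCP server on the trusted port G1/0/1 (assumed).
    sw = DhcpSnooping(trusted_ports={"G1/0/1"})
    sw.add_binding("172.16.2.101", "0200.1111.1111", "G1/0/3")
    cases = {
        "legit discover": DhcpMsg("DISCOVER", "0200.1111.1111", "0200.1111.1111", "0.0.0.0", "G1/0/3"),
        "spoofed chaddr": DhcpMsg("DISCOVER", "0200.2222.2222", "0200.1111.1111", "0.0.0.0", "G1/0/5"),
        "rogue offer": DhcpMsg("OFFER", "0200.2222.2222", "0200.1111.1111", "0.0.0.0", "G1/0/5"),
        "server offer": DhcpMsg("OFFER", "0200.aaaa.aaaa", "0200.1111.1111", "0.0.0.0", "G1/0/1"),
        "pc2 fake release": DhcpMsg("RELEASE", "0200.2222.2222", "0200.2222.2222", "172.16.2.101", "G1/0/5"),
        "pc1 release": DhcpMsg("RELEASE", "0200.1111.1111", "0200.1111.1111", "172.16.2.101", "G1/0/3"),
    }
    return {name: sw.forward(msg) for name, msg in cases.items()}
```

Calling demo() returns a dict of case name to forwarding decision; only the legitimate Discover, the server's Offer on the trusted port and PC1's own Release are forwarded.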