What is DHCP Snooping?

Many of us have heard the term DHCP Snooping. But what is DHCP Snooping, basically?
DHCP, or Dynamic Host Configuration Protocol, is a standardized network protocol used to dynamically distribute network parameters such as IP addresses to network devices. For example, when a device on a network needs an IP address, it requests one from the DHCP server and receives it automatically, without the intervention of the network administrator.
But we have already discussed attacks like the ARP Spoofing attack, in which an attacker sends falsified ARP messages to link his IP address to the victim machine's MAC address and then intercepts the victim machine's traffic to steal sensitive information.

What is DHCP Snooping?

Is there any security measure we can take in the DHCP infrastructure to prevent this type of attack?
Yes, the answer is DHCP Snooping.
DHCP Snooping is a set of techniques applied to an existing DHCP infrastructure that acts much like a firewall between untrusted hosts on the network and trusted DHCP servers.

What are trusted and untrusted hosts?

In an enterprise network, a trusted host is a device that is under your administrative control. Trusted hosts include the switches, routers, and servers in the network.
Any device that is beyond the firewall or outside the network is an untrusted host.
DHCP Snooping, like a firewall, validates DHCP messages and filters out the invalid ones.
Whenever an IP address is assigned to an untrusted host, DHCP Snooping records that assignment in a database. It then makes sure hosts use only the IP addresses assigned to them.
With DHCP Snooping, only a whitelist of IP addresses may access the network. The whitelist is configured at the switch-port level, and the DHCP servers manage the access control.
An attacker-controlled DHCP server can disrupt the network or even take control of it. DHCP Snooping prevents an attacker from adding their own DHCP servers to the network.
DHCP Snooping is a strong defense against the ARP Spoofing attack. It checks the source IP address of ARP packets, and if that IP address does not match the IP address the network device previously used, it drops the ARP packet.
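The filtering and binding-table behaviour described above, as an added example (constructed for this article, not vendor code): server-side DHCP messages are dropped on untrusted ports, leases confirmed through a trusted port are recorded as (port, MAC, IP) bindings, and ARP packets are accepted only when their sender IP matches the binding for that port. Port names, MAC and IP addresses are made up; on Cisco switches the ARP check is the separate Dynamic ARP Inspection feature, which consults the snooping binding table.

```python
from dataclasses import dataclass, field

# Message types only a DHCP server sends; seen on an untrusted port they
# come from a rogue server and are dropped.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class SnoopingSwitch:
    """Toy model of DHCP snooping on one switch (constructed for this example)."""
    trusted_ports: set
    client_port: dict = field(default_factory=dict)  # client MAC -> access port
    bindings: dict = field(default_factory=dict)     # (port, MAC) -> leased IP
    dropped: list = field(default_factory=list)

    def handle_dhcp(self, port, msg_type, client_mac, ip=None):
        """Filter one DHCP message; True means forwarded, False means dropped."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted_ports:
            self.dropped.append(("dhcp", port, msg_type, client_mac))
            return False
        if msg_type in ("DISCOVER", "REQUEST"):
            self.client_port[client_mac] = port      # where the client lives
        elif msg_type == "ACK" and client_mac in self.client_port:
            # A trusted server confirmed the lease: record the binding.
            self.bindings[(self.client_port[client_mac], client_mac)] = ip
        elif msg_type == "RELEASE":
            self.bindings.pop((port, client_mac), None)
        return True

    def handle_arp(self, port, sender_mac, sender_ip):
        """Accept an ARP packet only if its sender IP matches the port's binding."""
        if self.bindings.get((port, sender_mac)) == sender_ip:
            return True
        self.dropped.append(("arp", port, sender_mac, sender_ip))
        return False


def demo():
    """Run a real lease, a rogue OFFER and a spoofed ARP through the filter."""
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    mac = "aa:aa:aa:aa:aa:01"                        # constructed client MAC
    sw.handle_dhcp("Gi1/1", "DISCOVER", mac)
    sw.handle_dhcp("uplink1", "OFFER", mac, "10.0.0.10")
    sw.handle_dhcp("Gi1/1", "REQUEST", mac)
    legit_ack = sw.handle_dhcp("uplink1", "ACK", mac, "10.0.0.10")
    rogue_offer = sw.handle_dhcp("Gi1/5", "OFFER", mac, "10.0.0.99")
    good_arp = sw.handle_arp("Gi1/1", mac, "10.0.0.10")
    spoofed_arp = sw.handle_arp("Gi1/1", mac, "10.0.0.1")
    return legit_ack, rogue_offer, good_arp, spoofed_arp, dict(sw.bindings)
```

Calling `demo()` returns `(True, False, True, False, {('Gi1/1', 'aa:aa:aa:aa:aa:01'): '10.0.0.10'})`: the legitimate lease is forwarded and recorded, the rogue OFFER and the spoofed ARP are dropped.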

Are there any implementations of DHCP Snooping?

Yes, there are a couple of implementations. To mention a few:
  • Cisco Catalyst switches have built-in DHCP Snooping capability
  • HP ProCurve switches also have DHCP Snooping capability
  • Brocade Communications Systems ICX-series switches and VDX products with Layer 3 functionality are capable of running DHCP Snooping
  • Avaya Ethernet Routing Switches are also capable of DHCP Snooping
So, be informed about all the security vulnerabilities and take steps to prevent them.
