Overview of DHCP Snooping
DHCP snooping defends against attacks launched using DHCP messages.
Definition
Dynamic Host Configuration Protocol (DHCP) snooping is a DHCP security feature that filters untrusted DHCP messages by creating and maintaining a binding table. The binding table contains the following items:
- MAC addresses
- IP addresses
- IP leases
- Binding types
- VLAN IDs
- Interface information
DHCP snooping acts as a firewall between a DHCP client and a DHCP server.
Objective
DHCP snooping is used to prevent the following problems:
- DHCP denial of service (DoS) attacks
- Bogus DHCP server attacks
- Address Resolution Protocol (ARP) middleman (man-in-the-middle) attacks
- IP/MAC spoofing attacks
A DHCP-enabled device supports the following features to secure data transmission:
- MAC address limitation
- DHCP snooping binding table
- Bindings of IP and MAC addresses
- Option 82
DHCP snooping can apply to both Layer-2 and Layer-3 interfaces, as shown in Figure 1 and Figure 2.
[Figure 1: DHCP snooping application on Layer-2 interfaces]
[Figure 2: DHCP snooping application on Layer-3 interfaces]
DHCP snooping is used to prevent the following attacks:
- DHCP exhaustion attacks
- Bogus DHCP server attacks
- Middleman attacks and IP/MAC spoofing attacks
- DoS attacks initiated by changing CHADDRs
The DHCP snooping working modes vary with the types of attacks, as shown in Table 1.
Table 1 Attack types and DHCP snooping working modes

| Attack Type | DHCP Snooping Working Mode |
|---|---|
| DHCP exhaustion attack | MAC address limitation |
| Bogus DHCP server attack | Trusted/untrusted |
| Middleman attack or IP/MAC address spoofing attack | DHCP snooping binding table |
| DoS attack initiated by changing CHADDRs | Check on CHADDR fields in DHCP messages |
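The following Python model is an added example, not part of this documentation and not a vendor implementation; it applies the four working modes in Table 1 (trusted/untrusted ports, CHADDR check, MAC address limitation, binding table lookup) to a constructed DHCP exchange. Interface names, MAC addresses and IP addresses in it are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# port: ingress interface; src_mac: frame source MAC; chaddr: CHADDR field of the DHCP
# header; kind: DISCOVER/REQUEST/OFFER/ACK; yiaddr: assigned address; lease: seconds.
DhcpMsg = namedtuple("DhcpMsg", "port vlan src_mac chaddr kind yiaddr lease", defaults=("", 0))

@dataclass
class DhcpSnooping:
    trusted: set                                     # ports facing the legitimate server
    mac_limit: int = 2                               # MAC address limitation per untrusted port
    bindings: dict = field(default_factory=dict)     # ip -> (mac, vlan, port, lease)
    client_port: dict = field(default_factory=dict)  # chaddr -> (vlan, port) of the client
    port_macs: dict = field(default_factory=dict)    # port -> set of client MACs seen

    def process(self, m: DhcpMsg) -> str:
        """Return 'forward' or a drop reason for one DHCP message."""
        if m.kind in ("OFFER", "ACK"):
            if m.port not in self.trusted:   # bogus server defence: replies only from trusted ports
                return "drop: server message on untrusted port"
            if m.kind == "ACK" and m.chaddr in self.client_port:
                self.bindings[m.yiaddr] = (m.chaddr,) + self.client_port[m.chaddr] + (m.lease,)  # client's vlan/port
            return "forward"
        if m.port not in self.trusted:       # client message on an untrusted port
            if m.chaddr != m.src_mac:        # CHADDR check against the frame's source MAC
                return "drop: CHADDR does not match source MAC"
            macs = self.port_macs.setdefault(m.port, set())
            if m.src_mac not in macs and len(macs) >= self.mac_limit:
                return "drop: MAC address limit reached on port"
            macs.add(m.src_mac)
        self.client_port[m.chaddr] = (m.vlan, m.port)
        return "forward"

    def ip_mac_valid(self, ip: str, mac: str, port: str) -> bool:
        """IP/MAC spoofing check: a packet must match a binding for its ingress port."""
        b = self.bindings.get(ip)
        return b is not None and b[0] == mac and b[2] == port

def demo() -> dict:
    """Constructed sample exchange (not captured traffic); returns verdicts and bindings."""
    s = DhcpSnooping(trusted={"GE0/0/1"}, mac_limit=1)
    c, a, srv = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:01:02:03:04:05"
    verdicts = [
        s.process(DhcpMsg("GE0/0/2", 10, c, c, "DISCOVER")),
        s.process(DhcpMsg("GE0/0/3", 10, a, c, "OFFER", "10.0.0.9")),    # rogue server reply
        s.process(DhcpMsg("GE0/0/1", 10, srv, c, "ACK", "10.0.0.7", 3600)),
        s.process(DhcpMsg("GE0/0/2", 10, c, a, "REQUEST")),              # forged CHADDR
        s.process(DhcpMsg("GE0/0/2", 10, a, a, "DISCOVER")),             # second MAC on port
    ]
    return {"verdicts": verdicts, "bindings": s.bindings}
```

Running `demo()` shows one forwarded DISCOVER, the rogue OFFER and the forged-CHADDR REQUEST dropped, one binding created from the ACK, and the second client MAC on the port rejected by the limit.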