4.4.g DHCP Spoofing

When a host connects to a network it will send a ‘DHCP Discovery’ message (Broadcast) asking for an IP address. The DHCP server on the network will receive this message and respond with a ‘DHCP Offer’ the host will receive this message and in return will send back a ‘DHCP Request’ which basically tells the DHCP server that it is happy with the IP address it has been offered, finally the server with send back a ‘DHCP Ack’ telling the host ok its all yours.

So as you may have noticed there are 4 DHCP messages used here. A good way to remember them is using an image of DORA The Explorer. There are 2 server and 2 client (host) messages.

  • DHCP Discovery (client/host)
  • DHCP Offer (DHCP server)
  • DHCP Request (client/host)
  • DHCP Ack (DHCP server)

DHCP Spoofing

DHCP spoofing is where an attacker adds a rogue DHCP server to the network. As part of the attack they will also launch a DHCP starvation attack.  A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as “the gobbler”. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers.

The next step is to make the rogue DHCP available on the network to hand out new IP addresses, default gateway and DNS configuration from a different subnet range. Client devices will get an IP address from this range along with a default gateway pointing to the rogue DHCP server. If a client needs to get off its local subnet it will send the traffic to the default gateway in this case the rogue DHCP server, we now have what is known as a MITM (Man In The Middle). Because the attacker is so nice he or she will forward the request onto the correct default gateway so the clients traffic can get to where it needs to and the client will never know someone has carried out a Man In The Middle attack using DHCP Spoofing.

DHCP Snooping

What can be done to stop this attack from being successful? We can enable a feature called DHCP Snooping on our switch. This puts all switch ports into Untrusted mode. When a port is in this state it blocks the server DHCP messages from being allowed on the port (DHCP Offer, DHCP Ack). This will stop an attacker that is running software that acts as a DHCP server on their computer from successfully sending DHCP server messages on the network. To allow the real DHCP server reply to DHCP Discovery messages we make the port that the real DHCP is on a ‘Trusted port’. This port is allowed to pass ALL DHCP messages on it.

Enable DHCP Snooping

To enable DHCP Snooping on a switch use the following commands.

#ip dhcp snooping (globally)

Remember by default all ports become untrusted ports. So to allow the real DHCP server in your network respond to DHCP Discovery messages you must make the port a trusted port.

#interface fa0/1

#ip dhcp snooping trust

You also have to set it on your VLANs

#ip dhcp snooping vlan 1,3,5

One thing to note is if you have multiple switches in your network connected via trunk ports so for example SW1 is an access switch and SW2 is core switch which has the DHCP server on it you need to set the trunk port on the access switch to a trusted port to allow the DHCP messages across that link.