
Dive into DHCP Snooping




Introduction


So, for some reason, I love DHCP when it comes to labs. Not because it makes life easier when you have lots of devices to address, but because it is an asset for troubleshooting LAN-side problems. It's just nice to have a DHCP server in your lab and network. Like every other piece of kit, however, it is susceptible to attacks.


One form of attack is a DHCP starvation attack. This is where a "Threat Actor" sends a large number of illegitimate requests for IP addresses, using some kind of IP gobbler tool. The server (doing what it does best) leases all available IP addresses. Then, when an actual client wishes to join the network, no addresses are available. This is a simple DoS (Denial of Service) attack, preventing end users from connecting to your network.


Another form of attack is a rogue DHCP server, where a threat actor offers illegitimate IP information to legitimate clients. This may not sound too mischievous at first, but it is likely to be more problematic if not addressed, because rogue DHCP could be the start of a bigger attack where the target is data, not disruption. At the very least, this kind of attack puts the threat actor in a Man-in-the-Middle position.


Obviously, these are problems we need to address. The solution is DHCP snooping. This layer 2 tool allows us to set up "Trusted" and "Untrusted" ports. It's worthwhile addressing the terms now because they are a little misleading and you may make an incorrect assumption.

Trusted - refers to the interface(s) that your DHCP server is connected to: a trusted source of DHCP-leased addresses.

Untrusted - is literally every other interface, even interfaces connecting to your own equipment that you know requires an address.



Instructions


In this lab (Download lab pack here) we will demonstrate both attacks, then configure and test DHCP snooping to address the attacks.

  1. View attacks in action

  2. Set up DHCP snooping

  3. Attempt attacks again


Topology



IP Table


Device               Interface   IP Address
DHCP Server          Eth0        192.168.1.254/24
DHCP Clients         Eth0        192.168.1.0/24
DHCP Gobbler         Multiple    192.168.1.0/24
Rogue DHCP Server    Eth0        172.16.66.254/24


Activity

Part 1 - View attacks in Action

Let's get into it.

Step 1 - Attack in Action

Firstly, it is worthwhile looking at the DHCP server configuration settings to know what we are working with.


In Packet Tracer


DHCP is configured to start at 192.168.1.20 and (importantly to this lab) is set to only lease a maximum of 20 addresses.


Now, let's test that DHCP is working as it should. Go to PC-A and set it to obtain an IP address automatically. If it is successful, you should get an IP address, which you can check from the command line.


C:\>ipconfig /all
FastEthernet0 Connection:(default port)

   Connection-specific DNS Suffix..: 
   Physical Address................: 00E0.B065.4D91
   Link-local IPv6 Address.........: FE80::2E0:B0FF:FE65:4D91
   IPv6 Address....................: ::
   IPv4 Address....................: 192.168.1.20
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: ::
                                     192.168.1.1
   DHCP Servers....................: 192.168.1.254
   DHCPv6 IAID.....................: 
   DHCPv6 Client DUID..............: 00-01-00-01-38-76-B2-E2-00-E0-B0-65-4D-91
   DNS Servers.....................: ::
                                     8.8.8.8
C:\>

Step 2 - The Gobbler

Now you will want to connect the DHCP gobbler to the network.

In Packet Tracer this is a "Cloud Network" consisting of multiple machines, all connected to a switch, to simulate the software that would achieve this from a single device.

In Packet Tracer, make the following connection (switch to Simulation mode if you want to watch what happens):

DHCP Gobbler > HackSwitch > GigabitEthernet0/2 to McCube-S1 > FastEthernet0/24


At this point, the DHCP gobbler will consume all available DHCP addresses. Now connect PC-B to McCube-S1 (any port) and set IP configuration to automatic. You will now get an APIPA Address.

C:\> ipconfig /all
FastEthernet0 Connection:(default port)
   Connection-specific DNS Suffix..: 
   Physical Address................: 00E0.F774.CE37
   Link-local IPv6 Address.........: FE80::2E0:F7FF:FE74:CE37
   IPv6 Address....................: ::
   Autoconfiguration IP Address....: 169.254.206.55
   Subnet Mask.....................: 255.255.0.0
   Default Gateway.................: ::
                                     0.0.0.0
   DHCP Servers....................: 192.168.0.1
   DHCPv6 IAID.....................: 
   DHCPv6 Client DUID..............: 00-01-00-01-A4-6E-60-CC-00-E0-F7-74-CE-37
   DNS Servers.....................: ::
                                     0.0.0.0

Notice that the information about the DHCP server's address is correct.


Step 3 - Rogue DHCP Server

Connect the Rogue DHCP server to any switch port on McCube-S1, then connect PC-C to any available port on the switch and review the information that PC-C receives.


C:\> ipconfig /all 
FastEthernet0 Connection:(default port)
   Connection-specific DNS Suffix..: 
   Physical Address................: 0060.3ED3.173B
   Link-local IPv6 Address.........: FE80::260:3EFF:FED3:173B
   IPv6 Address....................: ::
   IPv4 Address....................: 172.16.66.122
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: ::
                                     172.16.66.254
   DHCP Servers....................: 172.16.66.254
   DHCPv6 IAID.....................: 
   DHCPv6 Client DUID..............: 00-01-00-01-3B-AA-99-9E-00-60-3E-D3-17-3B
   DNS Servers.....................: ::
                                     6.6.6.6 

You will see that PC-C now has illegitimate information.


Note - when you have two DHCP servers in a network, the first to reply to the DHCP Discover message is most likely to be the one chosen. If the legitimate DHCP server is in a remote network (as is common), it is more likely that the hacker's DHCP server (being a device connected to the LAN) will be the first to reply.
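As an added client-side check (written for this article, not part of the lab pack), the script below parses Packet Tracer's ipconfig /all output and reports what each attack looks like from the client: an APIPA fallback for starvation, or a lease from a server other than the lab's 192.168.1.254 for a rogue server. The sample inputs are trimmed copies of the three outputs shown in Part 1.

```python
# Added check for this article, not part of the lab pack: parse "ipconfig /all"
# output and flag the client-side symptoms of starvation and rogue DHCP.
import re

EXPECTED_SERVERS = {"192.168.1.254"}   # the lab's legitimate DHCP server
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\.*\s*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {label: [values]}; unlabeled indented lines continue the last label."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1), m.group(2).strip()
        else:
            value = line.strip()        # e.g. the second Default Gateway line
        if last and value:
            fields.setdefault(last, []).append(value)
    return fields

def classify(fields):
    """Map a client's view to: ok, starvation (APIPA fallback) or rogue server."""
    addrs = fields.get("IPv4 Address", []) + fields.get("Autoconfiguration IP Address", [])
    if any(a.startswith("169.254.") for a in addrs):
        return "starvation: client fell back to APIPA, no lease obtained"
    servers = set(fields.get("DHCP Servers", [])) - EXPECTED_SERVERS - {"::", "0.0.0.0"}
    if servers:
        return "rogue: lease came from " + ", ".join(sorted(servers))
    return "ok"

# Trimmed copies of the PC-A, PC-B and PC-C outputs from Part 1 of the lab.
PC_A = """\
   IPv4 Address....................: 192.168.1.20
   Default Gateway.................: ::
                                     192.168.1.1
   DHCP Servers....................: 192.168.1.254
"""
PC_B = """\
   Autoconfiguration IP Address....: 169.254.206.55
   DHCP Servers....................: 192.168.0.1
"""
PC_C = """\
   IPv4 Address....................: 172.16.66.122
   DHCP Servers....................: 172.16.66.254
"""

def audit():
    return {name: classify(parse_ipconfig(txt))
            for name, txt in (("PC-A", PC_A), ("PC-B", PC_B), ("PC-C", PC_C))}
```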


Part 2 - Set Up DHCP Snooping

Before continuing, you will need to reopen the entire activity. This is the quickest way to reset everything.


Step 1 - Enable DHCP Snooping

DHCP snooping is not on by default, so it needs to be turned on from global configuration mode.

McCube-S1#
McCube-S1# conf t
McCube-S1(config)# ip dhcp snooping 
McCube-S1(config)#

Step 2 - Configure Trusted Ports

The next step is to configure the interface we trust to be the source of our DHCP information. In this case, that is FastEthernet 0/1 on McCube-S1.

McCube-S1(config)#
McCube-S1(config)# interface fastethernet0/1
McCube-S1(config-if)# ip dhcp snooping trust
McCube-S1(config-if)# exit
McCube-S1(config)#

Step 3 - Configure untrusted ports

In this lab every other interface is considered untrustworthy. The task here is to force an interface to shut down should a large number of DHCP packets arrive within a set amount of time (the rate limit is expressed in packets per second), or should an untrusted interface try to respond to a DHCP Discover message.


To achieve this on all of these interfaces we will use the interface range command, followed by the ip dhcp snooping limit rate command.

McCube-S1(config)#
McCube-S1(config)# interface range f0/2-24 , g0/1-2
McCube-S1(config-if-range)# ip dhcp snooping limit rate 2
McCube-S1(config-if-range)#
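To make the trusted/untrusted logic from the introduction and the rate limit configured in this part concrete, here is an added Python model of what the switch is now doing per DHCP packet. It is an illustration written for this article, not Cisco IOS code; the port names, timestamps and MAC addresses are constructed, and the rate limit of 2 packets per second matches the command above.

```python
# Added model of the DHCP snooping behaviour configured in Part 2 (not Cisco code).
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server should send these

class SnoopingSwitch:
    def __init__(self, trusted, rate_limit=2):
        self.trusted = set(trusted)       # ports where the real server lives (f0/1)
        self.rate_limit = rate_limit      # DHCP packets per second on untrusted ports
        self.errdisabled = set()          # ports shut down by the rate limiter
        self.pending = {}                 # client chaddr -> untrusted port it asked on
        self.bindings = {}                # snooping binding table: chaddr -> (ip, port)
        self.window = defaultdict(deque)  # port -> timestamps seen in the last second

    def ingress(self, port, t, msg, src_mac, chaddr, yiaddr=None):
        """Decide one DHCP packet seen at time t on port: 'forward' or a drop reason."""
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted:          # trusted: no filtering, but learn bindings
            if msg == "ACK" and chaddr in self.pending:
                self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
            return "forward"
        win = self.window[port]           # untrusted: rate limit first (gobbler)
        win.append(t)
        while win[0] <= t - 1.0:
            win.popleft()
        if len(win) > self.rate_limit:
            self.errdisabled.add(port)
            return "drop: rate exceeded, port err-disabled"
        if msg in SERVER_MSGS:            # rogue server answering on an untrusted port
            return "drop: server message on untrusted port"
        if src_mac != chaddr:             # hwaddr verification (see the show output)
            return "drop: hwaddr mismatch"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = port
        return "forward"

def run_lab():
    """Replay the three lab scenarios against a switch trusting only f0/1."""
    sw, out = SnoopingSwitch(trusted={"f0/1"}), {}
    sw.ingress("f0/2", 0.0, "DISCOVER", "aa", "aa")            # PC-A (constructed MACs)
    sw.ingress("f0/1", 0.1, "OFFER", "sv", "aa", "192.168.1.20")
    sw.ingress("f0/2", 0.2, "REQUEST", "aa", "aa")
    out["ack"] = sw.ingress("f0/1", 0.3, "ACK", "sv", "aa", "192.168.1.20")
    out["binding"] = sw.bindings.get("aa")
    out["rogue"] = sw.ingress("f0/10", 1.0, "OFFER", "bb", "aa", "172.16.66.122")
    out["gobbler"] = [sw.ingress("f0/24", 2.0 + i / 10, "DISCOVER", f"g{i}", f"g{i}")
                      for i in range(4)]                        # 4 packets in 0.3 s
    out["errdisabled"] = sorted(sw.errdisabled)
    return out
```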

Part 3 - Attempt attacks again


  1. Set PC-A to obtain an IP address automatically; this should be successful.

  2. Connect HackSwitch G0/2 to any port on McCube-S1. The McCube-S1 interface should go down.

  3. Connect PC-B to any port on McCube-S1 and configure it to obtain an IP address automatically; this should be successful.

  4. Connect the Rogue DHCP server to any port on McCube-S1.

  5. Connect PC-C to any port on McCube-S1 and configure it to obtain an IP address automatically; this should be successful.

  6. Notice that the Rogue DHCP server details are not used.


Other Verifications

To verify your trusted port configuration, use the show ip dhcp snooping command.

McCube-S1# show ip dhcp snooping 
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/2            no         2               
FastEthernet0/3            no         2               
FastEthernet0/4            no         2               
FastEthernet0/5            no         2               
FastEthernet0/6            no         2               
FastEthernet0/7            no         2               
FastEthernet0/8            no         2               
FastEthernet0/9            no         2               
FastEthernet0/10           no         2               
FastEthernet0/11           no         2               
FastEthernet0/12           no         2               
FastEthernet0/13           no         2               
FastEthernet0/14           no         2               
FastEthernet0/15           no         2               
FastEthernet0/1            yes        unlimited       
FastEthernet0/23           no         2               
GigabitEthernet0/1         no         2               
GigabitEthernet0/2         no         2               
FastEthernet0/20           no         2               
FastEthernet0/18           no         2               
FastEthernet0/17           no         2               
FastEthernet0/19           no         2               
FastEthernet0/16           no         2               
FastEthernet0/21           no         2               
FastEthernet0/22           no         2               
FastEthernet0/24           no         2               
McCube-S1# 
