Mitigate DHCP Attacks

DHCP Attack Review

The goal of a DHCP starvation attack is to create a Denial of Service (DoS) for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler uses a unique source MAC address for each DHCP request sent.

However, mitigating DHCP spoofing attacks requires more protection. Gobbler could be configured to use the actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the DHCP payload. This would render port security ineffective because the source MAC address would be legitimate.

DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.

DHCP Snooping

DHCP snooping does not rely on source MAC addresses. Instead, DHCP snooping determines whether DHCP messages are from an administratively configured trusted or untrusted source. It then filters DHCP messages and rate-limits DHCP traffic from untrusted sources.

Devices under your administrative control, such as switches, routers, and servers, are trusted sources. Any device beyond the firewall or outside your network is an untrusted source. In addition, all access ports are generally treated as untrusted sources. The figure shows an example of trusted and untrusted ports.

The diagram shows a DHCP server at the upper right of the topology, connected to a distribution switch below it. That distribution switch is connected to a second distribution switch to its left and to an access switch below it. The second distribution switch also has an access switch connected below it. Both access switches connect to both distribution switches, but not to each other. The access switch on the right has a PC below it, and the other access switch has a PC with a rogue character under it. Trusted ports are marked with a purple square and untrusted ports with a red circle. There are purple squares on the link between the DHCP server and the distribution switch and on every link between the switches, but red circles on the links between the two PCs and their access switches.
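The trust-based filtering and rate limiting described above, as an added Python model (not code from the course or from any switch vendor): it drops server-side messages (OFFER, ACK, NAK) arriving on untrusted ports and err-disables an untrusted port that exceeds its per-second client-message limit, which is how the limit behaves on Cisco switches. The port names, the limit of 6, and the traffic are constructed for the demo.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# DHCP message types (option 53 values from RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}  # only a DHCP server legitimately sends these


@dataclass
class Port:
    name: str
    trusted: bool = False               # access ports default to untrusted
    rate_limit: Optional[int] = None    # max client DHCP messages per second
    err_disabled: bool = False          # set once the rate limit is exceeded
    window: deque = field(default_factory=deque)  # timestamps seen in the last second


class DhcpSnooper:
    """Per-port DHCP snooping filter: port trust decides, not the source MAC."""
    def __init__(self) -> None:
        self.ports = {}

    def add_port(self, name: str, trusted: bool = False, rate_limit: Optional[int] = None) -> None:
        self.ports[name] = Port(name, trusted, rate_limit)

    def inspect(self, port_name: str, msg_type: int, now: float) -> str:
        # Returns "forward" or a "drop:<reason>" verdict for one DHCP message.
        port = self.ports[port_name]
        if port.trusted:                  # uplink toward the real server: never filtered
            return "forward"
        if port.err_disabled:
            return "drop:port-err-disabled"
        if msg_type in SERVER_MESSAGES:   # a server message arriving from an access port
            return "drop:server-message-on-untrusted-port"
        if port.rate_limit is not None:   # sliding one-second window of client messages
            while port.window and now - port.window[0] >= 1.0:
                port.window.popleft()
            port.window.append(now)
            if len(port.window) > port.rate_limit:
                port.err_disabled = True  # modelled on a switch err-disabling the port
                return "drop:rate-limit-exceeded"
        return "forward"


def run_demo() -> dict:
    """Constructed traffic: a rogue OFFER, the real server's OFFER, then a DISCOVER flood."""
    snoop = DhcpSnooper()
    snoop.add_port("Gi0/1", trusted=True)   # uplink toward the DHCP server
    snoop.add_port("Fa0/2", rate_limit=6)   # access port holding the rogue PC
    return {
        "rogue_offer": snoop.inspect("Fa0/2", OFFER, 0.0),
        "server_offer": snoop.inspect("Gi0/1", OFFER, 0.1),
        "flood": [snoop.inspect("Fa0/2", DISCOVER, 0.2 + i * 0.01) for i in range(8)],
    }
```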


Mitigate ARP Attacks