What Is DHCP Snooping and How It Works?
Updated at Jul 7th 2022 | 1 min read

"Why can't I access the network even though my laptop has acquired an IP address dynamically?" Have you run into this problem? Have you suspected that the IP address is not genuine, that is, that it did not come from the authorized DHCP server? If it did not, how can that be prevented? In this post we introduce DHCP Snooping, a feature that helps keep illegitimate IP addresses off the network.
What Is DHCP Snooping?
DHCP Snooping is a layer 2 security technology incorporated into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. DHCP Snooping prevents unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients.
DHCP Snooping offers a number of benefits, such as increased security, reduced network downtime, and lower bandwidth consumption. It protects the network from a variety of attacks by validating DHCP messages and filtering out potentially malicious offers. This creates a more secure environment where only legitimate devices can communicate, thus protecting sensitive data and preventing unauthorized access. In addition, DHCP Snooping helps reduce network downtime due to unauthorized server activity by allowing only authorized DHCP servers to assign IP addresses. Finally, by limiting the number of devices that can obtain IP addresses from rogue DHCP servers, it effectively reduces the amount of bandwidth consumed by these devices.
The DHCP Snooping feature performs the following activities:
Validates DHCP messages from untrusted sources and filters out invalid messages.
Builds and maintains the DHCP Snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Utilizes the DHCP Snooping binding database to validate subsequent requests from untrusted hosts.
How Does DHCP Snooping Work?
To understand how DHCP Snooping works, we first need to understand the working mechanism of DHCP (Dynamic Host Configuration Protocol). When DHCP is enabled, a network device that does not yet have an IP address goes through four phases of interaction with the DHCP server: Discover, Offer, Request, and Acknowledge. The details of each phase are shown in the following figure.

DHCP Snooping generally classifies interfaces on the switch into two categories: trusted and untrusted ports as shown in the following figure.
Trusted Ports: Ports through which legitimate DHCP server messages are expected. Typically, only uplink ports leading to a legitimate DHCP server are designated as trusted.
Untrusted Ports: Ports on which DHCP server messages are not trusted. Once DHCP Snooping is enabled, a DHCP offer message is forwarded only if it arrives on a trusted port; an offer arriving on an untrusted port is dropped.

In the acknowledgment stage, a DHCP binding table is built from the DHCP ACK message. It records the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface associated with the host, as shown in Figure 3. If a subsequent DHCP packet received from an untrusted host does not match the recorded information, it is dropped.
Entry   | MAC Address       | IP Address  | Lease (sec) | Type          | VLAN | Interface
Entry 1 | e4-54-e8-9d-ab-42 | 10.32.96.19 | 2673        | dhcp-snooping | 10   | Eth 1/23
Entry 2 |                   |             |             |               |      |
Entry 3 |                   |             |             |               |      |
...     |                   |             |             |               |      |
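The trusted/untrusted filtering and the binding-table validation described above, as an added Python model (not FS code or any switch's implementation): OFFER/ACK frames are dropped unless they arrive on a trusted port, an ACK on a trusted port creates a binding row with the columns of Figure 3, and a RELEASE from an untrusted host is forwarded only if it matches that row, ingress port included. The check that the frame's source MAC equals the DHCP chaddr field is an assumed extra validation, and the ports, MACs and addresses are constructed sample values.

```python
from collections import namedtuple

# kind: DISCOVER/OFFER/REQUEST/ACK/RELEASE; port: ingress switch port; src_mac: Ethernet source;
# chaddr: client MAC in DHCP payload; yiaddr: server-assigned IP; ciaddr: IP the client claims; lease: secs
Dhcp = namedtuple("Dhcp", "kind port vlan src_mac chaddr yiaddr ciaddr lease",
                  defaults=("", "", 0))
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # (vlan, mac) -> binding row with the columns of Figure 3
        self.pending = {}   # (vlan, mac) -> untrusted port the client's request came from

    def process(self, p):
        """Return 'FORWARD' or 'DROP: <reason>' and update the binding table."""
        key = (p.vlan, p.chaddr)
        if p.kind in SERVER_MSGS:
            if p.port not in self.trusted:
                return "DROP: server message on untrusted port"  # rogue server
            if p.kind == "ACK" and key in self.pending:          # learn the binding
                self.bindings[key] = {"mac": p.chaddr, "ip": p.yiaddr, "lease": p.lease, "vlan": p.vlan,
                                      "type": "dhcp-snooping", "interface": self.pending.pop(key)}
            return "FORWARD"
        if p.port in self.trusted:
            return "FORWARD"          # client messages on trusted ports are not inspected
        if p.src_mac != p.chaddr:     # assumed MAC-verification check: spoofed source MAC
            return "DROP: chaddr does not match source MAC"
        if p.kind == "RELEASE":       # must match the learned binding, ingress port included
            b = self.bindings.get(key)
            if b is None or b["ip"] != p.ciaddr or b["interface"] != p.port:
                return "DROP: no matching binding"
            del self.bindings[key]
            return "FORWARD"
        self.pending[key] = p.port    # remember which access port is asking
        return "FORWARD"

def demo():
    """Constructed exchange: legitimate lease, rogue offer, release from the wrong port."""
    s, mac, srv = Snooper({"Eth 1/1"}), "e4-54-e8-9d-ab-42", "aa-bb-cc-00-00-01"
    frames = [
        Dhcp("DISCOVER", "Eth 1/23", 10, mac, mac),
        Dhcp("OFFER", "Eth 1/7", 10, "00-11-22-33-44-55", mac, yiaddr="10.32.96.250"),
        Dhcp("OFFER", "Eth 1/1", 10, srv, mac, yiaddr="10.32.96.19"),
        Dhcp("REQUEST", "Eth 1/23", 10, mac, mac),
        Dhcp("ACK", "Eth 1/1", 10, srv, mac, yiaddr="10.32.96.19", lease=2673),
        Dhcp("RELEASE", "Eth 1/9", 10, mac, mac, ciaddr="10.32.96.19"),
        Dhcp("RELEASE", "Eth 1/23", 10, mac, mac, ciaddr="10.32.96.19"),
    ]
    return [s.process(f) for f in frames], s.bindings
```

The second OFFER is dropped because it arrives on access port Eth 1/7, and the first RELEASE is dropped because the binding learned from the ACK ties the lease to Eth 1/23.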
Common Attacks Prevented by DHCP Snooping
DHCP Spoofing Attack
In a DHCP spoofing attack, a malicious actor sets up a fake DHCP server in the network. This spoofed server responds to DHCP requests from clients by providing them with incorrect IP configurations, such as wrong IP addresses, gateways, and DNS servers. This behavior can lead to traffic interception, redirection to malicious websites, or even an entire network outage.
How DHCP Snooping Prevents This:
DHCP Snooping mitigates this threat by establishing a trusted relationship with a specified DHCP server. It allows only DHCP offer messages from trusted ports, effectively blocking any offer messages from untrusted sources. By filtering out unauthorized DHCP responses, DHCP Snooping ensures that clients receive only valid configurations from legitimate servers.
DHCP Starvation Attack
A DHCP starvation attack targets the network's DHCP server by flooding the authorized server with DHCP REQUEST messages that carry spoofed source MAC addresses. Not recognizing the starvation attack, the server answers every request by assigning an available IP address, until the DHCP pool is depleted.
How DHCP Snooping Prevents This:
To tackle DHCP starvation attacks, DHCP snooping implements rate-limiting on trusted interfaces, controlling the number of DHCP requests that can be generated from a single source. By enforcing these limits, the DHCP server is protected from being overwhelmed by excessive requests. Additionally, DHCP snooping tracks MAC address assignments, ensuring any suspicious activities can be flagged and investigated quickly.
Man-in-the-Middle Attacks (via DHCP Spoofing)
In a man-in-the-middle attack, an attacker can intercept communications between a client and a legitimate server. This can be done in a variety of ways, including ARP spoofing, DNS spoofing, and so on. This allows the attacker to obtain sensitive information, tamper with data, or plant malicious content.
How DHCP Snooping Prevents This:
DHCP Snooping effectively stops man-in-the-middle attacks by ensuring that only authenticated DHCP servers are able to provide IP configurations. The binding database tracks legitimate IP address assignments and their corresponding MAC addresses. If a client receives a response from an untrusted source, the DHCP Snooping feature discards the response, preventing attackers from intercepting the communication.
How to Enable DHCP Snooping?
DHCP Snooping is only applicable to wired users. As an access-layer security feature, it is typically enabled on every switch that has access ports in a VLAN served by DHCP. When deploying DHCP Snooping, configure the trusted ports (the ports through which legitimate DHCP server messages will flow) before enabling DHCP Snooping on the VLAN you wish to protect; otherwise legitimate offers would be dropped along with rogue ones. This can be done from either the CLI or the Web GUI.
Conclusion
Though DHCP simplifies IP addressing, it raises security concerns at the same time. To address them, DHCP Snooping, one of the available protection mechanisms, blocks invalid DHCP addresses from rogue DHCP servers and wards off the resource-exhausting attack that attempts to use up all available DHCP addresses. FS S5860-20SQ switches fully support this feature to protect your network.