
What Is DHCP Snooping and How It Works?

Sheldon · Jul 07, 2022 · 1 min read

In modern network environments, the Dynamic Host Configuration Protocol (DHCP) simplifies the assignment of IP addresses, but also poses security risks. To prevent such risks, network administrators can enable DHCP Snooping to enhance network security. This article will introduce the definition of DHCP snooping, how it works, common attacks prevented by DHCP snooping, and best practices to help you better understand DHCP snooping.
What Is DHCP Snooping and Why Is It Important?
DHCP Snooping is a Layer 2 security feature deployed on a network switch to monitor and filter DHCP traffic. By classifying switch ports as “trusted” or “untrusted,” DHCP Snooping ensures that only authorized DHCP servers can respond to client requests. All DHCP communications from untrusted ports are scrutinized, and malicious or unexpected responses are dropped.
Specifically, the DHCP Snooping feature performs the following activities:
Validates DHCP messages from untrusted sources and filters out invalid messages.
Builds and maintains the DHCP Snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Utilizes the DHCP Snooping binding database to validate subsequent requests from untrusted hosts.
Through these mechanisms, DHCP Snooping effectively prevents unauthorized devices from acting as DHCP servers in the network, thus improving the overall security of the network. DHCP Snooping offers a number of benefits, such as:
IP Address Spoofing Prevention: DHCP Snooping protects against IP spoofing by allowing only authenticated DHCP transactions, preventing unauthorized devices from altering IP assignments within the network.
Defense Against Rogue DHCP Servers: Unauthorized DHCP servers can introduce incorrect configuration data, posing security risks. DHCP Snooping identifies and blocks these rogue servers, ensuring legitimate DHCP control.
Improved Network Reliability: By maintaining a dynamic binding table and validating DHCP traffic, DHCP Snooping supports network stability, prevents IP address conflicts, and ensures accurate IP configurations.
Protection from DHCP Starvation Attacks: These attacks aim to deplete a DHCP server’s IP address pool. DHCP Snooping mitigates this threat by regulating DHCP request flows and maintaining fair IP address distribution.
Securing VLAN Environments: In networks with multiple VLANs, DHCP Snooping adds a layer of protection by containing DHCP operations within individual VLANs, preventing cross-VLAN interference by unauthorized devices.
How Does DHCP Snooping Work?
To understand how DHCP Snooping works, we first need to understand how DHCP (Dynamic Host Configuration Protocol) itself works. When DHCP is enabled, a network device that does not yet have an IP address goes through four phases of exchange with the DHCP server: Discover, Offer, Request, and Acknowledge. The details of each phase are shown in the following figure.
Port Classification
DHCP Snooping generally classifies interfaces on the switch into two categories: trusted and untrusted ports as shown in the following figure.
Trusted Ports: Ports through which legitimate DHCP server messages are expected. Typically, only uplink ports leading to a legitimate DHCP server are designated as trusted.
Untrusted Ports: Ports on which DHCP server messages are not trusted. Once DHCP Snooping is enabled, DHCP offer messages are accepted only when they arrive on a trusted port; an offer arriving on an untrusted port is dropped.
Message Inspection and Filtering
When a DHCP message enters a switch:
If it’s coming from an untrusted port and is a DHCP response (e.g., DHCPOFFER/DHCPACK), the switch drops it.
If it’s a DHCP request from an untrusted port, the switch forwards it to the trusted side (server or relay).
If it’s a legitimate response from a trusted port, the switch inspects the packet and updates its DHCP snooping binding table based on the client’s MAC address, assigned IP, VLAN, and port.
Binding Table Construction
In the acknowledgment stage, a DHCP binding table entry is created from the DHCP ACK message. The entry records the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface associated with the host, as shown in Figure 3. If a subsequent DHCP packet received from an untrusted host does not match the recorded information, it is dropped.

| Entry   | MAC Address       | IP Address  | Lease (sec) | Type          | VLAN | Interface |
|---------|-------------------|-------------|-------------|---------------|------|-----------|
| Entry 1 | e4-54-e8-9d-ab-42 | 10.32.96.19 | 2673        | dhcp-snooping | 10   | Eth 1/23  |
| Entry 2 | ...               | ...         | ...         | ...           | ...  | ...       |
| Entry 3 | ...               | ...         | ...         | ...           | ...  | ...       |
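To make the inspection rules above concrete, here is an added example (not code from the original article or from any switch vendor) that models a DHCP snooping engine in Python: port classification, dropping server messages on untrusted ports, learning the binding table from the server's ACK, checking a later RELEASE against that table, and the per-port rate limit used against starvation attacks. The port names, the rate-limit value and the packet field names are assumptions for this example; the sample exchange is constructed and reuses the entry shown in the table.

```python
from collections import defaultdict, namedtuple

# Hypothetical switch layout for this example: only the uplink to the real DHCP server is trusted.
TRUSTED_PORTS = {"Eth 1/1"}
RATE_LIMIT = 3          # max DHCP packets accepted per untrusted port per window (assumed value)
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
Binding = namedtuple("Binding", "mac ip lease vlan port type")   # one row of the binding table

class DhcpSnooping:
    def __init__(self):
        self.bindings = {}                 # client MAC -> Binding learned from a server ACK
        self.pending = {}                  # client MAC -> (vlan, port) of a forwarded request
        self.counters = defaultdict(int)   # untrusted port -> DHCP packets seen in this window

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one DHCP packet; pkt is a dict of header fields."""
        port, mac, kind = pkt["port"], pkt["mac"], pkt["type"]
        if port in TRUSTED_PORTS:
            if kind == "ACK" and mac in self.pending:        # learn the lease the server granted
                vlan, client_port = self.pending.pop(mac)
                self.bindings[mac] = Binding(mac, pkt["yiaddr"], pkt["lease"], vlan, client_port, "dhcp-snooping")
            return "forward"
        self.counters[port] += 1
        if self.counters[port] > RATE_LIMIT:
            return "drop"          # starvation defence: too many DHCP packets from one access port
        if kind in SERVER_MSGS:
            return "drop"          # server reply arriving on an untrusted port: rogue DHCP server
        if kind == "RELEASE":
            b = self.bindings.get(mac)
            if b is None or (b.ip, b.vlan, b.port) != (pkt["ciaddr"], pkt["vlan"], port):
                return "drop"      # does not match the binding table: spoofed release of a lease
        else:
            self.pending[mac] = (pkt["vlan"], port)
        return "forward"           # client request, relayed towards the trusted side

def run_demo():
    """Constructed exchange: one legitimate lease, a rogue offer, a spoofed release, a flood."""
    client = "e4-54-e8-9d-ab-42"
    events = [
        dict(type="DISCOVER", mac=client, port="Eth 1/23", vlan=10),
        dict(type="OFFER", mac=client, port="Eth 1/1", vlan=10),
        dict(type="REQUEST", mac=client, port="Eth 1/23", vlan=10),
        dict(type="ACK", mac=client, port="Eth 1/1", vlan=10, yiaddr="10.32.96.19", lease=2673),
        dict(type="OFFER", mac=client, port="Eth 1/24", vlan=10),                          # rogue server
        dict(type="RELEASE", mac=client, port="Eth 1/24", vlan=10, ciaddr="10.32.96.19"),  # wrong port
    ] + [dict(type="DISCOVER", mac=f"02-00-00-00-00-{i:02x}", port="Eth 1/7", vlan=10) for i in range(4)]
    sw = DhcpSnooping()
    return [sw.inspect(e) for e in events], sw.bindings
```

Running `run_demo()` returns the per-packet decisions (the rogue offer, the spoofed release and the fourth flood packet are dropped) together with a binding table holding exactly the entry from the table above.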
Common Attacks Prevented by DHCP Snooping
DHCP snooping not only protects against simple DHCP spoofing attacks but also helps mitigate a variety of related threats. Below are some common attack vectors:
DHCP Spoofing Attack
Mechanism
In a DHCP spoofing attack, a malicious actor sets up a fake DHCP server in the network. This spoofed server responds to DHCP requests from clients by providing them with incorrect IP configurations, such as wrong IP addresses, gateways, and DNS servers. This behavior can lead to traffic interception, redirection to malicious websites, or even an entire network outage.
While both terms are often mentioned together, it's essential to understand the difference between DHCP spoofing vs snooping. DHCP spoofing is an attack technique used to manipulate network behavior, whereas DHCP snooping is a defense mechanism that monitors and controls DHCP traffic to prevent such manipulation. In short, spoofing aims to deceive, while snooping is designed to detect and block that deception before it causes harm.
How DHCP Snooping Helps:
DHCP Snooping mitigates this threat by establishing a trusted relationship with a specified DHCP server. It accepts DHCP offer messages only from trusted ports, effectively blocking any offer messages from untrusted sources. By filtering out unauthorized DHCP responses, DHCP Snooping ensures that clients receive only valid configurations from legitimate servers.
DHCP Starvation Attack
Mechanism
A DHCP starvation attack targets the network's DHCP server, flooding the authorized server with DHCP REQUEST messages that carry spoofed source MAC addresses. Not recognizing the flood as an attack, the DHCP server responds to every request by assigning an available IP address, until the DHCP pool is depleted.
How DHCP Snooping Helps:
To tackle DHCP starvation attacks, DHCP snooping applies rate limiting on untrusted interfaces, capping the number of DHCP requests that a single source can generate. By enforcing these limits, the DHCP server is protected from being overwhelmed by excessive requests. Additionally, DHCP snooping tracks MAC address assignments, so suspicious activity can be flagged and investigated quickly.
Man-in-the-Middle Attacks (via DHCP Spoofing)
Mechanism
In a man-in-the-middle attack, an attacker can intercept communications between a client and a legitimate server. This can be done in a variety of ways, including ARP spoofing, DNS spoofing, and so on. This allows the attacker to obtain sensitive information, tamper with data, or plant malicious content.
How DHCP Snooping Helps:
DHCP Snooping effectively stops man-in-the-middle attacks by ensuring that only authenticated DHCP servers are able to provide IP configurations. The binding database tracks legitimate IP address assignments and their corresponding MAC addresses. If a client receives a response from an untrusted source, the DHCP Snooping feature discards the response, preventing attackers from intercepting the communication.
How to Enable DHCP Snooping
DHCP Snooping applies only to wired users. As an access layer security feature, it is typically enabled on every switch that has access ports in a VLAN served by DHCP.
Enabling DHCP Snooping on the switch typically includes the following steps:
Log in to the switch, then enter configuration mode
Enable the DHCP Snooping feature
Specify the VLANs to protect
Mark Trusted Ports
Configure rate limiting on Untrusted Ports (optional but recommended)
Verify the configuration and check the DHCP Snooping Binding Table
Please note that specific commands may vary depending on the switch model and operating system. During configuration, make sure that only ports connected to legitimate DHCP servers are set as trusted ports; other ports should remain untrusted.
Conclusion
In summary, DHCP snooping is a simple yet effective security feature that protects your network from DHCP spoofing attacks. Operating at Layer 2, it filters DHCP traffic from untrusted ports and applies rate limits to DHCP requests, preventing unauthorized devices from acting as rogue DHCP servers.
To safeguard your network and maintain stable, secure connectivity, it’s highly recommended to enable DHCP Snooping in your actual network environment—especially in enterprise and campus networks where DHCP-based threats are more likely.
Looking to implement DHCP Snooping effectively? Explore our range of managed switches that fully support DHCP Snooping and other advanced security features.