
DHCP Snooping

DHCP based Attack : Consider the following scenario. An attacker connects a laptop to the network and runs a rogue DHCP server on it. Because the initial DORA exchange (Discover, Offer, Request, Acknowledge) between DHCP client and server is sent to the broadcast address, the rogue server sees every client's Discover and can answer it with its own Offer. If that Offer reaches the client first, the client accepts the attacker's lease, including the attacker's choice of default gateway and DNS server, which places the attacker in the path of the client's traffic.

DHCP snooping : DHCP snooping is configured on the access switches that connect end devices, in order to prevent DHCP based attacks. It divides the interfaces of the switch into two classes:
Trusted Ports – Ports that connect devices under the administrator's control, such as other switches, routers and servers (including the uplink towards the real DHCP server), are made trusted.
Untrusted Ports – Ports that connect end devices such as PCs, laptops and access points are made untrusted. When snooping is enabled, every port is untrusted unless it is explicitly configured as trusted.
DHCP address leasing takes place after the exchange of DORA messages between the DHCP client and server. Two messages, Discover and Request, come from the client side, and two messages, Offer and Acknowledgement (or a NAK when the server refuses), come from the server side. Using this information, DHCP snooping works as follows:
If a trusted port receives Offer, Acknowledgement or NAK messages, they are forwarded unchanged.
If an untrusted port receives Offer, Acknowledgement or NAK messages, they are dropped, because these are messages that only a DHCP server sends, and no DHCP server should be connected to an untrusted port. A rogue server attached to a client port therefore never gets its Offer delivered to the clients.

The logic of untrusted ports can be a bit confusing. The whole real user population connects to untrusted ports, and a network administrator cannot know in advance which users are legitimate and which are attackers. The DHCP snooping function therefore keeps a record of every address leased through the switch in the DHCP snooping binding table. This table records the interface, VLAN and MAC address to which each IP address was leased, together with the lease time. The switch uses the binding table to validate later DHCP Release and Decline messages arriving on untrusted ports, and the same table is the source of truth for Dynamic ARP Inspection and IP Source Guard, which use it to stop ARP and IP spoofing in the LAN. DHCP snooping can also be configured to limit the number of DHCP packets per second arriving on an untrusted interface; on Cisco switches a port that exceeds the limit is put into the err-disabled state. This helps prevent DoS attacks, such as DHCP starvation floods, that consume the entire address pool or overload the DHCP server.
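The following Python script is an added example, not code from the original page or from any switch vendor. It models the snooping decisions described in the two passages above on one switch: server messages are dropped on untrusted ports, client Discover/Request messages are remembered so that the Acknowledgement arriving on the trusted uplink can be turned into a binding table entry, Release/Decline and chaddr spoofing from untrusted ports are checked against that table, and a per-port rate limit err-disables a flooding port. The port names (Gi1/0/1 as trusted uplink, Gi1/0/5 and Gi1/0/7 as client ports), MAC addresses, addresses and the rate limit of 3 packets per second are all constructed for illustration; the DHCP packets are built by the script itself, not captured.

```python
import struct
import ipaddress

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}           # only a DHCP server sends these
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=3600):
    """Construct a minimal BOOTP/DHCP packet (constructed sample input, not a capture)."""
    op = 2 if msg_type in SERVER_MSGS else 1      # 1 = BOOTREQUEST, 2 = BOOTREPLY
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp(pkt):
    """Pull out the fields snooping needs: message type, client MAC (chaddr), yiaddr, lease."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"mac": pkt[28:28 + pkt[2]].hex(":"),
            "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "msg_type": None, "lease": 0}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                            # 0 = pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if code == 53:
            info["msg_type"] = val[0]
        elif code == 51:
            info["lease"] = struct.unpack("!I", val)[0]
        i += 2 + length
    return info


class DhcpSnooper:
    """Per-switch snooping state: port trust, rate limits, pending client requests, bindings."""

    def __init__(self, trusted_ports, rate_limit=15):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit     # DHCP packets per second allowed on an untrusted port
        self.err_disabled = set()
        self.bindings = {}               # leased ip -> (mac, vlan, client port, lease seconds)
        self._pending = {}               # mac -> (port, vlan) of the client's last Discover/Request
        self._rate = {}                  # port -> [second bucket, packet count]

    def _over_rate(self, port, now):
        sec = int(now)
        bucket = self._rate.setdefault(port, [sec, 0])
        if bucket[0] != sec:             # new one-second window
            bucket[0], bucket[1] = sec, 0
        bucket[1] += 1
        return bucket[1] > self.rate_limit

    def handle(self, port, vlan, src_mac, pkt, now=0.0):
        """Decide 'forward' or 'drop: <reason>' for a DHCP packet received on a port."""
        d = parse_dhcp(pkt)
        t = d["msg_type"]
        if port in self.trusted:
            # Server replies are trusted; an ACK completes the binding for the waiting client,
            # recorded against the client's own (untrusted) port, not the uplink.
            if t == ACK and d["mac"] in self._pending:
                cport, cvlan = self._pending.pop(d["mac"])
                self.bindings[d["yiaddr"]] = (d["mac"], cvlan, cport, d["lease"])
            return "forward"
        # Everything below applies to untrusted (client-facing) ports.
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if self._over_rate(port, now):
            self.err_disabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if t in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if d["mac"] != src_mac.lower():      # chaddr must match the frame's source MAC
            return "drop: chaddr does not match source MAC"
        if t in (RELEASE, DECLINE) and not any(
                b[0] == d["mac"] and b[2] == port for b in self.bindings.values()):
            return "drop: release/decline without matching binding"
        if t in (DISCOVER, REQUEST):
            self._pending[d["mac"]] = (port, vlan)
        return "forward"


def demo():
    """Run a legitimate lease, a rogue server, a spoofed release and a starvation flood."""
    sw = DhcpSnooper(trusted_ports={"Gi1/0/1"}, rate_limit=3)
    client, server, attacker = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    r = []
    # 1. Normal DORA: client on Gi1/0/5, real server behind trusted uplink Gi1/0/1.
    r.append(sw.handle("Gi1/0/5", 10, client, build_dhcp(DISCOVER, client), now=1.0))
    r.append(sw.handle("Gi1/0/1", 10, server, build_dhcp(OFFER, client, "10.0.0.50")))
    r.append(sw.handle("Gi1/0/5", 10, client, build_dhcp(REQUEST, client), now=1.1))
    r.append(sw.handle("Gi1/0/1", 10, server, build_dhcp(ACK, client, "10.0.0.50")))
    # 2. Rogue server on untrusted Gi1/0/7 tries to answer the same client.
    r.append(sw.handle("Gi1/0/7", 10, attacker, build_dhcp(OFFER, client, "10.0.0.99"), now=1.2))
    # 3. Attacker forges the victim's MAC in chaddr to release the victim's lease.
    r.append(sw.handle("Gi1/0/7", 10, attacker, build_dhcp(RELEASE, client), now=1.3))
    # 4. Starvation flood: more Discovers in one second than the port limit allows.
    for _ in range(4):
        r.append(sw.handle("Gi1/0/7", 10, attacker, build_dhcp(DISCOVER, attacker), now=2.0))
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    for line in results:
        print(line)
    print("binding table:", switch.bindings)
```

On a Cisco IOS switch the behaviour modelled here is enabled with `ip dhcp snooping` and `ip dhcp snooping vlan 10` globally, `ip dhcp snooping trust` on the uplink interface and `ip dhcp snooping limit rate 15` on the client interfaces; `show ip dhcp snooping binding` displays the table the script builds in `bindings`.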
