Rogue dhcp: what it is and how to stop it on your network using dhcp snooping.

The good thing about networking is that you do not need all the configurations in this world to get your network up and running. A few lines of commands will get you up and running in no time. The bad thing however, is that the little things you overlook may come back to hunt. In this piece, we will look at dhcp snooping and why it is important you use it to guard against rogue dhcp on your network.
For a dhcp client that connects to your networks, a process known as DORA will take place. First the client discovers the server, then the server offers an address, the client picks one of the addresses that have been offered, and finally, the server acknowledges the request and  the address becomes leased to the client.
As good as the process is, cyber criminals have found vulnerabilities in it.
For example, the client does not know if the discovered dhcp server is the legitimate dhcp server; it only sends out a discovery request and the server responds. Man-in-the-middle attacks happen when users run applications on a connected computer on the LAN that promotes such computer to a dhcp server. Once this happens, the system can quickly respond to dhcp discovery request from clients. The system serving as a rogue dhcp server will lease out IPs as well as its own IP as the default gateway. This means that all traffics from the hosts will be forwarded via the rogue dhcp server. The user on that system (rouge dhcp server) can then use a packet sniffer to sniff and analyze user packets.
You may also like:  How to configure multiple dhcp for different vlans in Cisco Packet Tracer 

To guard against things like this, network administrators are to configure dhcp snooping on a switchport to allow a dhcp server to be plugged to it. What this means is that if a port has not been configured as a trusted port and a system connected to that port is promoted to a dhcp server, that port will be disabled.  If the router acts as the dhcp server for the LAN, then the port on which the router is connected must be configured as a trusted port. If a local server is serving as a dhcp server for the LAN, then the port on which it is connected must be configured as a dhcp trusted port. Below commands show how it is configured:

How to configure dhcp snooping

sw1(config)#ip dhcp snooping vlan 1
sw1(config)#ip dhcp snooping 
sw1(config)#int f0/1
sw1(config-if)#ip dhcp snooping trust
That is all that is required to guard against rogue dhcp/man-in-the-middle attacks on your network. To verify, use the privilege-level command #show ip dhcp snooping binding 


Spread the love

Leave a Comment