This chapter covers
- DHCP-based attacks such as DHCP poisoning
- How DHCP Snooping protects against DHCP-based attacks
- Configuring DHCP Snooping on Cisco IOS switches
DHCP is almost ubiquitous in modern networks, allowing for the automatic configuration of IP addresses, netmasks, default gateways, DNS servers, and other configuration information on hosts; we covered DHCP in chapter 4. However, DHCP contains vulnerabilities that can be exploited if sufficient care is not taken. We looked at one example in chapter 11: DHCP exhaustion, which is a type of DoS attack that prevents legitimate user devices from leasing IP addresses from a DHCP server.
In this chapter, we’ll cover DHCP Snooping, a security feature on Cisco switches that protects against DHCP-based attacks by inspecting DHCP messages as they are received by the switch. DHCP Snooping is part of CCNA exam topic 5.7: Configure and verify Layer 2 security features (DHCP Snooping, Dynamic ARP Inspection, and Port Security).
13.1 DHCP-based attacks
Although DHCP is an essential part of modern networks, attackers can exploit it to harm the confidentiality, integrity, and availability of a network. We have already covered DHCP exhaustion attacks and how Port Security can be used to mitigate them. In this section, we’ll look at how DHCP can be exploited to perform a man-in-the-middle attack: DHCP poisoning.
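To make concrete what "inspecting DHCP messages as they are received by the switch" means, here is an added Python model of the two checks DHCP Snooping applies per port; it is example code written for this chapter, not code from the book or from Cisco IOS. It assumes the behaviour the chapter goes on to describe: server messages (OFFER, ACK, NAK) are dropped when they arrive on an untrusted port, and on untrusted ports the client hardware address (chaddr) inside the message must match the frame's source MAC. The port names, MAC addresses and DHCP payloads are constructed for the example.

```python
# Added, simplified model of the DHCP Snooping checks a switch applies to
# each DHCP message it receives. Port names and MAC addresses are constructed.

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2132)
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
BOOTREQUEST, BOOTREPLY = 1, 2

# DHCP message type option values (RFC 2132, option 53)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# Messages only a DHCP server should send; these are dropped on untrusted ports
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def dhcp_message_type(payload: bytes) -> str:
    """Walk the DHCP options field and return the message type name."""
    # The fixed BOOTP header is 236 bytes; the magic cookie follows it.
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MESSAGE_TYPE and length == 1:
            return MESSAGE_TYPES.get(value[0], "UNKNOWN")
        i += 2 + length
    raise ValueError("DHCP message type option missing")


def snooping_verdict(payload, src_mac, ingress_port, trusted_ports, verify_mac=True):
    """Return (action, reason) for one DHCP message received on ingress_port.

    Trusted ports (uplinks towards the real DHCP server) pass everything.
    Untrusted ports (client-facing) may not carry server messages, and the
    chaddr field in the message must match the frame's source MAC.
    """
    msg_type = dhcp_message_type(payload)
    op = payload[0]                 # BOOTREQUEST (client) or BOOTREPLY (server)
    hlen = payload[2]               # hardware address length, 6 for Ethernet
    chaddr = payload[28:28 + hlen]  # client hardware address field
    if ingress_port in trusted_ports:
        return ("FORWARD", f"{msg_type} on trusted port {ingress_port}")
    if op == BOOTREPLY or msg_type in SERVER_MESSAGES:
        return ("DROP", f"{msg_type} from untrusted port {ingress_port}")
    if verify_mac and chaddr != src_mac:
        return ("DROP", f"{msg_type} chaddr {chaddr.hex()} != source MAC {src_mac.hex()}")
    return ("FORWARD", f"{msg_type} from untrusted port {ingress_port}")


def build_dhcp(msg_type: int, chaddr: bytes) -> bytes:
    """Construct a minimal DHCP payload for the examples (most fields zeroed)."""
    op = BOOTREPLY if MESSAGE_TYPES[msg_type] in SERVER_MESSAGES else BOOTREQUEST
    header = bytes([op, 1, 6, 0])          # op, htype=Ethernet, hlen=6, hops
    header += b"\x00" * 24                  # xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\x00")     # chaddr (16 bytes)
    header += b"\x00" * (64 + 128)          # sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    TRUSTED = {"Gi0/1"}                       # constructed uplink to the legitimate server
    client = bytes.fromhex("0a0000000001")    # constructed client MAC
    rogue = bytes.fromhex("0a0000000099")     # constructed MAC of an unexpected server
    # An OFFER arriving on a client-facing port is dropped; the same OFFER on the uplink passes.
    print(snooping_verdict(build_dhcp(2, client), rogue, "Gi0/3", TRUSTED))
    print(snooping_verdict(build_dhcp(2, client), rogue, "Gi0/1", TRUSTED))
    # A DISCOVER passes only when chaddr matches the frame's source MAC.
    print(snooping_verdict(build_dhcp(1, client), client, "Gi0/2", TRUSTED))
    print(snooping_verdict(build_dhcp(1, client), rogue, "Gi0/2", TRUSTED))
```

The first check is what stops DHCP poisoning: a switch that trusts only the port leading to the real server never forwards an OFFER or ACK that originates elsewhere. The second check (the chaddr comparison) is what makes the exhaustion attack from chapter 11 harder, since a DISCOVER flood that uses a different chaddr in every message no longer matches the sending frame's MAC.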