DHCP spoofing attack

Hello everyone, I would like a clarification. If on the untrusted ports I configure DHCP snooping and go on to impose that, for example, on the access ports no more than 5 DHCP packets must arrive in 1 minute, then as for DHCP starvation the problem seems solved: the DHCP server should not be saturated by a malicious user. But in the case of DHCP spoofing, the hacker becomes a DHCP server; it is true that after the fifth DHCP request the frame will be discarded, but is it also true that in the meantime the hacker has the possibility to satisfy even a single DHCP request from a client? In fact, DHCP Discover, Offer, Request and Ack are 4 frames that pass through that port within a few seconds and could even satisfy more requests, giving wrong information to someone. Is that so or am I wrong? In fact, in the manuals it is not written that DHCP snooping serves to avoid a DHCP spoofing attack but to mitigate it. What do you think?


5 Replies

@PietroPoliseno27977 

When DHCP snooping is enabled, if a hacker's rogue DHCP were connected to an untrusted port, that port will block all DHCP Offer/ACK messages, so it will never satisfy a DHCP request.

Thanks for your answer. So the port will block Offer and ACK, and it will limit DHCP requests from the client within 1 second, for example 5 packets, right?

@PietroPoliseno27977 Rate limiting is optional.

We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_35_se/configuration/guide/scg/swdhcp82.html#wp1070843
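As an added illustration of the two points made in the replies above (the untrusted-port filter and the optional rate limit), here is a small Python model that is not from the thread or from Cisco. It assumes Cisco's documented behaviour that exceeding the rate limit err-disables the port, treats DHCPNAK as a server message alongside Offer/ACK, and runs over constructed DHCP payloads built inline.

```python
# Added example (not from the thread): a minimal model of DHCP snooping's two
# checks on an access port, run over constructed BOOTP/DHCP payloads.
from collections import defaultdict

# Option 53 message-type values (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
# Server-originated types; snooping drops these when they arrive on an untrusted port.
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte fixed header

def dhcp_message_type(pkt: bytes) -> int:
    """Return the option-53 value of a raw DHCP payload (UDP payload, no headers)."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                 # pad option, no length byte
            i += 1
            continue
        if code == 255:               # end option
            break
        length = pkt[i + 1]
        if code == 53:
            return pkt[i + 2]
        i += 2 + length
    raise ValueError("no message-type option")

def build_dhcp(msg_type: int) -> bytes:
    """Constructed minimal payload: zeroed fixed header, cookie, option 53, end."""
    return bytes(236) + MAGIC + bytes([53, 1, msg_type, 255])

class SnoopingPort:
    """One switch port; rate_limit is packets per second, None = no limit (the default)."""
    def __init__(self, trusted=False, rate_limit=None):
        self.trusted, self.rate_limit = trusted, rate_limit
        self.errdisabled = False
        self.counts = defaultdict(int)   # DHCP packets seen per one-second window

    def filter(self, pkt: bytes, t: float) -> str:
        if self.errdisabled:
            return "drop (err-disabled)"
        if self.rate_limit is not None:   # all DHCP packets count, not only client ones
            self.counts[int(t)] += 1
            if self.counts[int(t)] > self.rate_limit:
                self.errdisabled = True   # assumed Cisco behaviour: port goes err-disabled
                return "drop (rate exceeded, port err-disabled)"
        if not self.trusted and dhcp_message_type(pkt) in SERVER_MSGS:
            return "drop (server message on untrusted port)"
        return "forward"

def demo():
    """Rogue Offer is dropped outright; a burst of six Discovers trips a limit of 5."""
    port = SnoopingPort(trusted=False, rate_limit=5)
    results = [port.filter(build_dhcp(OFFER), 0.10)]
    results += [port.filter(build_dhcp(DISCOVER), 0.20 + 0.01 * k) for k in range(6)]
    return results
```

The rogue server's Offer is dropped by the trust check alone, before any rate limit applies; the rate limit only bounds how many client packets per second can reach the real server.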

Good, perfect! Thank you for your solution.

Dear Rob,
For instance, in case I have a /24 DHCP pool and the untrusted ports are limited to 100 (as per your recommendation), wouldn't it allow an attacker to starve the DHCP in a few seconds by sending 90 requests per second?

On the other hand, is there any estimate of how many requests a normal user would send in a second?

Thanks in advance