cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2460
Views
0
Helpful
5
Replies

Dhcp spoofing attack

Hello everyone, I would like a clarification. If on the untrusted ports I configure dhcp snooping and go on, I impose that for example on the access ports no more than 5 dhcp packets must arrive in 1 minute, so as for dhcp starvation the problem seems solved the dhcp server should not be saturated by a malicious. But in the case of dhcp spoofing, the hacker becomes a dhcp server; it is true that after the fifth dhcp request the frame will be discarded, but is it also true that in the meantime the hacker has the possibility to satisfy even a single dhcp request from a client? In fact, dhcp discover, offer, request and ack are 4 frames that pass through that port within a few seconds could even satisfy more requests, giving wrong information to someone. Is that so or am I wrong? In fact in the manuals it is not written that dhcp snooping serves to avoid a dhcp spoofing attack but to mitigate it. What do you think?

1 Accepted Solution

Accepted Solutions

@PietroPoliseno27977 

When DHCP snooping is enabled, if a hackers rogue DHCP were connected to an untrusted port, that port will block all DHCP Offer/ACK messages. So will never satisfy a DHCP request.

View solution in original post

5 Replies 5

@PietroPoliseno27977 

When DHCP snooping is enabled, if a hackers rogue DHCP were connected to an untrusted port, that port will block all DHCP Offer/ACK messages. So will never satisfy a DHCP request.

Thanks for your answer; So Port Will block offer and ack request and It Will limit dhcprequest from client within 1 second example 5 packets right?

@PietroPoliseno27977  Rate limiting is optional.

 

We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_35_se/configuration/guide/scg/swdhcp82.html#wp1070843

 

Good perfect! Thank you for your solution

Dear Rob, 
For instance, In case I have a /24 dhcp pool, and the untrusted ports are limited to 100 (as per your recommendation), wouldn't it allow an attacker to starve the DHCP in few seconds by sending  90 requests per second. 

on the other hand, is there any estimate of how many requests a normal user would send in a second? 

 

Thanks in advance  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: