06-04-2013 10:43 AM - edited 03-07-2019 01:43 PM
Hi All,
Asked a question here last night and watched a few videos on snooping and understood what I was hearing, but then I went back to my course material and found this:
"Incoming packets that are received on untrusted ports are dropped if the source MAC address of those packets does not match the DHCP binding table. This means that if a hacker attempts to use randomly generated MAC addresses to initiate a DHCP Starvation attack, all packets will be checked against the DHCP snooping table, and because there will be no matches for those specific random MAC addresses, all packets will be discarded by the switch, effectively preventing this type of attack from occurring."
So, with that excerpt from my text, I have a question: if my network is in a converged state, and I have DHCP snooping configured on my switch, and I then add a new station/host PC to an access port on the switch. By the explanation above, the new station's MAC address will not be listed in the binding table, so the switch is going to keep discarding the packets, and my new station will never receive an address or join the network.
How do I ensure a new station is permitted to join the network / receives a DHCP address post-convergence, when snooping is enabled?
06-04-2013 12:11 PM
Hi,
What you describe here will not happen to a new host that sends a DHCP Discover message to get an IP address, but it will happen to a host that already had a DHCP-leased address recorded in the snooping table and then asks for another DHCP address with another MAC address, which is a DHCP starvation technique.
Regards
Alain
Don't forget to rate helpful posts.
06-04-2013 02:32 PM
Hi again Alain,
Ok, so basically the snooping table can tell which stations have a lease and which do not, and can also tell if additional DHCP Discovers for additional MAC addresses are sourcing from said host that already has the lease?
Am I following correctly?
06-04-2013 11:16 PM
Hi Dean,
In fact this is not exactly how it behaves; I had to take a look back at the config guide.
Here's the interesting part:
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
This is an excerpt from here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/15.0_1_se/configuration/guide/swdhcp82.html
Regards
Alain
Don't forget to rate helpful posts.
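To make the four drop rules quoted from the config guide concrete, here is an added example (not part of the original thread and not Cisco code) that models them as a small decision function and walks through the cases discussed above: a brand-new host's DISCOVER, a rogue server's OFFER on an access port, a starvation frame whose DHCP client hardware address (chaddr) differs from the frame's source MAC, and a RELEASE arriving on the wrong port. The class and function names, the port names and the MAC/IP values are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Message types that only a DHCP server sends (rule 1 of the quoted excerpt).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass(frozen=True)
class DhcpPacket:
    """Constructed view of the fields the snooping rules look at (hypothetical type)."""
    msg_type: str            # DHCPDISCOVER, DHCPOFFER, DHCPRELEASE, ...
    src_mac: str             # Ethernet source address of the frame
    chaddr: str              # client hardware address inside the DHCP payload
    ingress_port: str        # switch port the frame arrived on
    giaddr: str = "0.0.0.0"  # relay-agent IP address field
    option82: bool = False   # relay-agent information option present
    broadcast: bool = False  # frame sent to the broadcast address


@dataclass
class BindingEntry:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class SnoopingSwitch:
    """Hypothetical model of a switch running DHCP snooping with the quoted rules."""
    trusted_ports: Set[str]
    bindings: Dict[str, BindingEntry] = field(default_factory=dict)  # mac -> entry

    def verdict(self, pkt: DhcpPacket) -> str:
        untrusted = pkt.ingress_port not in self.trusted_ports
        # Rule 1: server messages are only accepted on trusted ports.
        if untrusted and pkt.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        # Rule 2: on untrusted ports the frame source MAC must equal chaddr.
        # Note that the binding table is NOT consulted here, which is why a
        # new host that has never leased an address is still forwarded.
        if untrusted and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop: source MAC does not match client hardware address"
        # Rule 3: a broadcast RELEASE/DECLINE for a MAC in the table must come
        # from the port recorded for that MAC.
        if pkt.broadcast and pkt.msg_type in {"DHCPRELEASE", "DHCPDECLINE"}:
            entry = self.bindings.get(pkt.chaddr.lower())
            if entry is not None and entry.port != pkt.ingress_port:
                return "drop: release/decline from a different interface"
        # Rule 4: relay-agent fields (non-zero giaddr or option 82) are not
        # accepted from untrusted ports.
        if untrusted and (pkt.giaddr != "0.0.0.0" or pkt.option82):
            return "drop: relay-agent information on untrusted port"
        return "forward"


def run_scenario() -> Dict[str, str]:
    """Replay the situations from the thread and return the verdict for each."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})  # uplink to the real DHCP server
    # Constructed binding for a host that already holds a lease on Gi1/0/1.
    known = "00:11:22:33:44:55"
    sw.bindings[known] = BindingEntry(known, "10.0.0.10", "Gi1/0/1", 10)

    new_mac = "aa:bb:cc:dd:ee:01"
    return {
        # New PC on Gi1/0/2: not in the table, but src MAC == chaddr, so forwarded.
        "new_host_discover": sw.verdict(
            DhcpPacket("DHCPDISCOVER", new_mac, new_mac, "Gi1/0/2", broadcast=True)),
        # Rogue server answering on an access port: dropped by rule 1.
        "rogue_offer": sw.verdict(
            DhcpPacket("DHCPOFFER", "de:ad:be:ef:00:01", new_mac, "Gi1/0/2")),
        # Starvation with the real NIC MAC in the frame and a random chaddr: rule 2.
        "starve_random_chaddr": sw.verdict(
            DhcpPacket("DHCPDISCOVER", known, "02:00:00:00:00:99", "Gi1/0/1", broadcast=True)),
        # Starvation where the tool spoofs frame MAC and chaddr consistently:
        # none of the four rules fires, so snooping alone forwards it.
        "starve_spoof_both": sw.verdict(
            DhcpPacket("DHCPDISCOVER", "02:00:00:00:00:99", "02:00:00:00:00:99", "Gi1/0/1", broadcast=True)),
        # RELEASE for the known MAC sent from a different port: rule 3.
        "release_wrong_port": sw.verdict(
            DhcpPacket("DHCPRELEASE", known, known, "Gi1/0/3", broadcast=True)),
        # Relayed packet with option 82 arriving on an access port: rule 4.
        "option82_on_access": sw.verdict(
            DhcpPacket("DHCPDISCOVER", new_mac, new_mac, "Gi1/0/2", option82=True)),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:22} -> {result}")
```

The `starve_spoof_both` case is the practical caveat: the MAC/chaddr check stops a tool that keeps its real source MAC and only randomises the DHCP payload, but a tool that changes both fields together passes every rule in the excerpt. That is why Cisco pairs DHCP snooping with `ip dhcp snooping limit rate` on untrusted ports and with port security's MAC-address limit when starvation is the concern.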
06-05-2013 01:08 PM
Cool, thanks Alain