This document discusses how to configure DHCP snooping on a network switch to prevent DHCP spoofing attacks. It provides an overview of DHCP snooping functionality, describes trusted and untrusted sources, and outlines the impacts of unauthorized DHCP servers. Configuration steps are presented to enable DHCP snooping globally, on specific VLANs, and to configure trusted ports connected to the legitimate DHCP server. Verification commands are also included to view the DHCP snooping binding table.
How to prevent DHCP spoofing in network
1. Topic: How to prevent DHCP Spoofing In Network
ROEURM Channa (Mr.)
channa.roeurm@gmail.com
28-October 2015
“Sharing Is The Best Of Communication & SMARTER TEAM”
2. Presentation
Objective:
1/. DHCP Server in Network
2/. Overview of DHCP Snooping
3/. Trusted and Untrusted Sources
4/. DHCP Attacker Impact to Network
6/. DHCP Snooping Feature
7/. DHCP Snooping Configuration
8/. Question and Answer
5. Trusted and Untrusted Sources
Trusted Host: devices under your administrative control are trusted sources; these include the switches, routers, and servers in your network.
Untrusted Host: a DHCP server that is on your network without your knowledge, on an untrusted port, is called a spurious DHCP server.
Spurious DHCP Server! Lolz
What do they look like?
6. Spurious DHCP Server
An untrusted DHCP server can be:
1- A wireless router reset to default
2- An extended USB wireless router or TVBox
3- Desktop and laptop systems that are loaded with a DHCP server
 - Staff or students testing a lab DHCP server
 - A PC that enables or loads DHCP server services
4- FAKE/untrusted hosts
 - A DHCP attacker host
 - A DHCP server connected to the network (by accident)
7. Impact to Network
Disadvantages and Impact to Network:
1/. Network unstable (Hotel/School)
 - Which port…..?
 - Which floor…..?
 - Which location…..?
2/. Difficult to troubleshoot (Service Provider-ISP/Mobile Operator)
 - PPPoE client gets the wrong IP address
 - Mobile gets the wrong address for communication
 - Needs deep investigation.
 - Network Engineer is full of STRESS
8. How to Prevent Untrusted DHCP Server?
Police? Hardware Firewall?
“The Network Engineer has to know and fix tomorrow's problem”
Otherwise, the IT man will be: “You are shit!”
9. DHCP Snooping Feature
Enable DHCP Snooping to:
• Block DHCP Offer on untrusted port
• Filter out invalid messages
• Rate-limit trusted & untrusted traffic
• Maintain the DHCP snooping binding database
• By default, it is inactive on all VLANs.
10. Notification of DHCP Snooping
• DHCP snooping allows the configuration of ports as trusted or untrusted.
• Untrusted ports cannot process DHCP replies.
• Configure DHCP Snooping on uplink ports to the DHCP Server.
• Don't configure DHCP snooping on client ports
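
The filtering and binding-table behaviour listed on slides 9 and 10, modelled in Python as an added example (not from the original slides and not any switch vendor's code). The MAC-address consistency check and the release/decline ownership check are assumed readings of "filters out invalid messages"; port names, MACs and IP addresses are constructed sample values, and rate limiting is not modelled.

```python
# Added illustration: per-message decisions of a DHCP snooping switch (constructed sample data).
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a DHCP server sends these

@dataclass
class SnoopingSwitch:
    snooped_vlans: set                        # snooping is inactive on all VLANs by default
    trusted_ports: set                        # uplinks toward the legitimate DHCP server
    pending: dict = field(default_factory=dict)    # client MAC -> port its REQUEST arrived on
    bindings: dict = field(default_factory=dict)   # client MAC -> (ip, vlan, port)

    def process(self, port, vlan, msg, chaddr, src_mac=None, yiaddr=None):
        """Return (verdict, reason) for one DHCP message seen on `port`."""
        src_mac = src_mac or chaddr
        if vlan not in self.snooped_vlans:
            return "forward", "snooping not enabled on this VLAN"
        trusted = port in self.trusted_ports
        if msg in SERVER_MSGS:
            if not trusted:
                return "drop", "server message on untrusted port"
            if msg == "ACK" and chaddr in self.pending:
                # Lease confirmed by the trusted server: record the binding.
                self.bindings[chaddr] = (yiaddr, vlan, self.pending.pop(chaddr))
            return "forward", "server message on trusted port"
        if not trusted:
            if src_mac != chaddr:
                return "drop", "source MAC does not match client hardware address"
            owner = self.bindings.get(chaddr)
            if msg in {"RELEASE", "DECLINE"} and owner and owner[2] != port:
                return "drop", "release/decline from a port that does not own the binding"
            if msg == "REQUEST":
                self.pending[chaddr] = port
        if msg == "RELEASE":
            self.bindings.pop(chaddr, None)
        return "forward", "client message accepted"

def demo():
    sw = SnoopingSwitch(snooped_vlans={10}, trusted_ports={"Gi0/24"})
    mac = "aa:aa:aa:00:00:01"
    steps = [("Gi0/1", "DISCOVER", None), ("Gi0/7", "OFFER", "192.168.1.50"),  # Gi0/7 = spurious server
             ("Gi0/24", "OFFER", "10.0.10.50"), ("Gi0/1", "REQUEST", None),
             ("Gi0/24", "ACK", "10.0.10.50"), ("Gi0/7", "RELEASE", None)]      # spoofed release
    return [sw.process(p, 10, m, mac, yiaddr=ip) for p, m, ip in steps], sw.bindings

if __name__ == "__main__":
    results, table = demo()
    print(*results, table, sep="\n")
```

The binding table ends up holding only the lease confirmed through the trusted uplink, tied to the client port that requested it.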