DHCP attacks and defense

Source: Internet
Author: User

The DHCP lease is negotiated in the following six steps:
1. Client requests an IP address: the client broadcasts a DHCP Discover packet to find a DHCP server. The broadcast carries the DHCP client's MAC address and computer name.
2. Server response: when the DHCP server receives the client's request, it checks its address pool for a valid IP address that can be offered to the client. If one is available, the server marks that address and places it in a DHCP Offer message, which it broadcasts. The Offer contains the DHCP client's MAC address, the offered IP address, subnet mask, default gateway, lease term, and the DHCP server's IP address.
3. Client selects an IP address: after receiving the DHCP Offer, the client extracts the IP address and broadcasts a DHCP Request message to all DHCP servers, indicating that it accepts the offered parameters. The packet contains the Server Identifier (the IP address of the chosen server). Each server checks the Server Identifier field to learn whether its offer was accepted.
4. Server confirms the lease: after receiving the DHCP Request, the server broadcasts a DHCP Ack message to the client as confirmation. The DHCP Ack contains the valid lease period of the address and the other configuration parameters.
5. Logging on again: a DHCP client that held a lease previously tries to keep using its original IP address on the next logon without sending a DHCP Discover. If the server cannot assign that address to the original client, it replies with a DHCP Nak (denial) message; on receiving it, the client sends a new DHCP Discover to request a fresh IP address.
6. Lease renewal: when 50% of the lease time has elapsed, the client starts preparing to renew. At 85% it tries a second time. If the client still cannot reach the DHCP server at 85%, it has to find another way out: it sends a DHCP Discover packet to look for a DHCP server.
Note: if the DHCP client cannot find a DHCP server, it selects an address for itself from the class B network segment 169.254.0.0 of TCP/IP and tries to contact a DHCP server every 5 minutes.
Next, consider how the DHCP server can be attacked; see the topology below:

From host D, the attacker floods DHCP server A with DHCP Discover packets so that its address pool is exhausted almost instantly, sets up a rogue DHCP server on D, and then sends a release packet. When host C then looks for a DHCP server, the only one it finds online is D, which hands the DHCP client a false address and gateway. The attack shown here uses the yersinia software on Ubuntu.


Now for defending against DHCP attacks: we can enable DHCP snooping on the switch and designate trusted and untrusted ports. By default, a switch port is untrusted.
Untrusted port: the port connecting to terminal devices. Clients may only send DHCP request packets through it; all other DHCP packets (such as DHCP Offer) arriving on the port are discarded.
Trusted port: the port connecting to a valid DHCP server or to the aggregation uplink; it forwards and receives all DHCP packets.
Topology of DHCP defense:

Enable DHCP snooping on the switch: Switch(config)# ip dhcp snooping
Set the VLAN on which DHCP snooping acts: Switch(config)# ip dhcp snooping vlan <number>
Configure a port as trusted (ports without this command stay untrusted): Switch(config-if)# ip dhcp snooping trust
Insert option 82 into DHCP messages: Switch(config)# ip dhcp snooping information option
Limit the DHCP packet rate to mitigate DHCP exhaustion attacks: Switch(config-if)# ip dhcp snooping limit rate <rate>
In this way, DHCP attacks can be prevented.
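To make the trusted/untrusted and rate-limit rules concrete, here is an added Python model of the switch's snooping filter run over constructed sample traffic (example code, not from the original article or any switch vendor). The port names, the packet list, the one-second window and the err-disable reaction when the limit is exceeded are assumptions of the model.

```python
from collections import defaultdict, deque

# Server-originated DHCP message types (option 53, RFC 2132); clients never send these.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

class DhcpSnooping:
    """Simplified model of a switch's DHCP snooping filter: trusted ports forward
    everything; untrusted ports may only carry client messages, rate-limited per
    port, and a port that exceeds its limit is error-disabled (Cisco IOS behaviour)."""

    def __init__(self, trusted_ports, limit_rate, window=1.0):
        self.trusted = set(trusted_ports)
        self.limit = limit_rate              # accepted DHCP packets per window per port
        self.window = window                 # seconds (assumed window size)
        self.recent = defaultdict(deque)     # port -> timestamps inside the window
        self.err_disabled = set()

    def handle(self, pkt):
        """Return the verdict for one packet: 'forward', 'drop' or 'err-disable'."""
        port = pkt["port"]
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"
        if pkt["type"] in SERVER_MSGS:       # Offer/Ack/Nak on a terminal port: rogue server
            return "drop"
        q = self.recent[port]
        while q and pkt["ts"] - q[0] >= self.window:
            q.popleft()                      # slide the window forward
        q.append(pkt["ts"])
        if len(q) > self.limit:              # starvation-style burst: shut the port
            self.err_disabled.add(port)
            return "err-disable"
        return "forward"

def run(snooper, packets):
    """Apply the filter to a packet list; returns (port, type, verdict) triples."""
    return [(p["port"], p["type"], snooper.handle(p)) for p in packets]
# Constructed sample traffic: Gi0/1 is the uplink to the legitimate DHCP server, Gi0/2 a
# normal client, Gi0/3 an untrusted port that injects a rogue OFFER and then floods
# DISCOVERs from spoofed MACs (address-pool exhaustion attempt).
SAMPLE = [
    {"port": "Gi0/2", "type": "DISCOVER", "mac": "aa:00:00:00:00:01", "ts": 0.00},
    {"port": "Gi0/1", "type": "OFFER",    "mac": "00:11:22:33:44:55", "ts": 0.01},
    {"port": "Gi0/2", "type": "REQUEST",  "mac": "aa:00:00:00:00:01", "ts": 0.02},
    {"port": "Gi0/1", "type": "ACK",      "mac": "00:11:22:33:44:55", "ts": 0.03},
    {"port": "Gi0/3", "type": "OFFER",    "mac": "de:ad:be:ef:00:01", "ts": 0.05},
] + [{"port": "Gi0/3", "type": "DISCOVER", "mac": f"de:ad:be:ef:01:{i:02x}",
      "ts": 0.10 + i / 100} for i in range(12)]
```

Running `run(DhcpSnooping(trusted_ports={"Gi0/1"}, limit_rate=10), SAMPLE)` forwards the legitimate exchange, drops the rogue OFFER on Gi0/3, and err-disables Gi0/3 on the eleventh DISCOVER inside the window.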
 
