Defense Against Bogus DHCP Server Attacks

Latest reply: Jul 2, 2021 16:41:28

Attack Behavior

No authentication mechanism exists between DHCP servers and clients. Therefore, any DHCP server newly deployed on a network can allocate IP addresses and other network parameters to DHCP clients. A bogus DHCP server connects to an aggregation switch through a Layer 2 network. When clients connected to the switches apply for IP addresses through DHCP, the bogus DHCP server responds before the legitimate servers and assigns IP addresses to the clients, leading to IP address conflicts and disrupting network services.

Security Policy

To defend against the preceding attack, configure the following security policies on a switch:

  • DHCP server filtering

    Configure traffic policies to enable the switch to forward reply packets from only valid DHCP servers.

  • DHCP snooping

    Configure DHCP snooping and configure valid DHCP server interfaces as trusted interfaces to filter out invalid DHCP servers.

Configuration Method

  • Configure DHCP server filtering.

    Valid DHCP servers have known IP addresses and are reachable through specific interfaces. Reply packets from DHCP servers are UDP packets with source port 67 (bootps). Configure policies that use these properties to filter out bogus DHCP reply packets.

    Based on the interfaces that connect to valid DHCP servers, configure the following policies:

    1. Configure ACL rules that match valid and bogus DHCP server replies.

      <HUAWEI> system-view
      [HUAWEI] acl name dhcp-valid
      [HUAWEI-acl-adv-dhcp-valid] rule permit udp source-port eq bootps
      [HUAWEI-acl-adv-dhcp-valid] quit
      [HUAWEI] acl name dhcp-invalid
      [HUAWEI-acl-adv-dhcp-invalid] rule deny udp source-port eq bootps
      [HUAWEI-acl-adv-dhcp-invalid] quit
    2. Apply the permit rule on the interface connected to the valid DHCP server.

      [HUAWEI] interface gigabitethernet 1/0/1
      [HUAWEI-GigabitEthernet1/0/1] traffic-filter inbound acl name dhcp-valid
      [HUAWEI-GigabitEthernet1/0/1] quit
    3. Apply the deny rule in the system view so that DHCP server replies arriving on all other interfaces are dropped.

      [HUAWEI] traffic-filter inbound acl name dhcp-invalid

  • Configure DHCP snooping.

    Configure the interface connected to the valid DHCP server as a trusted interface.

    <HUAWEI> system-view
    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
    [HUAWEI-GigabitEthernet1/0/1] quit

    Configure DHCP snooping for other user-side interfaces or VLANs.

    [HUAWEI] interface gigabitethernet 2/0/0
    [HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable
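The two policies above (the port-67 ACL filter and DHCP snooping with trusted interfaces) make the same decision for different reasons, and it is worth seeing both decisions made on real packet bytes. The following Python model is an added example, not Huawei code and not the switch's actual implementation: it parses the BOOTP header and the DHCP options that matter here (option 53, message type; option 54, server identifier), then applies an ACL-style verdict keyed on UDP source port and ingress interface, and a snooping-style verdict keyed on BOOTREPLY and trusted interfaces. The interface names reuse the ones from the configuration above; the IP addresses, transaction IDs and the `Frame` wrapper are constructed for the example.

```python
"""Model of the two switch policies on this page, run over constructed DHCP packets.
Added example; it is not Huawei code and does not reproduce the switch's implementation."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie, follows the 236-byte BOOTP header
BOOTPS, BOOTPC = 67, 68         # UDP ports: server side (bootps) and client side (bootpc)
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class Frame:                    # constructed stand-in for what the switch sees per packet
    ingress_port: str           # interface the frame arrived on
    src_ip: IPv4Address
    udp_sport: int
    udp_dport: int
    payload: bytes              # DHCP message


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: IPv4Address
    msg_type: Optional[int]
    server_id: Optional[IPv4Address]


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the fixed BOOTP header plus options 53 (message type) and 54 (server identifier)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:         # end option
            break
        if code == 0:           # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts[53][0] if 53 in opts and len(opts[53]) == 1 else None
    server_id = IPv4Address(opts[54]) if 54 in opts and len(opts[54]) == 4 else None
    return DhcpMessage(op, xid, yiaddr, msg_type, server_id)


def build_dhcp(op: int, msg_type: int, xid: int, yiaddr: str = "0.0.0.0",
               server_id: Optional[str] = None) -> bytes:
    """Construct a minimal DHCP message (test data only; fixed hardware address)."""
    fixed = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, xid, 0, 0, 0, int(IPv4Address(yiaddr)), 0, 0)
    fixed += b"\xaa\xbb\xcc\x00\x00\x01".ljust(16, b"\0") + bytes(64) + bytes(128)
    opts = bytes([53, 1, msg_type])
    if server_id is not None:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return fixed + MAGIC + opts + b"\xff"


def server_filter_verdict(frame: Frame, valid_server_ports: set) -> Tuple[str, str]:
    """ACL model: 'permit udp source-port eq bootps' on valid server ports, 'deny' elsewhere."""
    if frame.udp_sport != BOOTPS:
        return "forward", "not a DHCP server reply (source port != 67)"
    if frame.ingress_port in valid_server_ports:
        return "forward", f"bootps traffic on valid server port {frame.ingress_port}"
    return "drop", f"bootps traffic from {frame.src_ip} on non-server port {frame.ingress_port}"


def snooping_verdict(frame: Frame, trusted_ports: set) -> Tuple[str, str]:
    """DHCP snooping model: server-originated messages are accepted only on trusted ports."""
    try:
        msg = parse_dhcp(frame.payload)
    except ValueError as exc:
        return "drop", str(exc)
    name = MSG_NAMES.get(msg.msg_type, f"type {msg.msg_type}")
    if msg.op != BOOTREPLY:
        return "forward", f"client {name} on {frame.ingress_port}"
    if frame.ingress_port in trusted_ports:
        return "forward", f"{name} from server {msg.server_id} on trusted port {frame.ingress_port}"
    return "drop", f"{name} from server {msg.server_id} on untrusted port {frame.ingress_port}"


def sample_frames() -> List[Frame]:
    """Constructed traffic: a valid OFFER, a bogus OFFER on a user port, and a client DISCOVER."""
    return [
        Frame("GigabitEthernet1/0/1", IPv4Address("10.0.0.1"), BOOTPS, BOOTPC,
              build_dhcp(BOOTREPLY, 2, 0x1234, "10.0.0.50", "10.0.0.1")),
        Frame("GigabitEthernet2/0/0", IPv4Address("192.168.1.1"), BOOTPS, BOOTPC,
              build_dhcp(BOOTREPLY, 2, 0x1234, "192.168.1.50", "192.168.1.1")),
        Frame("GigabitEthernet2/0/0", IPv4Address("0.0.0.0"), BOOTPC, BOOTPS,
              build_dhcp(BOOTREQUEST, 1, 0x1234)),
    ]


def audit(frames: List[Frame], trusted_ports: set) -> List[Tuple[str, str, str]]:
    """Run both policies on each frame; returns (ingress port, ACL verdict, snooping verdict)."""
    return [(f.ingress_port, server_filter_verdict(f, trusted_ports)[0],
             snooping_verdict(f, trusted_ports)[0]) for f in frames]


if __name__ == "__main__":
    for port, acl, snoop in audit(sample_frames(), {"GigabitEthernet1/0/1"}):
        print(f"{port:<22} acl={acl:<8} snooping={snoop}")
```

The ACL verdict never looks inside the packet, which is why it is cheap but coarse: it drops every port-67 source on a user interface. The snooping verdict decodes the message and so can distinguish a client REQUEST from a server OFFER on the same untrusted port and can record which server identifier the bogus reply carried, which is the value you want in the log when tracing a rogue server.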

Good sharing dear! Thanks for this