As a qualified network worker, you must master DHCP snooping knowledge!

DHCP Snooping As the name suggests DHCP Relevant , He is DHCP A security feature of , Used to guarantee DHCP Client from legal DHCP Server acquisition IP Address , And record HDCP client IP Address and MAC Correspondence of address parameters , Prevent the Internet from targeting DHCP attack

​

DHCP Snooping There are two functions ：

1. Trust function ：DHCP Snooping The trust function divides interfaces into trusted interfaces and untrusted interfaces , In this way, the client can be guaranteed to obtain from the legal server IP Address

2. Analysis function ： Turn on DHCP Snooping After function , The equipment can pass the analysis DHCP The process of message interaction , Generate DHCP Snooping Binding table , The bound table entry includes the client's MAC Address 、 Acquired IP Address 、 And DHCP The interface to which the client is connected and the VLAN, The lease information .

DHCP Snooping In which scenarios can it be applied ？

1. prevent DHCP Server Counterfeiters attack

Attack principle ：

because DHCP Server and DHCP Client There is no authentication mechanism between , So when one is added to the network at will DHCP The server , He can pretend to be a real server and assign it to other devices in the network IP Address and other network parameters . If it's time to DHCP Server assigned IP The address is wrong , That will have a great impact on the network .

resolvent ：

As shown in the figure , In order to prevent DHCP Server Counterfeiters attack , The interface on the device can be configured as “Trusted” and “Untrusted” Working mode . Will be associated with legal DHCP The connection to the server is “Trusted” Interface , Other interfaces are set to “Untrusted” Interface , When from “Untrusted” Interface received DHCP The response message will be discarded directly , This will prevent DHCP Server Attacks by counterfeiters .

2.DHCP Message flood control attack

Attack principle ：

An attack device in the network , Send a large number of... To the server DHCP Discover message , Cause the server can't handle it , Finally, the server crashed .

resolvent ：

At the of the enabling device DHCP Snooping When the function , Can simultaneously enable the device to DHCP Send a message to DHCP The function of detecting the rate of message processing unit . thereafter , The device will detect DHCP Message sending rate , And only messages within the specified rate are allowed to be sent to DHCP Message processing unit , Messages exceeding the specified rate will be discarded .

3.DHCP Server Denial of service attack （ Starve to death ）

Attack principle ：

As shown in the figure , hypothesis interface 1 There are a large number of malicious applications from attackers under the interface IP Address , Then it will lead to DHCP Server Medium IP The address is rapidly exhausted and cannot be provided to other legitimate users IP Address allocation service .

resolvent ：

In order to suppress a large number of DHCP The user applied maliciously IP Address , At the of the enabling device DHCP Snooping After function , The maximum allowable access of the configurable device interface DHCP The number of users , When the number of connected users reaches this value , Then no user is allowed to successfully apply to... Through this device or interface IP Address .