A Complete Guide to DHCP Snooping: How It Works, Concepts and the Binding Database, Dealing with DHCP Starvation Attacks, DHCP Hijacking, Man-in-the-Middle Attacks, Malicious DHCP Servers and DHCP Option 82
This article explores common attacks in Layer 2 and Layer 3 networks, with a particular focus on DHCP Starvation attacks, man-in-the-middle attacks and malicious (rogue) DHCP servers, and explains how security features such as DHCP Snooping help protect networks from them. We explain how DHCP Snooping works, cover related terms such as trusted and untrusted ports/interfaces, and discuss further topics. Finally, we note the importance and purpose of the Binding Database in DHCP Snooping, which is also used by Dynamic ARP Inspection to prevent ARP Poisoning and ARP Spoofing attacks.
Topics covered include:
- DHCP Starvation Attack, Man-in-the-Middle Attack, DHCP Hijacking, and Monitoring Attacks
- Malicious DHCP Servers – Major Security Threat and Source of Network Disruptions
- DHCP Snooping Support on Cisco Catalyst and Nexus Switches – Permissions and Features
- How DHCP Snooping Works – DHCP Snooping Concepts – Trusted and Untrusted Ports/Interfaces
- Traffic Blocked by DHCP Snooping, DHCP Snooping Violations – Syslog Messages
- DHCP Snooping Binding IP Database – Dynamic ARP Inspection
- DHCP Snooping-Option 82 Data Insertion
- Summary
DHCP Starvation Attack, Man-in-the-Middle Attack, DHCP Hijacking & Reconnaissance Attacks
This article will help you gain an in-depth understanding of how to protect networks using DHCP Snooping and related security features.
The DHCP Starvation attack is one of the most common attacks on a network and targets the network's DHCP servers. Its goal is to flood the organization's DHCP server with DHCP REQUEST messages sent from fake (spoofed) MAC addresses. The DHCP server answers every request, unaware that it is under a DHCP Starvation attack, and hands out available IP addresses until its DHCP pool is exhausted.
At this point, the attacker renders the organization's DHCP server unusable and can activate its malicious DHCP server to address network clients instead of the primary server. The DHCP Starvation attack is typically associated with a Man-in-the-Middle attack, as the malicious DHCP server distributes fake IP addresses, including Gateway and DNS IP, so that all client traffic passes through the attacker and is inspected.

By using packet capture tools and protocol analysis, the attacker is able to completely reconstruct any data stream it has recorded and extract files from it. In fact, the process is so simple that it only requires a basic understanding of these types of networking tools.
In other cases, a man-in-the-middle attack can be used as a monitoring attack with the goal of obtaining information about network infrastructure, services, as well as identifying high-importance hosts such as financial servers or databases.
It should now be clear how a simple attack can become a major security threat to any organization. The attacks above show how easily an attacker can bypass firewalls and other security layers and gain access to valuable information simply by connecting an unauthorized device to an existing network port.
Malicious DHCP Servers – Major Security Threat and Source of Network Disruptions
Rogue DHCP servers are a common problem in large organizations and are not always the result of a deliberate attack. They usually appear unexpectedly when users connect consumer network devices (such as home routers) to the network infrastructure, without realizing that the device they plugged in runs an active DHCP server.
The rogue DHCP server then begins to assign IP addresses to network hosts, causing connectivity problems and, in many cases, major service disruptions. At best, DHCP clients receive an invalid IP address, which cuts them off from the rest of the network. In the worst case, clients are assigned an IP address that is already in use by a network infrastructure device (e.g., the VLAN interface of the core switch or the firewall interface), leading to serious address conflicts and network disruptions.

While many organizations have security policies in place that prohibit third-party or unauthorized devices from being connected to their network, there are still cases where users who may not be aware of or care about the security implications connect these devices to the network infrastructure without consulting the IT department.
Educating users and enforcing security policies can be challenging, which is why it is essential to have security mechanisms in place to help mitigate these incidents, and this is where DHCP Snooping comes into play.
DHCP Snooping, as a security feature, can prevent such problems from occurring. It lets switches permit only authoritative DHCP servers to assign IP addresses, so that unauthorized devices running rogue DHCP servers cannot serve clients. This dramatically increases network security and mitigates attacks such as DHCP Starvation and Man-in-the-Middle.
DHCP Snooping Support on Cisco Catalyst and Nexus Switches – Licensing and Features
DHCP Snooping is available on both Cisco Catalyst and Cisco Nexus switches. Both platforms are classified as enterprise-grade switches and have full support for all DHCP Snooping capabilities.
DHCP Snooping is considered a standard security feature and does not require an additional license on the older Catalyst IOS operating system, the newer Catalyst IOS XE operating system, or the Nexus NX-OS operating system, so the feature is available and easily configurable on all of these switches.
Examples of Cisco Catalyst switches that support DHCP Snooping include Cisco Catalyst 2960S, 2960-X, 3560, 3750, 3750-X, 3850, 4500, 6500, 9300, 9400, and 9500.
Examples of Cisco Nexus switches that support DHCP Snooping include the Nexus 2000, 3000, 5000, 7000, and 9000.
DHCP Snooping can be enabled globally or per VLAN. This means you can enable it for all VLANs (globally) or only for specific VLANs, including VLAN ranges such as VLANs 1-20 and 45-50.
How DHCP Snooping Works – DHCP Snooping Concepts – Trusted and Untrusted Ports/Interfaces
DHCP Snooping is a Layer 2 security feature that prevents unauthorized (malicious) DHCP servers from assigning IP addresses to DHCP clients. In fact, Cisco was the first vendor to implement DHCP Snooping as a security feature in their network switches, and other vendors have followed suit, introducing similar features in their products.
It is important to note that DHCP Snooping is an access layer protection service and is not located at the core of the network.
The way DHCP Snooping works is very simple. DHCP Snooping breaks down all switch ports into two simple categories:
- Trusted Ports
- Untrusted Ports
A trusted port, also referred to as a trusted source or trusted interface, is a port on which DHCP server messages are trusted because it is under the administrative control of the organization. For example, the port to which your organization's DHCP server is connected is considered a trusted port. This is also shown in the diagram below:

In this way, DHCP Snooping allows only authoritative servers to assign IP addresses to clients and prevents unauthorized servers from distributing them. An untrusted port, also known as an untrusted source or untrusted interface, is a port on which DHCP server messages are not trusted. A typical untrusted port is one to which hosts or workstations are connected: no DHCP OFFER, DHCP ACK or DHCP NAK message should ever appear there, since these messages are only sent by DHCP servers.
Traffic Blocked by DHCP Snooping, DHCP Snooping Violations – Syslog Messages
When DHCP Snooping is enabled, the switch begins to block certain types of DHCP traffic to protect the network from malicious DHCP servers. Below is a list of the types of DHCP traffic that DHCP Snooping blocks:
- Block DHCP server messages such as DHCPACK, DHCPNAK and DHCPOFFER that originate from an untrusted DHCP server (i.e., that arrive on an untrusted port).
- Block DHCPRELEASE or DHCPDECLINE messages that do not originate from the port on which the original DHCP conversation took place. This prevents an attacker from releasing or declining a lease on behalf of the real client.
- Block DHCP packets that arrive on an untrusted port and contain a relay-agent IP address (giaddr) other than 0.0.0.0, or that carry Option 82 information. For a more in-depth analysis, see the DHCP Option 82 article.
- Block DHCP messages where the source MAC address and client MAC address are not the same (see DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL message for more details).
Syslog Messages on DHCP Snooping Violations
When DHCP Snooping detects a violation, the DHCP packet that caused it is dropped and a message is logged on the switch. The message is one of the following:
- %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP Snooping has detected DHCP server messages on an untrusted port. This is a serious violation and typically indicates a rogue DHCP server operating behind an untrusted port.
- %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP Snooping has detected that the source MAC address of the Ethernet frame and the client MAC address inside the DHCP message do not match.
These mechanisms help switches prevent DHCP Starvation attacks, malicious DHCP servers, and man-in-the-middle attacks, and protect the network from security threats.
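The filtering rules and syslog messages above, modelled in code. This is an added example, not code from the article or from Cisco IOS; the port names, MAC addresses and the binding map are constructed, and the two reason strings that are not Cisco syslog messages are descriptive labels only.

```python
# Added example, not code from the article or from Cisco: a model of the
# DHCP Snooping filtering rules above, applied to constructed packet summaries.
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only servers send these
TEARDOWN_MESSAGES = {"DHCPRELEASE", "DHCPDECLINE"}      # end or reject a lease
UNTRUSTED_PORT_LOG = "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT"
MAC_FAIL_LOG = "%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL"

@dataclass
class DhcpPacket:
    port: str                 # switch port the packet arrived on
    src_mac: str              # source MAC of the Ethernet frame
    chaddr: str               # client hardware address in the DHCP payload
    msg_type: str             # DHCPDISCOVER, DHCPOFFER, DHCPACK, ...
    giaddr: str = "0.0.0.0"   # relay-agent IP; 0.0.0.0 when no relay was involved
    has_option82: bool = False

def snoop(pkt: DhcpPacket, trusted_ports: set, bindings: dict) -> Tuple[str, Optional[str]]:
    """Return ("forward" | "drop", reason) for one packet.

    bindings maps a client MAC to the port on which its DHCP exchange was
    seen, i.e. the interface field of its binding-database entry."""
    untrusted = pkt.port not in trusted_ports
    # Rule 1: server replies are only accepted from trusted ports.
    if untrusted and pkt.msg_type in SERVER_MESSAGES:
        return "drop", UNTRUSTED_PORT_LOG
    # Rule 3: relay-agent data must not enter through an untrusted port.
    if untrusted and (pkt.giaddr != "0.0.0.0" or pkt.has_option82):
        return "drop", "relay-agent giaddr or Option 82 on untrusted port"
    # Rule 4: frame source MAC must equal the DHCP client MAC (untrusted ports).
    if untrusted and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop", MAC_FAIL_LOG
    # Rule 2: RELEASE/DECLINE must come from the port that holds the binding.
    if pkt.msg_type in TEARDOWN_MESSAGES:
        bound_port = bindings.get(pkt.chaddr.lower())
        if bound_port is not None and bound_port != pkt.port:
            return "drop", "RELEASE/DECLINE from a port other than the binding's"
    return "forward", None
```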

DHCP Snooping Binding Database – Dynamic ARP Inspection
Once DHCP Snooping is enabled, the switch begins to build a dynamic database containing an entry for every untrusted host that holds a leased IP address, as long as the host belongs to a VLAN on which DHCP Snooping is enabled. No entries are created for hosts connected to trusted interfaces.
Each entry in the Binding database contains the following information:
- MAC address of the untrusted host
- Leased IP address of the untrusted host
- Lease duration
- Binding type
- VLAN number and interface to which the untrusted host is connected
As untrusted hosts obtain IP addresses from the authoritative DHCP server, the switch automatically creates, updates and removes entries in the DHCP Snooping Binding database.
Examples of processes:
- When the lease of an IP address expires, or the switch receives a DHCPRELEASE message from an untrusted host, the corresponding entry is removed from the database.
- Conversely, when the switch receives a DHCPACK message from the authoritative DHCP server confirming that an IP address has been assigned to an untrusted host, a new entry is created in the database.
Binding Database Display Commands:
The show ip dhcp snooping binding command displays all entries in the DHCP snooping binding database. Its output looks like this:
Cat3560-Firewall.cx# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
D0:76:58:0C:BB:80   192.168.4.50     85228       dhcp-snooping  4     GigabitEthernet0/5
Total number of bindings: 1
Binding Database and Layer 2/3 Security
The DHCP Snooping Binding database is also used by other Layer 2 and Layer 3 security features, such as Dynamic ARP Inspection, which helps protect the network from ARP Poisoning and ARP Spoofing attacks.
- Dynamic ARP Inspection prevents ARP Poisoning attacks by checking the match between IP and MAC addresses.
- In these attacks, the attackers try to intercept or alter network traffic by spoofing ARP addresses.
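The binding-database lifecycle (entry on DHCPACK, removal on DHCPRELEASE or lease expiry) and the Dynamic ARP Inspection lookup against it, as an added example. This is not code from the article or from Cisco IOS; the DAI check is simplified to the IP/MAC/VLAN match the text describes, and all addresses are constructed.

```python
# Added example, not code from the article or from Cisco IOS: a model of the
# DHCP Snooping binding database lifecycle described above, plus the Dynamic
# ARP Inspection check that consults it. All values are constructed.
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    ip: str
    lease: int          # remaining lease time in seconds
    vlan: int
    interface: str
    type: str = "dhcp-snooping"

class BindingDb:
    def __init__(self):
        self.entries = {}   # key: (client MAC, VLAN)

    def on_dhcpack(self, mac, ip, lease, vlan, interface, from_trusted):
        """A DHCPACK from a trusted server creates or refreshes the client's entry."""
        if not from_trusted:        # ACKs on untrusted ports are dropped by snooping
            return False
        self.entries[(mac.lower(), vlan)] = Binding(mac.lower(), ip, lease, vlan, interface)
        return True

    def on_dhcprelease(self, mac, vlan):
        """A DHCPRELEASE from the client removes its entry."""
        return self.entries.pop((mac.lower(), vlan), None) is not None

    def tick(self, seconds):
        """Age every lease; entries whose lease has expired are removed."""
        for key, b in list(self.entries.items()):
            b.lease -= seconds
            if b.lease <= 0:
                del self.entries[key]

    def show(self):
        """Render the table in the style of 'show ip dhcp snooping binding'."""
        lines = ["MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface"]
        for b in self.entries.values():
            lines.append(f"{b.mac.upper():<19} {b.ip:<16} {b.lease:<11} {b.type:<14} {b.vlan:<5} {b.interface}")
        lines.append(f"Total number of bindings: {len(self.entries)}")
        return "\n".join(lines)

def dai_check(db, vlan, sender_mac, sender_ip):
    """Dynamic ARP Inspection (simplified): an ARP packet from an untrusted port is
    valid only if its sender MAC/IP pair matches a binding in the same VLAN."""
    b = db.entries.get((sender_mac.lower(), vlan))
    return b is not None and b.ip == sender_ip
```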
Configuring DHCP Snooping on Cisco Catalyst and Cisco Nexus Switches
Configuring DHCP Snooping on Cisco Catalyst and Cisco Nexus switch platforms will be explored in detail in future technical articles.
Exploring ARP Poisoning and ARP Spoofing Attacks
In future security articles, ARP Poisoning and ARP Spoofing attacks and how to deal with them through features like Dynamic ARP Inspection will be explained in detail.
DHCP Snooping Option 82 – Relay Agent Information
DHCP Option 82, also known as the Relay Agent Information Option, was first defined in RFC 3046 to let a DHCP relay agent (such as a switch or router) identify itself and attach information about the DHCP client that sent the DHCP messages. This option is used in particular in large metropolitan Ethernet deployments that require centralized management of IP addresses for a large number of users.
How does DHCP Option 82 work?
When DHCP Snooping is enabled on a Cisco Catalyst or Cisco Nexus switch, the switch automatically inserts the Option 82 field into the client's DHCP messages. This field contains information that lets the DHCP server determine which relay agent (such as a switch or router) forwarded the DHCP request and on which physical port it was received.
Option 82 Details
- Relay Agent Information: this field carries information about the relay agent, such as:
  - IP address of the ingress port (the port through which the DHCP packet entered the switch)
  - MAC address of the ingress port
  - Additional information about the network or DHCP configuration
- Application in large networks: in large networks such as metropolitan access networks, this field is used to identify DHCP sources more accurately and to help monitor IP address allocation. It lets network administrators track exactly which device and physical port a DHCP request came from.
How do switches add DHCP Option 82?
When DHCP Snooping is enabled, the switch automatically adds Option 82 to the DHCP messages sent by the client. The added information lets the DHCP server identify the source of the request and allocate IP addresses accurately according to the network's policy.
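Encoding and decoding the Option 82 TLV described above, as an added example that is not code from the article or from Cisco. It follows the RFC 3046 framing (sub-option 1 = Agent Circuit ID, sub-option 2 = Agent Remote ID); the inner layout of the two sub-options (VLAN/module/port in the circuit ID, the switch MAC in the remote ID) is assumed to follow the Cisco default format, and the VLAN, port and MAC values are constructed.

```python
# Added example, not code from the article: encoding and decoding the Option 82 TLV
# of RFC 3046 (sub-option 1 = Agent Circuit ID, 2 = Agent Remote ID). The inner
# layout (VLAN/module/port, switch MAC) assumes the Cisco default; values are constructed.
import struct

OPTION_82, OPTION_END, OPTION_PAD = 82, 255, 0
CIRCUIT_ID, REMOTE_ID = 1, 2

def build_option82(vlan, module, port, switch_mac):
    """Encode Option 82 as the relay agent would insert it into a client message."""
    circuit = b"\x00\x04" + struct.pack("!HBB", vlan, module, port)    # type 0, len 4
    remote = b"\x00\x06" + bytes.fromhex(switch_mac.replace(":", ""))  # type 0, len 6
    body = bytes([CIRCUIT_ID, len(circuit)]) + circuit
    body += bytes([REMOTE_ID, len(remote)]) + remote
    return bytes([OPTION_82, len(body)]) + body

def find_option82(options):
    """Walk a DHCP options field (after the magic cookie); return the raw Option 82 TLV or None."""
    i = 0
    while i < len(options) and options[i] != OPTION_END:
        if options[i] == OPTION_PAD:        # one-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if options[i] == OPTION_82:
            return options[i:i + 2 + length]
        i += 2 + length
    return None

def parse_option82(opt):
    """Decode an Option 82 TLV into its circuit-id and remote-id fields."""
    if len(opt) < 2 or opt[0] != OPTION_82 or opt[1] != len(opt) - 2:
        raise ValueError("malformed Option 82")
    subs, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt) or i + 2 + opt[i + 1] > len(opt):
            raise ValueError("truncated sub-option")
        code, length = opt[i], opt[i + 1]
        subs[code] = opt[i + 2:i + 2 + length]
        i += 2 + length
    out = {}
    if subs.get(CIRCUIT_ID, b"")[:2] == b"\x00\x04" and len(subs[CIRCUIT_ID]) == 6:
        vlan, module, port = struct.unpack("!HBB", subs[CIRCUIT_ID][2:6])
        out["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
    if subs.get(REMOTE_ID, b"")[:2] == b"\x00\x06" and len(subs[REMOTE_ID]) == 8:
        out["remote_id"] = ":".join(f"{b:02x}" for b in subs[REMOTE_ID][2:8])
    return out
```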
Benefits of using DHCP Option 82:
- Added security: adding Option 82 to DHCP messages helps detect and prevent DHCP spoofing, because the switch can tell whether a message arrived on a trusted or an untrusted port.
- Better management: network administrators get accurate information about which ports and devices are requesting IP addresses.
- Accurate IP address allocation: using the information carried in Option 82, the DHCP server can allocate IP addresses according to the physical location of devices on the network.
DHCP Option 82 is not widely used in organizations, but it can provide an extra layer of security if the DHCP server supports it. For example, the DHCP server in Windows Server 2012 or 2016 supports Option 82, allowing network administrators to create DHCP Policies that control the allocation of IP addresses to specific switches on the network.
Configuring DHCP Option 82 Policies
Network administrators can use Option 82 to create DHCP policies that limit the allocation of IP addresses to specific switches on the network. This feature is especially useful on large networks that have multiple switches or Relay Agents. This capability helps the DHCP server to restrict the assignment of IP addresses to specific devices and ports.
Conclusion:
Although DHCP Option 82 is not typically used in organizations, when supported by a DHCP server, it can provide additional security and more granular control over the allocation of IP addresses to the network.
Man-in-the-middle attacks and network disruptions caused by fraudulent DHCP servers are serious security threats that organizations face on a daily basis. In this article, we explained how Man-in-the-Middle attacks allow attackers to gain access to network traffic, which can lead to the disclosure of sensitive data being transmitted between servers and clients. We also explained what DHCP Snooping is, how it works, and how it can effectively protect the network from these attacks.
We looked at the types of traffic blocked by DHCP Snooping, the syslog messages raised on violations, and the purpose and operation of the DHCP Snooping Binding Database. Finally, we covered DHCP Snooping Option 82 and explained how this feature can help strengthen the security and management of IP address allocation on the network.