Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is the de facto standard for automatically assigning IP addresses to hosts. When a client wants an address, it broadcasts a DHCP discover message from UDP source port 68 to UDP destination port 67. Because the client does not yet have an address, the packet is sent from 0.0.0.0 to the broadcast address 255.255.255.255.
When a DHCP server receives the discover message, it sends a DHCP offer back to the client's MAC address. The offer contains the IP address being offered, the subnet mask, the lease duration and the IP address of the DHCP server itself (the server identifier).
Server responses are directed to the client on UDP port 68. The client then replies with a DHCP request message asking for the offered address and naming the server whose offer it accepted, since more than one server may have answered. Finally, the server sends a DHCP ack message back to the client. This packet confirms the lease duration and carries any other options the client requested. The exchange (discover, offer, request, ack) is now complete. The DHCP server is configured with a pool for each segment of the network; a pool is a range of IP addresses to hand out to clients on that segment.
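The four-message exchange described above, as an added example that is not part of the original article: a minimal encoder and decoder for the DHCP wire format (the RFC 2131 fixed fields followed by RFC 2132 options) and a constructed stand-in server holding one pool, run through discover, offer, request and ack entirely in memory so both sides' messages can be inspected. The 192.0.2.0/24 addresses, the client MAC addresses and the PoolServer class are assumptions made for this example; the server is a teaching model, not a real DHCP implementation.

```python
import struct
import ipaddress

# RFC 2131 fixed part: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
# giaddr, chaddr (16 bytes), sname (64), file (128). The magic cookie and RFC 2132 options follow.
_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2                  # op: client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 message types used here
OPT_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def ip_bytes(text):
    return ipaddress.IPv4Address(text).packed


def ip_text(raw):
    return str(ipaddress.IPv4Address(raw))


def build(op, xid, chaddr, msg_type, options=(), yiaddr="0.0.0.0"):
    """Encode one DHCP message. chaddr is the 6-byte client MAC; options are (code, bytes) pairs."""
    zero = ip_bytes("0.0.0.0")
    fixed = _FIXED.pack(op, 1, 6, 0, xid, 0, 0, zero, ip_bytes(yiaddr), zero, zero,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(data):
    """Decode a DHCP message; raises ValueError on anything malformed or truncated."""
    if len(data) < _FIXED.size + 4 or data[_FIXED.size:_FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = _FIXED.unpack_from(data)
    msg = {"op": f[0], "xid": f[4], "yiaddr": ip_text(f[8]), "chaddr": f[11][:f[2]], "options": {}}
    i = _FIXED.size + 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                       # pad option: a single byte with no length
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % data[i])
        msg["options"][data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    if OPT_MSG_TYPE not in msg["options"]:
        raise ValueError("missing DHCP message type option")
    msg["type"] = msg["options"][OPT_MSG_TYPE][0]
    return msg


class PoolServer:
    """Constructed stand-in for a DHCP server holding one pool for one segment (example only)."""

    def __init__(self, server_ip, pool, mask, router, dns, lease_secs):
        self.server_ip, self.free, self.offered, self.leased = server_ip, list(pool), {}, {}
        self.opts = [(OPT_MASK, ip_bytes(mask)), (OPT_ROUTER, ip_bytes(router)), (OPT_DNS, ip_bytes(dns)),
                     (OPT_LEASE, struct.pack("!I", lease_secs)), (OPT_SERVER_ID, ip_bytes(server_ip))]

    def handle(self, data):
        """Answer a client message with the server's reply bytes, or None when there is no reply."""
        m = parse(data)
        if m["type"] == DISCOVER:
            if m["chaddr"] not in self.offered:
                if not self.free:
                    return None            # pool exhausted: a real server simply stays silent
                self.offered[m["chaddr"]] = self.free.pop(0)
            return build(BOOTREPLY, m["xid"], m["chaddr"], OFFER, self.opts, yiaddr=self.offered[m["chaddr"]])
        if m["type"] == REQUEST:
            wanted = ip_text(m["options"].get(OPT_REQ_IP, b"\0\0\0\0"))
            # The request names the server whose offer was accepted; other servers withdraw their offers.
            if m["options"].get(OPT_SERVER_ID) != ip_bytes(self.server_ip) or self.offered.get(m["chaddr"]) != wanted:
                return None                # not our offer, or not what we offered (a real server may NAK)
            self.leased[m["chaddr"]] = self.offered.pop(m["chaddr"])
            return build(BOOTREPLY, m["xid"], m["chaddr"], ACK, self.opts, yiaddr=wanted)
        return None


def dora(server, chaddr, xid):
    """Run the discover/offer/request/ack exchange for one client and return the resulting lease."""
    reply = server.handle(build(BOOTREQUEST, xid, chaddr, DISCOVER))
    if reply is None:
        raise RuntimeError("no offer received")
    offer = parse(reply)
    assert offer["op"] == BOOTREPLY and offer["type"] == OFFER and offer["xid"] == xid
    reply = server.handle(build(BOOTREQUEST, xid, chaddr, REQUEST,
                                [(OPT_REQ_IP, ip_bytes(offer["yiaddr"])),
                                 (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])]))
    if reply is None:
        raise RuntimeError("no ack received")
    ack = parse(reply)
    assert ack["type"] == ACK and ack["yiaddr"] == offer["yiaddr"]
    o = ack["options"]
    return {"ip": ack["yiaddr"], "mask": ip_text(o[OPT_MASK]), "router": ip_text(o[OPT_ROUTER]),
            "dns": ip_text(o[OPT_DNS]), "lease": struct.unpack("!I", o[OPT_LEASE])[0],
            "server": ip_text(o[OPT_SERVER_ID])}


if __name__ == "__main__":
    # Constructed segment: server 192.0.2.1 with a two-address pool (RFC 5737 documentation range).
    srv = PoolServer("192.0.2.1", ["192.0.2.50", "192.0.2.51"], "255.255.255.0", "192.0.2.1", "192.0.2.53", 86400)
    print(dora(srv, bytes.fromhex("001122334455"), 0x3903F326))
```

Running it prints the lease the client ends up with: the address from the pool plus the mask, router, DNS server, lease time and server identifier carried in the ack. A third client against the two-address pool gets no offer at all, which is exactly the condition a starvation attack aims to create.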
A Dynamic Host Configuration Protocol (DHCP) server will also assign each segment its own default gateway, DNS servers and possibly other options. A DHCP server need not be directly connected to a segment. Routers can be configured with a DHCP relay feature (often called a DHCP helper), whereby the broadcast requests on that segment are forwarded as unicast to a centralized DHCP server for processing. This is frequently used in a Windows domain. An unauthorized DHCP server can cause havoc on a network. Often, they result from users plugging consumer wireless routers into the network backwards, that is, with the router's LAN side connected to the office network, so that the router's own DHCP server starts answering requests.
They then start handing out addresses on the network, providing a false default gateway, and ultimately orphaning clients. DHCP is, in essence, a foot race: generally, whichever server answers first wins, so an admin can never quite predict which clients will be affected. A malicious user can also introduce a rogue DHCP server deliberately to perform man-in-the-middle attacks, since a server that hands out itself as the default gateway or DNS server can route or redirect its victims' traffic. This can be mitigated via a couple of methods.
Many switches support a feature known as DHCP snooping. Depending on the manufacturer, only designated trusted ports (typically the uplink toward the real DHCP server or relay) are allowed to carry DHCP server messages such as offers and acks; server messages arriving on any other port are dropped. The switch generally also builds a binding table of the MAC and IP addresses of clients that obtained leases through specific ports. Another method is to filter user ports so that they cannot send packets to destination UDP port 68. Server-to-client messages are the only DHCP traffic addressed to that port, so the filter blocks a rogue server's replies without touching client requests, which go to port 67. It's not the most elegant method, but it is effective. DHCP starvation attacks are also possible.
DHCP pools have a finite number of addresses available. If a single client connects, requests and accepts an IP address, then changes its MAC address and repeats, it will eventually exhaust all of the available addresses. Any new clients that attempt to connect will be denied an IP address and thus fail to join the network; an attacker who also runs a rogue server at that point has the only addresses left to offer. To mitigate this, the concept of port security is employed. This allows you to set a finite number of MAC addresses that may appear on a port.
This number is usually set somewhere around 10, which is more than enough for common configurations. Note that port security counts the source MAC address of the Ethernet frames; a starvation tool that keeps one source MAC address and only varies the client hardware address inside the DHCP message will get past it, which is why DHCP snooping implementations typically also verify that the two match and rate-limit DHCP traffic on untrusted ports. Dynamic Host Configuration Protocol (DHCP) is a protocol you will encounter daily. Now, you can better understand and protect your DHCP configurations.
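To make the snooping, port-filtering, starvation and port-security discussion above concrete, here is an added example that is not part of the original article and is not any vendor's code: a model of the decisions an access switch makes for each DHCP message it sees. It accepts server messages only on trusted ports, requires the DHCP client hardware address to match the frame's source MAC, caps the distinct MACs per port and rate-limits DHCP per port, then runs a constructed stream containing a normal lease, a home router plugged in backwards, two flavours of starvation and a flooding client. The port names, MAC addresses, thresholds and the event stream are all assumptions made for the example.

```python
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # message types only a DHCP server sends


class SnoopingSwitch:
    """Access switch applying a DHCP-snooping style policy (constructed model, not vendor code)."""

    def __init__(self, trusted_ports, max_macs_per_port=10, max_pps=15):
        self.trusted = set(trusted_ports)     # uplink(s) toward the real DHCP server or relay
        self.max_macs = max_macs_per_port     # port-security limit on distinct source MACs
        self.max_pps = max_pps                # DHCP packets per second allowed on an untrusted port
        self.bindings = {}                    # client MAC -> (leased IP, client port)
        self.client_port = {}                 # client MAC -> untrusted port it last sent from
        self.macs_on_port = defaultdict(set)  # port -> frame source MACs seen
        self.recent = defaultdict(deque)      # port -> timestamps of DHCP packets in the last second
        self.drops = []                       # (port, message type, reason)

    def _drop(self, ev, reason):
        self.drops.append((ev["port"], ev["type"], reason))
        return "drop: " + reason

    def process(self, ev):
        """Return 'forward' or 'drop: <reason>' for one DHCP message seen by the switch."""
        port = ev["port"]
        # Rule 1: rogue-server mitigation. Offers and acks are only accepted on trusted ports, so a
        # home router plugged in backwards or an attacker's server on a user port never reaches clients.
        if ev["type"] in SERVER_MSGS:
            if port not in self.trusted:
                return self._drop(ev, "DHCP server message on untrusted port")
            if ev["type"] == "ACK":       # lease committed: record the binding against the client's port
                self.bindings[ev["chaddr"]] = (ev["yiaddr"], self.client_port.get(ev["chaddr"]))
            return "forward"
        if port in self.trusted:
            return "forward"              # client messages relayed in over the uplink are not policed
        # Rule 2: the DHCP client hardware address must equal the frame's source MAC. Port security
        # only sees frame source MACs, so a starvation tool that keeps one source MAC and rotates
        # the chaddr inside the DHCP payload would otherwise get past it.
        if ev["chaddr"] != ev["src_mac"]:
            return self._drop(ev, "chaddr does not match frame source MAC")
        # Rule 3: port security. More distinct source MACs than a port should ever carry is the
        # signature of starvation by MAC rotation.
        self.macs_on_port[port].add(ev["src_mac"])
        if len(self.macs_on_port[port]) > self.max_macs:
            return self._drop(ev, "MAC address limit exceeded (possible DHCP starvation)")
        # Rule 4: per-port DHCP rate limit over a sliding one-second window.
        window = self.recent[port]
        window.append(ev["t"])
        while window[0] <= ev["t"] - 1.0:
            window.popleft()
        if len(window) > self.max_pps:
            return self._drop(ev, "DHCP rate limit exceeded")
        self.client_port[ev["chaddr"]] = port
        return "forward"


def mac(n):
    return "aa:bb:cc:00:00:%02x" % n


def event(t, port, msg_type, src_mac, chaddr, yiaddr="0.0.0.0"):
    return {"t": t, "port": port, "type": msg_type, "src_mac": src_mac, "chaddr": chaddr, "yiaddr": yiaddr}


def run_demo():
    """Feed a constructed stream of DHCP messages through the policy; returns (switch, decisions)."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    events = [
        # A normal lease for the client on Gi1/0/3; the server's replies arrive over the trusted uplink.
        event(0.00, "Gi1/0/3", "DISCOVER", mac(1), mac(1)),
        # A home router plugged in backwards on Gi1/0/7 answers the same discover first.
        event(0.05, "Gi1/0/7", "OFFER", "f4:f2:6d:00:00:07", mac(1), "192.168.0.2"),
        event(0.10, "Gi1/0/48", "OFFER", "00:50:56:00:00:01", mac(1), "192.0.2.50"),
        event(0.20, "Gi1/0/3", "REQUEST", mac(1), mac(1)),
        event(0.30, "Gi1/0/48", "ACK", "00:50:56:00:00:01", mac(1), "192.0.2.50"),
    ]
    # Starvation by MAC rotation on Gi1/0/9: twelve discovers, each from a fresh MAC.
    events += [event(1.0 + i * 0.01, "Gi1/0/9", "DISCOVER", mac(100 + i), mac(100 + i)) for i in range(12)]
    # Starvation that keeps one source MAC but forges the chaddr (port security alone would miss this).
    events += [event(2.0 + i * 0.01, "Gi1/0/9", "DISCOVER", mac(100), mac(200 + i)) for i in range(3)]
    # One client on Gi1/0/5 blasting twenty discovers in half a second.
    events += [event(3.0 + i * 0.025, "Gi1/0/5", "DISCOVER", mac(5), mac(5)) for i in range(20)]
    return sw, [sw.process(e) for e in events]


if __name__ == "__main__":
    switch, decisions = run_demo()
    print(decisions.count("forward"), "forwarded,", len(switch.drops), "dropped")
    for drop in switch.drops:
        print(drop)
```

The rogue offer on Gi1/0/7 is dropped before any client sees it, the MAC-rotation attack is cut off at the port-security limit, the forged-chaddr variant is caught by the source-MAC check that port security alone would miss, and the flooding client is held to the per-port rate. On Cisco IOS switches the corresponding knobs are `ip dhcp snooping` with `ip dhcp snooping trust` on the uplink, `ip dhcp snooping verify mac-address` for the chaddr check, `ip dhcp snooping limit rate` per port and `switchport port-security maximum` for the MAC cap; other vendors have equivalents under different names.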
Author: Hamza Arif