In the early years of the internet, it was common to simply use a spreadsheet to manually assign and track IP addresses. Organizations were given generous pools of addresses that were not widely distributed, and most network devices were desktops rather than mobile. This soon got out of hand as networks grew and mobile devices became the norm. Problems started cropping up: address conflicts, critical servers falling offline, and it became clear that IP addresses needed to be organized. There was also a need to automate network configuration to reduce manual intervention during installation and changes. DHCP helped with all of these issues.
What is DHCP?
DHCP was developed by the Dynamic Host Configuration working group of the Internet Engineering Task Force (IETF) to build an automated process for handling the proliferation of IP addresses and the conflicts that came with it. The purpose was to provide a standardized method of automatically assigning IP addresses to hosts (network devices) in a clean and concise manner. The goals were to avoid wasting IP addresses, to avoid assigning the same address twice, and to reclaim addresses that were no longer in use. The original specification is RFC 1541 – Dynamic Host Configuration Protocol; it has since been obsoleted by RFC 2131, which is the version current implementations follow.
Before DHCP, addresses were assigned manually, and this led to many problems. Among them: multiple admins with access to the same pool of addresses assigning the same address to different hosts at the same time, or undocumented assignments leaving holes in what looked like unused address space. It was extremely confusing and led to many “mysterious” problems cropping up on the network.
Troubleshooting was also very difficult, and locating address problems was cumbersome and time-consuming. It’s important to keep in mind that at the beginning of networking there were more than enough IPv4 addresses available and far fewer network-connected devices. As a result, network address assignment was not given much attention, and addressing was done in a haphazard manner. So the problem grew as networks grew.
How does it work?
DHCP works via the relationship between a DHCP server and a DHCP client. Normally, you configure a specific device on your network to act as the server. In smaller networks this is often the “default gateway”, the primary upstream router of the device being installed. On larger networks and business networks, you’ll assign a dedicated server to perform this function. You may have multiple routers, as well as switches with routing capability, because you want to maintain maximum uptime; if one of your routers is taken down or fails, you don’t want the rest of the network to lose access to its DHCP server. A dedicated server (and usually a second one for redundancy) solves this problem.
When a device is set up, you either specify an IP address, subnet mask, default gateway, and DNS server for it to use, or you simply configure it for DHCP. In the latter case, as soon as it connects to the network it broadcasts a “DHCPDISCOVER” packet. The client has no address yet, so this is a broadcast to 255.255.255.255 sent from 0.0.0.0; it reaches every host on the local segment, and it reaches the DHCP server only if the server is on that segment or a relay forwards it (see below). When the server receives the packet, it replies with a “DHCPOFFER” carrying a proposed address, the subnet mask, default gateway, DNS server, and lease time. The client then broadcasts a “DHCPREQUEST” naming the offered address and the server it chose, so that any other servers that made offers know they were not selected. The server answers with a “DHCPACK”, and only then does the client apply the configuration. This four-step exchange is often abbreviated DORA, and the setup is then complete.
Keep in mind that this address is now assigned to the device, but the assignment is a lease, not a permanent binding. A client normally asks for the same address again when it restarts, and most servers grant it, but if the lease expires while the device is off, or the server’s lease records are lost, the address goes back to the server’s pool and may eventually be handed to another device. This can be a problem for devices that need a consistent address all the time, such as print or application servers. In this case they need a permanent address: either a static IP address that you assign manually and that lies outside the DHCP server’s pool, or a reservation on the DHCP server that binds a fixed address to the device’s hardware (MAC) address.
The lease time is controlled on the server by specifying how long an address assignment lasts. A host that is still connected renews its lease before it expires, so a device that stays on the network keeps the same address; by default a client attempts renewal with its server at half the lease time and, if that server does not respond, broadcasts a request to any server at 87.5 percent of the lease time (the T1 and T2 timers of RFC 2131).
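To make the exchange and the lease values above concrete, here is an added example, written for this article and not taken from the DHCP RFCs or from any DHCP implementation. It encodes and decodes RFC 2131 messages and runs DISCOVER/OFFER/REQUEST/ACK between a toy client and a toy server in one process. The server address 192.0.2.2, the two-address pool, the gateway 192.0.2.1, and the DNS server 192.0.2.53 are assumed test values; the client applies its configuration only after the ACK, and the renew and rebind times are the RFC 2131 defaults of 50% and 87.5% of the lease.

```python
"""Minimal DHCP (RFC 2131) encoder/decoder plus an in-process DORA exchange.
Example code for this article, not a real DHCP implementation; addresses are assumed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6      # option 53 message types
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6                # RFC 2132 option codes
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"                    # fixed 236-byte BOOTP header

def build(op, xid, chaddr, options, yiaddr="0.0.0.0", flags=0x8000):
    """Encode one DHCP message. options is a list of (code, value_bytes)."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

def parse(data):
    """Decode a DHCP message into its header fields and an options dict."""
    f = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                       # pad option carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]], "options": opts}

class Server:
    """Toy DHCP server: one pool, one lease time, bindings keyed by client MAC."""

    def __init__(self, server_ip, pool, lease_secs=3600):
        self.ip, self.free, self.bindings, self.lease = server_ip, list(pool), {}, lease_secs

    def _options(self, msg_type, extra=()):
        return [(OPT_MSG_TYPE, bytes([msg_type])),
                (OPT_SERVER_ID, IPv4Address(self.ip).packed), *extra]

    def _config(self, ip):
        # Assumed test-network settings handed out alongside the address.
        return [(OPT_LEASE, struct.pack("!I", self.lease)),
                (OPT_SUBNET, IPv4Address("255.255.255.0").packed),
                (OPT_ROUTER, IPv4Address("192.0.2.1").packed),
                (OPT_DNS, IPv4Address("192.0.2.53").packed)]

    def handle(self, data):
        """Process one client message; return reply bytes, or None to stay silent."""
        msg = parse(data)
        mac, mtype = msg["chaddr"], msg["options"][OPT_MSG_TYPE][0]
        if mtype == DISCOVER:
            # Re-offer a client's existing binding, else take the next free address.
            ip = self.bindings.get(mac) or (self.free.pop(0) if self.free else None)
            if ip is None:
                return None       # pool exhausted: the state a starvation attack creates
            self.bindings[mac] = ip
            return build(BOOTREPLY, msg["xid"], mac, self._options(OFFER, self._config(ip)),
                         yiaddr=ip, flags=msg["flags"])
        if mtype == REQUEST:
            wanted = str(IPv4Address(msg["options"][OPT_REQUESTED_IP]))
            if self.bindings.get(mac) != wanted:
                return build(BOOTREPLY, msg["xid"], mac, self._options(NAK), flags=msg["flags"])
            return build(BOOTREPLY, msg["xid"], mac, self._options(ACK, self._config(wanted)),
                         yiaddr=wanted, flags=msg["flags"])
        return None

def client_exchange(server, mac, xid=0x3903F326):
    """Run DISCOVER/OFFER/REQUEST/ACK for one client; return the resulting config."""
    offer = server.handle(build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))]))
    if offer is None:
        return None               # nobody answered: pool empty or no server on the segment
    o = parse(offer)
    # The client does not configure itself from the OFFER. It requests the offered
    # address, names the server it chose, and applies the settings only once ACKed.
    ack = parse(server.handle(build(BOOTREQUEST, xid, mac, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, IPv4Address(o["yiaddr"]).packed),
        (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])])))
    if ack["options"][OPT_MSG_TYPE][0] != ACK:
        return None               # NAK: the client must start over with a new DISCOVER
    lease = struct.unpack("!I", ack["options"][OPT_LEASE])[0]
    return {"ip": ack["yiaddr"], "lease": lease,
            "mask": str(IPv4Address(ack["options"][OPT_SUBNET])),
            "gateway": str(IPv4Address(ack["options"][OPT_ROUTER])),
            "dns": str(IPv4Address(ack["options"][OPT_DNS])),
            "renew_at": lease // 2,           # T1 default: renew at 50% of the lease
            "rebind_at": lease * 7 // 8}      # T2 default: rebind at 87.5% of the lease
```

With a pool of two addresses, the first two clients get 192.0.2.10 and 192.0.2.11 with a one-hour lease (renew at 1800 s, rebind at 3150 s), a third client gets None because the pool is empty, and a client that returns is re-offered its previous binding, which is why a rebooted device usually keeps its address. A REQUEST for an address the server never bound to that client is answered with a NAK.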
Another feature is the DHCP relay. This lets you centralize your DHCP server in one location: because DHCPDISCOVER is a broadcast and routers do not forward broadcasts, a relay agent on the upstream switch or router forwards the client’s messages as unicast to the central server and returns the replies to the client’s segment (the relay records its own address in the giaddr field so the server knows which subnet to allocate from). This avoids the hassle and cost of running a separate DHCP server on every segment and is designed for larger, more complex networks.
Why is it so important?
DHCP accomplishes several things that are very important to any network manager. The most important, as stated above, is eliminating conflicting IP addresses, a critical issue because conflicts create outages in your network. Even small networks can get out of hand quickly. For instance, say you are a network manager installing a new application server. You assign it an address from your manual spreadsheet, bring the server up, and everything is fine. It is a critical server running your company’s primary business software. But you didn’t document the address correctly; simple human error happens all the time. A few days later one of your technicians installs a new workstation and uses the same address. Now there is a conflict, and the server drops off the network every time the new workstation boots. This can cause major outages and create all kinds of havoc in your company, affecting company business.
The same issues can happen with an incorrect subnet mask, an incorrect default gateway, or an incorrect DNS entry. All of these are manual settings that a DHCP server can now hand out centrally, which in turn reduces the number of configuration errors on your network. It’s the network manager’s job to always be looking for ways to make things more error-free and more efficient. That saves time and money, and a consistent, centrally controlled configuration is also easier to secure.
These problems can appear even in small networks and build quickly. In large networks with multiple segments and multiple subnets they multiply and can turn into a disaster.
How does DHCP affect security?
Security is certainly an issue with DHCP, because the base protocol has no authentication: any host on a segment can answer a DHCPDISCOVER with an offer, and any host can request as many addresses as it likes. (RFC 3118 defines an authentication option for DHCP messages, but it is rarely deployed.) There are numerous attack vectors that use DHCP, and they must be addressed. In practice the network manager has to rely on controls outside the protocol itself, mainly on the switches, to ensure secure assignment, retirement, and control of IP addresses.
One of the most common DHCP attacks is a man-in-the-middle attack through a rogue DHCP server. The attacker inserts themselves into the DHCP assignment process by running their own DHCP server on the segment. No address spoofing is required: clients accept the first DHCPOFFER they receive, so a rogue server that answers faster than the legitimate one wins the race. The rogue server then hands out offers whose default gateway and DNS server options point at the attacker, so the victims’ traffic is routed through the attacker’s host and their name lookups are answered by the attacker’s resolver. That is enough to intercept, alter, or redirect the victims’ traffic without touching the devices themselves.
The first line of defence is to keep untrusted hosts off your network in the first place. This means good AAA systems (authentication, authorization, and accounting): sound password management, proper authentication techniques and tools such as 802.1X port authentication, strong authorization policies and procedures, and systems that log and record what happens on your network. Keep in mind, though, that a rogue DHCP server is not always malicious; a consumer router plugged into a wall jack with its DHCP server still enabled causes exactly the same problem, so the switch-level controls described below are needed regardless.
DHCP starvation attack
A related attack is DHCP starvation. Here the attacker floods the legitimate server with DHCPDISCOVER (and DHCPREQUEST) messages, each carrying a different, forged client hardware address (chaddr), so the server leases an address to each fake client and its scope runs dry. Once the pool is exhausted, the legitimate server can no longer answer real clients, and the attacker’s rogue DHCP server becomes the only one that does, so legitimate devices start receiving the intruder’s addresses, gateway, and DNS settings.
A good way to defend against both attacks is DHCP snooping together with port security on the access switches. DHCP snooping marks the port facing the legitimate server (or the relay toward it) as trusted and drops DHCPOFFER, DHCPACK, and DHCPNAK messages arriving on any other port, so a rogue server on an access port never reaches a client. Port security limits the number of source MAC addresses a port may use, which stops an attacker who changes the frame’s source MAC for every request. Note that starvation tools often keep the real source MAC and forge only the chaddr inside the DHCP payload, which bypasses port security; so also enable the snooping check that compares chaddr with the frame’s source MAC, and rate-limit DHCP messages on untrusted ports. Using a relay so that the server sits in one controlled location also limits rogue servers on other segments. Now requests can only be serviced from a trusted port.
Another layer is a custom alert on your network management system that flags suspicious packets, such as “DHCPOFFER” packets whose source address is not the known legitimate DHCP server, or that arrive from a segment or port other than the one the server is on.
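As an added example of the alerting just described and of the starvation and chaddr checks from the previous paragraphs, the following script, written for this article and not part of any product, runs three detections over constructed log lines (the key=value log format is invented here; a real deployment would feed it from DHCP snooping logs or a packet capture). The trusted server 192.0.2.2, the trusted uplink port Gi1/0/48, and the 20-MACs-in-10-seconds starvation threshold are assumptions.

```python
"""Rogue-server, chaddr-forgery and starvation detection over constructed DHCP log lines.
Example code for this article; the log format, ports and addresses are invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TRUSTED_SERVERS = {"192.0.2.2"}     # assumed: the only legitimate DHCP server
TRUSTED_PORTS = {"Gi1/0/48"}        # assumed: the uplink toward that server or its relay
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
STARVE_WINDOW = timedelta(seconds=10)
STARVE_THRESHOLD = 20               # distinct client MACs per port within the window

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict, with the timestamp under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def analyse(lines):
    """Return a list of (alert_kind, port, detail) tuples, in the order they fire."""
    alerts, recent, starved = [], defaultdict(deque), set()
    for line in lines:
        ev = parse_line(line)
        # 1. Server-to-client messages are legitimate only from the known server on the
        #    trusted port; anything else is a rogue server (the DHCP snooping rule).
        if ev["type"] in SERVER_MSGS and (
                ev["srcip"] not in TRUSTED_SERVERS or ev["port"] not in TRUSTED_PORTS):
            alerts.append(("rogue_server", ev["port"], ev["srcip"]))
        if ev["type"] != "DHCPDISCOVER":
            continue
        # 2. The chaddr inside the payload should match the frame's source MAC;
        #    starvation tools forge chaddr while the NIC keeps its real MAC.
        if ev["chaddr"] != ev["srcmac"]:
            alerts.append(("chaddr_mismatch", ev["port"], ev["chaddr"]))
        # 3. Many distinct client MACs on one access port in a short window is a
        #    starvation attempt; alert once per port when the threshold is crossed.
        q = recent[ev["port"]]
        q.append((ev["ts"], ev["chaddr"]))
        while ev["ts"] - q[0][0] > STARVE_WINDOW:
            q.popleft()
        distinct = {mac for _, mac in q}
        if len(distinct) >= STARVE_THRESHOLD and ev["port"] not in starved:
            starved.add(ev["port"])
            alerts.append(("starvation", ev["port"], len(distinct)))
    return alerts

def _stamp(dt):
    return dt.isoformat().replace("+00:00", "Z")

def _constructed_sample():
    """Constructed log: one normal client and the legitimate OFFER to it, then a
    25-address starvation burst on Gi1/0/7 from a single NIC, then a DHCPOFFER
    from an unknown server on that same port."""
    base = datetime(2024, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f"{_stamp(base)} port=Gi1/0/3 srcmac=aa:bb:cc:00:00:01 srcip=0.0.0.0 "
             "chaddr=aa:bb:cc:00:00:01 type=DHCPDISCOVER",
             f"{_stamp(base)} port=Gi1/0/48 srcmac=00:50:56:00:00:02 srcip=192.0.2.2 "
             "chaddr=aa:bb:cc:00:00:01 type=DHCPOFFER"]
    for i in range(1, 26):
        lines.append(f"{_stamp(base + timedelta(milliseconds=200 * i))} port=Gi1/0/7 "
                     "srcmac=00:11:22:33:44:55 srcip=0.0.0.0 "
                     f"chaddr=02:00:00:00:00:{i:02x} type=DHCPDISCOVER")
    lines.append(f"{_stamp(base + timedelta(seconds=6))} port=Gi1/0/7 "
                 "srcmac=00:11:22:33:44:55 srcip=192.0.2.99 "
                 "chaddr=aa:bb:cc:00:00:01 type=DHCPOFFER")
    return lines

SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

On the constructed sample the normal client on Gi1/0/3 and the OFFER from 192.0.2.2 on the trusted port raise nothing; the burst on Gi1/0/7 produces one chaddr_mismatch alert per forged address, a single starvation alert when the twentieth distinct MAC appears, and the OFFER from 192.0.2.99 is flagged as a rogue server. The port check matters as much as the address check: an OFFER carrying the legitimate server’s address but arriving on an access port is still flagged, which is what catches an attacker who does spoof the server’s IP.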