At times, a malicious user may attempt to install a rogue DHCP server on the network in the hope that potential client devices become victims. We need to remember a few things about the DHCP server: it provides the IP address, subnet mask, default gateway, and DNS server configurations to clients. The default gateway is used to forward traffic destined for a network outside of the LAN, and the DNS server resolves hostnames and IP address. What if the clients are using another default gateway and/or a compromised DNS server with false DNS entries? The following table shows the switches and the classification of ports as trusted/untrusted:

When the DHCP snooping features are configured on a Cisco switch, it immediately converts all ports to become untrusted ports. An untrusted port prevents any DHCP Offer and DHCP ACK messages from entering the switch port. However, the port that the DHCP server is connected to must be manually configured as a trusted port:

The following describes how the DHCP snooping feature actually functions:

1. The DHCP snooping is enabled with the switch, the untrusted ports will forward only DHCPDISCOVER and DHCPREQUEST packets to the DHCP Server. The trusted port would only forward DHCP Offer and DHCP Ack packets back to the DHCP client.

2. When the attacker sends multiple fake DHCPDISCOVER messages to the server, the CPU utilization of the DHCP server goes up, and at some point the server will be out of IP addresses for that particular network in its pool. To avoid this, the DHCP snooping feature rate limits the DHCP traffic from trusted and untrusted sources so that only one DHCPDISCOVER message can be sent by the client.
3. If any untrusted port exceeds the number of DHCPREQUEST messages, the port goes into an err-disabled state.
4. When DHCP snooping is enabled and configured, the switch maintains a DHCP snooping database that is used to keep track of untrusted sources, their leased IP address, and all the other TCP/IP settings.
5. DHCP snooping can also be enabled for a particular VLAN of the switch interface. By default, it is disabled on all the VLAN interfaces.

A DoS attack is a process by which an attacker tries to create a disturbance in the network by triggering unwanted traffic, and this disables the network. The objective of this attack is to not allow network services to be available to legitimate users.

DoS attacks look legitimate, but the size of the traffic might increase to a level that cannot be managed by the victim, for example:

• Ping of Death (PoD): Sending continuous ICMP messages that cause the victim to crash or be unable to respond to legitimate requests
• TCP SYN flood: Simply creating a half-open TCP session on the victim server, thereby halting the services offered by the victim