Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Features 2019

1Korenix Technology www.korenix.com
IEC62443 Cyber Security Series (1) –
Defend Your DHCP Infrastructure
Against Cyber Attacks
Executive Summary
Cyberthreats have become severe concern for industrial automation. The IEC62443
standard, Security for Industrial Automation and Control Systems, defines the security
requirements from component level, system level, to policy and procedures level, as a
guidance for product vendors, system integrators, and asset owners. This document,
addressing DHCP protocol, its vulnerabilities and how to protect a DHCP infrastructure, is
a reference for whom it may concern network security at the system level of IEC62443.
DHCP In Automation Industry and How It Works
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol that
simplifies network configuration, reduces manual operation, and enhances scalability of a
system. It bases on a client-server architecture, where a server maintains a database,
processes clients’ requests, and assigns network configurations to them. It has been
widely used in industrial automation and control systems. Many industrial components,
such as HMIs, SCADAs, PLCs, I/Os, surveillance cameras have come with this feature by
default. While enjoying its benefits, to understand how it works and the risks is required.
TECHNICAL NOTE
JJ Sun, PSM

The below diagram shows the basic transaction about how an IP address is assigned
between a DHCP server and a client:
This process is often abbreviated as DORA (Discovery, Offer, Request, and Ack). Please
note that DHCP protocol takes advantage of broadcasting, which floods messages to
every device on the LAN. While DISCOVER message is broadcasted to find a DHCP server,
OFFER and REQUEST messages are also broadcasted to make sure all DHCP servers (if
more than one) aware of this transaction. Broadcasting is convenient; however, it opens a
wide interface to cyberattacks.
Cyber Attacks to DHCP Infrastructure
Today DHCP is available on most network devices, such as computers, laptops, switches,
routers, wireless access points and so on. One can simply, by intention or by mistake,
disturb the operation of a DHCP infrastructure. The most common attacks are man-in-
the-middle attack (DHCP spoofing) and deny-of-service attack (DHCP Starvation).

DHCP spoofing is a cyberattack from a rogue DHCP server which scrambles a normal
transaction. This is how it happens:
As shown in the diagram, the client’s DISCOVER message is broadcasted. Both the
legitimate and the rogue server receive it and start to OFFER, however, according to
DHCP protocol, the client only takes the OFFER which returns first. In this case, the client
accepts the wrong IP address from the rogue server. The system is compromised.
DHCP Starvation, a type of denial-of-service attack, happens when a malicious client
exhausts the server’s IP address pool by requesting more addresses than available. The
server cannot assign IP address anymore and the system is down.
There are DHCP starvation applications for download from internet. One can simply install
the application and issue attacks. Below diagram shows how such kind of application
requests IP addresses by fabricated DISCOVER messages.

Defense Against DHCP Attacks
DHCP protocol was not designed with comprehensive security considerations. Attacks to
DHCP can be easily done without complicated networking knowledge or IT skills. To
against DHCP attacks by additional cybersecurity mechanism is essential and critical. From
network security perspective, the most effective way is to deploy protection on the front
line, where DHCP messages inject to the network. This is where DHCP Snooping comes
into play.
DHCP Snooping is a network security feature implemented on switches or routers. As
indicated by the name, it snoops DHCP messages when messages come to a port, checks
if they are from trusted sources, validates the payload, forwards correct messages and
discards incorrect ones. It ensures that network configurations can be done correctly. The
detailed behaviors and benefits are:

 Switch ports are configured into trusted or untrusted.
Trusted ports are the ports toward trusted sources, the legitimate DHCP servers. A
legitimate server can be an administrative workstation, a switch, or a router that
runs DHCP server service. Untrusted ports are the ports toward all the other devices
including legitimate clients, rogue servers, or malicious clients.
DHCP Requests from untrusted ports are forwarded only to the trusted server, not
broadcasted, and only the trusted server can offer network configuration. This
prevents the rogue server from receiving DHCP messages and ensures that all
transactions are handled by the legitimate server as well.
 Validates and drops invalid messages. Messages are invalid for example:
Server messages (OFFER, ACK, NACK…) come from untrusted ports, or client
messages (DISCOVER, REQUEST…) with spurious payload, such as fabricated Mac
addresses. This blocks server messages from untrusted sources and filters attacks
from malicious clients.

 Builds and maintains a DHCP binding table.
The binding table includes information about the MAC address of a client, the
leased IP address, the lease time and so on. An entry in the binding table is created
when an IP address is leased, is updated upon renewal, and is deleted when the
leased IP address is expired or released.
The binding table is used in validating the packets of the subsequence renewal of
lease. Renewal requests with mismatched information to the binding table are
discarded.
Network switches or routers with DHCP Snooping enabled make two big differences to a
DHCP infrastructure. Firstly, the DHCP messages are picked up, validated and filtered,
instead of being broadcasted to everywhere. Secondly, valid messages are only forwarded
to trusted sources and only the configurations come from trusted sources are given to
clients.

Conclusion
DHCP protocol is not secure by nature and its vulnerabilities demand immediate
attention. The cybersecurity feature, DHCP Snooping, is a critical for those industrial
automation and control systems rely on DHCP services.
Addressing IEC62443, Korenix has been continuously implementing cutting edge
cybersecurity technologies, including DHCP Snooping, Dynamic ARP Inspection, IP Source
Guard, TACACS+, multi-level authentication and so on, which provide robust and secure
solution as your core of industrial data communication.
Korenix Technology, a Beijer group company within
the Industrial Data Communication business area, is a
global leading manufacturer providing innovative,
market-oriented, value-focused Industrial Wired and
Wireless Networking Solutions
Web: www.korenix.com
Email: sales@korenix.com
Phone: +886 28911 1000
Address: 14F, No.213, Sec. 3, Beixin Rd.,
Xindian Dist., New Taipei City 23143, Taiwan

Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Features 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Features 2019

Similar to Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Features 2019 (20)

More from Jiunn-Jer Sun

More from Jiunn-Jer Sun (20)

Recently uploaded

Recently uploaded (20)

Defend Your DHCP Infrastructure Against Cyber Attacks - Network Security Features 2019