Page Content

Tutorials

Load more

What Is DHCP Starvation Attack And DHCP Spoofing Attack

CCNA
Jetipalli Lavaya
Author: Jetipalli Lavaya
7 min.read

What is a DHCP Starvation Attack?

DHCP Starvation Attack
DHCP Starvation Attack

One kind of hostile cyberattack that mainly targets a network’s Dynamic Host Configuration Protocol (DHCP) server is called a DHCP Starvation Attack. The server’s pool of accessible IP addresses is a vital network resource that is intended to be exhausted by this clever Denial of Service (DoS) attacks.

DHCP’s primary function is to automatically assign IP addresses to computers connected to a network. Discover, Offer, Request, and Acknowledgement are the four packet types that make up the DHCP process. This mechanism is exploited by the hunger attack.

Mechanism of a DHCP Starvation Attack

Rapidly leasing every IP address that is accessible within the DHCP server’s set scope is the aim of the assault. The following crucial actions are taken as the attack progresses:

  • Forging DHCP Discover Packets: The attacker uses a tool (such as Yersinia or Gobbler) to rapidly generate and send a massive number of DHCP Discover messages (DHCPDISCOVER).
  • Spoofing MAC Addresses: Crucially, each of these bogus Discover messages contains a unique, forged/spoofed MAC address in the Client Hardware Address (chaddr) field of the DHCP header. The attacker changes the MAC address and the transaction ID with each request to ensure a new IP address is offered.
  • Server Allocation: The legitimate DHCP server attempts to respond to all these bogus messages. Because the server perceives each request as coming from a unique device, it responds with a DHCPOFFER, temporarily reserving an available IP address from its pool for that nonexistent client.
  • Pool Exhaustion (Starvation): This procedure keeps going until the server’s IP address pool is exhausted. For instance, the attacker sends N packets, where N is a significantly greater amount, if a server’s pool contains 254 addresses.

The attacker can either do the full DHCP handshake (DISCOVER/OFFER/REQUEST/ACKNOWLEDGE) for every counterfeit MAC address, which reserves the IPs for the duration of the lease, or they can repeatedly spam the DHCP DISCOVER packets, which temporarily reserves the IPs.

You can also read What is an Amplification Attack, How It Works and Prevention

Real-World Impacts

When a DHCP starvation attack is successful, two main things happen:

Denial of Service (DoS): Any new, authentic client attempting to connect to the network sends a DHCP Discover request, but is not assigned an IP address after the address pool is empty. For certain clients, this causes a denial of service (DoS), which stops them from connecting to the network or exchanging messages.

Facilitation of Man-in-the-Middle (MITM) Attacks: To deactivate the authentic DHCP server, DHCP starvation is frequently carried out before a DHCP spoofing attack. The attacker can create a rogue DHCP server once the real server has been starved. As the default gateway router and DNS server, this rogue server starts distributing IP addresses and harmful configuration settings. This makes a Man-in-the-Middle (MITM) attack possible by forcing the clients’ network traffic to pass through the attacker’s computer.

Prevention and Mitigation

Preventing DHCP Starvation attacks heavily relies on network switch security features:

DHCP Snooping (Most Effective)

This switch feature classifies ports as trusted (for the legitimate DHCP server) or untrusted (for end-user devices). It prevents DHCP offers/acknowledgements from untrusted ports. It also validates packets by checking if the source MAC address in the Ethernet frame header matches the MAC address in the DHCP header’s chaddr field; a mismatch causes the spoofed message to be discarded.

Port security

This limits the number of MAC addresses that can be learned on a single access port (e.g., 1–3). Since the attack requires thousands of unique forged MAC addresses from a single physical port, limiting the MAC count will block the attack after the limit is reached.

DHCP Message Rate Limiting

This feature, often part of DHCP Snooping, limits the number of incoming DHCP messages (like DHCPDISCOVER) processed per second per port. If the rate is exceeded, the switch transitions the port to an err-disabled state.

IP Source Guard

This uses the binding table created by DHCP snooping to ensure only the assigned IP/MAC pair can use a specific port.

DHCP Server Hardening

Administrators can use address reservation/static bindings for critical devices, monitor and alert on low pool thresholds, and use multiple DHCP servers for redundancy.

DHCP Spoofing

DHCP Spoofing
DHCP Spoofing

A serious network security threat known as “DHCP Spoofing” occurs when a malevolent device or attacker poses as a genuine Dynamic Host Configuration Protocol (DHCP) server on a local network. Another name for this assault is “running a rogue DHCP server.”

Unless particular network protections are put in place, a rogue server on the same Layer 2 network can readily reply to client requests because DHCP is, by nature, unauthenticated.

You can also read What is a DNS Spoofing Attack or DNS Cache Poisoning

How DHCP Spoofing Works

The attacker wants to use malicious network configuration settings to swiftly react to client requests. The typical DHCP communication procedure, often known as DORA (Discover, Offer, Request, ACK), is the foundation of the attack:

  • Rogue DHCP Server Setup: An unauthorized (rogue) DHCP server is set up by the attacker on the same network as the authentic server. It is possible to employ tools like dhcpd or dedicated spoofing software.
  • Victim Device Request: The attacker’s server can now send and reply to a DHCP discover message since they have configured a rogue DHCP server. On their own device (computer, smartphone, tablet, etc.), the victim will receive this message. The device will then connect to the local network and broadcast the discovery message, which requests an IP address. The target device will think that the DHCP server is making a valid request.
  • Malicious Response: The third phase focuses on the attacker’s plan to send the victim to malicious websites or ensure traffic passes via their device in order to enable Man-in-the-Middle (MITM) assaults. This occurs when the victim’s device receives a fraudulent DHCP offer from the rogue DHCP server described in step one. The offer includes an IP address and possibly other important network configurations, such as DNS and gateway.
  • Configuration Acceptance: The rogue server delivers an ACK with configuration parameters once the client sends a REQUEST after accepting the quicker offer.
  • Traffic Interception: Malicious network configuration information is contained in the rogue server’s response. In addition to setting the attacker’s IP address as the default gateway and DNS server, this information usually includes the client’s IP address.
  • Attack Execution: The attacker can intercept, monitor, change, or block network traffic by having the victim’s device configure itself using the attacker’s supplied settings and start sending its traffic through the rogue gateway.

Goals and Impacts of DHCP Spoofing

Man-in-the-Middle (MITM) and Denial of Service (DoS) assaults are the two main objectives of DHCP spoofing attacks.

Man-in-the-Middle (MITM) Attacks

The attacker can intercept all network traffic meant for the external network by posing as a rogue DHCP server and configuring itself as the client’s default gateway. The attacker can:

  • Track, record, or alter communication.
  • Use phoney DNS servers to carry out DNS hijacking, which reroutes consumers to malicious or phishing websites. These fraudulent requests are then assigned IP addresses by the authentic DHCP server.
  • A DoS for new clients is essentially caused when the pool is exhausted because the server is unable to provide IP addresses to valid devices attempting to connect to the network.
  • Furthermore, a rogue DHCP server launched on the attacker’s device has no competition once the legal server’s resources are depleted, which may result in a DHCP spoofing attack later on.

Mitigation Techniques

Network administrators frequently use security features on managed network switches, depending on layered controls, to stop DHCP spoofing:

  • DHCP Snooping: An essential Layer 2 security element is DHCP Snooping, which filters out unauthorized DHCP server messages and drops DHCP messages from untrusted ports (such as user ports). Access ports are marked as untrusted, while network uplinks that are linked to authentic DHCP servers are set up as trusted. A database (binding table) of legitimate IP-to-MAC address bindings is also created by DHCP snooping.
  • Port Security: Port security restricts how many MAC addresses can be discovered on a particular switch port. When it comes to preventing DHCP hunger attacks that use a large number of faked MAC addresses, this functionality is quite helpful.
  • Network Segmentation (VLANs): By separating DHCP services into distinct Virtual Local Area Networks, network segmentation reduces the impact of possible attacks and makes it more difficult for attackers to take down the entire network.
  • Static IP Assignment: Giving critical infrastructure devices static IP addresses removes their dependency on DHCP and makes them impervious to spoofing efforts, but it is not scalable for big networks.
  • Other Layered Controls: Additional precautions include enforcing strict access control to network infrastructure and putting in place Dynamic ARP Inspection (DAI) and IP Source Guard, which stop ARP and IP spoofing, respectively, using the DHCP snooping binding table.
Previous article
What Is Mitigation In Network Security? Techniques And Risks
Next article
Principle Of Least Privilege Vs Zero Trust Key Difference
Jetipalli Lavaya
Jetipalli Lavaya

About Us 

Contact Us

Privacy Polacy

Disclaimer

© G Solutions

Index