DHCP Starvation & Spoofing Attacks - What is it and how to prevent it?

What is DHCP?

DHCP stands for Dynamic Host Configuration Protocol . It's a network management protocol used to automatically assign IP addresses and other network configuration parameters to devices connected to a network.

How DHCP Works?

DHCP Client: When a device (like a computer, smartphone, or printer) connects to a network, it acts as a DHCP client.
DHCP Discover: The client broadcasts a DHCP Discover message to find a DHCP server.
DHCP Offer: The DHCP server responds with a DHCP Offer message, proposing an IP address and other configuration details.
DHCP Request: The client selects an offer and sends a DHCP Request to confirm its choice.
DHCP Acknowledgement: The DHCP server sends a DHCP Acknowledgement, finalizing the IP address assignment and other configurations.

Demo of IP Assignment for a new Virtual Machine in VirtualBox using DHCP server

Upon creation of the VM there is no ip assignment for the machine. The image is given below

image showing vm without ip — Image showing a VM without an IP address

Wireshark capture of DHCP - Discover,Offer,Request and Acknowledgement Packets

DHCP packet capture using Wireshark — DHCP Packet Capture using Wireshark

DHCP Discover packet capture using Wireshark — DHCP discover Packet Capture using Wireshark

DHCP offer packet capture using Wireshark — DHCP offer Packet Capture using Wireshark

DHCP request packet capture using Wireshark — DHCP request Packet Capture using Wireshark

DHCP Acknowledgement packet capture using Wireshark — DHCP Acknowledgement Packet Capture using Wireshark

Assignment of IP Address to the VM after DHCP Acknowledgement

DHCP ip assignment — Ip Assignment to VM using DHCP Server

What is DHCP Starving Attack

DHCP starvation is a type of cyberattack that targets DHCP (Dynamic Host Configuration Protocol) servers. In this attack, a malicious actor floods the DHCP server with bogus DISCOVER packets, depleting the pool of available IP addresses. This prevents legitimate devices from obtaining IP addresses, effectively denying them network access.

How it Works:

Spoofed Requests: The attacker sends a large number of fake DHCP DISCOVER packets to the DHCP server.
IP Address Exhaustion: The DHCP server assigns IP addresses from its pool to each of these bogus requests, quickly exhausting the available addresses.
Denial of Service: Legitimate devices cannot obtain IP addresses, resulting in a denial of service (DoS) attack.

DHCP Starvation Attack image — DHCP Starvation Attack Image

Mitigation Techniques

IP Address Pool Size: Increase the DHCP server's IP address pool to accommodate a larger number of requests.
DHCP Snooping: Implement DHCP snooping to verify the authenticity of DHCP messages.
Rate Limiting: Limit the number of DHCP requests per client or per MAC address.
Access Control Lists (ACLs): Restrict DHCP traffic to authorized devices and networks.
Intrusion Detection Systems (IDS): Monitor network traffic for suspicious DHCP activity.
Regular Updates: Keep DHCP server software and firmware up-to-date with the latest security patches.

What is DHCP Spoofing

DHCP spoofing is a type of cyberattack where an attacker intercepts DHCP requests from network clients and responds with fraudulent DHCP offers. Essentially, the attacker pretends to be the legitimate DHCP server.

How it works:

Intercepting DHCP requests: The attacker positions themselves on the network where they can capture DHCP discover broadcasts sent by clients seeking IP addresses.
Sending fraudulent offers: The attacker crafts and sends fake DHCP offer messages to the client, claiming to be the legitimate DHCP server.
Redirecting traffic: The attacker can configure the client to use the attacker's system as the default gateway, allowing them to intercept and manipulate network traffic.

DHCP-spoofing image — DHCP Spoofing Attack Image

Consequences of DHCP Spoofing:

Man-in-the-middle attacks: The attacker can eavesdrop on network traffic, steal sensitive data, or modify it.
Denial of service (DoS): The attacker can flood the legitimate DHCP server with requests, preventing it from serving legitimate clients.
Network misconfiguration: The attacker can assign incorrect IP addresses or DNS settings to clients, causing network disruptions.

Prevention

DHCP snooping: This network security feature allows switches to verify the legitimacy of DHCP messages.
IP address management: Implementing static IP addresses or using DHCP reservations can reduce the impact of DHCP spoofing.
Network segmentation: Isolating sensitive network segments can limit the potential damage from a successful attack.
Security awareness: Educating users about the risks of accepting unsolicited DHCP offers can help prevent attacks.

Disclaimer

The content provided on this page is for educational purposes only. It is intended to demonstrate the vulnerabilities of computer systems and networks and to promote ethical hacking practices. Any unauthorized use of the information or tools presented here is strictly prohibited and may violate applicable laws.

By accessing and using this information, you agree to the following:

No Malicious Use: You will not use the information or tools to harm others, damage property, or violate any laws.
Ethical Use: You will use the information and tools responsibly and ethically, respecting the privacy and security of others.
Legal Compliance: You will comply with all applicable laws and regulations regarding hacking and cybersecurity.

It is important to note that hacking systems without proper authorization is illegal and unethical. If you have concerns about the security of your own systems, please consult with a qualified security professional.