The Ultimate Guide to DHCP Spoofing and Starvation Attacks

A Dynamic Host Configuration Protocol (DHCP) in a network is a common approach to allocating IP information dynamically to clients as they shift from one network to another within an enterprise.

It simplifies the overall assignment of IP addresses and other additional parameters such as the subnet mask, Domain Name System (DNS) server, and default gateway among many other parameters.

Without this service, all essential information for normal operation in a network would have to be configured manually on the endpoints. Although the manual approach is not a problem for small networks, it is more challenging in medium to large networks.

Download the guide and refer back to it at any time!

In this article, we will discuss DHCP spoofing and starvation attacks, the negative impact these attacks can have on your network, and how to protect against them.

Looking for other DHCP content? View our popular DHCP configuration guide. 

Understanding DHCP Operations

Before we dive into the DHCP attacks, let’s first look at the operations of the DHCP process to gain a better understanding of the steps being performed in the background. That way, we can easily follow the attacks discussed later in this article and get a better idea of how they function.

When using the DHCP service, there are two roles: a DHCP client which is just a computer requesting an IP address and complimentary parameters, and a DHCP server responsible for providing that IP information to the clients.

The whole communication between the client and the server is performed in four steps. This process is known as DORA, which is an acronym representing the first letters of each step during which the packets are exchanged:

1. DHCP Discover: The DHCP client sends a broadcast message to reach the DHCP server and start the negotiation process.
2. DHCP Offer: The DHCP server responds back to the DHCP client with IP information that can be used once it has been acknowledged.
3. DHCP Request: The DHCP client responds back to the DHCP server with a formal request to start using the IP information previously reserved.
4. DHCP ACK: The DHCP server acknowledges the DHCP Request message and the DHCP client starts using the assigned IP information.

Based on the DHCP server configuration, the assigned IP information will be valid for a limited time before it expires and is potentially renewed. For more details about configuring a DHCP server on a Cisco router, visit our Cisco IOS DHCP Server Configuration article.

____________

Are you looking to fill an open spot on your rack?

Get a quote today!

____________

DHCP Starvation Attacks

The goal of a DHCP starvation attack is to exhaust the address space available to the DHCP server. An attacker can initiate this attack by sending a flood of fake DHCP Discover messages with spoofed MAC addresses. As a result, the DHCP server will respond back with a DHCP Offer message to each of the DHCP Discover messages previously received.

As a result, all available IP addresses will very quickly become reserved for the “potential” DHCP clients, and this will last for a period. Since no such clients really exist, the DHCP server will never get back any reply containing a DHCP Request message from the DHCP “clients”.

During this period, known as “starvation”, the DHCP server will not be of any service to the legitimate network user requesting IP information from the DHCP server.

The image below highlights a DHCP starvation attack. The attacker starts the process of starving the DHCP server, so when the normal user tries to get IP information, the DHCP server does not have any available IP addresses to offer.

Additionally, when the legitimate DHCP server’s resources are exhausted, a rogue DHCP server, potentially started on the attacker’s device, will not have any competition when normal users will start searching for a DHCP server. This can lead to a DHCP server spoofing attack, which we will cover shortly.

A DHCP starvation attack can be performed by using various attacking tools, Yersinia being one of the most popular. Protection against this attack can easily be achieved by implementing the port security feature on the switch. It allows a limited number of MAC addresses to be defined per port and applies an action (shut down the interface by default) when a violation occurs.  

DHCP Server Spoofing Attack

Much like IP spoofing, MAC spoofing, or ARP spoofing, there is also DHCP server spoofing. Compared to the DHCP starvation attack, a spoofing attack can easily be disastrous for a network. Since authentication is not possible with DHCP, it is very vulnerable to spoofing attacks.

When an attacker operates a rogue DHCP server, a user can blindly start a DHCP communication with the attacker instead of the legitimate DHCP server on the network. This could easily happen when the rogue DHCP server is closer to the DHCP client and replies before the legitimate DHCP server does.

As a result, the attacker can perform a man-in-the-middle attack by assigning itself as a default gateway or DNS server in the DHCP replies sent back to the DHCP clients. This allows the attacker to intercept IP communication between the configured clients and the rest of the network.

The image below shows the steps involved when a rogue DHCP server is available in the network. Firstly, a user tries to reach a DHCP server to get IP information. Secondly, since this message is a broadcast frame, the switch will flood the message on all interfaces, meaning one copy is sent to the legitimate DHCP server and another to the rogue DHCP server.

Lastly, if the attacker’s device replies back first, then the whole DHCP communication will continue with this server only, and the DHCP Offer message from the legitimate DHCP server will be discarded.

There are two solutions to protect against a DHCP spoofing attack. The first solution is to configure IP information manually on all endpoints in the network, which will be almost impossible in large environments. The second solution is to implement the DHCP snooping feature on the switches.

DHCP snooping is a Layer 2 security feature that can be implemented on a switch to prevent a DHCP spoofing and DHCP starvation attack to a certain degree. The main idea behind this feature is for the switch to build and maintain a DHCP snooping binding table.

Each entry in this database will contain information about all interfaces on the switch and the client’s MAC and IP addresses reachable on them, as well as additional information such as VLAN association, port ID, and so on.

Once interfaces are configured as trusted or untrusted, the switch will filter out DHCP messages and permit or deny them based on the data entries in the DHCP snooping binding table. For more information about the DHCP snooping feature, visit our article entitled A Guide to Configuring and Troubleshooting DHCP Snooping.

PivIT’s EXTEND SmartHands Offering

DHCP spoofing and DHCP starvation attacks are not that common in networks today. However, you can never know when such attacks can happen, intentionally or unintentionally. Therefore, just to be on the safe side, you should always try to mitigate these potential attacks by using the supported features on switches, such as port security and DHCP snooping.

A proper configuration will provide sufficient protection against these simple, yet tricky and potentially disastrous DHCP attacks.

Are you short on engineering staff or need an expert to configure your network to handle these attacks? PivIT’s EXTEND offering allows you to extend your IT team without the added overhead of hiring a full-time engineer, whether on-demand or on a per-project basis.

SmartHands is your physical solution that can be on-site, on the phone, or on-call to provide the expert-level knowledge you need. View our SmartHands page to see the three levels of engineering support we offer or speak to one of our engineers right now to help protect your network.