
Mitigating DHCP Attacks

DHCP plays a crucial role in assigning IP addresses to devices on a network, so protecting against DHCP attacks is essential for maintaining normal network behavior. If a malicious actor gains access to the DHCP server, they can potentially launch a range of attacks, such as denial-of-service attacks, man-in-the-middle attacks, and network eavesdropping. 

Two common DHCP attacks are the DHCP starvation attack and the DHCP server spoofing attack.

DHCP Starvation Attack

The goal of a DHCP starvation attack is to exhaust the address space available to the DHCP server. In a typical DHCP starvation attack, the attacker floods the DHCP server by sending a large number of DHCP requests with spoofed MAC addresses. This causes the DHCP server to allocate all available IP addresses to these fake DHCP clients. 

During this period, also known as "starvation," the DHCP server will not be of any service to the legitimate network users requesting IP information from the DHCP server. As a result, legitimate DHCP clients cannot obtain an IP address and connect to the network.

[Figure: DHCP starvation attack process diagram]

The image above highlights a DHCP starvation attack. The attacker starts the process of starving the DHCP server, so when the normal user tries to get IP information, the DHCP server does not have any available IP addresses to offer.

DHCP starvation attacks can be launched using specialized tools or by writing custom scripts. They allow attackers to launch denial-of-service (DoS) attacks or gain unauthorized access to the network.

Important: When the legitimate DHCP server’s resources are exhausted, a potential rogue DHCP server will not have any competition when DHCP clients start searching for a DHCP server. This can lead to a DHCP server spoofing attack.

To prevent DHCP starvation attacks, you can implement measures such as rate-limiting DHCP requests, limiting the number of DHCP leases per MAC address, or implementing the port security feature. 

DHCP Server Spoofing Attack

DHCP server spoofing is a type of network attack where an attacker sets up a rogue DHCP server on a network with the intention of intercepting and manipulating network traffic. Just like the legitimate DHCP server in the network, the fake DHCP server is configured to offer IP addresses and other configuration information to network devices and endpoints.

However, the provided configuration parameters allow the attacker to control the network traffic and potentially redirect it to their system, where they can capture sensitive information, launch further attacks, or modify the network traffic. 

This way, the attacker can easily perform a man-in-the-middle attack: the DHCP offers sent by the rogue server list the attacker's system, instead of the legitimate router or DNS server, as the default gateway or DNS server. As a result, network clients send their traffic to the attacker's system instead of the intended destination, giving the attacker access to the original data.

The image below shows the steps involved when a rogue DHCP server is available on the network. Firstly, a user tries to reach a DHCP server to get IP information. Secondly, since this message is a broadcast frame, the switch will flood the message on all interfaces, meaning one copy is sent to the legitimate DHCP server and another to the rogue DHCP server.

[Figure: DHCP spoofing attack process diagram]

Lastly, if the attacker’s device replies back first, then the whole DHCP communication will continue with the rogue server only, and the DHCP offer message from the legitimate DHCP server will be discarded.

You can implement the DHCP snooping feature to prevent these attacks. This feature can detect and block rogue DHCP servers on the network. The ip dhcp snooping command enables the feature globally, while the ip dhcp snooping vlan vlan-id command starts the feature on a specific VLAN.

DHCP snooping operates by monitoring and filtering DHCP traffic between DHCP clients and servers. It works by building a database of legitimate DHCP servers and their IP addresses and then using this information to filter out any DHCP traffic that comes from unauthorized or untrusted sources.

Once the interfaces are configured as trusted or untrusted, the switch will filter out DHCP messages and permit or deny them based on the data entries in the DHCP snooping binding table. To configure an interface as trusted, use the ip dhcp snooping trust interface configuration mode command. By default, all interfaces are considered untrusted.

When DHCP snooping is enabled, the switch inspects each DHCP message that passes through it. The switch will drop the message if a DHCP message is from an untrusted source. However, if the DHCP message is from a trusted source, the switch will add the client's MAC address, IP address, and lease time to its DHCP snooping database. The switch will then allow the DHCP message to pass through to the intended destination.

To verify DHCP snooping, use the show ip dhcp snooping command.
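The following switch configuration pulls together the starvation mitigations mentioned earlier (rate limiting and port security) and the DHCP snooping commands from this section. It is an added example, not configuration from the original page. The VLAN number, the interface names, the description text and the rate value are assumptions chosen for illustration; the commands themselves are standard Cisco IOS commands.

```cisco
! Added example (not from the original page): a minimal Cisco IOS switch
! configuration that applies the mitigations described in the text.
! Assumptions: VLAN 10 is the user VLAN, GigabitEthernet0/24 is the uplink
! toward the legitimate DHCP server, GigabitEthernet0/1-23 are access ports.
!
! --- DHCP snooping: stops a rogue DHCP server on an access port ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Only the uplink toward the real DHCP server is trusted. Every other port
! keeps the default (untrusted), so server messages such as OFFER and ACK
! that arrive on an access port are dropped before they reach any client.
interface GigabitEthernet0/24
 description Uplink to legitimate DHCP server
 ip dhcp snooping trust
!
! --- Access ports: starvation mitigation ---
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! Cap the number of DHCP packets per second accepted from this port.
 ! A flood of DHCP requests trips the limit and err-disables the port
 ! instead of exhausting the server's address pool.
 ip dhcp snooping limit rate 15
 ! Port security: allow one learned source MAC per port, so a single
 ! host cannot open many leases by changing its MAC address.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Let ports err-disabled by the DHCP rate limit recover automatically
! after the recovery interval (300 seconds here).
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

To verify, use show ip dhcp snooping (global state, enabled VLANs, trusted ports and per-port rate limits), show ip dhcp snooping binding (the client MAC, IP, lease time, VLAN and port entries the switch has learned) and show port-security interface GigabitEthernet0/1 for the port security state. Two caveats a practitioner should keep in mind: DHCP snooping on Cisco IOS also verifies, on untrusted ports, that the client hardware address inside the DHCP message matches the frame's source MAC (ip dhcp snooping verify mac-address, on by default), which covers spoofing of the DHCP field alone that port security would not see; and the switch inserts DHCP option 82 into relayed client messages by default, so if clients stop receiving leases after snooping is enabled, check whether the upstream server or relay accepts option 82, or disable the insertion with no ip dhcp snooping information option.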