DHCP Starvation: How This Attack Can Disrupt Your Entire Network and What You Can Do to Prevent It

Network stability relies heavily on the efficient functioning of protocols like Dynamic Host Configuration Protocol (DHCP), which dynamically assigns IP addresses to devices. However, these essential services can be targeted by attackers, and one of the most disruptive tactics is the DHCP starvation attack.

This attack aims to deplete the DHCP server’s pool of available IP addresses, crippling network functionality. By flooding the server with forged DHCP requests, each appearing to come from a different device, the attacker drains every address the server is able to hand out. Consequently, legitimate devices are unable to obtain IP addresses, resulting in network outages and, once the legitimate server has nothing left to offer, an opening for a rogue server under the attacker’s control.

The DHCP mechanism is crucial for dynamically allocating IP addresses, ensuring seamless communication within the network. It functions as an address allocator, assigning each device an address within the network’s structure. A DHCP starvation attack disrupts this process by bombarding the DHCP server with continuous forged requests until every address in the scope has been offered or leased to a client that does not exist. The resulting denial-of-service (DoS) condition comes from the exhausted pool rather than from server load: the server may still be perfectly responsive, but it has no address left to give a legitimate client.

How does a DHCP starvation Attack work?

A DHCP Starvation Attack targets the DHCP service of a network, with the goal of disrupting the network’s ability to assign IP addresses to legitimate clients. The attack is executed by sending a flood of DHCP DISCOVER messages to the server, each carrying a different, fabricated client hardware address (the chaddr field of the DHCP message, normally accompanied by a matching spoofed Ethernet source MAC). The server answers each one with an OFFER from its pool. Because most servers only reserve an offered address for a short time, attack tools usually complete the exchange with a DHCP REQUEST so that the address is actually leased and stays unavailable for the full lease time. Here is the breakdown of the process:

Flooding with Malicious DHCP DISCOVER Packets

The attacker floods the network with DHCP DISCOVER packets, each disguised as a legitimate request for an IP address. These packets are crafted with random, spoofed MAC addresses, making them look like requests from many different devices. The DHCP server has no way to tell a forged hardware address from a real one, so it treats every packet as a new client and responds to each as if it were genuine. As a result, the server quickly depletes its pool of available IP addresses, leaving no addresses for legitimate devices and causing network disruption.

Exhausting the IP Address Pool

The DHCP server offers IP addresses from a defined pool (the scope), allocating them to devices as they request them. When the attacker continuously sends forged DISCOVER requests and follows them with REQUESTs, the server offers and then leases each address to a client that does not exist, tracking the fake hardware addresses in its lease table exactly as it would real ones. Once the pool is empty, the server can no longer answer legitimate DISCOVER messages, and nothing frees up until the forged leases expire.

Rogue DHCP Server Injection

Once the legitimate DHCP server has nothing left to offer, the attacker introduces a rogue DHCP server on the same network segment. Legitimate clients still broadcasting DISCOVER messages now receive an OFFER only from the rogue server, which hands out addresses together with malicious configuration information. For example, it can supply a default gateway or DNS server under the attacker’s control, so that the victims’ traffic is routed, or their name lookups resolved, through the attacker’s system. Starvation is not strictly required for this stage, since a rogue server can also simply answer faster than the real one, but removing the competition makes the outcome reliable.

Man-in-the-Middle (MITM) Attack

With the rogue DHCP server supplying the configuration, any client that accepts a lease from it sends its off-subnet traffic to the attacker-supplied gateway and its name lookups to the attacker-supplied DNS server. This creates the conditions for a man-in-the-middle (MITM) attack, where the attacker can intercept, monitor, modify, or redirect communication between the victim and other systems. As a result, sensitive information such as login credentials, personal data, or confidential communication can be captured, at least wherever it is not protected end to end by TLS or a similar protocol.
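The flood and pool-exhaustion steps above, as an added example that is not part of the original article: a minimal RFC 2131 DISCOVER/REQUEST encoder and decoder in pure Python, plus a toy server-side lease pool. It shows which fields a starvation tool varies per packet (chaddr, xid, option 61) and why a DISCOVER on its own rarely holds an address for long. The pool size, the 10-second offer hold and the MAC addresses are assumed values chosen for the demo; the rogue-server stage is not modelled.

```python
"""Minimal RFC 2131 DHCP DISCOVER/REQUEST encoder and decoder plus a toy
server-side lease pool. Added example (not from the article): it shows which
fields a starvation tool varies per packet and why DISCOVER alone rarely
holds an address for long. The hold time and pool are assumed values."""
import random
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPREQUEST = 1, 3


def build_dhcp(msg_type: int, chaddr: bytes, xid: int, requested_ip: bytes = b"") -> bytes:
    """Encode a client-originated BOOTP/DHCP message (op=1, BOOTREQUEST)."""
    assert len(chaddr) == 6
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags (broadcast bit set),
    # then ciaddr, yiaddr, siaddr, giaddr (all zero for a fresh client).
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += chaddr.ljust(16, b"\0")             # chaddr: 16-byte field at offset 28
    hdr += b"\0" * 64 + b"\0" * 128            # sname, file (unused here)
    opts = bytes([53, 1, msg_type])            # option 53: DHCP message type
    opts += bytes([61, 7, 1]) + chaddr         # option 61: client identifier (htype + MAC)
    if requested_ip:
        opts += bytes([50, 4]) + requested_ip  # option 50: requested IP address
    return hdr + MAGIC_COOKIE + opts + b"\xff"  # 0xff = end option


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fields a server or a DHCP-snooping switch keys on."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                        # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": pkt[28:28 + hlen],
            "msg_type": options[53][0], "options": options}


class LeasePool:
    """Toy server: an OFFER reserves an address for offer_hold seconds,
    a REQUEST turns the reservation into a lease."""

    def __init__(self, addresses, offer_hold=10):
        self.free = list(addresses)
        self.offered = {}    # chaddr -> (ip, reservation expiry)
        self.leased = {}     # chaddr -> ip
        self.offer_hold = offer_hold

    def handle(self, pkt: bytes, now: float):
        msg = parse_dhcp(pkt)
        mac = msg["chaddr"]
        for m, (ip, expires) in list(self.offered.items()):
            if expires <= now:                 # reclaim offers never followed by REQUEST
                del self.offered[m]
                self.free.append(ip)
        if msg["msg_type"] == DHCPDISCOVER:
            if mac in self.leased or mac in self.offered:
                return "OFFER"                 # repeat DISCOVER from a known client
            if not self.free:
                return None                    # pool exhausted: client gets no reply
            self.offered[mac] = (self.free.pop(0), now + self.offer_hold)
            return "OFFER"
        if msg["msg_type"] == DHCPREQUEST and mac in self.offered:
            self.leased[mac] = self.offered.pop(mac)[0]
            return "ACK"
        return "NAK"


def simulate_starvation(pool_size=8, complete_handshake=True):
    """Flood a pool with forged clients; return the reply a legitimate client
    gets during the flood and again after the offer hold time has elapsed."""
    pool = LeasePool([bytes([10, 0, 0, h]) for h in range(100, 100 + pool_size)])
    rng = random.Random(1)
    for i in range(pool_size):
        # Locally administered MAC; the counter byte guarantees distinctness in
        # this demo, real tools simply randomise all six bytes.
        mac = bytes([0x02, 0x00, i]) + rng.randbytes(3)
        xid = rng.getrandbits(32)
        pool.handle(build_dhcp(DHCPDISCOVER, mac, xid), now=0)
        if complete_handshake:
            ip = pool.offered[mac][0]
            pool.handle(build_dhcp(DHCPREQUEST, mac, xid, ip), now=0)
    victim = bytes.fromhex("aabbccddeeff")
    during = pool.handle(build_dhcp(DHCPDISCOVER, victim, 0x1234), now=1)
    later = pool.handle(build_dhcp(DHCPDISCOVER, victim, 0x1234), now=60)
    return during, later
```

With `complete_handshake=True` the legitimate client gets no reply either during the flood or a minute later, because every address is leased; with `complete_handshake=False` the addresses return to the pool once the unrequested offers expire, which is why tools that only spray DISCOVERs have to keep spraying to maintain the outage.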

DHCP Starvation Prevention Tips

Enable DHCP Snooping

This feature lets the switch distinguish trusted ports (those facing the real DHCP server or relay) from untrusted access ports. DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which blocks the rogue-server stage of the attack, and client messages are inspected and recorded in a DHCP snooping binding table that the controls below build on.

MAC Address Check

Enable MAC address verification as part of DHCP snooping on the switch (on Cisco IOS the command is ip dhcp snooping verify mac-address; some relay agents offer an equivalent check). The switch confirms that the Ethernet source address of a frame received on an untrusted port matches the client hardware address (chaddr) inside the DHCP message, and drops the frame if they differ. This catches crude tools that forge only the chaddr. A tool that sets both fields to the same random value for every packet passes this check, which is why it must be paired with the MAC limits below.

Limit MAC Address Learning

Set a maximum number of source MAC addresses the switch will learn on each access port; for most access ports one or two is enough. When the limit is reached, frames from any further MAC address trigger a violation, and depending on the configured violation mode the switch drops them silently (protect), drops and logs them (restrict) or err-disables the port (shutdown).

Port Security

Implement port security on access switches to enforce that limit. This is the control that actually stops a starvation tool, because every forged request arrives on one physical port and each one presents a new source MAC address: with a limit of one or two addresses per port, the flood is cut off after the first couple of forged frames, long before the pool is empty. Apply it to access ports only; uplinks and ports behind unmanaged switches or hypervisors legitimately carry many MAC addresses.

Rate Limiting

Configure rate limiting on DHCP snooping untrusted interfaces (on Cisco IOS, ip dhcp snooping limit rate with a packets-per-second value) so that a port receiving more DHCP packets per second than the threshold is err-disabled. A real client sends only a handful of DHCP messages when it boots or renews, so a low limit on access ports is safe and is the cheapest way to shut down a flood; leave trusted server-facing ports unlimited or at a much higher value. On the server side, alert when scope utilisation jumps towards 100% within minutes, as that is what starvation looks like from the DHCP server’s own logs.
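The five controls above combined into one decision function, as an added example that is not vendor code or part of the original article: a toy DHCP-snooping filter that applies the trusted/untrusted port rule, the source-MAC versus chaddr check, a per-port MAC limit and a per-port DHCP rate limit to a constructed frame stream. The port names, thresholds and frames are made up for the demo; the frames are assumed to be already decoded, so chaddr is passed in as a field rather than parsed from bytes.

```python
"""Toy DHCP-snooping style filter. Added example (not vendor code): applies
trusted/untrusted ports, source-MAC vs chaddr verification, a per-port MAC
limit and a DHCP rate limit to a constructed frame stream. Port names,
thresholds and the frames themselves are made up for the demo."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Frame:
    ts: float                 # arrival time in seconds
    port: str                 # ingress switch port
    src_mac: bytes            # Ethernet source address
    chaddr: bytes             # chaddr from the DHCP payload (empty for server messages)
    trusted: bool = False     # port faces the real DHCP server or relay
    server_msg: bool = False  # OFFER/ACK/NAK rather than a client message


class SnoopingFilter:
    def __init__(self, max_macs_per_port=2, max_pps=5, window=1.0):
        self.max_macs = max_macs_per_port
        self.max_pps = max_pps
        self.window = window
        self.seen_macs = defaultdict(set)    # port -> learned source MACs
        self.recent = defaultdict(deque)     # port -> DHCP arrival times in window
        self.err_disabled = set()

    def decide(self, f: Frame) -> str:
        if f.trusted:
            return "FORWARD"                 # snooping does not police trusted ports
        if f.port in self.err_disabled:
            return "DROP:err-disabled"
        if f.server_msg:
            return "DROP:server-msg-on-untrusted"   # rogue DHCP server
        # Rate limit: count untrusted DHCP frames per port in a sliding window.
        q = self.recent[f.port]
        q.append(f.ts)
        while q[0] <= f.ts - self.window:
            q.popleft()
        if len(q) > self.max_pps:
            self.err_disabled.add(f.port)
            return "DROP:rate-limit"
        # MAC verification: the frame source must match the DHCP chaddr.
        if f.src_mac != f.chaddr:
            return "DROP:mac-mismatch"
        # Port security: cap distinct source MACs per access port (shutdown mode).
        self.seen_macs[f.port].add(f.src_mac)
        if len(self.seen_macs[f.port]) > self.max_macs:
            self.err_disabled.add(f.port)
            return "DROP:mac-limit"
        return "FORWARD"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def run_demo():
    """Return (port, decision) for each constructed frame, in order."""
    flt = SnoopingFilter(max_macs_per_port=2, max_pps=5, window=1.0)
    frames = [
        # normal client
        Frame(0.0, "Gi1/0/1", mac("aa:bb:cc:00:00:01"), mac("aa:bb:cc:00:00:01")),
        # real server replying over the trusted uplink
        Frame(0.1, "Gi1/0/24", mac("00:11:22:33:44:55"), b"",
              trusted=True, server_msg=True),
        # rogue server answering from an access port
        Frame(0.2, "Gi1/0/2", mac("02:00:00:00:00:99"), b"", server_msg=True),
        # crude starvation: chaddr forged, frame source MAC left alone
        Frame(0.3, "Gi1/0/3", mac("02:00:00:00:00:10"), mac("02:00:00:00:00:11")),
    ]
    for i in range(10):   # chaddr and frame MAC forged together, ten "clients" in 0.5 s
        m = mac(f"02:00:00:00:01:{i:02x}")
        frames.append(Frame(0.4 + i * 0.05, "Gi1/0/4", m, m))
    for i in range(8):    # one real MAC re-sending DISCOVER far too fast
        m = mac("aa:bb:cc:00:00:05")
        frames.append(Frame(1.0 + i * 0.05, "Gi1/0/5", m, m))
    return [(f.port, flt.decide(f)) for f in frames]
```

Note the ordering: the crude flood on Gi1/0/3 is stopped by MAC verification alone, but the consistent flood on Gi1/0/4 passes that check and is only stopped when the third distinct MAC exceeds the port limit, which is why the MAC limit, not the verification, is the control that ends a starvation attack.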

Conclusion

DHCP starvation attacks can cause significant damage by disrupting network connectivity and opening the door to rogue-server and man-in-the-middle attacks. To mitigate these risks, organisations should enable DHCP snooping with MAC verification, limit MAC addresses per access port with port security, rate-limit DHCP on untrusted ports, and monitor both switch snooping violations and DHCP scope utilisation. These proactive steps help safeguard network resources and maintain operational stability. Furthermore, regularly reviewing network security logs, including err-disabled port events, is crucial for detecting and responding to suspicious activity promptly.

Stay ahead of the curve! Follow Cyber News Live for real-time updates on the latest cybersecurity threats, trends, and insights.
