In this article we will talk about DHCP Attacks, and in previous article we already discussed about Enable Port Security.
Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.
DHCP Starvation Attack
The goal of the DHCP Starvation attack is to create a DoS for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. It has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
- Wrong default gateway – The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
- Wrong DNS server – The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
- Wrong IP address – The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP client.
Threat Actor Connects Rogue DHCP Server
A threat actor successfully connects a rogue DHCP server to a switch port on the same subnet and VLANs as the target clients. The goal of the rogue server is to provide clients with false IP configuration information.
Client Broadcasts DHCP Discovery Messages
A legitimate client connects to the network and requires IP configuration parameters. Therefore, the client broadcasts a DHCP Discovery request looking for a response from a DHCP server. Both servers will receive the message and respond.
Legitimate and Rogue DHCP Reply
The legitimate DHCP server responds with valid IP configuration parameters. However, the rogue server also responds with a DHCP offer containing IP configuration parameters defined by the threat actor. The client will reply to the first offer received.
Client Accepts Rogue DHCP Offer
The rogue offer was received first, and therefore, the client broadcasts a DHCP request accepting the IP parameters defined by the threat actor. The legitimate and rogue server will receive the request.
Rogue Server Acknowledges
The rogue server unicasts a reply to the client to acknowledge its request. The legitimate server will cease communicating with the client.