Skip to main content

DHCP Security: Shrinking the Attack Surface

A reservation means nothing if you get the wrong size for your guests, or a party crasher, intended or not, is there first. Similarly, if DHCP is not secure, your device runs the risk of not getting the right network configuration—or any at all. What threats does DHCP face, and how can we protect both devices and the server from such attacks? Let's secure those answers.

For a refresher on DHCP, check out this post.

DHCP Attacks

Rogue DHCP Server

On picnic day, you go to the park office to claim your pavilion, but another staff member—different from the one you arranged the event with—has no note of your reservation and gives you another pavilion. What does that mean for your guests? They already have the original location. Things just got complicated.

Similarly, a rogue DHCP server is an unauthorized or misconfigured device that disrupts the operations of an authorized server within a network. This can result from manually assigning conflicting IP address ranges or someone plugging in a personal router with DHCP enabled.

Why it Matters
  • Rogue servers can cause IP address conflicts, leading to limited or no access to the Internet or local network.
  • They can act as an "evil twin"(looks like your network, feels like your network) but tracks, reroutes, and intercepts your data or block access.

DHCP Starvation Attack

Back to the picnic. Imagine you are at your local park office and talk to the staff, but there are no available pavilions. How so? The whole park is booked by a large company hosting a retreat for several other companies for the entire week. As a result, you cannot book a pavilion there and decide to look at another park. That is similar to a DHCP starvation attack.

In this attack, an attacker floods the server with requests, consuming all available IP addresses and leaving legitimate users without one.

Why it Matters
  • Once the IP address pool is exhausted,  the attacker provides a "glimmering light" - a false promise to access your network.
  • The attacker implants their own DHCP server - a rogue one - to provide what you "need" to get access to the network: an IP address.
  • This trap network allows the attacker to monitor, misdirect, or manipulate your traffic.

DHCP Spoofing

Picnic planning is hard. Once you finally book a pavilion at another park, you get a confirmation slip—only to notice the logo is off and your reserved pavilion is now the smallest one. You’ve just been scammed!

That’s DHCP spoofing: the attacker's server gives devices incorrect network configuration, disrupting connectivity or redirecting traffic to malicious sites.

Why it Matters
  • Traffic can be redirected to the attacker, enabling man-in-the-middle attacks.
  • Devices may receive "fake invitations" : false configurations, losing access to the local network or Internet.
  • Spoofed traffic may reroute to phishing or malware sites.

How to Protect Against DHCP Attacks

  • Activate DHCP Snooping

Allows only trusted sources to handle DHCP messages. Anything untrusted gets blocked. Designated servers are the only ones allowed to issue IP addresses.

  • Configure DHCP Relay Agents

Acts as a proxy between clients and the DHCP infrastructure. It inspects traffic and drops packets from unauthorized sources (rogue servers).

  • Implement Port Security

Limits the number of MAC addresses per port. You can also whitelist approved MAC addresses to block others from connecting.

  • Limit DHCP Requests

Restrict how many DHCP requests can be made by a device within a time window, helping prevent starvation attacks.

  • Use VLAN Segmentation

Divide your physical network into logical ones by department, floor, or device type. This contains attacks within a segment and simplifies troubleshooting.

Avoid putting all devices in the native VLAN, which creates a large broadcast domain vulnerable to rogue DHCP attacks.

Secure inter-VLAN routing to prevent unauthorized access between network segments.

  • MAC Filtering

Restrict network access to a list of approved MAC addresses—like a guest list. However, attackers can spoof MAC addresses, so this should not be the only layer of defense.

What’s Next?

DHCP does not get much hype. It may not be glamorous, but that does not make it any less worthy of protection. There are many moving parts to DHCP: IP addresses, DNS servers, and security. Every component in IT carries an attack surface - that is no different from a seemingly overlooked protocol that can make or break our connections to the Internet. 

Security implementations like DHCP snooping and port security can reduce the risks posed from such DHCP attacks. Above all, it begins with monitoring to identify vulnerabilities. Want to see this in action? Check the links below for a hands-on look against DHCP attacks. 

DHCP security may not be a picnic, but securing it means fewer party crashers and more time to enjoy the sun (perhaps with a cold glass of lemonade in hand).

 

Helpful Links 

DHCP Attacks and Defense Strategies - Kevin Wallace

Hack DHCP with Python and Kali Linux! - David Bombal 

 

 

Labels:

Comments

Post a Comment

Popular posts from this blog

Subnets: Key to Network Organization

Whether it is a to-do list or a big project, organization is key. We have busy lives. The task in itself can have several parts or may require some sort of collaboration with a partner or a team. A project may call to meet deadlines, which means keeping up with those crucial dates and having a system of order. Similarly, our networks are busy, transferring a great deal of data across links and nodes. The amount of traffic generated can lead to bottlenecks, packet loss, and delays. A network’s design can vary in complexity, depending on the environment or needs of a customer. Just as we find a manageable way to handle heavy workloads, our networks have a way of efficiently handling network traffic by creating "mini-networks" within our network. This process is called subnetting.   Why We Subnet To reduce congestion. Just as traffic in cities cause slowdowns and delays, too much traffic can lead to bottlenecks, packet loss, and delays. Subnetting breaks the netwo...
Post a Comment
Read more

How to Set Up a Cisco Router as a DHCP Server (Step-by-Step Guide)

Lab time! Want to build a DHCP server?  In this lab, I will show you how to build your own DHCP server on a router using Cisco Packet Tracer, as shown above. By the end of this post, you will be able to create your own DHCP server with a Cisco 2911 router, perhaps in a home lab setting, and prepare you to build your own on other hardware.  Why a Router?  A DHCP server is a centralized, automated service that assigns important network configuration details to devices on a network, such as IP addresses. Without it, we would have to create manual entries for our entire network, which can be time-consuming and lead to errors. Traditionally, there are dedicated servers to handle these functions. There are many ways to implement a DHCP server in your topology, including a dedicated physical server, a virtual machine, cloud-based gateways, and firewalls. However, there are specific benefits to using a router as your DHCP server: Reduced infrastructur...
Post a Comment
Read more

My Trek up Mount Net

   Networking is ...          Let me hold off on that. Expect a definition later. First, let's set the scene.         This is a new platform, new field, new everything for me. You might or might not ask yourself - how?   If you are part of the "might not", I get it. I am currently a college student just trying to make sense at staring at the daunting Mount Net - one of many peaks among the IT Mountain Range that grows not centimeters every year, but centimeters every second it seems like. Yet this is a trek I know I want to take step by step.         Let me just say, my journey to networking started a few years ago. When I graduated high school, I had different interests - psychology, math, animal science, just to name a few. I had a brief stint of interest in electrical engineering that sparked from a fascination with electricity. My mother also told me that my grandfather used to be in ...
Post a Comment
Read more