Skip to main content

DHCP Security: Shrinking the Attack Surface

A reservation means nothing if you get the wrong size for your guests, or a party crasher, intended or not, is there first. Similarly, if DHCP is not secure, your device runs the risk of not getting the right network configuration—or any at all. What threats does DHCP face, and how can we protect both devices and the server from such attacks? Let's secure those answers.

For a refresher on DHCP, check out this post.

DHCP Attacks

Rogue DHCP Server

On picnic day, you go to the park office to claim your pavilion, but another staff member—different from the one you arranged the event with—has no note of your reservation and gives you another pavilion. What does that mean for your guests? They already have the original location. Things just got complicated.

Similarly, a rogue DHCP server is an unauthorized or misconfigured device that disrupts the operations of an authorized server within a network. This can result from manually assigning conflicting IP address ranges or someone plugging in a personal router with DHCP enabled.

Why it Matters
  • Rogue servers can cause IP address conflicts, leading to limited or no access to the Internet or local network.
  • They can act as an "evil twin"(looks like your network, feels like your network) but tracks, reroutes, and intercepts your data or block access.

DHCP Starvation Attack

Back to the picnic. Imagine you are at your local park office and talk to the staff, but there are no available pavilions. How so? The whole park is booked by a large company hosting a retreat for several other companies for the entire week. As a result, you cannot book a pavilion there and decide to look at another park. That is similar to a DHCP starvation attack.

In this attack, an attacker floods the server with requests, consuming all available IP addresses and leaving legitimate users without one.

Why it Matters
  • Once the IP address pool is exhausted,  the attacker provides a "glimmering light" - a false promise to access your network.
  • The attacker implants their own DHCP server - a rogue one - to provide what you "need" to get access to the network: an IP address.
  • This trap network allows the attacker to monitor, misdirect, or manipulate your traffic.

DHCP Spoofing

Picnic planning is hard. Once you finally book a pavilion at another park, you get a confirmation slip—only to notice the logo is off and your reserved pavilion is now the smallest one. You’ve just been scammed!

That’s DHCP spoofing: the attacker's server gives devices incorrect network configuration, disrupting connectivity or redirecting traffic to malicious sites.

Why it Matters
  • Traffic can be redirected to the attacker, enabling man-in-the-middle attacks.
  • Devices may receive "fake invitations" : false configurations, losing access to the local network or Internet.
  • Spoofed traffic may reroute to phishing or malware sites.

How to Protect Against DHCP Attacks

  • Activate DHCP Snooping

Allows only trusted sources to handle DHCP messages. Anything untrusted gets blocked. Designated servers are the only ones allowed to issue IP addresses.

  • Configure DHCP Relay Agents

Acts as a proxy between clients and the DHCP infrastructure. It inspects traffic and drops packets from unauthorized sources (rogue servers).

  • Implement Port Security

Limits the number of MAC addresses per port. You can also whitelist approved MAC addresses to block others from connecting.

  • Limit DHCP Requests

Restrict how many DHCP requests can be made by a device within a time window, helping prevent starvation attacks.

  • Use VLAN Segmentation

Divide your physical network into logical ones by department, floor, or device type. This contains attacks within a segment and simplifies troubleshooting.

Avoid putting all devices in the native VLAN, which creates a large broadcast domain vulnerable to rogue DHCP attacks.

Secure inter-VLAN routing to prevent unauthorized access between network segments.

  • MAC Filtering

Restrict network access to a list of approved MAC addresses—like a guest list. However, attackers can spoof MAC addresses, so this should not be the only layer of defense.

What’s Next?

DHCP does not get much hype. It may not be glamorous, but that does not make it any less worthy of protection. There are many moving parts to DHCP: IP addresses, DNS servers, and security. Every component in IT carries an attack surface - that is no different from a seemingly overlooked protocol that can make or break our connections to the Internet. 

Security implementations like DHCP snooping and port security can reduce the risks posed from such DHCP attacks. Above all, it begins with monitoring to identify vulnerabilities. Want to see this in action? Check the links below for a hands-on look against DHCP attacks. 

DHCP security may not be a picnic, but securing it means fewer party crashers and more time to enjoy the sun (perhaps with a cold glass of lemonade in hand).

 

Helpful Links 

DHCP Attacks and Defense Strategies - Kevin Wallace

Hack DHCP with Python and Kali Linux! - David Bombal 

 

 

Labels:

Comments

Post a Comment

Popular posts from this blog

IP in Practice: IP Addressing Basics

Whenever you order at a fast-food restaurant, the cashier may give you a number or ask for the name on your order. When your order is ready, they will call your number or name so the correct person receives it. Similarly, devices on a network are assigned a unique number so information reaches its intended destination. This number is called an IP address. . . . Check Full IP IP Addresses are Unique Identifiers Every device on a network has an IP address that allows it to communicate with other devices. These addresses are unique within a network to ensure data reaches its intended destination. Imagine if two people had the same order number—there would be confusion about who ordered what. Similarly, without these identifiers, devices would not know where to send or receive data. Purposes of IP Addresses IP addresses serve several purposes, including: Routing: IP addresses operate at layer 3 of the TCP/IP or OSI model, also kno...
Post a Comment
Read more

IP in Practice: Public and Private IP Addresses

Do you speak another language? Personally, I love learning new languages, but one of the hardest parts is translation. When it comes to networking, it is something similar. Devices within our home and office networks do not directly go to the internet. There needs to be a "translator". What does this have to do with public and private IPv4 addresses? In this post, we will explore: IPv4 Addresses Private Ranges  The difference and teamwork between NAT and PAT Helpful troubleshooting commands such as ipconfig or ping A demo that puts it altogether.  (Link to topology here .) By the end of this post, you will see how public and private IP addresses work together in action.  IPv4 Address Private Ranges RFC1918 Private IP Address Ranges Class IANA Blocks Range Total Addresses A 10.0.0.0/8 10.0.0.0 - 10.255.255.255 16.7 million (16,777,216) ...
Post a Comment
Read more

Is MCP the TCP/IP for AI?

  The Internet runs on TCP/IP. We might as well include AI in the mix, but how about AI? TCP/IP allows devices, services, applications, and data to communicate with other devices, services, applications, and data. How does AI talk? This is why I love networking, and the thought of how AI communicates makes me hopeful that the field will survive extensive job replacements. Unless self-healing networks actually come.  I have been reading more into MCP. What exactly is it? Is it necessary for AI models and agents to communicate? Did you know AI agents have their own social media?? Biggest of all, is there any correlation between MCP and TCP/IP for model communication? Can MCP take notes from TCP/IP, or will it rewrite networking? This post explores Model Context Protocol through parallels with TCP/IP to understand how AI communication can become more structured, standardized, and consistent. What is MCP? To understand MCP, a good place to start is APIs. To understand APIs,...
Post a Comment
Read more