
DHCP Security: Shrinking the Attack Surface

A reservation means nothing if the pavilion is the wrong size for your guests, or if a party crasher, intended or not, is there first. Similarly, if DHCP is not secure, your device runs the risk of not getting the right network configuration—or any at all. What threats does DHCP face, and how can we protect both devices and the server from such attacks? Let's secure those answers.

For a refresher on DHCP, check out this post.

DHCP Attacks

Rogue DHCP Server

On picnic day, you go to the park office to claim your pavilion, but another staff member—different from the one you arranged the event with—has no note of your reservation and gives you another pavilion. What does that mean for your guests? They already have the original location. Things just got complicated.

Similarly, a rogue DHCP server is an unauthorized or misconfigured device that disrupts the operations of an authorized server within a network. This can result from manually assigning conflicting IP address ranges or someone plugging in a personal router with DHCP enabled.

Why it Matters
  • Rogue servers can cause IP address conflicts, leading to limited or no access to the Internet or local network.
  • They can act as an "evil twin" (looks like your network, feels like your network) that tracks, reroutes, and intercepts your data or blocks access.

DHCP Starvation Attack

Back to the picnic. Imagine you are at your local park office and talk to the staff, but there are no available pavilions. How so? The whole park is booked by a large company hosting a retreat for several other companies for the entire week. As a result, you cannot book a pavilion there and decide to look at another park. That is similar to a DHCP starvation attack.

In this attack, an attacker floods the server with requests, consuming all available IP addresses and leaving legitimate users without one.

Why it Matters
  • Once the IP address pool is exhausted, the attacker provides a "glimmering light" - a false promise of access to your network.
  • The attacker implants their own DHCP server - a rogue one - to provide what you "need" to get access to the network: an IP address.
  • This trap network allows the attacker to monitor, misdirect, or manipulate your traffic.

DHCP Spoofing

Picnic planning is hard. Once you finally book a pavilion at another park, you get a confirmation slip—only to notice the logo is off and your reserved pavilion is now the smallest one. You’ve just been scammed!

That’s DHCP spoofing: the attacker's server gives devices incorrect network configuration, disrupting connectivity or redirecting traffic to malicious sites.

Why it Matters
  • Traffic can be redirected to the attacker, enabling man-in-the-middle attacks.
  • Devices may receive "fake invitations": false configurations, losing access to the local network or Internet.
  • Spoofed traffic may reroute to phishing or malware sites.
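All three attacks show up on the wire as DHCP server replies that either come from a server nobody authorized or carry the wrong gateway and DNS values, which is what makes them visible to monitoring. The script below is an added example, not code from the original post: it reduces each observed OFFER/ACK to the fields worth checking and compares them against an authorized server list and the options a legitimate lease should carry. The server list, the expected options, the 192.168.1.0/24 addressing and the sample replies are all constructed for illustration.

```python
"""Flag rogue and spoofed DHCP server replies seen on the wire.

Added example, not code from the original post. It models the monitoring
step: every DHCP OFFER/ACK observed on the LAN is compared against the
servers that are allowed to answer and the configuration a legitimate
lease should carry. The authorized server list, the expected options and
the sample replies below are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed policy for a hypothetical 192.168.1.0/24 LAN.
AUTHORIZED_SERVERS = {"192.168.1.1"}
EXPECTED_OPTIONS = {"router": "192.168.1.1", "dns": ("192.168.1.1",)}


@dataclass(frozen=True)
class DhcpReply:
    """One server-to-client DHCP message, reduced to the fields we check."""
    msg_type: str       # "OFFER" or "ACK"
    server_ip: str      # DHCP server identifier (option 54)
    client_mac: str
    offered_ip: str
    router: str         # default gateway (option 3)
    dns: tuple          # DNS servers (option 6)


@dataclass(frozen=True)
class Finding:
    kind: str           # "rogue_server" or "spoofed_config"
    reply: DhcpReply
    detail: str


def check_reply(reply, authorized=AUTHORIZED_SERVERS, expected=EXPECTED_OPTIONS):
    """Return the findings for one observed reply; an empty list means it looks legitimate."""
    findings = []
    # Rogue server: the answer comes from an address nobody authorized to run DHCP.
    if reply.server_ip not in authorized:
        findings.append(Finding("rogue_server", reply,
                                f"{reply.msg_type} from unauthorized server {reply.server_ip}"))
    # Spoofed configuration: the lease points clients at the wrong gateway or
    # resolver. Checked independently of the server identity, because a
    # spoofed reply can claim the legitimate server's address.
    if reply.router != expected["router"]:
        findings.append(Finding("spoofed_config", reply,
                                f"gateway {reply.router} differs from expected {expected['router']}"))
    if tuple(reply.dns) != tuple(expected["dns"]):
        findings.append(Finding("spoofed_config", reply,
                                f"DNS {reply.dns} differs from expected {expected['dns']}"))
    return findings


def scan(replies, authorized=AUTHORIZED_SERVERS, expected=EXPECTED_OPTIONS):
    """Run check_reply over a whole capture and return every finding."""
    return [f for r in replies for f in check_reply(r, authorized, expected)]


def summarize(findings):
    """Count findings by kind, e.g. {"rogue_server": 1, "spoofed_config": 3}."""
    return dict(Counter(f.kind for f in findings))


# Constructed capture: two legitimate leases, an OFFER from a personal router
# someone plugged in, and an ACK that borrows the real server's address while
# pointing DNS at an outside resolver.
SAMPLE_REPLIES = [
    DhcpReply("OFFER", "192.168.1.1", "aa:aa:aa:00:00:01", "192.168.1.50",
              "192.168.1.1", ("192.168.1.1",)),
    DhcpReply("ACK", "192.168.1.1", "aa:aa:aa:00:00:01", "192.168.1.50",
              "192.168.1.1", ("192.168.1.1",)),
    DhcpReply("OFFER", "192.168.1.254", "aa:aa:aa:00:00:02", "192.168.1.100",
              "192.168.1.254", ("192.168.1.254",)),
    DhcpReply("ACK", "192.168.1.1", "aa:aa:aa:00:00:03", "192.168.1.51",
              "192.168.1.1", ("203.0.113.53",)),
]

if __name__ == "__main__":
    findings = scan(SAMPLE_REPLIES)
    for finding in findings:
        print(f"[{finding.kind}] client {finding.reply.client_mac}: {finding.detail}")
    print(summarize(findings))
```

The gateway and DNS checks run even when the server address is authorized: a spoofed reply can carry the real server's address, so server identity alone is not enough to clear a lease. Feeding the checker from a live capture means filling `DhcpReply` from options 54, 3 and 6 of each packet; the structure of the checks stays the same.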

How to Protect Against DHCP Attacks

  • Activate DHCP Snooping

A switch feature that marks each port as trusted or untrusted for DHCP. Server messages are accepted only from trusted ports, and anything a server would send that arrives on an untrusted port is blocked, so the designated servers are the only ones allowed to issue IP addresses.

  • Configure DHCP Relay Agents

Acts as a proxy between clients and the DHCP infrastructure. It inspects traffic and drops packets from unauthorized sources (rogue servers).

  • Implement Port Security

Limits the number of MAC addresses per port. You can also whitelist approved MAC addresses to block others from connecting.

  • Limit DHCP Requests

Restrict how many DHCP requests can be made by a device within a time window, helping prevent starvation attacks.

  • Use VLAN Segmentation

Divide your physical network into logical ones by department, floor, or device type. This contains attacks within a segment and simplifies troubleshooting.

Avoid putting all devices in the native VLAN, which creates a large broadcast domain vulnerable to rogue DHCP attacks.

Secure inter-VLAN routing to prevent unauthorized access between network segments.

  • MAC Filtering

Restrict network access to a list of approved MAC addresses—like a guest list. However, attackers can spoof MAC addresses, so this should not be the only layer of defense.
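DHCP snooping, port security and request limiting are all decisions a switch makes per port as frames arrive, and they compose naturally: a server reply on an untrusted port is dropped before anything else is considered, then an access port's MAC count and DHCP request rate are enforced. The class below is an added example, not code from the original post and not any vendor's implementation; it models those three checks in plain Python. The port names, thresholds (5 requests per second, 2 MACs per port) and the sample frames are constructed for illustration.

```python
"""Model of three switch-side defenses from this post: DHCP snooping trust,
per-port DHCP request rate limiting and port-security MAC limits.

Added example, not code from the original post and not any vendor's
implementation. Port names, thresholds and the sample frames are
constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass(frozen=True)
class Frame:
    port: str        # ingress switch port
    src_mac: str
    msg_type: str    # DHCP message type
    time: float      # arrival time in seconds


class SnoopingSwitch:
    """Per-port policy (trust, MAC limit, rate limit) applied at ingress."""

    def __init__(self, trusted_ports, rate_limit=5, window=1.0, max_macs=2):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit       # client DHCP messages per port per window
        self.window = window               # seconds
        self.max_macs = max_macs           # distinct source MACs allowed per access port
        self._recent = defaultdict(deque)  # port -> arrival times of recent client messages
        self._macs = defaultdict(set)      # port -> learned source MACs

    def ingress(self, frame):
        """Return "forward" or "drop: <reason>" for one DHCP frame."""
        # 1. DHCP snooping: server replies are accepted only from trusted ports,
        #    so a rogue server on an access port never reaches clients.
        if frame.msg_type in SERVER_MESSAGES and frame.port not in self.trusted:
            return "drop: server message on untrusted port"
        if frame.port in self.trusted:
            return "forward"               # uplink to the real server: no client limits
        # 2. Port security: cap the number of source MACs an access port may learn,
        #    which stops one host rotating MACs to drain the address pool.
        learned = self._macs[frame.port]
        if frame.src_mac not in learned:
            if len(learned) >= self.max_macs:
                return "drop: MAC limit exceeded"
            learned.add(frame.src_mac)
        # 3. Rate limit: too many client DHCP messages inside the window is the
        #    signature of a starvation attempt.
        recent = self._recent[frame.port]
        while recent and frame.time - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.rate_limit:
            return "drop: DHCP rate limit exceeded"
        recent.append(frame.time)
        return "forward"


def run(frames, trusted_ports=("Gi0/1",)):
    """Feed frames through a fresh switch and return one verdict per frame."""
    switch = SnoopingSwitch(trusted_ports)
    return [switch.ingress(f) for f in frames]


# Constructed traffic: Gi0/1 is the trusted uplink to the real server, Gi0/2 a
# normal client, Gi0/3 a host that first answers as a rogue server, then floods
# DISCOVERs from one MAC, then rotates source MACs.
SAMPLE_FRAMES = (
    [Frame("Gi0/2", "aa:aa:aa:00:00:01", "DISCOVER", 0.00),
     Frame("Gi0/1", "00:11:22:33:44:55", "OFFER", 0.10),
     Frame("Gi0/2", "aa:aa:aa:00:00:01", "REQUEST", 0.20),
     Frame("Gi0/1", "00:11:22:33:44:55", "ACK", 0.30),
     Frame("Gi0/3", "bb:bb:bb:00:00:01", "OFFER", 1.00)]
    + [Frame("Gi0/3", "bb:bb:bb:00:00:01", "DISCOVER", 2.00 + 0.01 * i) for i in range(8)]
    + [Frame("Gi0/3", f"bb:bb:bb:00:00:{i:02x}", "DISCOVER", 5.00 + 0.01 * i) for i in range(2, 6)]
)

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run(SAMPLE_FRAMES)):
        print(f"{frame.time:5.2f}s {frame.port} {frame.src_mac} {frame.msg_type:8} -> {verdict}")
    print(Counter(run(SAMPLE_FRAMES)))
```

Running it shows the legitimate exchange forwarded, the rogue OFFER dropped on trust alone, the sixth through eighth DISCOVERs in the burst dropped by the rate limit, and every MAC beyond the second on Gi0/3 dropped by port security. The order of the checks matters: the trust decision needs no state, so it runs first, and the rate limiter only ever sees frames from MACs the port was allowed to learn.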

What’s Next?

DHCP does not get much hype. It may not be glamorous, but that does not make it any less worthy of protection. There are many moving parts to DHCP: IP addresses, DNS servers, and security. Every component in IT carries an attack surface - that is no different for a seemingly overlooked protocol that can make or break our connections to the Internet.

Security implementations like DHCP snooping and port security can reduce the risks posed by such DHCP attacks. Above all, it begins with monitoring to identify vulnerabilities. Want to see this in action? Check the links below for a hands-on look at defending against DHCP attacks.

DHCP security may not be a picnic, but securing it means fewer party crashers and more time to enjoy the sun (perhaps with a cold glass of lemonade in hand).

Helpful Links

DHCP Attacks and Defense Strategies - Kevin Wallace

Hack DHCP with Python and Kali Linux! - David Bombal

I have done a few posts on subnetting and the inner workings of DHCP. I wanted to do a post on IPv6 and a hands-on demo on implementing DHCP on actual networking equipment. However, I missed a few parts that I would like to cover that would particularly help in understanding how IP works and why it is needed. Unlike the previous series, this will be a direct approach to a certain protocol: Internet Protocol (IP). I recently started my first series, covering important ports, protocols, and acronyms used in the networking field. However, I realized not only is it difficult to address the ones to mention, but for some letters it's hard to find. The intended structure was to have several per letter not just one. The idea seemed fun and engaging, however, doing over 20 posts alphabetically on acronyms, ports, and protocols lacks order and deviates from the direct approach I want this blog to have. For that reason, I am putting it on hold indefinitely. It was fun at first, but it was not...