Skip to main content

DHCP Security: Shrinking the Attack Surface

A reservation means nothing if you get the wrong size for your guests, or a party crasher, intended or not, is there first. Similarly, if DHCP is not secure, your device runs the risk of not getting the right network configuration—or any at all. What threats does DHCP face, and how can we protect both devices and the server from such attacks? Let's secure those answers.

For a refresher on DHCP, check out this post.

DHCP Attacks

Rogue DHCP Server

On picnic day, you go to the park office to claim your pavilion, but another staff member—different from the one you arranged the event with—has no note of your reservation and gives you another pavilion. What does that mean for your guests? They already have the original location. Things just got complicated.

Similarly, a rogue DHCP server is an unauthorized or misconfigured device that disrupts the operations of an authorized server within a network. This can result from manually assigning conflicting IP address ranges or someone plugging in a personal router with DHCP enabled.

Why it Matters
  • Rogue servers can cause IP address conflicts, leading to limited or no access to the Internet or local network.
  • They can act as an "evil twin"(looks like your network, feels like your network) but tracks, reroutes, and intercepts your data or block access.

DHCP Starvation Attack

Back to the picnic. Imagine you are at your local park office and talk to the staff, but there are no available pavilions. How so? The whole park is booked by a large company hosting a retreat for several other companies for the entire week. As a result, you cannot book a pavilion there and decide to look at another park. That is similar to a DHCP starvation attack.

In this attack, an attacker floods the server with requests, consuming all available IP addresses and leaving legitimate users without one.

Why it Matters
  • Once the IP address pool is exhausted,  the attacker provides a "glimmering light" - a false promise to access your network.
  • The attacker implants their own DHCP server - a rogue one - to provide what you "need" to get access to the network: an IP address.
  • This trap network allows the attacker to monitor, misdirect, or manipulate your traffic.

DHCP Spoofing

Picnic planning is hard. Once you finally book a pavilion at another park, you get a confirmation slip—only to notice the logo is off and your reserved pavilion is now the smallest one. You’ve just been scammed!

That’s DHCP spoofing: the attacker's server gives devices incorrect network configuration, disrupting connectivity or redirecting traffic to malicious sites.

Why it Matters
  • Traffic can be redirected to the attacker, enabling man-in-the-middle attacks.
  • Devices may receive "fake invitations" : false configurations, losing access to the local network or Internet.
  • Spoofed traffic may reroute to phishing or malware sites.

How to Protect Against DHCP Attacks

  • Activate DHCP Snooping

Allows only trusted sources to handle DHCP messages. Anything untrusted gets blocked. Designated servers are the only ones allowed to issue IP addresses.

  • Configure DHCP Relay Agents

Acts as a proxy between clients and the DHCP infrastructure. It inspects traffic and drops packets from unauthorized sources (rogue servers).

  • Implement Port Security

Limits the number of MAC addresses per port. You can also whitelist approved MAC addresses to block others from connecting.

  • Limit DHCP Requests

Restrict how many DHCP requests can be made by a device within a time window, helping prevent starvation attacks.

  • Use VLAN Segmentation

Divide your physical network into logical ones by department, floor, or device type. This contains attacks within a segment and simplifies troubleshooting.

Avoid putting all devices in the native VLAN, which creates a large broadcast domain vulnerable to rogue DHCP attacks.

Secure inter-VLAN routing to prevent unauthorized access between network segments.

  • MAC Filtering

Restrict network access to a list of approved MAC addresses—like a guest list. However, attackers can spoof MAC addresses, so this should not be the only layer of defense.

What’s Next?

DHCP does not get much hype. It may not be glamorous, but that does not make it any less worthy of protection. There are many moving parts to DHCP: IP addresses, DNS servers, and security. Every component in IT carries an attack surface - that is no different from a seemingly overlooked protocol that can make or break our connections to the Internet. 

Security implementations like DHCP snooping and port security can reduce the risks posed from such DHCP attacks. Above all, it begins with monitoring to identify vulnerabilities. Want to see this in action? Check the links below for a hands-on look against DHCP attacks. 

DHCP security may not be a picnic, but securing it means fewer party crashers and more time to enjoy the sun (perhaps with a cold glass of lemonade in hand).

 

Helpful Links 

DHCP Attacks and Defense Strategies - Kevin Wallace

Hack DHCP with Python and Kali Linux! - David Bombal 

 

 

Labels:

Comments

Post a Comment

Popular posts from this blog

IP in Practice: The Need for IPv6

 It is time for IPv6. Not just for our network infrastructure, but for this series. The IPv4 section has come to an end, and now it is time for a deep dive into IPv6. More than ever, it is time to consider systems that can handle heavier workloads, more devices, and fewer address limitations - AI agents, IoT devices, edge computing. This post will examine why we need IPv6 and why it is an important network solution.   Why do we need IPv6? We need more space. IPv6 literally increases the address space exponentially. The IPv6 address space is 2 128 total addresses, 3.4 followed by 38 zeroes. Technology is no longer limited to servers, office computers, and mobile devices. Today's systems integrate AI infrastructure, edge computing, IoT devices, cloud networking, virtual machines, and more. Simply, more devices mean more space.  We need more scalability. As more devices connect to systems, administrators need to consider not only the number but the distribution. System...
Post a Comment
Read more

IP in Practice: IPv4 Workarounds

IPv4 has been dealing with burnout since 2011. Yet we work it to the ground by finding workarounds. Why? The Internet as we know it still runs on it. IPv6 is not as pervasive or widely accepted as IPv4 and often requires adding new infrastructure or reworking what is already in place. So far, the alternatives have extended the use of IPv4 beyond its intended design.  How have we continued to stretch IPv4? If you are studying networking, building a home lab, or managing large-scale networks, these techniques should ring a bell. This post will revisit four current IPv4 workarounds.  Workaround #1 - Private IP Addresses Instead of every server, device, and client getting their own public IP address and taking up space, private IP addresses provide reusable address spaces for local networks. These addresses are not directly accessible via the Internet. Routers will drop external traffic trying to directly access them.  To the outside world, only public IP addresses are...
Post a Comment
Read more

Subnets: Key to Network Organization

Whether it is a to-do list or a big project, organization is key. We have busy lives. The task in itself can have several parts or may require some sort of collaboration with a partner or a team. A project may call to meet deadlines, which means keeping up with those crucial dates and having a system of order. Similarly, our networks are busy, transferring a great deal of data across links and nodes. The amount of traffic generated can lead to bottlenecks, packet loss, and delays. A network’s design can vary in complexity, depending on the environment or needs of a customer. Just as we find a manageable way to handle heavy workloads, our networks have a way of efficiently handling network traffic by creating "mini-networks" within our network. This process is called subnetting.   Why We Subnet To reduce congestion. Just as traffic in cities cause slowdowns and delays, too much traffic can lead to bottlenecks, packet loss, and delays. Subnetting breaks the netwo...
Post a Comment
Read more