10.2.2.1.7. DHCP Starvation Attack / Starvation Attack

SecHard


Another type of network attack targeting DHCP servers is the DHCP starvation attack. In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with forged source MAC addresses. If the legitimate DHCP server in the network responds to all of these fake requests, the available IP addresses within the DHCP server's scope are exhausted in a very short time. This is a denial-of-service attack whose purpose is to take the DHCP server out of service.

After a DHCP starvation attack, the attacker can set up a fake DHCP server and start distributing IP addresses and other TCP/IP configuration settings to the network's DHCP clients. These settings include the Default Gateway and DNS Server IP addresses. The attacker can therefore replace the legitimate Default Gateway IP address and DNS Server IP address with their own.

The DHCP server dynamically assigns IP addresses to hosts on a network. The administrator configures a pool of addresses available for assignment, and each address is handed out with a lease term. A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses; the tools used for this walk the entire DHCP scope and try to lease every address it contains. The attacker can then set up a fake DHCP server and answer new DHCP requests from clients on the network, which enables a man-in-the-middle attack.

This type of attack can also cause DoS conditions in which duplicate addressing occurs in the network, making resources bound to those addresses inaccessible, or it can enable man-in-the-middle attacks in which traffic is first sent to the attacker and then relayed to its original destination. These attacks can be mitigated by enforcing static addressing, by using DHCP snooping on physical switches, and by DHCP server authorization in Active Directory environments.
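The symptom a DHCP server sees during the attack described above is a burst of DISCOVER messages from many different client MAC addresses on one interface, followed by "no free leases" once the scope is empty. The following detector is an added example, not part of the original page: it parses constructed ISC dhcpd-style syslog lines (the sample log, interface names and MAC addresses are all made up), counts distinct client MACs per interface within a sliding time window, and raises an alert when the count exceeds a threshold or when the server reports pool exhaustion.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed ISC dhcpd-style syslog lines (illustrative, not taken from the page).
# Lines 3-8 and 10 simulate one host on eth0 cycling through forged client MACs.
SAMPLE_LOG = """\
Mar  1 10:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0
Mar  1 10:00:01 dhcp1 dhcpd: DHCPOFFER on 10.44.0.20 to 00:0c:29:11:22:33 via eth0
Mar  1 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:01 via eth0
Mar  1 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:02 via eth0
Mar  1 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:03 via eth0
Mar  1 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:04 via eth0
Mar  1 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:05 via eth0
Mar  1 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:06 via eth0
Mar  1 10:00:04 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:ab:cd:ef via eth1
Mar  1 10:00:05 dhcp1 dhcpd: DHCPDISCOVER from 02:aa:00:00:00:07 via eth0: network 10.44.0.0/24: no free leases
"""

# Matches the DISCOVER lines only; the optional tail is dhcpd's pool-exhaustion message.
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<ifname>[^\s:]+)"
    r"(?P<exhausted>: network \S+: no free leases)?"
)


def parse_discovers(log_text):
    """Yield (timestamp, client_mac, interface, pool_exhausted) for each DISCOVER line."""
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if not m:
            continue  # offers, acks and unrelated lines carry no starvation signal
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
        yield ts, m.group("mac"), m.group("ifname"), bool(m.group("exhausted"))


def detect_starvation(log_text, window_seconds=10, mac_threshold=5):
    """Return a list of alerts.

    An interface is flagged once (type 'mac_churn') when the number of distinct
    client MACs seen on it inside any sliding window of window_seconds exceeds
    mac_threshold; a 'no free leases' line is flagged immediately as 'pool_exhausted'.
    """
    alerts = []
    recent = defaultdict(deque)   # interface -> deque of (ts, mac) still inside the window
    flagged = set()
    for ts, mac, ifname, exhausted in parse_discovers(log_text):
        if exhausted:
            alerts.append({"type": "pool_exhausted", "interface": ifname, "at": ts})
        q = recent[ifname]
        q.append((ts, mac))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                      # expire events that fell out of the window
        distinct = {m for _, m in q}
        if len(distinct) > mac_threshold and ifname not in flagged:
            flagged.add(ifname)              # one alert per interface, not one per packet
            alerts.append({"type": "mac_churn", "interface": ifname, "at": ts,
                           "distinct_macs": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(alert)
```

The MAC-churn rule fires before the pool is actually empty, which is the useful property: by the time dhcpd logs "no free leases" the legitimate clients are already being refused. Tune `window_seconds` and `mac_threshold` to the normal join rate of the segment; a wireless guest VLAN will legitimately churn far more than a server rack.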

DHCP snooping is the switch feature used to mitigate these attacks. With DHCP snooping, only trusted ports are allowed to send server-side messages such as DHCP OFFER and DHCP ACK. DHCP requests arriving on an untrusted port must be verified, and untrusted ports are not allowed to send messages such as DHCP OFFER at all. The DHCP snooping binding table is used to identify and filter messages from untrusted ports: requests from an untrusted port are validated by the switch (and blocked if they fail validation), and any server responses arriving on untrusted ports are discarded.

The global command "ip dhcp snooping vlan" enables DHCP snooping on a VLAN; "no ip dhcp snooping" disables the feature. The interface command "ip dhcp snooping trust" marks the port on which it is entered as trusted, and "ip dhcp snooping limit rate" caps the number of DHCP packets per second the switch accepts on that port.

ip dhcp snooping vlan 444

ip dhcp snooping trust

ip dhcp snooping limit rate 2
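To make the trusted/untrusted and rate-limit rules above concrete, the following toy switch model is an added example, not vendor code and not part of the original page. It replays a constructed traffic sample (port names, MAC addresses and lease addresses are all made up) through a DHCP snooping policy that drops server messages arriving on untrusted ports, err-disables an untrusted port that exceeds the configured DHCP packet rate (in the spirit of "ip dhcp snooping limit rate 2"), rejects client messages whose DHCP chaddr field differs from the Ethernet source address, and learns a binding only when a trusted port delivers the server's ACK.

```python
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    """Toy model of DHCP snooping on one VLAN (added illustration, not vendor code).

    trusted    - ports on which DHCP servers are allowed to answer
    rate_limit - DHCP packets per second accepted from each untrusted port;
                 the port is err-disabled when the limit is exceeded
    verify_mac - drop client messages whose chaddr differs from the frame source MAC
    """

    def __init__(self, trusted, rate_limit=2, verify_mac=True):
        self.trusted = set(trusted)
        self.rate_limit = rate_limit
        self.verify_mac = verify_mac
        self.pending = {}                  # chaddr -> untrusted port that sent the request
        self.bindings = {}                 # chaddr -> (leased ip, client port)
        self.err_disabled = set()
        self.counters = defaultdict(int)   # (port, whole second) -> DHCP packets seen
        self.drops = []                    # human-readable drop reasons, in order

    def _drop(self, msg, reason):
        self.drops.append(f"{msg['type']} on {msg['port']}: {reason}")
        return False

    def process(self, msg):
        """Return True if the switch forwards the DHCP frame, False if it drops it."""
        port, kind = msg["port"], msg["type"]
        if port in self.trusted:
            # Trusted side: learn the binding when the server confirms a lease.
            if kind == "ACK" and msg["chaddr"] in self.pending:
                self.bindings[msg["chaddr"]] = (msg["yiaddr"], self.pending.pop(msg["chaddr"]))
            return True
        if port in self.err_disabled:
            return self._drop(msg, "port is err-disabled")
        if kind in SERVER_MESSAGES:
            return self._drop(msg, "server message on untrusted port (rogue server)")
        key = (port, int(msg["ts"]))
        self.counters[key] += 1
        if self.counters[key] > self.rate_limit:
            self.err_disabled.add(port)
            return self._drop(msg, "rate limit exceeded, port err-disabled")
        if self.verify_mac and msg["src_mac"] != msg["chaddr"]:
            return self._drop(msg, "chaddr does not match frame source MAC")
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = port   # remember which access port asked
        return True


def frame(kind, port, mac, ts, chaddr=None, yiaddr=None):
    """Build a minimal DHCP frame record (constructed sample data)."""
    return {"type": kind, "port": port, "src_mac": mac, "chaddr": chaddr or mac,
            "ts": ts, "yiaddr": yiaddr}


def run_scenario():
    """Replay a constructed traffic sample: one legitimate lease, one rogue server,
    one starvation burst with forged MACs, and one frame with a spoofed chaddr.
    Returns the switch and the number of forwarded frames."""
    sw = SnoopingSwitch(trusted={"Gi1/0/1"}, rate_limit=2)
    legit, server = "00:0c:29:11:22:33", "00:50:56:00:00:01"
    traffic = [
        frame("DISCOVER", "Gi1/0/5", legit, 0.0),
        frame("OFFER", "Gi1/0/1", server, 0.2, chaddr=legit, yiaddr="10.44.0.20"),
        frame("REQUEST", "Gi1/0/5", legit, 0.5),
        frame("ACK", "Gi1/0/1", server, 0.7, chaddr=legit, yiaddr="10.44.0.20"),
        frame("OFFER", "Gi1/0/7", "00:50:56:ba:d0:01", 1.0, chaddr=legit, yiaddr="10.44.0.99"),
    ]
    # Burst on untrusted Gi1/0/9: a fresh forged MAC per DISCOVER, all within one second.
    traffic += [frame("DISCOVER", "Gi1/0/9", f"02:aa:00:00:00:{i:02x}", 5.0 + i / 10)
                for i in range(1, 5)]
    # A client whose DHCP chaddr field does not match the Ethernet source address.
    traffic.append(frame("DISCOVER", "Gi1/0/5", legit, 9.0, chaddr="02:bb:00:00:00:01"))
    forwarded = sum(sw.process(m) for m in traffic)
    return sw, forwarded


if __name__ == "__main__":
    switch, count = run_scenario()
    print(f"forwarded {count} frames; bindings={switch.bindings}; "
          f"err-disabled={sorted(switch.err_disabled)}")
    print("\n".join(switch.drops))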
