Common attacks that exploit vulnerabilities in the Dynamic Host Configuration Protocol (DHCP).

DHCP Starvation

An attacker uses spoofed MAC addresses to send a flood of DHCP discover messages. The target server’s DHCP pool becomes full, resulting in a Denial-of-Service (DoS) for legitimate network devices.

DHCP Poisoning

Similar to ARP Poisoning, this is a man-in-the-middle attack. A spurious (i.e. fake) DHCP server replies to clients’ DHCP discover messages and assigns them IP addresses, but makes the clients use the spurious server’s IP as their default gateway. The client(s) will then send traffic to the attacker rather than the legitimate default gateway, allowing the attacker to examine and modify the traffic before forwarding it to the legitimate default gateway.

Note

In DHCP poisoning, clients will receive offers from both the spurious and the legitimate DHCP servers. DHCP clients usually accept the first DHCP offer they receive. If the spurious server and legitimate server are both in the local network, it may not be clear which one’s offer a client will receive first, but if the spurious server is local and the legitimate server is remote (communicating through a DHCP Relay Agent), then it’s almost certain that the spurious server’s messages will arrive first.
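Both attacks leave recognisable traces in captured DHCP traffic: starvation shows up as a burst of discover messages from many distinct MAC addresses, and poisoning as offers from a server, or with a default gateway, that the network does not expect. The following detection sketch is an added example, not part of the original page; the event tuple layout, the trusted server and gateway addresses, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Assumptions (not from the page): these addresses, thresholds and the
# event layout (timestamp, type, client MAC, server IP, router option).
TRUSTED_SERVERS = {"10.0.0.2"}
TRUSTED_GATEWAY = "10.0.0.1"
WINDOW_SECONDS = 10
MAX_MACS_PER_WINDOW = 20

def find_rogue_offers(events):
    """Return sorted (server_ip, router) pairs for OFFERs that come from an
    unlisted server or hand out a default gateway other than the trusted one."""
    findings = set()
    for _ts, msg_type, _mac, server_ip, router in events:
        if msg_type != "OFFER":
            continue
        if server_ip not in TRUSTED_SERVERS or router != TRUSTED_GATEWAY:
            findings.add((server_ip, router))
    return sorted(findings)

def find_starvation_windows(events):
    """Return start times of windows in which more distinct client MACs
    sent DISCOVER than the threshold allows (a sign of spoofed MACs)."""
    macs_by_window = defaultdict(set)
    for ts, msg_type, mac, _server_ip, _router in events:
        if msg_type == "DISCOVER":
            window = int(ts // WINDOW_SECONDS) * WINDOW_SECONDS
            macs_by_window[window].add(mac)
    return sorted(w for w, macs in macs_by_window.items()
                  if len(macs) > MAX_MACS_PER_WINDOW)

def build_sample_events():
    """Constructed sample capture: one client that gets two offers, then a
    burst of DISCOVERs from 40 different MAC addresses."""
    events = [
        (1.0, "DISCOVER", "aa:bb:cc:00:00:01", None, None),
        # Unlisted local server answers first and names itself as gateway.
        (1.1, "OFFER", "aa:bb:cc:00:00:01", "10.0.0.66", "10.0.0.66"),
        # The legitimate offer arrives later.
        (1.4, "OFFER", "aa:bb:cc:00:00:01", "10.0.0.2", "10.0.0.1"),
    ]
    for i in range(40):
        events.append((30.0 + i * 0.1, "DISCOVER", f"02:00:00:00:00:{i:02x}", None, None))
    return events

if __name__ == "__main__":
    sample = build_sample_events()
    print("rogue offers:", find_rogue_offers(sample))
    print("starvation windows:", find_starvation_windows(sample))
```
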