DHCP or dynamic host configuration protocol is responsible for IP assignment in the network. DHCP spoofing is a type of attack in which hacker places a rogue DHCP server in the network. This results into a man in the middle attack. Usually its a very small device having network interface or have a Wi-Fi to connect it with the network. With the help of this planted DHCP server hacker responses to the IP assignment requests. As a result, original DHCP server offer is not availed by the client and hacker has full control over the IP scheme of network devices.

Attacker has multiple choices to perform different malicious activates after successful IP assignment. He can redirect all the workstation traffic towards a completely dummy infrastructure instead of legit one. One example is with a invalid gateway. All network traffic will be routed towards the gateway of hackers choice. Another way of manipulating the situation is to assign a fake DNS server settings to the workstations. Attacker will be able to control all the name resolution and internet browsing after this.

Advance hackers may use WPAD  Web Proxy Auto Discover record to control all web related traffic through a illegit proxy server. Imagine user opens his internet banking and WPAS presents a dummy banking website. Next user does the fund transfer or credit card payment. Or user open any website, it askes to authenticate (provide NTLM/AD credentials). A common user will think, server is trying to authenticate his identity. He gives username/password. This will be even bigger problem now. Similarly VOIP devices or phones can be registered in IP telephony exchanges using DHCP options and telephone calls can be manipulated.

Problems do not end here. Not only such DHCP spoofing attack assign a dummy IP configuration to a legit workstation for the first time. But also renew same IP in future. As a result workstation becomes permanent victim of attacker.

How to Secure from DHCP Spoofing

Unfortunately there is no quick solution of DHCP spoofing attack. However these are few recommendations that will help to minimize the attack surface of DHCP.

1. The best way is to define trusted ports over the network devices for DHCP server traffic only.
2. Apply rate limit for DHCP packets on network devices.
3. Monitor your DHCP traffic over the network.
4. Document you network devices especially routers/switches etc. It will help to quickly track unidentified devices.
5. Place honeypots to detect rogue DHCP servers.
6. Find and fix IP duplication. Sometimes rouge DHCP use same IP scheme.
7. Always use active directory authorized DHCP servers.

DHCP Starvation

In DHCP starvation, a hacker floods DHCP server with bulk request as a result DHCP server is exhausted and unable to respond the original clients. Hence becomes victim of denial of service (DoS) attack. Now imagine an attacker launches DHCP starvation first and DHCP spoofing attack later. It will make sure original DHCP server can not serve and rouge DHCP is in full swing, ready to give IP to everyone. All new client successfully exploited with 100% certainty. Finally we will force again, solution is better network traffic monitoring can help in identifying bulk requests.

Now you understand DHCP spoofing. Lastly if you are new administrator and want to learn fundamentals of DHCP service You learn “What is DHCP Server” and read more articles on this topic.