
Faculty of Computer Sciences and Informatics

Department of Cybersecurity

DHCP spoofing and starvation


Network Monitoring and documentation
Dr. Mohammad Alshinwan
20212
Overview of DHCP
• Dynamic Host Configuration Protocol (DHCP) is an application layer protocol used to
distribute network configuration parameters, such as IP addresses, subnet masks,
default gateways, etc. to hosts on a TCP/IP network. Assigning network
parameters using DHCP reduces the amount of work of a network administrator, since
there is no need to statically configure parameters on each device.
• DHCP employs a client-server architecture; a DHCP client is configured to request
network parameters from a DHCP server. A DHCP server is configured with a pool of
available IP addresses and assigns one of them to the DHCP client. Besides IP
addresses, a DHCP server can provide some additional network parameters, such as:
• Subnet mask
• Default gateway
• Domain name
• DNS server
Process of DHCP
• As you can see from the picture above, a DHCP client goes through a four-step
process:
1. A DHCP client sends a broadcast packet (DHCPDiscover) to discover DHCP servers
on the network.
2. The DHCP server receives the DHCPDiscover packet and responds with a DHCPOffer
packet, offering IP addressing information to the DHCP client.
3. The DHCP client responds by broadcasting a DHCPRequest packet, requesting network
parameters from the DHCP server. (If there is more than one DHCP server on the
network segment and the DHCP client receives more than one DHCPOffer packet, the
client will accept the first DHCPOffer packet.)
4. The DHCP server approves the lease with a DHCPACK (Acknowledgement) packet.
The packet includes the lease duration and other configuration information.
DHCP starvation attack
• In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages
with spoofed source MAC addresses. If the legitimate DHCP server in the network starts
responding to all these bogus DHCP REQUEST messages, the available IP addresses in the DHCP
server scope will be depleted within a very short span of time.
• Once the available IP addresses in the DHCP server are depleted, network attackers can
then set up a rogue DHCP server and respond to new DHCP requests from network DHCP clients.
By setting up a rogue DHCP server, the attacker can now launch a DHCP spoofing attack.
DHCP spoofing attack
• After a DHCP starvation attack and setting up a rogue DHCP server, the attacker can
start distributing IP addresses and other TCP/IP configuration settings to the network
DHCP clients.
• TCP/IP configuration settings include Default Gateway and DNS Server IP addresses.
• Network attackers can now replace the original legitimate Default Gateway IP Address
and DNS Server IP Address with their own IP Address.
• Once the Default Gateway IP Address of the network devices is changed, the
network clients start sending the traffic destined to outside networks to the attacker's
computer.
• The attacker can now capture sensitive user data and launch a man-in-the-middle
attack. This is called a DHCP spoofing attack. The attacker can also set up a rogue DNS
server and divert end-user traffic to fake web sites and launch phishing attacks.
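A defender-side check for the two attacks described above, as an added example that is not part of the original slides: it parses DHCP payloads, flags a burst of distinct client MAC addresses (starvation) and any OFFER/ACK from a server outside an allow-list (rogue server). The function names, thresholds, addresses and sample packets are assumptions constructed for illustration; the MAC is read from the client hardware address field of the DHCP message.

```python
from collections import deque

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # DHCP message types (option 53)
MAGIC = bytes([99, 130, 83, 99])             # cookie after the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return (msg_type, client_mac, server_id) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")   # chaddr, sized by hlen
    opts, i, found = payload[240:], 0, {}
    while i + 1 < len(opts) and opts[i] != 255:           # 255 = end option
        step = 1 if opts[i] == 0 else 2 + opts[i + 1]     # pad (0) has no length byte
        found[opts[i]] = opts[i + 2:i + step]
        i += step
    if not found.get(53):
        return None
    sid = ".".join(map(str, found[54])) if 54 in found else None   # option 54 = server id
    return found[53][0], mac, sid

def detect(events, trusted_servers, window=10.0, max_macs=20):
    """events: (timestamp, payload) pairs in time order. Returns a list of alerts."""
    alerts, recent, starving = [], deque(), False
    parsed = ((ts, parse_dhcp(p)) for ts, p in events)
    for ts, (mtype, mac, sid) in (x for x in parsed if x[1]):
        if mtype in (OFFER, ACK):
            if sid not in trusted_servers and ("rogue-server", sid) not in alerts:
                alerts.append(("rogue-server", sid))       # report each server once
        elif mtype in (DISCOVER, REQUEST):
            recent.append((ts, mac))
            while ts - recent[0][0] > window:              # expire old observations
                recent.popleft()
            distinct = len({m for _, m in recent})
            if distinct > max_macs and not starving:       # alert on the rising edge only
                alerts.append(("starvation", distinct))
            starving = distinct > max_macs
    return alerts

def build(mtype, mac, server_id=None):
    """Build a minimal DHCP payload (constructed test data, not a real capture)."""
    sid = bytes([54, 4, *map(int, server_id.split("."))]) if server_id else b""
    return (bytes([2 if server_id else 1, 1, 6, 0]) + bytes(24) + bytes.fromhex(mac.replace(":", ""))
            + bytes(10 + 192) + MAGIC + bytes([53, 1, mtype]) + sid + b"\xff")

def sample_events():   # constructed: normal exchange, 30 spoofed-MAC requests, unknown server
    flood = [(1 + i * 0.05, build(REQUEST, "02:00:00:00:00:%02x" % i)) for i in range(30)]
    return [(0.0, build(DISCOVER, "00:11:22:33:44:55")),
            (0.1, build(OFFER, "00:11:22:33:44:55", "192.168.1.1")),
            *flood, (3.0, build(OFFER, "00:11:22:33:44:66", "192.168.1.66"))]
```

Calling detect(sample_events(), {"192.168.1.1"}) returns one starvation alert followed by one rogue-server alert; in the lab, the same logic can be fed UDP port 67/68 payloads exported from the Wireshark capture.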
LAB
• Yersinia
Now ping from the PC to the router (it should not work).

Use this command to forward the packets to the router:


sudo sysctl -w net.ipv4.ip_forward=1

Now ping the router again; it will work.


If the ping to the router is slow, close Yersinia.
• Open up the Wireshark.
