Understanding DHCP in Cybersecurity

Dynamic Host Configuration Protocol (DHCP) is one of the foundational services in computer networking. It automatically assigns IP addresses and other network configuration parameters (such as DNS servers and default gateways) to devices, enabling them to communicate without manual setup.

But while DHCP makes network management easier, it also introduces potential security risks. Let's explore how it works, the red team (attacker) perspective, and the blue team (defender) strategies to secure it.

How DHCP Works

When a device connects to a network, it follows the DORA process:

  1. Discover - The client broadcasts a request looking for a DHCP server.
  2. Offer - A DHCP server responds with an available IP address.
  3. Request - The client requests to use that IP.
  4. Acknowledge - The server confirms the lease.

This automated system reduces configuration overhead but can be abused if not properly secured.

Red Team Perspective: Attacking DHCP

Attackers can exploit DHCP in several ways:

1. Rogue DHCP Server

An attacker can set up a fake DHCP server on the network. When clients request an IP, the rogue server responds faster than the legitimate server, providing malicious configuration (e.g., a fake gateway for MITM attacks).

Example: Using dhcpd to configure a rogue DHCP server

# Install DHCP server (Linux example)
sudo apt install isc-dhcp-server
 
# Configure rogue DHCP server (/etc/dhcp/dhcpd.conf)
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers 192.168.1.50;       # Attacker-controlled gateway
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}

2. DHCP Starvation Attack

An attacker floods the DHCP server with fake requests, exhausting its pool of IP addresses, preventing legitimate clients from connecting.

Example: DHCP starvation using yersinia

sudo yersinia -I
# Select DHCP and launch starvation attack

Blue Team Perspective: Defending DHCP

Defenders must ensure DHCP is both available and trusted.

1. DHCP Snooping

Enable DHCP Snooping on switches to allow only trusted ports to respond to DHCP requests.

Cisco Example:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust

2. IP Source Guard

When combined with DHCP Snooping, it blocks packets from hosts using unauthorized IPs.

Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# ip verify source

3. Monitoring & Logging

  • Monitor unusual DHCP traffic with IDS/IPS (e.g., Snort/Suricata).
  • Log DHCP requests and track anomalies.

Example Suricata rule to detect rogue DHCP offers:

alert udp any 67 -> any 68 (msg:"Suspicious DHCP Offer Detected"; sid:100001;)

Best Practices

  • Restrict DHCP servers to dedicated VLANs.
  • Enable DHCP Snooping and IP Source Guard.
  • Use network access control (NAC) to authenticate clients.
  • Monitor for abnormal DHCP traffic patterns.

Conclusion

DHCP is critical for network operations, but it's also a prime target for attackers.

  • Red teams can exploit it with rogue servers or starvation attacks.
  • Blue teams must harden DHCP with snooping, access controls, and monitoring.

By understanding both perspectives, organizations can balance functionality with security.

Love it? Share this article: