In a DHCP starvation attack, an attacker creates spoofed DHCP requests with the goal of consuming all the IP addresses that a DHCP server can allocate. The attack targets DHCP servers and can deny service to authorized network users. The adversary bombards a DHCP server with false DISCOVER packets until the server runs out of IP addresses. Once that occurs, the attacker can deny service to authorized network users or even offer an alternative DHCP service, which can result in a Man-in-the-Middle (MITM) attack.
DHCP Process:
- The role of the Dynamic Host Configuration Protocol (DHCP) server is to assign IP addresses to networked devices. To do this, each DHCP client exchanges packets with the DHCP server.
- The four packet types that make up the DHCP IP address assignment operation are DISCOVER, OFFER, REQUEST, and ACKNOWLEDGMENT. If the PC is a DHCP client, it sends a DHCP DISCOVER packet when it first connects to the network. This basically boils down to the PC saying, “I just got here, hi! I’m looking for a Dynamic Host Configuration Protocol server that can assign IP addresses.”
- A DHCP server on the network that hears the DISCOVER responds with an OFFER. The offer includes an IP address that the client may use. In effect, the server replies, “Welcome, I can give you a little spot on 10.123.0.1. Are you interested?”
- The maximum number of IP addresses that can be pooled on a /24 network is 254. Some of these addresses may be kept as static router addresses or for other purposes. Therefore, the DHCP server’s pool of available addresses can only contain about 252 IP addresses.
- The DHCP server selects one of the available IP addresses from the pool and reserves it for the new client when it receives a DISCOVER packet.
- The client replies with a REQUEST after receiving the OFFER packet. Basically, the client says, “That’s really ideal. Can you grant me exclusive access to 10.123.0.1 while I’m here?”
- The transaction is complete when the server sends an ACKNOWLEDGMENT packet to the client and all other listeners. This basically says, “You are currently on 10.123.0.1. It will be held on 10.123.0.1 in case someone needs to contact this client.”
- DHCP is an efficient mechanism that lets clients join and leave a network, as long as the environment is not hostile.
Working:
The DHCP starvation attack abuses this exchange.
- In a DHCP starvation attack, a malicious actor sends a flood of fictitious DISCOVER packets to the DHCP server, depleting its entire pool of available addresses.
- A legitimate client that then asks for an IP address finds none available and is turned down. It may even look for alternative DHCP servers, which may be provided by hostile actors. Such a hostile actor can then see all the traffic that the client sends or receives using the address obtained from the hostile server.
- A computer broadcasting a DHCP DISCOVER packet could be in a hostile environment if a malicious computer on the network uses a tool like Yersinia.
- This malicious client sends hundreds, not a handful, of malicious DISCOVER packets, using a bogus, spoofed MAC address as the source MAC address for each request.
- When a DHCP server responds to each of these spoofed DHCP DISCOVER packets, the entire IP address pool is depleted and the DHCP server runs out of IP addresses to serve valid DHCP requests.
- Once the DHCP server has exhausted IP addresses, the attacker will then typically turn on their own DHCP server. This malicious DHCP server then starts handing out IP addresses.
- The advantage for the attacker is that if the fake DHCP server hands out IP addresses along with default gateway and DNS information, any client that uses these IP addresses and starts using this default gateway sends its traffic through the attacker’s computer. One adversarial actor is all that is needed for a man-in-the-middle (MITM) attack to succeed.
Functions of DHCP Starvation Attack:
- When a DHCP server is flooded with requests for IP addresses so that none remain for legitimate clients, it is suffering a DHCP starvation attack, which results in a denial of service (DoS). After a DHCP starvation attack, a man-in-the-middle (MITM) attack is frequently attempted.
- After the DHCP server has handed out all IP addresses, what happens when a new DHCP client needs or wants an IP address and joins the network? DoS or Denial of Service is the obvious answer. No IP addresses are available.
- For this reason, after a DHCP starvation attack, attackers often come back with their own DHCP server and start handing out IP addresses, causing more disruption to user traffic. Specifically, if an attacker performs a man-in-the-middle attack, traffic from devices trying to leave the subnet passes through the attacker’s device. The attacker is in the path to the intended target.
Mitigation:
DHCP starvation attacks are easy to carry out. Port security is one way to mitigate the effects of this type of attack. Advanced cybersecurity training also helps avoid DHCP starvation attacks. Your network is instantly vulnerable to DHCP exhaustion attacks. The key to preventing such attacks and maintaining network security is to stop hostile actors from flooding DHCP servers with forged DISCOVER packets, which would otherwise leave the servers unable to offer IP addresses to legitimate clients.
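The following Python code is an added example, not part of the original article. It applies the port-security idea to detection by flagging any switch port on which too many distinct source MAC addresses send DISCOVER packets within a short window. The event tuple layout, the port names, the sample data, and the limits of 3 MAC addresses per 10 seconds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed sample data: (time_ms, switch_port, source_mac, dhcp_type)."""
    events = [
        (0,     "Gi0/1", "aa:bb:cc:00:00:01", "DISCOVER"),  # normal client
        (400,   "Gi0/1", "aa:bb:cc:00:00:01", "REQUEST"),
        (30000, "Gi0/3", "aa:bb:cc:00:00:03", "DISCOVER"),  # normal client
    ]
    # Port Gi0/2: 300 DISCOVERs in 3 seconds, each from a different source MAC,
    # which is the pattern the article describes for a starvation flood.
    for i in range(300):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        events.append((10000 + i * 10, "Gi0/2", mac, "DISCOVER"))
    return sorted(events)

def detect_starvation(events, max_macs=3, window_ms=10000):
    """Return {port: (alert_time_ms, distinct_macs)} for each port where more
    than max_macs distinct source MACs sent DISCOVER within window_ms.

    Mirrors a port-security MAC limit: a real access port normally carries
    one or a few clients, never hundreds of new MAC addresses in seconds.
    """
    recent = defaultdict(deque)  # port -> (time_ms, mac) pairs inside the window
    alerts = {}
    for ts, port, mac, msg_type in events:
        if msg_type != "DISCOVER" or port in alerts:
            continue
        queue = recent[port]
        queue.append((ts, mac))
        # Drop observations that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window_ms:
            queue.popleft()
        distinct = {m for _, m in queue}
        if len(distinct) > max_macs:
            alerts[port] = (ts, len(distinct))  # first violation only
    return alerts

if __name__ == "__main__":
    for port, (ts, count) in detect_starvation(build_sample_events()).items():
        print(f"ALERT port={port} time_ms={ts} distinct_macs={count}")
```

On a managed switch the same limit is enforced in hardware by port security, which blocks or shuts the port rather than only raising an alert.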