MAC Address, ARP, and DHCP Vulnerabilities
DHCP starvation attacks

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource starvation attack, similar to how a SYN flood is a starvation attack. The network attacker can then set up a rogue DHCP server on their system and respond to new DHCP requests from clients on the network.

Exhausting all of the DHCP addresses is not required to introduce a rogue DHCP server. As stated in RFC 2131:

"The client collects DHCPOFFER messages over a period of time, selects one DHCPOFFER message from the (possibly many) incoming DHCPOFFER messages (for example, the first DHCPOFFER message or the DHCPOFFER message from the previously used server) and extracts the server address from the `server identifier' option in the DHCPOFFER message. The time over which the client collects messages and the mechanism used to select one DHCPOFFER are implementation dependent."

By placing a rogue DHCP server on the network, a network attacker can provide clients with addresses and other network information. Since DHCP responses typically include default gateway and DNS server information, the network attacker can supply their own system as the default gateway and DNS server, resulting in a man-in-the-middle attack.
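The following detection sketch is an added example, not part of the original page. It parses captured DHCP payloads and flags the two conditions described above: a burst of DHCPDISCOVER messages from many distinct client MAC addresses, and a DHCPOFFER whose server identifier is not on an allowlist. The function names, the thresholds, and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options field
DISCOVER, OFFER = 1, 2        # values of option 53 (DHCP message type)

def parse_dhcp(payload):
    """Return client MAC, message type (option 53) and server identifier (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
           "type": None, "server_id": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        code, value = payload[i], payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and len(value) == 1:              # short (truncated) values are ignored
            msg["type"] = value[0]
        elif code == 54 and len(value) == 4:
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + payload[i + 1]
    return msg

def analyze(events, allowed_servers, window=10, max_macs=20):
    """events: (timestamp_seconds, payload) pairs. Thresholds are assumed, tune per site."""
    alerts, seen = [], defaultdict(set)
    for ts, payload in events:
        m = parse_dhcp(payload)
        if m["type"] == OFFER and m["server_id"] not in allowed_servers:
            alerts.append(("rogue_offer", m["server_id"]))
        elif m["type"] == DISCOVER:
            seen[int(ts // window)].add(m["chaddr"])    # distinct MACs per time window
    alerts += [("starvation_suspected", b * window, len(macs))
               for b, macs in sorted(seen.items()) if len(macs) > max_macs]
    return alerts

def build(msg_type, mac, server_id=None):
    """Constructed sample message: only op/htype/hlen, chaddr and options are filled in."""
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return (bytes([2 if msg_type == OFFER else 1, 1, 6]) + bytes(25)
            + bytes.fromhex(mac.replace(":", "")) + bytes(202) + MAGIC + opts + b"\xff")

# Constructed traffic: 30 DISCOVERs with distinct MACs in 3 s, then two OFFERs.
SAMPLE = [(i * 0.1, build(DISCOVER, f"02:00:00:00:00:{i:02x}")) for i in range(30)]
SAMPLE += [(3.1, build(OFFER, "02:00:00:00:00:01", "192.0.2.1")),
           (3.2, build(OFFER, "02:00:00:00:00:01", "192.0.2.66"))]
```

Calling `analyze(SAMPLE, {"192.0.2.1"})` reports the offer from the server that is not on the allowlist and the window in which the number of distinct client MAC addresses exceeded the threshold.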


Web Links