A DHCP starvation attack works by broadcasting DHCP requests with spoofed
MAC addresses. This is easily
achieved with attack tools such as gobbler. If enough requests are sent, the
network attacker can exhaust the address space available to the DHCP servers
for a period of time. This is a simple resource starvation attack, similar to
how a SYN flood is a starvation attack. The network attacker can then set up a
rogue DHCP server on their system and respond to new DHCP requests from clients
on the network.

Exhausting all of the DHCP addresses is not required to
introduce a rogue DHCP server. As stated in RFC 2131:
"The client collects DHCPOFFER messages over a period of
time, selects one DHCPOFFER message from the (possibly many) incoming DHCPOFFER
messages (for example, the first DHCPOFFER message or the DHCPOFFER message
from the previously used server) and extracts the server address from the
`server identifier' option in the DHCPOFFER message. The time over which
the client collects messages and the mechanism used to select one DHCPOFFER are
implementation dependent."

By placing a rogue DHCP
server on the network, a network attacker can provide clients with addresses
and other network information. Since DHCP responses typically include default
gateway and DNS server information, the network attacker can supply their own
system as the default gateway and DNS server, resulting in a man-in-the-middle
attack.
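
Both conditions described above can be watched for on a monitored segment. The following is an added example, not part of the original text: it parses DHCP payloads, reports DHCPOFFERs whose 'server identifier' is not an authorized server, and flags a capture window with an unusual number of distinct client MACs in DHCPDISCOVERs. The function names, the threshold and the 192.0.2.x addresses are assumptions, and the sample packets are constructed.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options (RFC 2131)
DISCOVER, OFFER = 1, 2        # values of option 53, DHCP message type (RFC 2132)

def parse_dhcp(payload):
    """Extract client MAC, message type and server identifier from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                      # hlen field, capped at chaddr size
    msg = {"chaddr": payload[28:28 + hlen].hex(":"), "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                                   # truncated option, stop parsing
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg["type"] = value[0]
        elif code == 54 and length == 4:            # the 'server identifier' option
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg

def rogue_offers(messages, authorized):
    """Server identifiers in DHCPOFFERs that are not on the allow list."""
    return sorted({m["server_id"] or "missing" for m in messages
                   if m["type"] == OFFER and m["server_id"] not in authorized})

def starvation_suspected(messages, threshold):
    """True if DHCPDISCOVERs in this window carry more distinct MACs than threshold."""
    return len({m["chaddr"] for m in messages if m["type"] == DISCOVER}) > threshold

def build(msg_type, mac, server_id=None):
    """Build a minimal DHCP payload; constructed sample data, not captured traffic."""
    head = bytes([1 if msg_type == DISCOVER else 2, 1, 6, 0]) + bytes(24)
    head += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return head + MAGIC + opts + b"\xff"

# Constructed window: 20 DISCOVERs with distinct MACs, one known and one unknown OFFER.
SAMPLE = [build(DISCOVER, f"02:00:00:00:00:{n:02x}") for n in range(20)]
SAMPLE += [build(OFFER, "02:00:00:00:00:01", s) for s in ("192.0.2.1", "192.0.2.66")]
PARSED = [parse_dhcp(p) for p in SAMPLE]
```

With 192.0.2.1 as the only authorized server, `rogue_offers(PARSED, {"192.0.2.1"})` reports the second offer, and `starvation_suspected(PARSED, 10)` flags the window.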