One of the ways for an attacker to can gain access to network traffic is to
spoof responses that would be sent by a valid DHCP server. The DHCP spoofing
device replies to client DHCP requests. The legitimate server may reply as well
but if the Spoofing device is on the same segment as the client, its reply to
the client may arrive first. The intruder’s DHCP reply offers an IP address and
supporting information that designates the intruder as the default gateway or
DNS server. In the case of a gateway, the clients will then forward all packets
to the attacking device, which will in turn send them to the desired
destination. This is referred to as a "man-in-the-middle" attack and
it may go entirely undetected as the intruder intercepts the data flow through
the network.
DHCP spoofing attack sequence, is shown in Figure
. The table in
Figure
describes what is happening in Figure
.