DHCP: The Key Service of Your LAN and a Layer 2 Target

By /

Listen to this Post

Featured Image
DHCP (Dynamic Host Configuration Protocol) is essential for network operations, automating IP address assignment. Without it, devices wouldn’t get IPs, gateways, or DNS settings. However, DHCP is also a prime target for Layer 2 attacks.

How DHCP Works (DORA Process):

  1. Discover – Client broadcasts a DHCP Discover message.
  2. Offer – DHCP server responds with an Offer (IP, subnet, gateway).

3. Request – Client requests the offered IP.

4. Acknowledge – Server confirms the lease.

  1. Release – Client releases the IP when done.

💣 Common DHCP Attacks:

  • DHCP Spoofing: A rogue DHCP server sends faster offers, redirecting traffic (MITM, malicious DNS).
  • DHCP Starvation: Flooding the server with fake requests to exhaust IP pools (DoS).

🛡️ Essential Countermeasures:

  • DHCP Snooping (on managed switches) – Blocks rogue DHCP offers.
  • Port Security – Restricts MAC addresses per port.
  • Rate Limiting – Prevents DHCP exhaustion attacks.
  • MAC Filtering – Allows only trusted devices.

You Should Know:

Linux Commands for DHCP Security:

 Check DHCP leases (Linux) 
cat /var/lib/dhcp/dhclient.leases

Enable DHCP Snooping on a Cisco switch: 
(config) ip dhcp snooping 
(config) ip dhcp snooping vlan 10 
(config) interface gig0/1 
(config-if) ip dhcp snooping trust

Monitor DHCP traffic with tcpdump: 
sudo tcpdump -i eth0 -n port 67 or port 68

Block rogue DHCP servers with iptables: 
sudo iptables -A INPUT -p udp --dport 67 -j DROP 
sudo iptables -A INPUT -p udp --dport 68 -j DROP

Windows DHCP Security:

 List authorized DHCP servers (Windows): 
Get-DhcpServerInDC

Block unauthorized DHCP via PowerShell: 
Set-NetFirewallRule -DisplayName "Block Rogue DHCP" -Enabled True -Action Block -Direction Inbound -Protocol UDP -LocalPort 67,68

Expected Mitigation Steps:

1. Enable DHCP Snooping on all managed switches.

  1. Isolate Untrusted Ports – Only allow trusted DHCP servers.
  2. Log & Monitor DHCP Traffic – Detect anomalies early.
  3. Use Static ARP Binding – Prevent ARP spoofing alongside DHCP attacks.

What Undercode Say:

DHCP is foundational but often overlooked in security hardening. A compromised DHCP server can redirect traffic, intercept data, or cause network outages. Implementing DHCP snooping, rate limiting, and MAC filtering is critical.

Prediction:

As networks evolve with IoT and cloud integration, DHCP attacks will grow more sophisticated. Zero Trust and AI-driven DHCP monitoring may become standard defenses.

Expected Output:

  • Secure DHCP configurations.
  • Logging and real-time monitoring.
  • Regular audits of DHCP leases.

Reference: DHCP Security Best Practices

IT/Security Reporter URL:

Reported By: Nathan Lemaire – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: