DHCP Starvation: Detection and Prevention


Networks have become an integral part of today’s society, connecting tens of thousands of devices. Each of these devices has its own unique IP address to identify it within its network. A network can contain a massive number of devices that all require their own unique IP addresses. Instead of going through each device manually and statically assigning an IP address, there is a protocol that does it automatically. DHCP allows for the allocation of a range of given IP addresses to any device on the same network. While this saves a large amount of time, it does not come without its weaknesses and vulnerabilities. DHCP starvation is one common and easy-to-implement attack that most networks will face at some point. To understand what a DHCP starvation attack is and how it can be detected and prevented, it is important to first understand how DHCP works.


DHCP, or Dynamic Host Configuration Protocol, is a client/server protocol that automatically issues IP addresses and other vital related information, such as DNS settings, default gateways, and subnet masks, to devices on a network. This is done through a series of packet exchanges between DHCP clients and DHCP servers. The four types of packets that DHCP utilizes are DISCOVER, OFFER, REQUEST, and ACKNOWLEDGEMENT packets (DORA).

When a DHCP client initially boots up on a network, it will issue a DHCP DISCOVER packet, which is effectively, “I’m the new kid on the block! Where is a DHCP server that can give me an IP address?” The DHCP server will then respond with an OFFER containing an IP address for the client to use. This can be thought of as the server saying, “Welcome! I have an IP address right here for you, are you interested?” It is also important to know that the DHCP server has a range of addresses that it can allocate. The client will then send a REQUEST back to the server. This REQUEST packet looks something like, “That is a perfect address. Can I have that IP address all to myself while I am here?” Finally, the server sends an ACKNOWLEDGEMENT to the client and all other devices on the network saying, “You are now X.X.X.X, if anyone needs to reach the client, they are at X.X.X.X.”

DHCP Starvation:

As mentioned before, a DHCP server has a limited range of IP addresses it can allocate. A DHCP starvation attack is when a threat actor sends a massive number of fake DISCOVER packets with spoofed MAC addresses as the source, overwhelming the DHCP server. The DHCP server responds to each of these fake DISCOVER packets until it runs out of IP addresses to allocate. This prevents valid clients from obtaining an IP address, which in turn denies them service. This is commonly known as a denial of service (DoS) attack. It may cause clients on the network to look for an alternative DHCP server. While this would be an attack on its own, it is commonly followed up by the threat actor providing their own malicious DHCP server to issue IP addresses. In addition to IP addresses, the threat actor would be able to issue default DNS and gateway information. Clients who use those IP addresses as well as the gateway can then be routed through the threat actor’s machine, allowing the threat actor to read all of the traffic that the client sends and receives. This is what is known as a man-in-the-middle (MITM) attack. These attacks can cause a great amount of damage. Because of that, it is important to be able to detect when they are occurring.


Wireshark is a great tool to use for detecting DHCP starvation attacks, more specifically DoS attacks and MITM attacks. DoS attacks can often take administrators by surprise, but once they start, administrators should be able to identify the attack through a massive flood of TCP traffic. Wireshark can be filtered for SYN packets without an acknowledgement using the filter “tcp.flags.syn == 1 and tcp.flags.ack == 0”.

Once it is established that there is a DoS attack, there is a chance that there is also a rogue DHCP server that is attempting to issue IP addresses to clients on the network. Wireshark can find this rogue server as well through a series of steps.

  • Step 1: Start a new capture with no filters in Wireshark
  • Step 2: Go to the command prompt and type ipconfig /release and ipconfig /renew
  • Step 3: Save the capture and begin to look through
    • Use the “bootp” filter to view all DHCP messages
  • Step 4: Find an “Offer” packet and select it, then go to view > packet details > bootstrap protocol > DHCP message type
    • The reason an Offer packet is selected is because that packet comes from the server
  • Step 5: Right click on the Offer, go to apply as filter > selected
    • A new display filter should have appeared that only shows DHCP Offer messages
  • Step 6: Go to statistics > endpoints > IPv4 > limit to display filter
    • This will show all of the IP addresses that correlate to the filter that Wireshark is using at the moment. In a large environment, this is a good way to find all of the IP addresses you need.

The IP address(es) that show up are the rogue DHCP servers that are on the network. This is known because of the command prompt commands executed earlier. After releasing the IP address and renewing, the DHCP server sends an offer packet with an IP address, and since the original DHCP server is unable to issue any IP addresses, these other DHCP servers must be malicious. The IP address of the legitimate DHCP server can be seen by looking at the DHCP Release packet’s destination address.
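The two checks described above (a burst of DISCOVER packets from many different MAC addresses, and OFFER packets from an unexpected server) can also be automated. The following is an added example, not part of the original post: it parses raw DHCP payloads (DHCP is carried over UDP ports 67 and 68) and reports both conditions. The function names, the 10-second window, the 20-MAC threshold, the known-server set and the sample packets are all assumptions constructed for illustration.

```python
import socket
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
DISCOVER, OFFER = 1, 2        # values of option 53 (DHCP message type)

def parse_dhcp(payload):
    """Return (msg_type, client_mac, server_id) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac = payload[28:28 + min(payload[2], 16)].hex(":")    # chaddr, hlen bytes long
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                                # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                            # truncated option, stop parsing
            break
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:                   # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, mac, server_id

def analyze(packets, known_servers, window=10, max_new_macs=20):
    """packets: (timestamp, udp_payload) pairs. Returns (flood_window_starts, rogue_servers)."""
    macs_per_window, rogue = defaultdict(set), set()
    for ts, payload in packets:
        msg_type, mac, server_id = parse_dhcp(payload) or (None, None, None)
        if msg_type == DISCOVER:                           # starvation: many distinct client MACs
            macs_per_window[int(ts // window)].add(mac)
        elif msg_type == OFFER and server_id and server_id not in known_servers:
            rogue.add(server_id)                           # OFFER from a server we do not run
    floods = sorted(w * window for w, m in macs_per_window.items() if len(m) > max_new_macs)
    return floods, rogue

def build(msg_type, mac, server_id=None):
    """Construct a minimal DHCP payload for the sample data below (not captured traffic)."""
    hdr = bytes([1 if msg_type == DISCOVER else 2, 1, 6, 0]) + bytes(24) + mac + bytes(202)
    opts = bytes([53, 1, msg_type]) + (bytes([54, 4]) + socket.inet_aton(server_id) if server_id else b"")
    return hdr + MAGIC + opts + b"\xff"

# Constructed sample: 30 DISCOVERs from 30 different MACs within 3 seconds, then two OFFERs.
SAMPLE = [(100 + i * 0.1, build(DISCOVER, bytes([2, 0, 0, 0, 0, i]))) for i in range(30)]
SAMPLE += [(205.1, build(OFFER, bytes(6), "192.0.2.1")), (205.2, build(OFFER, bytes(6), "192.0.2.66"))]
```

Calling `analyze(SAMPLE, known_servers={"192.0.2.1"})` returns the start time of each window that exceeded the MAC threshold and the set of server identifiers that are not in the known list.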

Detecting these attacks is not enough, however. Knowing that an attack is happening means nothing if there is not a way to combat it.


One way to prevent a DHCP starvation attack on a network is through port security. Port security is a layer 2 traffic control feature on switches. Switches learn MAC addresses when a frame is forwarded through a switch. By using port security, a limit can be set on the number of source MAC addresses that a port will allow. Penalties can be set for ports as well if an unauthorized user is using the port. The commands restrict, shut down, and port-security can be used to enforce these penalties.

  • Protect: This mode drops the packets with unknown source MAC addresses until enough secure MAC addresses are removed to drop below the maximum value
  • Restrict: This mode performs the same function as protect, and also generates a log message, increments the counter value, and sends an SNMP trap.
  • Shut down: This mode is the preferred mode compared to protect and restrict as it will shut down the port immediately if there is unauthorized access. It will also generate a log, increment counter value, and send an SNMP trap. The port will remain shut down until an administrator performs the “no shut” command.

Port security can be configured on a switch through the following steps:

  • Use the “config t” command to enter global configuration mode
  • Access the interface that you want port security to be enabled on using the command “int {interface}”
  • Use “switchport mode access” to convert the port to an access port
    • For port security to work, the port must be an access port because port security only works on access ports.
  • Finally, use the command “switchport port-security” to enable port security


Through my research, it has been made clear to me that it is incredibly important to have network and security professionals monitoring for any anomalies that may appear within a network. An attack like DHCP starvation is relatively easy to initiate with tools such as yersinia that allow people, such as me, who are novices at attacking to be able to take down entire networks that are not properly secured. Attacking a network will always be easier than defending it. While the defenders need to get it right every single time, a threat actor only needs to get it right once. Having the proper defenses already implemented before an attack even happens is the best way to defend a network.






