DHCP Protocol & DHCP Spoofing

DHCP Protocol Overview

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on
IP networks to automatically assign IP addresses and other configuration parameters to devices
using a client-server model [1].

Layer: DHCP operates at the Application layer in the TCP/IP model and uses UDP as its
transport protocol [2].
Ports: The server uses UDP port 67, and the client uses UDP port 68 [2].

Primary Function

  1. Automatic IP Configuration: Assigns clients IP address, subnet mask, default gateway, DNS,
    lease duration. [2]
  2. Centralized Management: Simplifies network administration—clients need no manual
    network setup. [2]
  3. Lease Renewal: Clients automatically renew or release leases before expiration. [2]

Normal DHCP Operation

  1. DHCP DISCOVER: Client broadcasts DHCPDISCOVER to 255.255.255.255:67.
  2. DHCP OFFER (Unicast/Broadcast): DHCP server(s) reply with DHCPOFFER containing an
    available IP and configuration parameters.
  3. DHCP REQUEST (Broadcast): Client selects one offer, broadcasts DHCPREQUEST to formally
    request it.
  4. DHCP ACK (Unicast): Server sends DHCPACK confirming the lease and providing full
    network settings.

DHCP Vulnerabilities Enabling Spoofing

DHCP Spoofing is a cyberattack in which a malicious actor sets up a rogue DHCP server within
a network to respond to DHCP requests with malicious or misleading configurations.

This is possible because the DHCP protocol lacks authentication mechanisms, trusting any
server that replies to a DHCPDISCOVER message

How does DHCP Spoofing work?

  1. Deploy: The attacker connects a rogue DHCP server (e.g., a laptop, Raspberry Pi, or
    compromised IoT device) to the local network.
  2. Race: When a client broadcasts a DHCPDISCOVER, both the legitimate and rogue servers
    respond. The rogue server may win by responding faster or sending more aggressive offers.
  3. Poison: The rogue server provides malicious network settings in its DHCPOFFER, such as:
    a. Attacker’s IP as the default gateway
    b. Malicious DNS server address
    c. Invalid subnet or routing configuration

Impact

By hijacking DHCP communications, the attacker can reroute network traffic through their own
device, giving them full visibility into—and control over—the data flow. They can also mount a
Denial of Service by bombarding the legitimate DHCP server with bogus requests, depleting its
pool of available IP addresses and blocking service to genuine clients. By tampering with DHCP
messages, the attacker effectively positions themselves as a man-in-the-middle, disrupting
normal traffic paths and paving the way for further malicious actions.

Potential Risk

Understanding the potential Risks of DHCP Spoofing is crucial for maintaining network security.
Here are some risks associated with DHCP Spoofing:

  1. Data Interception: Attackers can intercept sensitive data by positioning themselves as the
    default gateway or DNS server, allowing them to monitor and manipulate network traffic.[3]
  2. Unauthorized Network Access: Rogue DHCP servers can provide incorrect network
    configurations, granting attackers unauthorized access to network resources and sensitive
    information. [3]
  3. Network Disruption: DHCP Starvation attacks can deplete the DHCP server’s pool of IP
    addresses, preventing legitimate devices from connecting to the network and causing
    significant disruption.[3]

Protection Against DHCP Spoofing

To prevent DHCP spoofing attacks, networks can implement the following security measures:

  • DHCP Snooping: Configure network switches to only allow DHCP responses from
    trusted ports.
  • Port Security: Limit the number of MAC addresses per switch port and bind specific
    devices to specific ports.
  • VLAN Segmentation: Separate sensitive devices and services into different VLANs to
    isolate DHCP traffic.
  • IP Source Guard: Used with DHCP snooping to verify IP-to-MAC bindings and block
    spoofed packets.

Reference

[1] Wikipedia Contributors, “Dynamic Host Configuration Protocol,” Wikipedia, Oct. 07, 2019.
[online]. https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol. (accessed July 2,
2025)
[2] GeeksforGeeks, “Dynamic Host Configuration Protocol (DHCP),” GeeksforGeeks, Jan. 03,

  1. [online]. https://www.geeksforgeeks.org/computer-networks/dynamic-hostconfiguration-protocol-dhcp/. (accessed July 2, 2025)
    [3] Twingate, “What is DHCP Spoofing? How It Works & Examples | Twingate,” Twingate.com,
  2. [online]. https://www.twingate.com/blog/glossary/dhcp%20spoofing. (accessed July 2,
    2025)