Does DHCP provide any kind of security? NOPE! It is the admin’s job to use supplemental devices/software to protect it.
Two attacks to look at:
1. DHCP Flooding :- Imagine someone keeps flooding the server with DHCP requests and the server keeps assigning addresses until the pool is exhausted. (Now, how difficult is that?) All it takes is a tool that generates random MAC addresses in the requests, and it is done!
2. DHCP Serving :- Think of a rogue server giving away IP addresses and causing service disruption. Better still, the rogue server can hand the hosts a default gateway of the attacker’s choice, so that their packets can be sniffed, or hand out an incorrect DNS server IP, so that connections are redirected to incorrect/forged web sites. Simple enough (a Google search would give out the tools).
So how does one prevent these attacks from happening?
1. Situation 1 (DHCP Flooding) – Modern switches come with DHCP snooping capabilities where one can restrict the number of MAC addresses that can come into a specific ingress port of the switch. There are also processes that watch for DHCP requests that seem unusual. The best part is, even if you restrict a port to ONE MAC address with port security, it can still be circumvented. An attacker can use a tool that keeps the same source MAC address on the frame, but the DHCP request packet has its own field for the client MAC address, and that field is what the DHCP server assigns the IP for (not the original frame MAC). So keep changing it and voilà, you’re done!
2. Situation 2 (DHCP Serving) – This is fairly simple to stop: configure the switches so that “DHCP OFFER” message types do not come out of normal host access ports. Only allow a “DHCP OFFER” to come from the DHCP server port; normal hosts have no business sending a “DHCP OFFER” message, do they?
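An added example (not from the original post) of the two switch-side checks described above: flag server message types arriving on access ports, and compare the chaddr field in the DHCP payload with the frame's source MAC. The function names and the sample frame builder are constructed for illustration; relay traffic and checksum validation are left out.

```python
import struct

SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends
MAGIC = bytes([99, 130, 83, 99])                   # DHCP magic cookie after the BOOTP header

def dhcp_msg_type(options):
    """Walk the option TLVs and return the option 53 value, or None."""
    i = 0
    while i < len(options) and options[i] != 255:  # 255 = end option
        if options[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break                                  # truncated option
        length = options[i + 1]
        if options[i] == 53 and length == 1 and i + 2 < len(options):
            return options[i + 2]
        i += 2 + length
    return None

def inspect(frame, trusted_port):
    """Return the snooping violations for one Ethernet/IPv4 frame seen on a port."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return []                                  # not IPv4/UDP or too short for DHCP
    udp = 14 + (frame[14] & 0x0F) * 4              # honour the IPv4 header length
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    bootp = frame[udp + 8:]
    if {sport, dport} - {67, 68} or len(bootp) < 240 or bootp[236:240] != MAGIC:
        return []                                  # not DHCP client/server traffic
    if trusted_port:
        return []                                  # the DHCP server port is exempt
    findings = []
    mtype = dhcp_msg_type(bootp[240:])
    if mtype in SERVER_TYPES:
        findings.append("server message DHCP" + SERVER_TYPES[mtype] + " on access port")
    # op 1 = BOOTREQUEST; chaddr sits at offset 28 (6 bytes for Ethernet)
    if bootp[0] == 1 and bootp[28:34] != frame[6:12]:
        findings.append("chaddr differs from frame source MAC")
    return findings

def build_frame(src_mac, chaddr, op, mtype, sport, dport):
    """Constructed sample frame (checksums left at zero, not validated above)."""
    bootp = struct.pack("!BBBBIHH16s16s192s", op, 1, 6, 0, 0x1234, 0, 0,
                        b"", chaddr, b"") + MAGIC + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp
```

The chaddr comparison is what catches the flooding variant that keeps one frame MAC and rotates the address inside the request, which a one-MAC-per-port limit alone does not see.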
Port security matters all the more because if layer 2 is compromised, everything above it is at stake!
