DHCP Spoofing
What is DHCP Spoofing?
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
DHCP spoofing happens when an attacker on the same broadcast domain answers DHCPDISCOVER or DHCPREQUEST messages faster than, or instead of, the legitimate DHCP server, delivering a forged DHCPOFFER/DHCPACK. The forged configuration typically sets the attacker as the default gateway and DNS resolver, enabling on-path traffic interception, credential capture, TLS downgrade attempts, or DNS redirection. Spoofing is most effective when combined with DHCP starvation, which exhausts the real server's address pool so that only the attacker can answer. It is a foundation of many MITM kits, including Ettercap and Bettercap. Defenses: DHCP snooping with trusted ports for legitimate servers, Dynamic ARP Inspection, IP Source Guard, RA Guard against the IPv6 equivalent (rogue Router Advertisements), and network segmentation to limit the size of broadcast domains.
● Examples
- 01: Bettercap's dhcp.spoof module handing out a 192.168.1.66 gateway pointing to the attacker.
- 02: Pushing an attacker-controlled DNS server (e.g., 198.51.100.10) so HTTP requests are redirected to a phishing site.
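As an added defender-side illustration (not code from this page or from any tool it names), the following Python audits DHCP server replies against an allowlist, which is the same policy a switch enforces with DHCP snooping trusted ports. The trusted-server and expected-option values are hypothetical, and the offers it checks are constructed inline, reusing the gateway and DNS addresses quoted in the examples above.

```python
from ipaddress import IPv4Address
# Constructed policy for one segment (hypothetical values): the only legitimate
# DHCP server, and the gateway/DNS values it is expected to hand out.
TRUSTED_SERVERS = {"192.168.1.1"}
EXPECTED_ROUTERS = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options at offset 236

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus DHCP TLV options (RFC 2131/2132 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0], "yiaddr": str(IPv4Address(payload[16:20])), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end of options
        code = payload[i]
        if code == 0:                                # pad byte carries no length
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def ips(data: bytes) -> set:
    """Split a list-of-addresses option value (router, DNS) into dotted quads."""
    return {str(IPv4Address(data[j:j + 4])) for j in range(0, len(data) - 3, 4)}

def audit_offer(payload: bytes) -> list:
    """Return the findings that mark a server reply as rogue; [] means it matches policy."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53, b"")[:1] not in (b"\x02", b"\x05"):
        return []                   # only DHCPOFFER (2) and DHCPACK (5) are server replies
    findings = []
    server = ips(opts.get(54, b""))  # option 54 = server identifier
    if not server or not server <= TRUSTED_SERVERS:
        findings.append(f"untrusted server identifier {sorted(server)}")
    if 3 in opts and not ips(opts[3]) <= EXPECTED_ROUTERS:   # option 3 = router
        findings.append(f"unexpected router option {sorted(ips(opts[3]))}")
    if 6 in opts and not ips(opts[6]) <= EXPECTED_DNS:       # option 6 = DNS servers
        findings.append(f"unexpected DNS option {sorted(ips(opts[6]))}")
    return findings

def build_offer(server: str, router: str, dns: str, yiaddr: str = "192.168.1.50") -> bytes:
    """Constructed DHCPOFFER used to exercise the audit; not captured traffic."""
    header = bytes([2, 1, 6, 0]) + b"\0" * 12 + IPv4Address(yiaddr).packed + b"\0" * 216
    options = (b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed + b"\x03\x04"
               + IPv4Address(router).packed + b"\x06\x04" + IPv4Address(dns).packed + b"\xff")
    return header + MAGIC_COOKIE + options
```

Feeding it the legitimate server's offer yields no findings, while an offer carrying the 192.168.1.66 gateway and 198.51.100.10 DNS from the examples is flagged on server identifier, router and DNS.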
● Frequently asked questions
What is DHCP Spoofing?
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients. It belongs to the Attacks & Threats category of cybersecurity.
What does DHCP Spoofing mean?
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
How does DHCP Spoofing work?
DHCP spoofing happens when an attacker on the same broadcast domain answers DHCPDISCOVER or DHCPREQUEST messages faster than, or instead of, the legitimate DHCP server, delivering a forged DHCPOFFER/DHCPACK. The forged configuration typically sets the attacker as the default gateway and DNS resolver, enabling on-path traffic interception, credential capture, TLS downgrade attempts, or DNS redirection. Spoofing is most effective when combined with DHCP starvation, which exhausts the real server's address pool so that only the attacker can answer. It is a foundation of many MITM kits, including Ettercap and Bettercap. Defenses: DHCP snooping with trusted ports for legitimate servers, Dynamic ARP Inspection, IP Source Guard, RA Guard against the IPv6 equivalent (rogue Router Advertisements), and network segmentation to limit the size of broadcast domains.
How do you defend against DHCP Spoofing?
Defenses for DHCP Spoofing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DHCP Spoofing?
Common alternative names include: DHCP option spoofing, Fake DHCP reply.
● Related terms
- DHCP Starvation (attacks № 313): A Layer-2 denial-of-service attack that floods a DHCP server with bogus DISCOVER requests using spoofed MAC addresses until the address pool is exhausted.
- Rogue DHCP Server (attacks № 944): An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
- ARP Spoofing (attacks № 062): A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- DNS Spoofing (attacks № 343): An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.
- VLAN Hopping (attacks № 1207): A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
● See also
- № 1072 Spanning-Tree Protocol Attack
- № 363 DTP Attack
- № 492 HSRP / VRRP Attack
- № 865 Promiscuous Mode