DHCP Starvation
What is DHCP Starvation?
DHCP Starvation: A Layer-2 denial-of-service attack that floods a DHCP server with bogus DISCOVER requests using spoofed MAC addresses until the address pool is exhausted.
DHCP starvation is a network attack against the Dynamic Host Configuration Protocol. The attacker uses tools such as Yersinia, dhcpstarv, or a custom Scapy script to send a flood of DHCPDISCOVER packets, each with a different spoofed client MAC. The DHCP server allocates leases for each fake client until its pool is depleted, after which legitimate hosts cannot obtain an IP. Starvation often precedes a rogue-DHCP attack: once the legitimate server is exhausted, the attacker can answer subsequent requests with a malicious configuration (default gateway, DNS) to pivot into spoofing or MITM. Defenses: enable DHCP snooping with rate limits on switches, port security limiting MACs per port, ARP inspection, and 802.1X to authenticate endpoints before granting access.
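An added example (not part of the original entry) of detecting the pattern described above: it parses captured DHCP payloads and flags any switch port whose DISCOVERs carry more than max_macs distinct client MACs inside a time window, the same signal a snooping rate limit or per-port MAC limit acts on. The port names, thresholds, helper names and sample packets are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie (RFC 2131)
DISCOVER = 1                   # value of option 53 for DHCPDISCOVER

def parse_dhcp(payload):
    """Return (message_type, client_mac) from a BOOTP/DHCP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[1:3] != b"\x01\x06":
        return None                                # not DHCP over Ethernet (htype 1, hlen 6)
    mac, i, msg_type = payload[28:34].hex(":"), 240, None
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                            # truncated option
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:             # option 53 = DHCP message type
            msg_type = payload[i + 2]
        i += 2 + length
    return (msg_type, mac) if msg_type is not None else None

def detect_starvation(events, window=10.0, max_macs=5):
    """events: time-ordered (ts, port, payload). Returns {port: peak distinct MACs}."""
    recent, alerts = defaultdict(deque), {}
    for ts, port, payload in events:
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[0] != DISCOVER:
            continue
        q = recent[port]
        q.append((ts, parsed[1]))
        while ts - q[0][0] > window:               # drop entries outside the window
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > max_macs:
            alerts[port] = max(alerts.get(port, 0), distinct)
    return alerts

def sample_discover(mac):
    """Constructed test input: a minimal DHCPDISCOVER payload for a 6-byte MAC."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
    return fixed + bytes(16) + mac + bytes(10 + 192) + MAGIC + bytes([53, 1, DISCOVER, 255])

# Constructed events: one port cycling through 8 client MACs, one normal client retrying.
FLOOD = [(i * 0.25, "Gi1/0/7", sample_discover(bytes([2, 0, 0, 0, 0, i]))) for i in range(8)]
RETRY = [(t, "Gi1/0/3", sample_discover(bytes.fromhex("020000aabbcc"))) for t in (0.0, 4.0, 12.0)]
SAMPLE = sorted(FLOOD + RETRY)
```

Calling detect_starvation(SAMPLE) reports only the flooding port; a client that retransmits with one MAC never trips the threshold.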
● Examples
- 01: Yersinia 'sending DISCOVER packets' attack against a Cisco DHCP server to drain its scope.
- 02: Combining starvation with a rogue DHCP server to push attacker DNS to new clients.
● Frequently asked questions
What is DHCP Starvation?
A Layer-2 denial-of-service attack that floods a DHCP server with bogus DISCOVER requests using spoofed MAC addresses until the address pool is exhausted. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against DHCP Starvation?
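Defenses for DHCP Starvation typically combine technical controls and operational practices. The technical controls named in the full definition above are DHCP snooping with rate limits on switches, port security limiting MACs per port, ARP inspection, and 802.1X to authenticate endpoints before granting access.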
What are other names for DHCP Starvation?
Common alternative names include: DHCP pool exhaustion, DHCP DoS.
● Related terms
- DHCP Spoofing (attacks, № 312): An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- Rogue DHCP Server (attacks, № 944): An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
- ARP Spoofing (attacks, № 062): A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- VLAN Hopping (attacks, № 1207): A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
- Spanning-Tree Protocol Attack (attacks, № 1072): A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS.