08. DHCP (Dynamic Host Configuration Protocol)

  • Automates the assignment of IP addresses and network configurations.
  • Operates over UDP.
  • Clients send to port 67 (DHCP server).
  • Servers reply to port 68 (DHCP client).

DORA process:

  1. Discover: a client without an IP address needs to find a DHCP server.
    • Broadcasts a DHCPDISCOVER message.
    • Packet has xid (random transaction ID) and chaddr (client hardware/MAC address).
  • Offer: all DHCP servers on the LAN receive the message.
    • Responds with a unicast DHCPOFFER message.
    • Packet has xid (must match request), yiaddr (“your” IP address), Options (subnet mask, default gateway IP, DNS server IPs, lease duration).
  • Request: client chooses one offer.
    • Broadcasts a DHCPREQUEST message, so unchosen servers also know that they’re rejected.
    • Packet has xid (again, must match request), Requested IP address, Server Identifier (IP address of DHCP sever).
  • Acknowledge: finalizes the transaction.
    • Sends a unicast DHCPACK message.
    • Packet has xid (must match request), yiaddr (“your” IP address), Options (subnet mask, default gateway IP, DNS server IPs, lease duration).

Renew:

  • When 50% of the lease time has expired (T1 timer), the client will send a unicast DHCPREQUEST directly to the server to ask for a renewal.
  • If the server is available, it responds with a DHCPACK to extend the lease.

Release: When a client is shut down gracefully, it should send a DHCPRELEASE message to the server.

DHCP Vulnerabilities

Lacks authentication, like ARP.

  • DHCP Starvation: attacker exhausts the server’s IP pool with spoofed, continuous requests.
  • DHCP Spoofing: rogue server provides malicious configuration (e.g. a malicious gateway/DNS server).
  • Defense (DHCP Snooping):
    • Feature on switches that allows an admin to designate ports as “trusted” or “untrusted”.
    • Switch will drop DHCP offer packets from those ports.

© 2025 All rights reservedBuilt with Flowershow Cloud

Built with LogoFlowershow Cloud