When a Rogue DHCP Server is Active

Dynamic Host Configuration Protocol (DHCP) is a network management protocol that runs at the application layer and provides an Internet Protocol (IP) host (client) with its IP address, subnet mask, default gateway and other settings. Because it runs over User Datagram Protocol (UDP), DHCP is an unreliable and insecure protocol. A rogue DHCP server is one that is not under the control of the administrative staff, or an active DHCP server that has not been authorized on the network. When a rogue DHCP server is active, it listens patiently for an unsuspecting client to send a DHCP DISCOVER and DHCP REQUEST. The rogue server responds cordially with a DHCP OFFER and DHCP ACKNOWLEDGE carrying its own IP configuration (i.e., an invalid IP address, an invalid subnet mask, an invalid default gateway and invalid DNS servers). This exchange, the DHCP handshake, occurs after a new host boots on a network and again before a lease expires, so a rogue server gets a fresh opportunity at every boot and renewal. Eavesdropping is a type of man-in-the-middle (MITM) attack, and vice versa. MITM threat actors intercept communication between a server and client, using a rogue server or by sniffing. MITM attacks are recurrent, innumerable and Herculean. According to Ornaghi and Valleri's presentation, Man in the Middle Attacks, MITM attacks have different delivery methods, each best suited to a particular position on the network. The table below is taken from that presentation.

Local (Internal): ARP poisoning, DNS spoofing, Port stealing, STP mangling
Gateway (Internal to Remote): ARP poisoning, DHCP spoofing, DNS spoofing, ICMP redirection, IRDP spoofing, Route mangling
Remote (External): DNS spoofing, Traffic tunneling, Route mangling

Address Resolution Protocol (ARP) spoofing requires the threat actor to be on the same subnet as the unsuspecting client.
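The handshake described above gives a defender one reliable signal: every OFFER and ACK names its sender in the server identifier option (54), and on a managed network that value should only ever be an authorized server. The following detector is an added example, not code from the original post; it parses the raw UDP payload of a DHCP message (as captured on ports 67/68) and flags replies from servers outside a constructed allowlist. The addresses, the allowlist and the sample packets are all constructed for the example.

```python
import struct
import ipaddress

# Constructed allowlist for this example: the one DHCP server the administrator authorized.
AUTHORIZED_SERVERS = {"192.168.1.1"}
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options

def ip4(text):
    return ipaddress.IPv4Address(text).packed

def build_reply(msg_type, yiaddr, server_id, router, dns, xid=0x3903F326):
    """Constructed sample only: a BOOTP reply (op=2) with DHCP options 53, 54, 3 and 6."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip4(yiaddr), ip4(server_id), b"\0" * 4,
                         bytes.fromhex("deadbeef0001") + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, msg_type]) + bytes([54, 4]) + ip4(server_id)
               + bytes([3, 4]) + ip4(router) + bytes([6, 4]) + ip4(dns) + b"\xff")
    return header + MAGIC_COOKIE + options

def parse_dhcp(payload):
    """Return the message type, the offered address and the settings a client would apply."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 0xFF:   # 0xFF ends the option list
        if payload[i] == 0:                         # 0 is a pad byte with no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    def addr(code):                                 # first IPv4 address of an option, if present
        return str(ipaddress.IPv4Address(options[code][:4])) if code in options else None
    return {"type": MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
            "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "server": addr(54), "router": addr(3), "dns": addr(6)}

def check_server_reply(payload):
    """Flag an OFFER or ACK whose server identifier (option 54) is not an authorized server."""
    msg = parse_dhcp(payload)
    msg["rogue"] = msg["type"] in ("OFFER", "ACK") and msg["server"] not in AUTHORIZED_SERVERS
    return msg

# Constructed traffic: a legitimate OFFER, then an OFFER from an unauthorized host on the LAN.
LEGIT_OFFER = build_reply(2, "192.168.1.50", "192.168.1.1", "192.168.1.1", "192.168.1.1")
ROGUE_OFFER = build_reply(2, "192.168.1.51", "192.168.1.200", "192.168.1.200", "192.168.1.200")
```

Feeding `check_server_reply` the payload of every server-to-client DHCP message seen on the segment turns the flagged entries, with their router and DNS values, into a ready-made alert for an unauthorized server.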

Resources:
Aupre.com. Zelon Rad. 01 December 2008. Flickr. https://www.flickr.com/photos/shangrilatimes/3076158987/. Accessed 02 January 2018.
Bhaiji, Y. “Understanding, Preventing, and Defending Against Layer 2 Attacks.” 2009, Cisco Expo, https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf. Accessed 27 December 2017.
Ornaghi, Alberto and Valleri, Marco. “Man in the Middle Attacks.” 2003, Blackhat Conference Europe, https://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf. Accessed 02 January 2018.
Piscitello, D. “What is a Man in the Middle Attack?” 02 November 2015, ICANN, https://www.icann.org/news/blog/what-is-a-man-in-the-middle-attack. Accessed 02 January 2018.
Rouse, M. “DHCP (Dynamic Host Control Protocol).” 2014, TechTarget, http://searchnetworking.techtarget.com/definition/DHCP. Accessed 02 January 2018.
Sanders, C. “Understanding Man-in-the-Middle Attacks: ARP Cache Poisoning (Part 1).” 17 March 2010, Techgenix, http://techgenix.com/understanding-man-in-the-middle-attacks-arp-part1/. Accessed 02 January 2018.
Shadowjk. “DHCP is a Application layer protocol. why???” 21 June 2014, The Cisco Learning Network, https://learningnetwork.cisco.com/thread/73194. Accessed 02 January 2018.
Telelink. “DHCP Attacks.” 2013, MazeLabs, http://itsecurity.telelink.com/dhcp-attacks/. Accessed 02 January 2018.
Undag, E. “Attack a network by using a rogue DHCP server.” 22 July 2016, Medium Corporation, https://medium.com/tech-jobs-academy/attack-a-network-by-using-a-rogue-dhcp-server-8c8acea315ab. Accessed 02 January 2018.
