LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the two types of DHCP attacks, and how does DHCP snooping prevent both?

DHCP (Dynamic Host Configuration Protocol) starvation exhausts all available leases (DoS (Denial of Service)). DHCP spoofing places a rogue server on the network to provide false gateway/DNS (Domain Name System) info (MitM (Man-in-the-Middle)). DHCP snooping blocks both by classifying ports as trusted or untrusted.

Starvation (Gobbler) and spoofing (rogue server), both blocked by DHCP snooping.

* DHCP starvation vs spoofing, blocked by snooping. *

DHCP Starvation Attack:

  • Attacker uses a tool like Gobbler to send thousands of DHCP Discover messages with random (bogus) MAC (Media Access Control) addresses
  • Each Discover appears to be from a different client
  • The DHCP server assigns a lease for each → all available addresses are consumed
  • Legitimate clients send DHCP Discover but get no response — they can't join the network
  • This is a Denial of Service attack

DHCP Spoofing Attack:

  • Attacker connects a rogue DHCP server to the network
  • When clients send DHCP Discover broadcasts, the rogue server responds (often faster than the legitimate server)
  • The rogue server provides:
    • Wrong default gateway → attacker's IP (Internet Protocol) → man-in-the-middle
    • Wrong DNS server → attacker's DNS → can redirect any website
    • Wrong IP address → can cause IP conflicts or DoS

How DHCP Snooping prevents both:

  • Ports are classified as trusted (uplinks to legitimate DHCP server) or untrusted (all access ports)
  • Untrusted ports: Only DHCP client messages (Discover, Request) are allowed; DHCP server messages (Offer, Ack) are blocked
  • Rate limiting on untrusted ports prevents starvation: ip dhcp snooping limit rate 6
  • Builds a binding table mapping IP → MAC → Port → VLAN (Virtual Local Area Network) → Lease time
  • This binding table is used by DAI (Dynamic ARP Inspection) and IP Source Guard

Go deeper:

  • doc DHCP snooping (Wikipedia) — trusted/untrusted ports and the binding database that block rogue servers and starvation traffic.

From Quiz: NETW2 / LAN Security Concepts | Updated: Jul 05, 2026