DHCP (Dynamic Host Configuration Protocol) is a network protocol (in client/server mode) whose role is to ensure the automatic configuration of the IP parameters of a machine. It is possible to assign an IP address and a subnet mask automatically, but also the default gateway and DNS name servers.
How it works
1/ The device equipped with a network card and having no IP address will send a DHCP DISCOVER packet (on port 67) containing its physical address (MAC) to locate the available DHCP servers.
2/ The server able to answer the request will send a DHCP OFFER packet on port 68 to the client. The packet contains the IP address of the server and the IP address and subnet mask it proposes to the client.
3/ The client selects one of the offers received (the first one it receives) and sends back a DHCP REQUEST packet containing the server's IP address and the proposed IP address. Two actions follow: the server will assign this address and the other servers that have made an offer will be notified.
4/ The DHCP server sends an acknowledgement by sending a DHCP ACK packet. This allows the client to be assigned the IP address, subnet mask, lease duration and possibly the IP address of the gateway, DNS servers and WINS servers.
What is a DHCP lease?
Dynamic IP addresses are granted for a limited period of time (lease period). As the end of a lease approaches, the client can send a request to extend the lease by sending a DHCP REQUEST packet. On the server side, when there is a lease coming to an end, it will send a DHCP NAK packet to ask the client if it wants to extend its lease. If the server does not receive a response, the lease is not renewed and the IP address will be available again.
DHCP offers the following advantages:
- Reliable IP address configuration
- Reduced network administration
Potential attacks?
It is possible to introduce an unauthorized DHCP server into the network. When such a server manages to respond to the client first, it may send incorrect data. This makes it possible to perform DHCP Spoofing, i.e. send the client to a fake gateway. Through this gateway, cybercriminals can eavesdrop on traffic and perform a "man in the middle" attack.
DHCP Starvation Attack
This attack consists of exhausting the IP address pool of the DHCP server with a huge number of requests. The attacker sends many DHCP requests with different MAC addresses, which uses up all available IP addresses. Any new machine that tries to connect to the network will not obtain an IP address. A DHCP Spoofing attack can then be launched.
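Both attacks described above, the unauthorized DHCP server and the starvation of the address pool, leave traces in the DHCP messages themselves. The following Python code is an added example, not part of the original article: it parses raw DHCP payloads and flags OFFER/ACK messages from servers outside an allow-list, as well as a capture window with DISCOVERs from too many distinct MAC addresses. The function names, the allow-list, the threshold of 50 MACs per window and all sample packets and addresses are assumptions constructed for the demonstration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie that precedes the options
DISCOVER, OFFER, ACK = 1, 2, 5     # values of option 53 (message type)

def parse_dhcp(payload: bytes) -> dict:
    """Return client MAC, message type (option 53) and server id (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    mac = payload[28:28 + min(payload[2], 16)].hex(":")   # chaddr, hlen bytes
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:     # 255 = end of options
        if payload[i] == 0:                               # 0 = one-byte padding
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype, sid = opts.get(53, b""), opts.get(54, b"")
    return {"mac": mac, "type": mtype[0] if len(mtype) == 1 else None,
            "server": ".".join(map(str, sid)) if len(sid) == 4 else None}

def rogue_servers(msgs, authorised):
    """Server ids seen in OFFER/ACK messages that are not on the allow-list."""
    seen = {m["server"] or "unknown" for m in msgs if m["type"] in (OFFER, ACK)}
    return sorted(seen - set(authorised))

def starvation_suspected(msgs, max_macs):
    """True if one capture window holds DISCOVERs from more than max_macs MACs."""
    return len({m["mac"] for m in msgs if m["type"] == DISCOVER}) > max_macs

def build(mtype, mac, server=None):
    """Constructed sample message: 236-byte BOOTP header, cookie, options."""
    op = 1 if mtype == DISCOVER else 2                    # request / reply
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + bytes(24) + mac + bytes(10 + 192)
    opts = bytes([53, 1, mtype]) + (bytes([54, 4, *server]) if server else b"")
    return hdr + MAGIC + opts + b"\xff"

def sample_window():
    """Constructed traffic: one client, two servers answering, 300 random MACs."""
    c = bytes.fromhex("020000000001")
    pkts = [build(DISCOVER, c), build(OFFER, c, (192, 0, 2, 1)),
            build(OFFER, c, (192, 0, 2, 66))]
    pkts += [build(DISCOVER, b"\x02\xaa" + n.to_bytes(4, "big")) for n in range(300)]
    return [parse_dhcp(p) for p in pkts]

if __name__ == "__main__":
    window = sample_window()
    print("unauthorised servers:", rogue_servers(window, {"192.0.2.1"}))
    print("starvation suspected:", starvation_suspected(window, max_macs=50))
```

The caller is expected to pass the messages captured during one time window, since the DHCP payload itself carries no timestamp.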