**IOC 25 – DHCP Spoofing**
Category: Network Activity Indicator
IOC Type: Unauthorized DHCP Server / Rogue Network Behavior
Telemetry Origin: Packet Capture (Wireshark), Switch Logs, Network Monitoring Alerts


**Preview / Scope Statement**
This case study focuses specifically on the observed DHCP spoofing behavior, beginning with the appearance of unauthorized DHCP offers originating from a MAC address not matching any known or authorized DHCP servers in the environment. While our analysis centers on the DHCP spoofing activity itself—tracking its manifestation through observable telemetry and system behavior—it is important to recognize that a comprehensive incident investigation would extend beyond this immediate behavior. In practice, the defender would pivot upstream to identify the attacker’s point of access, which could involve a compromised endpoint, unauthorized physical connection, or exploitation of Wi-Fi vulnerabilities (e.g., weak encryption or stolen credentials). For the purposes of this case study, we concentrate on analyzing the DHCP spoofing incident as it presents within the network segment, while acknowledging that a complete forensic workflow would incorporate host-based analysis and access point security review to uncover the full intrusion path.





**1. Attacker Analogy**
Imagine a visitor sneaking into a crowded restaurant, wearing a fake employee badge. They don’t serve food or clear tables, but they subtly redirect the customers to fake service counters where the menus are rigged. Orders are rerouted, payments misdirected, and the real staff remains unaware until complaints pile up.
In the network world, that’s DHCP spoofing. The attacker, armed with rogue DHCP software and a fast port (or wireless access), answers clients’ DHCP Discover broadcasts with forged DHCP Offers. A DHCP Offer is the server’s reply to a client’s Discover, proposing network configuration: an IP address, subnet mask, default gateway, and DNS servers. A client normally accepts the first Offer it receives, so a rogue server that answers faster than the legitimate one wins the race. Devices that accept the forged Offer end up with bogus configurations: a fake gateway, malicious DNS servers, or an unreachable subnet. Once misconfigured, clients route their traffic through the attacker’s device or to non-functional gateways.

**2. IOC / Source of Telemetry (Observable and Raw Data)**
Observable Artifact:

SIEM flags a sudden surge of DHCP offers from a MAC address (00:1A:2B:3C:4D:5E) not matching any authorized DHCP servers.

Wireshark capture reveals a second DHCP Offer answering the same Discover transactions, carrying a gateway (192.168.1.254) and DNS server (10.0.0.10) that conflict with the authorized configuration.

Switch logs show the suspect MAC broadcasting on multiple VLANs, indicating possible VLAN hopping.

Raw Sample (Switch Log):
[2025-06-03 14:07:55] Port 15: DHCP OFFER detected from unauthorized MAC 00:1A:2B:3C:4D:5E – Assigned gateway: 192.168.1.254, DNS: 10.0.0.10

**3. Triage Framework Declaration**
Triage Type: Network Activity Indicator
Canonical Toolset and Required Sequence:

Nmap Scan: Run the broadcast-dhcp-discover NSE script (or a UDP scan of port 67) to enumerate every host that answers DHCP on the segment, then compare the responding MAC/IP pairs against the list of authorized servers.

Firewall Logs: Detect abnormal DHCP traffic volume and duplicate offer responses. DHCP Offers are local broadcasts, so a firewall only sees them where a DHCP relay forwards them across it; on a flat segment, switch logs and packet capture are the primary sources.

NetFlow Analysis: Confirm excessive traffic from the rogue MAC; track new connections routed through the fake gateway.

Softened Interpretation:
The DHCP flood is a signature move—the network’s guestbook has been rewritten. The attacker offers IP addresses not from hospitality but to misroute, mislead, and misappropriate.

**4. Host Operating System Layer Mapping**
Layer 1 – Process Execution: Not applicable; network-level impact.

Layer 2 – Startup/Persistence: Rogue DHCP cannot install startup scripts on its own, but short lease times keep clients renewing against the attacker’s server, and a rebooting client asks to reclaim its last lease, so the bogus settings persist without any change on the host (projected).

Layer 3 – Background Services: Compromised clients may unknowingly interact with the attacker’s DHCP or DNS server.

Layer 4 – Credential Management: Potential harvesting of credentials if fake DNS directs traffic to phishing sites (projected).

Layer 5 – Monitoring/Detection: Alerts from network monitoring tools (SIEM), switch logs; limited host-based visibility.

Layer 6 – Network Communication: Rogue DHCP responses with manipulated gateway and DNS data.

Softened Interpretation:
The host isn’t the source of the storm, but it’s in the eye of it. It obeys the new DHCP without question, unless told otherwise.

**5. Operating System Cross-Layer Interaction Pivots**
Layer 2 → Layer 6: Rogue DHCP may modify network settings, redirecting communications.

Layer 6 → Layer 4: Phishing sites may harvest credentials as victims obey new DNS rules.

Layer 3 → Layer 5: Background services may generate abnormal logs as they struggle to connect.

Softened Interpretation:
One wrong DHCP setting is a lever—push it, and multiple layers react. It’s a domino effect, from network rules to user credentials.

**6. OSI Layer Relevance**
Layer 2 – Data Link: ARP poisoning may complement rogue DHCP activity.

Layer 3 – Network: Conflicting IP assignments disrupt routing.

Layer 4 – Transport: New TCP sessions routed through attacker’s device.

Layer 7 – Application: Users redirected to malicious sites via manipulated DNS.

Softened Interpretation:
It starts at Layer 2 but climbs the stack. The fake gateway sets the stage for misdirection at every layer above.

**7. Attacker Behavior Interpretation (Narrative)**
This attacker isn’t blasting ports—they’re whispering instructions. Their rogue DHCP server whispers offers faster than the legitimate ones, tricking devices into accepting fake configurations. By controlling DHCP, they control the client’s worldview: its IP, its gateway, its DNS. It’s a quiet hijack. They’re likely monitoring how many clients respond, adjusting their fake offers, and waiting for the chance to sniff credentials, inject malware, or reroute sessions. The network’s own trust becomes its weakness.

**8. Defender Action Summary (Narrative)**
Detection starts with DHCP monitoring: spikes in Offers, more than one Offer answering the same Discover, lease assignments that conflict with the authorized scope, or Offers from unknown MACs. Wireshark confirms the rogue by showing the second Offer and its bogus gateway and DNS options. Switch logs link the activity to a physical port. Containment means shutting down the rogue port or device, verifying DHCP server integrity, and auditing lease assignments. Force affected clients to release and renew their leases, then verify they received the legitimate gateway and DNS. Review firewall and NetFlow for clients that already routed through the fake gateway. Educate staff on network hygiene, enable DHCP snooping so the switch drops Offers arriving on untrusted ports, and enforce VLAN separation to limit rogue reach.
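The detection step described above, written out as an added example in Python (this is not code from the original case study): it parses captured DHCP Offer payloads, checks the offering server’s MAC and the gateway and DNS options against the segment’s allowlist, and flags any transaction that received more than one Offer. The authorized server MAC (00:0c:29:aa:bb:cc), the client MAC and the transaction ID are assumptions; the rogue values are the MAC, gateway and DNS quoted in sections 2 and 3. In a real capture the source MAC comes from the Ethernet header of each frame; here each frame is a constructed (MAC, DHCP payload) pair.

```python
"""Added example, not from the original case study: parse raw DHCP OFFER payloads
and flag offers whose server MAC, gateway or DNS are not on the segment's allowlist.
All frames below are constructed; the rogue one reuses the values quoted on this page."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: the option area starts after this
OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 3, 6, 51, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2

# Hypothetical allowlist for this segment: authorized server MAC -> its server identifier.
AUTHORIZED = {"00:0c:29:aa:bb:cc": IPv4Address("192.168.1.1")}
EXPECTED_ROUTER = IPv4Address("192.168.1.1")
EXPECTED_DNS = {IPv4Address("192.168.1.1")}

@dataclass
class Offer:
    src_mac: str            # Ethernet source MAC; a real capture takes it from the frame header
    xid: int
    yiaddr: IPv4Address
    server_id: IPv4Address  # None when option 54 is absent
    router: IPv4Address     # None when option 3 is absent
    dns: list = field(default_factory=list)

def parse_options(buf: bytes) -> dict:
    """Walk the TLV option area (RFC 2132): code 0 is a pad with no length, 255 ends it."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != OPT_END:
        if buf[i] == 0:
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option")
        length = buf[i + 1]
        opts[buf[i]] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_offer(src_mac: str, payload: bytes):
    """Return an Offer for a DHCPOFFER payload, None for any other DHCP message type."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(payload[240:])
    if payload[0] != BOOTREPLY or opts.get(OPT_MSGTYPE) != bytes([DHCPOFFER]):
        return None
    raw_dns = opts.get(OPT_DNS, b"")
    return Offer(
        src_mac=src_mac.lower(),
        xid=struct.unpack("!I", payload[4:8])[0],
        yiaddr=IPv4Address(payload[16:20]),
        server_id=IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
        router=IPv4Address(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
        dns=[IPv4Address(raw_dns[i:i + 4]) for i in range(0, len(raw_dns) - 3, 4)],
    )

def classify(offer: Offer) -> list:
    """Reasons an offer is suspicious; an empty list means it matches the allowlist."""
    reasons = []
    if offer.src_mac not in AUTHORIZED:
        reasons.append(f"unauthorized server MAC {offer.src_mac}")
    elif offer.server_id != AUTHORIZED[offer.src_mac]:
        reasons.append(f"server id {offer.server_id} does not belong to {offer.src_mac}")
    if offer.router != EXPECTED_ROUTER:
        reasons.append(f"gateway {offer.router} differs from expected {EXPECTED_ROUTER}")
    if not set(offer.dns) <= EXPECTED_DNS:
        reasons.append(f"DNS {[str(d) for d in offer.dns]} outside the expected set")
    return reasons

def triage(frames) -> dict:
    """Group offers by xid. Two offers for one xid means two servers answered the same
    DISCOVER (the 'conflicting offers' signal); 'rogue' lists the ones that fail classify."""
    by_xid = {}
    for src_mac, payload in frames:
        offer = parse_offer(src_mac, payload)
        if offer is not None:
            by_xid.setdefault(offer.xid, []).append((offer, classify(offer)))
    return {xid: {"offer_count": len(items), "rogue": [(o.src_mac, r) for o, r in items if r]}
            for xid, items in by_xid.items()}

def build_offer(xid, client_mac, yiaddr, server_id, router, dns, lease=86400) -> bytes:
    """Build a DHCPOFFER payload; used here only to fabricate the sample frames."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                        IPv4Address(yiaddr).packed, IPv4Address(server_id).packed, b"\0" * 4,
                        chaddr, b"\0" * 64, b"\0" * 128)
    dns_bytes = b"".join(IPv4Address(d).packed for d in dns)
    opts = (bytes([OPT_MSGTYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts

# Constructed sample: one DISCOVER (xid 0x3903f326, assumed) answered by the legitimate
# server and by the rogue server from the case study (short lease so the client re-contacts it).
CLIENT = "52:54:00:12:34:56"
SAMPLE_FRAMES = [
    ("00:0c:29:aa:bb:cc", build_offer(0x3903F326, CLIENT, "192.168.1.57",
                                      "192.168.1.1", "192.168.1.1", ["192.168.1.1"])),
    ("00:1A:2B:3C:4D:5E", build_offer(0x3903F326, CLIENT, "192.168.1.200",
                                      "192.168.1.254", "192.168.1.254", ["10.0.0.10"], lease=600)),
]
```

Calling `triage(SAMPLE_FRAMES)` returns one entry for the shared transaction ID with `offer_count` 2 and the rogue MAC listed with three reasons (unauthorized MAC, wrong gateway, wrong DNS). Feeding it real traffic means extracting the UDP payload and source MAC of every frame on port 68; the grouping by xid is what turns "many Offers" into the actionable "two servers answered the same client".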

**9. Attacker Strategy Notes (Narrative)**
This attacker is tactical. They exploit DHCP’s open nature, knowing networks often lack offer validation. By injecting rogue offers, they gain control over routing and name resolution. It’s not about flooding the network—it’s about subtle control. They aim for credentials, session hijacks, or simply causing disruption. Their weapon is trust; their shield is speed.

**10. Who’s Who – Object Role Clarification**
| Object | Role |
|---|---|
| DHCP | Dynamic Host Configuration Protocol – assigns IP configs to clients |
| Rogue DHCP | Unauthorized DHCP server controlled by attacker |
| Wireshark | Packet analysis tool, detects rogue DHCP offers |
| NetFlow | Tracks network sessions and volumes |
| Switch Logs | Show MAC addresses, ports, and traffic anomalies |

**11. Conclusion / README**
This case illustrates a classic but potent attack: rogue DHCP server injection. The attacker doesn’t need malware—just a faster offer, and your clients obey. Detection depends on vigilant monitoring: sudden DHCP surges, strange gateway settings, or DNS reroutes. The attacker’s goal is control: rerouting traffic, harvesting credentials, or causing chaos. For defenders, the lesson is clear: secure DHCP infrastructure, enforce VLAN segmentation, monitor network anomalies, and educate users. One unauthorized DHCP offer can reset your network’s trust.

