DHCP servers hand out IP addresses to new devices. But the pool of addresses is finite (e.g., 253 addresses). What if one malicious device asks for ALL of them?

1. The Mechanisms

The attacker runs a tool (such as Yersinia) that broadcasts thousands of DHCP DISCOVER packets, each with a fake MAC address. The DHCP server dutifully assigns an IP to each fake MAC. Within seconds, the pool is empty.

Legitimate users trying to connect get no IP. They cannot access the network.

2. Rogue DHCP Server

Once the real server is starved, the attacker sets up their OWN DHCP server. It hands out the attacker's own IP as the default gateway and DNS server. Now they control all traffic from new victims, because those clients route and resolve everything through the attacker's machine.

3. The Fix: DHCP Snooping

Switches can be configured to trust only specific ports (uplinks) for DHCP OFFER packets. If a DHCP OFFER comes from a user port, the switch drops it instantly.
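
The drop decision described above can be modeled in a few lines. This is an added sketch, not code from any switch vendor: the `Snooper` class, the port names and the `build` helper that constructs sample payloads are all hypothetical. It also goes one step beyond the trusted-port rule by checking that the client MAC inside the DHCP message matches the frame's source MAC and by capping the number of client MACs per untrusted port, which is what limits the starvation flood from section 1 (real switches typically use a packets-per-second rate limit instead).

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options
SERVER_TYPES = {2, 5, 6}      # OFFER, ACK, NAK: only a DHCP server sends these

def parse_dhcp(payload):
    """Return (message_type, client_mac) from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    i = 240                                   # options start after the cookie
    while i + 2 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        if payload[i] == 53:                  # option 53 = DHCP message type
            return payload[i + 2], payload[28:34]   # chaddr starts at offset 28
        i += 2 + payload[i + 1]
    raise ValueError("no message-type option")

class Snooper:
    def __init__(self, trusted_ports, max_macs_per_port=3):
        self.trusted = set(trusted_ports)     # uplinks toward the real server
        self.max_macs = max_macs_per_port     # assumed cap, tune per site
        self.seen = {}                        # port -> client MACs seen so far

    def check(self, port, src_mac, payload):
        """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
        if port in self.trusted:
            return "forward"
        try:
            mtype, chaddr = parse_dhcp(payload)
        except ValueError as err:
            return f"drop: {err}"
        if mtype in SERVER_TYPES:             # rogue server on a user port
            return "drop: server message on untrusted port"
        if chaddr != src_mac:                 # forged client hardware address
            return "drop: chaddr does not match source MAC"
        macs = self.seen.setdefault(port, set())
        if chaddr not in macs and len(macs) >= self.max_macs:
            return "drop: too many client MACs on port"   # starvation pattern
        macs.add(chaddr)
        return "forward"

def build(mtype, mac):
    """Constructed sample: minimal DHCP payload carrying only option 53."""
    hdr = struct.pack("!BBBBIHH", 1 if mtype in (1, 3) else 2, 1, 6, 0, 0x1234, 0, 0)
    return hdr + bytes(16) + mac + bytes(202) + MAGIC + bytes([53, 1, mtype, 255])
```

Clients already seen on a port keep working after the cap is reached; only frames that introduce additional MACs are dropped.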