Standard attack pattern

Stable

CAPEC-697: DHCP Spoofing

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

Last updated June 1, 2026

High

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing. An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations. To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.
- Adversary observes LAN traffic for DHCP solicitations
Step 2
Experiment
[Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages.
- Adversary captures and responds to DHCP "DISCOVER" messages tailored to the target subnet.
Step 3
Exploit

[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.

Adversary sends repeated DHCP "REQUEST" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.

What the attacker needs

Prerequisites

The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.

Skills required

Medium skill: The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.

Resources required

The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.

Consequences

What a successful CAPEC-697 attack can achieve.

Read Data

Affects: Confidentiality, Access Control

Modify Data, Execute Unauthorized Commands

Affects: Integrity, Access Control

Resource Consumption

Affects: Availability

How to mitigate it

Defenses that reduce the risk of CAPEC-697.

Design: MAC-Forced Forwarding
Implementation: Port Security and DHCP snooping
Implementation: Network-based Intrusion Detection Systems

Examples

In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]

Terminology & mappings

Mapped taxonomies

ATTACK: Adversary-in-the-Middle: DHCP Spoofing (1557.003)

Frequently asked questions

Common questions about CAPEC-697.

What is CAPEC-697?

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

How does a DHCP Spoofing attack work?

It typically unfolds over 3 phases. It begins with: [Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.

How do you prevent CAPEC-697?

Design: MAC-Forced Forwarding

What weaknesses does CAPEC-697 target?

CAPEC-697 exploits 1 CWE weakness, including CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints).

How severe is CAPEC-697?

MITRE rates CAPEC-697 as High severity with low likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-697

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing