Dark Deceptions in DHCP: Dismantling Network Defenses
Robert Dilworth
Department of Computer Science and Engineering
arXiv:2502.10646v1 [cs.CR] 15 Feb 2025
Abstract—This paper explores vulnerabilities in the Dynamic Host Configuration Protocol (DHCP) and their implications for the Confidentiality, Integrity, and Availability (CIA) triad. Through an analysis of various attacks, including DHCP Starvation, Rogue DHCP Servers, Replay Attacks, and TunnelVision exploits, the paper provides a taxonomic classification of threats, assesses risks, and proposes appropriate controls. The discussion also highlights the dangers of VPN decloaking through DHCP exploits and underscores the importance of safeguarding network infrastructures. By bringing awareness to the TunnelVision exploit, this paper aims to mitigate risks associated with these prevalent vulnerabilities.

Index Terms—DHCP Vulnerabilities, Network Security, VPN Exploits, Positive Unlabeled Learning

I. INTRODUCTION

Dynamic Host Configuration Protocol (DHCP) plays a pivotal role in modern network management by automating the allocation of IP addresses to devices. However, its simplicity also makes it a prime target for attackers seeking to disrupt network operations. This paper explores the vulnerabilities inherent in DHCP, focusing specifically on the TunnelVision exploit (CVE-2024-3661) and its profound implications for VPN security. By detailing these attacks and classifying their risks, we aim to highlight how they affect the Confidentiality, Integrity, and Availability (CIA) triad, a fundamental framework for assessing the security of information systems.

With a clear understanding of the significance and vulnerabilities of DHCP, it is crucial to delve deeper into the background of the protocol itself, particularly how it interacts with the core principles of network security.

A. Thesis

Despite its widespread adoption, DHCP remains vulnerable to several forms of attack, some of which can undermine even the most secure systems. The TunnelVision exploit, for instance, demonstrates how DHCP can be weaponized to bypass VPN security protocols, exposing sensitive data. This paper aims to provide an in-depth analysis of such vulnerabilities, focusing on their potential to compromise the CIA triad and offering practical solutions for mitigation.

Building on this perspective, it is important to explore why these vulnerabilities have far-reaching implications for network security, especially in relation to the Confidentiality, Integrity, and Availability of systems.

B. Justification

The existence of DHCP vulnerabilities poses significant risks to network security. Attacks targeting DHCP often occur covertly, leaving networks discombobulated and users precariously exposed. By highlighting these vulnerabilities, this paper aims to reduce their impact and promote awareness. Given the gravity of these threats, it becomes evident that a comprehensive analysis of specific DHCP attack types is necessary to fully grasp the risks and the corresponding solutions.
C. Contributions

The chief contribution of this paper lies in raising awareness about the TunnelVision DHCP exploit and its implications for VPN security. Additionally, the paper offers a granular classification of DHCP attacks, analyzes their risks, and suggests corrective, detective, and mitigative controls.

D. Paper Outline

This paper is organized into several sections to systematically address the vulnerabilities within the Dynamic Host Configuration Protocol (DHCP) and their implications for network security. Following this introduction (Section I), Section II provides sufficient background knowledge on the DHCP protocol and its interaction with the Confidentiality, Integrity, and Availability (CIA) triad. In Section III, we introduce a taxonomic classification of common DHCP attacks, including DHCP Starvation, Rogue DHCP Servers, Replay Attacks, and VPN Decloaking through the TunnelVision exploit. These attacks are then discussed in detail in Section IV, where we examine their impact on the CIA triad and explore corrective, detective, and mitigative controls for each. The paper delves deeper into the specific risks posed by the TunnelVision exploit and its effect on VPN security in Section V. As part of ongoing research and future directions, Section VI explores the application of PU/NU learning techniques to the detection of TunnelVision attacks, offering new perspectives on automated detection and mitigation strategies for DHCP-related security threats. Finally, in the conclusion (Section VII), the paper emphasizes the critical need for heightened vigilance in securing DHCP and maintaining robust defenses against these attacks.

Now that the paper's structure is laid out, we can turn to the foundational concepts surrounding DHCP to ensure a comprehensive understanding of the protocol before diving into the specific vulnerabilities.

E. Acronyms Utilized

• ARP (Address Resolution Protocol): Maps IP addresses to MAC addresses.
• CIA (Confidentiality, Integrity, Availability)
• CIDR (Classless Inter-Domain Routing): IP address allocation without fixed classes.
• CVE (Common Vulnerabilities and Exposures): A database of publicly disclosed vulnerabilities.
• DHCP (Dynamic Host Configuration Protocol): Protocol for dynamically assigning IP addresses.
• DHCPv6 (Dynamic Host Configuration Protocol for IPv6): DHCP for IPv6 addressing.
• DNS (Domain Name System): Translates domain names to IP addresses.
• HTTPS (Hypertext Transfer Protocol Secure): Secure version of HTTP.
• IPv6 (Internet Protocol version 6): The most recent version of the Internet Protocol.
• MITM (Man-in-the-Middle): An attacker intercepts and alters communication.
• PPTP (Point-to-Point Tunneling Protocol): A protocol for creating VPNs.
• VPN (Virtual Private Network): A secure private network over the internet.
• WebRTC (Web Real-Time Communication): Real-time communication over the web.

With these terms clarified, we can proceed to examine the fundamental workings of DHCP, focusing on how it facilitates network configuration and the potential risks it introduces in the absence of strong security features.

F. Tables Used Throughout the Paper

Several tables have been incorporated throughout the paper to summarize key concepts and provide detailed insights into the various DHCP attacks discussed.

• Table I: This table provides an overview of the DHCP Starvation Attack, detailing its definition, impact on the CIA triad, and the recommended controls to mitigate its effects.
• Table II: This table outlines the Rogue DHCP Server Attack, explaining how malicious DHCP servers can compromise network configurations and security. It also discusses the attack's implications on Confidentiality, Integrity, and Availability, alongside suggested mitigation strategies.
• Table III: This table highlights the Replay Attack, focusing on how attackers can replay intercepted DHCP packets to impersonate clients or servers. The table also categorizes the impact of the attack on the CIA triad and offers recommendations for countermeasures.
• Table IV: This table discusses the TunnelVision (VPN Decloaking) Attack, where DHCP mechanisms are exploited to bypass VPN security. The table addresses the attack's impact on the CIA triad and the necessary controls to safeguard VPN traffic from such vulnerabilities.

II. BACKGROUND

A. DHCP Fundamentals

DHCP simplifies network management by automating IP address allocation, configuration, and management. The protocol operates through a series of message exchanges:

• DHCPDISCOVER: Broadcast by a client to locate available DHCP servers.
• DHCPOFFER: Sent by a server offering an IP address lease.
• DHCPREQUEST: Used by the client to accept the offer.
• DHCPACK: Sent by the server to confirm the lease and finalize configuration.

This convenience comes at a cost: the lack of inherent security features makes DHCP vulnerable to various attacks, including DHCP Starvation and Rogue DHCP server attacks.

III. TAXONOMIC CLASSIFICATION OF DHCP ATTACKS

Attacks exploiting DHCP vulnerabilities can be classified as follows:

1) DHCP Starvation Attacks: Exhaust IP address pools to deny legitimate client access [1]–[3].
2) Rogue DHCP Servers: Deploy malicious servers to deliver compromised configurations [1]–[3].
3) Replay Attacks: Resend intercepted DHCP packets to impersonate devices [3].
4) VPN Decloaking (TunnelVision): Exploit DHCP mechanisms to bypass VPN security [4].

With this classification framework in place, we can now examine each attack in detail, starting with the DHCP Starvation Attack, and explore its impacts on network functionality and security.

IV. DISCUSSION OF DHCP ATTACKS

A. DHCP Starvation Attack

This attack, a form of denial of service (DoS), inundates the DHCP server with spoofed DHCPDISCOVER requests. By exhausting the server's IP pool, legitimate clients are left without network access. See Table I.

B. Rogue DHCP Servers

In this attack, an attacker sets up a malicious DHCP server, siphoning legitimate client traffic through compromised gateways. See Table II.
TABLE I
OVERVIEW OF DHCP STARVATION ATTACKS

Definition: Attackers exhaust the server's IP address pool by flooding it with DHCPDISCOVER requests using spoofed MAC addresses. This prevents legitimate users from obtaining IP addresses, causing a Denial-of-Service (DoS).
Impact on CIA Triad:
  Confidentiality: Limited impact unless combined with other attacks.
  Integrity: Spoofed MAC addresses undermine trust in DHCP assignments.
  Availability: Severely impacted as legitimate clients cannot obtain IP addresses.
Controls:
  Corrective: Configure IP address thresholds.
  Detective: Monitor unusual DHCP request patterns.
  Mitigative: Employ DHCP snooping on switches.

TABLE II
OVERVIEW OF ROGUE DHCP SERVERS

Definition: A rogue server issues malicious configurations, such as redirecting traffic to attacker-controlled gateways or DNS servers. This enables man-in-the-middle (MITM) attacks, phishing, and traffic interception.
Impact on CIA Triad:
  Confidentiality: Traffic interception enables data theft.
  Integrity: Malicious configurations distort network routing.
  Availability: Misconfigured clients experience service disruptions.
Controls:
  Corrective: Validate DHCP server configurations.
  Detective: Use network anomaly detection tools.
  Mitigative: Implement ARP binding and DHCP snooping.

TABLE III
OVERVIEW OF REPLAY ATTACKS

Definition: Replay attacks exploit the absence of nonces in DHCP communications. An attacker captures legitimate DHCP packets and retransmits them to masquerade as a valid client or server. This allows unauthorized network access and potential traffic manipulation.
Impact on CIA Triad:
  Confidentiality: Unauthorized access exposes sensitive information during packet interception.
  Integrity: Manipulation of replayed packets disrupts routing and can inject malicious data.
  Availability: Repeated replays can overwhelm servers, causing delays or service unavailability.
Controls:
  Corrective: Authenticate DHCP communications using session-based nonces or timestamps.
  Detective: Monitor network traffic for duplicate DHCP requests using intrusion detection systems (IDS).
  Mitigative: Implement DHCP authentication options such as Option 82 or adopt secure extensions like DHCPv6.
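The DHCPDISCOVER/OFFER/REQUEST/ACK exchange of Section II.A and the detective controls listed in Tables I to III can be exercised together in code. The following is an added example, not code from the paper or from any of its references. It runs three simple detectors over a constructed DHCP message log of the kind a switch or DHCP-snooping sensor would record: a burst of DISCOVERs from many distinct MAC addresses (starvation), an OFFER or ACK whose server identifier is outside an assumed allow-list (rogue server), and the same (MAC, transaction id, message type) tuple reappearing long after the client's own retransmission window (replay). The window sizes, thresholds, addresses and MACs are assumptions chosen for the sample.

```python
"""Detective controls for the attacks in Tables I-III, run over a constructed
DHCP message log. Added example; not code from the paper or its references."""
from collections import deque
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class DhcpMsg:
    ts: float          # seconds since capture start
    kind: str          # DISCOVER | OFFER | REQUEST | ACK (the DORA exchange)
    mac: str           # client hardware address (chaddr)
    xid: int           # transaction id chosen by the client
    server: str = ""   # server identifier, present on OFFER and ACK only


def detect_starvation(msgs: List[DhcpMsg], window: float = 2.0,
                      max_macs: int = 20) -> List[Tuple[float, int]]:
    """Table I, detective control: a burst of DISCOVERs from more than
    `max_macs` distinct MACs inside a sliding `window` is the signature of
    pool exhaustion with spoofed chaddr. Returns (time, distinct MACs) per burst."""
    alerts, recent = [], deque()            # recent: (ts, mac) of DISCOVERs in window
    for m in sorted(msgs, key=lambda m: m.ts):
        if m.kind != "DISCOVER":
            continue
        recent.append((m.ts, m.mac))
        while recent and m.ts - recent[0][0] > window:
            recent.popleft()
        distinct = {mac for _, mac in recent}
        if len(distinct) > max_macs:
            alerts.append((m.ts, len(distinct)))
            recent.clear()                  # one alert per burst
    return alerts


def detect_rogue_servers(msgs: List[DhcpMsg], trusted: Set[str]) -> List[str]:
    """Table II, detective control: any OFFER or ACK whose server identifier is
    not an authorized server (the check DHCP snooping enforces on untrusted ports)."""
    return sorted({m.server for m in msgs
                   if m.kind in ("OFFER", "ACK") and m.server not in trusted})


def detect_replays(msgs: List[DhcpMsg], retransmit_window: float = 10.0):
    """Table III, detective control: the same (mac, xid, kind) seen again long
    after the client's own retransmission window, i.e. a captured message
    resent later. DHCP has no nonce, so the server cannot tell the copies apart."""
    first_seen, alerts = {}, []
    for m in sorted(msgs, key=lambda m: m.ts):
        key = (m.mac, m.xid, m.kind)
        if key in first_seen and m.ts - first_seen[key] > retransmit_window:
            alerts.append((m.ts,) + key)
        first_seen.setdefault(key, m.ts)
    return alerts


def build_sample_log() -> List[DhcpMsg]:
    """Constructed traffic: one clean DORA exchange with a second, unauthorized
    OFFER, then 40 spoofed DISCOVERs in under a second, then the REQUEST
    replayed five minutes later. Addresses and MACs are made up."""
    client = "aa:bb:cc:00:00:01"
    log = [
        DhcpMsg(0.0, "DISCOVER", client, 0x1001),
        DhcpMsg(0.1, "OFFER", client, 0x1001, server="10.0.0.2"),
        DhcpMsg(0.2, "OFFER", client, 0x1001, server="10.0.0.99"),   # unauthorized server
        DhcpMsg(0.3, "REQUEST", client, 0x1001),
        DhcpMsg(0.4, "ACK", client, 0x1001, server="10.0.0.2"),
    ]
    log += [DhcpMsg(30.0 + i * 0.02, "DISCOVER", "de:ad:be:ef:00:%02x" % i, 0x2000 + i)
            for i in range(40)]
    log.append(DhcpMsg(300.3, "REQUEST", client, 0x1001))                # replayed copy
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("starvation bursts:", detect_starvation(log))
    print("rogue servers:    ", detect_rogue_servers(log, trusted={"10.0.0.2"}))
    print("replayed messages:", detect_replays(log))
```

On the sample log the starvation detector fires once (21 distinct MACs inside two seconds), the rogue-server check reports 10.0.0.99, and the replay detector flags the REQUEST resent at t=300.3 s while leaving the ordinary retransmissions and the spoofed DISCOVERs alone. The same three functions can be pointed at a parsed pcap or DHCP server log by constructing DhcpMsg records from it.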
D. VPN Decloaking (TunnelVision)

TunnelVision exploits DHCP to redirect VPN traffic through attacker-controlled routes, thwarting encryption and anonymity. See Table IV.

Following this discussion of individual attack types, it is critical to focus specifically on the TunnelVision exploit. This attack exemplifies a particularly sophisticated manipulation of DHCP, bypassing the security measures of VPNs.

TABLE IV
OVERVIEW OF VPN DECLOAKING (TUNNELVISION)

Definition: Moratti et al. [4] detail how attackers use DHCP option 121 to manipulate VPN traffic. By configuring routes more specific than /0 CIDR ranges, attackers bypass encrypted tunnels, forcing traffic through rogue gateways. This exposes sensitive data to interception and modification.
Impact on CIA Triad:
  Confidentiality: Exposes VPN-encrypted traffic.
  Integrity: Allows malicious route manipulation.
  Availability: Potential disruptions in VPN connectivity.
Controls:
  Corrective: Harden DHCP client configurations.
  Detective: Monitor DHCP traffic for anomalies.
  Mitigative: Use static routes where feasible.

V. THE TUNNELVISION EXPLOIT: A FRIGHTENING PROSPECT FOR VPN SECURITY

The TunnelVision exploit, as detailed by [4], is a glaring reminder of the fragile boundary between security and exposure in our hyperconnected world. By leveraging DHCP vulnerabilities, this attack circumvents the encrypted tunnels that VPNs rely on, exposing user traffic to a rogue DHCP server under the attacker's control. It is a sobering development in network security, signaling a seismic shift in how adversaries can undermine even the most trusted privacy measures.

A. Breaking the Tunnel, Breaching the Trust

For years, Virtual Private Networks (VPNs) have been marketed as the cornerstone of privacy, promising encrypted communication and anonymity against prying eyes. However, as highlighted by [5], these promises are often contingent on precise configurations. The moment users neglect to verify server certificates or disable IPv6, they unknowingly expose themselves to a gamut of threats, including DNS leaks and MITM attacks. The TunnelVision exploit takes this one step further, not merely bypassing misconfigurations but fundamentally dismantling VPN integrity through DHCP manipulation.

In the TunnelVision attack, the adversary first sets up a rogue DHCP server, using techniques such as DHCP Starvation or ARP spoofing to ensure their responses reach the targeted client first. By exploiting DHCP option 121, the attacker injects routes into the client's routing table, effectively rerouting VPN-bound traffic back into the attacker's network. This results in catastrophic breaches of Confidentiality, Integrity, and Availability, the pillars of the CIA Triad that underpin modern security frameworks.

B. A Seed of Paranoia for Privacy Advocates

The discovery of this exploit sows the seeds of paranoia in anyone concerned with their digital privacy. When a VPN, considered the last bastion of security, fails, users are left relying on their device's baseline encryption protocols, such as HTTPS. If these protections falter, the implications are stark: passwords, financial transactions, and private communications are exposed in plain text. To put it bluntly, the failure of VPN security renders users irrevocably "pwned."

[4] emphasizes that this attack is not an esoteric proof-of-concept but a feasible strategy that exploits standard DHCP functionality. The deliberate design of option 121 allows attackers to selectively divert traffic, bypassing VPN tunnels with surgical precision. Combined with the findings of [5], it is clear that VPNs are not invulnerable. Their security depends on meticulous configuration and constant vigilance, as missteps can lead to devastating consequences, including de-anonymization and data theft.

C. Implications and Countermeasures

The TunnelVision exploit starkly highlights the broader vulnerabilities in network protocols. Its success demonstrates that VPNs alone are insufficient to ensure privacy. As [5] notes, attackers increasingly exploit VPN misconfigurations and ancillary leaks like DNS or WebRTC to expose sensitive information. TunnelVision capitalizes on these weaknesses, effectively using DHCP as a trojan horse to dismantle encrypted communication channels.

Addressing this requires a multi-layered approach. Users must adopt VPN solutions that rigorously enforce route integrity, including safeguards against arbitrary route injection. System administrators can mitigate such risks by implementing DHCP snooping and using MAC binding to prevent unauthorized DHCP servers from operating within the network. Additionally, promoting best practices such as routinely updating VPN software and enabling protections like kill-switches and DNS leak protection can close potential attack vectors.

D. A Bell of Awakening for Secure Communications

The TunnelVision exploit is more than just a CVE curiosity; it is a wake-up call. It underscores the urgent need to revisit the foundational assumptions of network security. VPNs, long hailed as the panacea for privacy concerns, are now revealed to be fragile constructs susceptible to protocol-level manipulation. Without a concerted effort to address these vulnerabilities, the promise of secure communication will remain an illusion.

The TunnelVision exploit highlights the hazards of relying solely on VPNs for privacy. Its deployment underscores the importance of understanding DHCP's vulnerabilities and maintaining vigilance in network design.

VI. FUTURE WORK

To expand the research on TunnelVision and its detection mechanisms, we introduce the concept of PU/NU (Positive Unlabeled/Negative Unlabeled) Learning. The TunnelVision exploit can be framed as a machine learning problem, where the challenge is detecting malicious DHCP lease events amidst a large volume of benign traffic.

A. TunnelVision (CVE-2024-3661) as a PU/NU Learning Problem

1) Overview of TunnelVision: TunnelVision (CVE-2024-3661) is a recently discovered network security vulnerability that allows attackers to bypass VPN encapsulation by exploiting DHCP (Dynamic Host Configuration Protocol) functionality. Specifically, the exploit leverages DHCP option 121 to inject malicious routing rules into the victim's network stack, leading to the decloaking of the victim's VPN. This attack causes some of the victim's traffic to bypass the encrypted VPN tunnel, making sensitive data vulnerable to interception.

An attacker can execute the attack by running a rogue DHCP server on the same network as the target. By triggering DHCP lease renewal or expiration events, the attacker can push malicious routing entries that take precedence over the VPN's default routes. This makes detection challenging because DHCP client logs typically contain benign lease expiration and installation events, masking the malicious behavior within seemingly normal traffic. Detecting such anomalies represents an opportunity for applying PU/NU learning.

2) Problem Formulation: The core challenge in detecting TunnelVision exploits lies in identifying malicious DHCP lease events (positive examples) among a large number of benign DHCP logs (unlabeled or negative events). DHCP lease logs usually contain high volumes of legitimate traffic, with malicious events occurring rarely. Therefore, this problem can be formulated as a PU/NU learning task, where the system must distinguish between benign and malicious lease events with limited labeled data.

3) Mathematical Formulation: Let:
$$L = \{l_1, l_2, \ldots, l_n\} \quad (1)$$

represent the set of all DHCP lease logs, where $l_i \in L$ is an individual lease event related to DHCP lease expiration or installation.

$$P \subseteq L \quad (2)$$

is the set of known malicious lease events related to TunnelVision (positive examples), and

$$U = L \setminus P \quad (3)$$

is the set of unlabeled logs, which may contain both benign and malicious events.

The goal is to build a classifier $f : L \to \{0, 1\}$ where

$$f(l_i) = 1 \quad (4)$$

indicates that the lease event $l_i$ is malicious, and

$$f(l_i) = 0 \quad (5)$$

indicates that the lease event $l_i$ is benign.

The risk function $R(f)$ for this PU learning problem is defined as

$$R(f) = \mathbb{E}_{x \in P}\left[\, l(f(x), 1) \,\right] + \mathbb{E}_{x \in U}\left[\, l(f(x), -1) \,\right], \quad (6)$$

where $l(f(x), y)$ is a loss function that measures the difference between the predicted and true labels.

4) Features of the Logs: Several features of DHCP logs can help distinguish benign events from malicious ones:

• Lease Expiration Time: A shorter lease expiration time may indicate malicious activity, as attackers could exploit this to force frequent lease renewals.
• Option 121 Usage: The presence and frequency of DHCP option 121 are key indicators of TunnelVision attempts.
• Routing Table Changes: Logs indicating changes to the routing table (e.g., the insertion of more specific routes via option 121) may suggest malicious behavior.

5) Adapting NU Learning for Benign Logs: If a set of benign DHCP lease events can be reliably labeled, the problem can be reformulated as an NU learning task. In this case, let $N \subseteq L$ represent the set of known benign lease events (negative examples), and $U = L \setminus N$ the remaining set of unlabeled events. The objective in NU learning is to detect positive (malicious) samples from the unlabeled set.

6) Expected Results and Implementation: By applying PU and NU learning techniques, we expect to achieve the following outcomes:

• Improved Detection of TunnelVision Attacks: The model can effectively flag malicious lease events, enabling early detection and preemptive action by network administrators.
• Scalable Log Processing: The PU/NU learning approach allows for the analysis of large volumes of DHCP lease logs, even when labeled data is scarce and malicious events are infrequent.
• Early Detection: By focusing on subtle anomalies in DHCP lease behavior, such as frequent lease renewals or the use of Option 121, the system can detect attacks at their early stages.

Performance will be evaluated using Precision, Recall, and F1-score to balance detecting true positives (malicious events) against minimizing false positives.

VII. CONCLUSION

This paper underscores the role of DHCP as both a critical and a precarious element in network management. By drawing attention to its vulnerabilities, particularly the TunnelVision exploit, we hope to reduce the risks these attacks pose. Indeed, DHCP's simplicity and ubiquity make it indispensable but also a high-value target for attackers. Understanding its vulnerabilities and the implications of attacks like TunnelVision is essential for designing secure networks.

REFERENCES

[1] h30th3r0n3, "Evil-M5Project v1.3.6 - Network hijacking." [Online]. Available: https://github.com/7h30th3r0n3/Evil-M5Core2
[2] A. Mikhailov, "Attacks on the DHCP protocol: DHCP starvation, DHCP spoofing, and protection against these techniques." [Online]. Available: https://hackmag.com/security/dhcp-hacking/
[3] A. AbdulGhaffar, S. K. Paul, and A. Matrawy, "An analysis of DHCP vulnerabilities, attacks, and countermeasures," in 2023 Biennial Symposium on Communications (BSC). IEEE, Jul. 2023, pp. 119–124. [Online]. Available: https://ieeexplore.ieee.org/document/10201458
[4] L. Moratti and D. Cronce, "TunnelVision (CVE-2024-3661): How attackers can decloak routing-based VPNs for a total VPN leak," May 2024. [Online]. Available: https://www.leviathansecurity.com/blog/tunnelvision
[5] H. Abbas, N. Emmanuel, M. F. Amjad, T. Yaqoob, M. Atiquzzaman, Z. Iqbal, N. Shafqat, W. B. Shahid, A. Tanveer, and U. Ashfaq, "Security assessment and evaluation of VPNs: A comprehensive survey," ACM Computing Surveys, vol. 55, pp. 1–47, Dec. 2023. [Online]. Available: https://dl.acm.org/doi/10.1145/3579162
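As an added example appended after the reference list (it is not part of the paper or of any cited work), the following Python makes the detection side of Sections V and VI concrete. It decodes DHCP option 121 as specified in RFC 3442, derives the three log features of Section VI.A.4 from each lease event (lease length, option 121 usage, and the more-specific routes the option would install, which is the indicator Table IV describes), and scores a hand-written stand-in for the classifier f against the empirical form of the risk R(f) in Eq. (6) and the Precision, Recall and F1 metrics of Section VI.A.6. The lease events, the 300-second "short lease" threshold, the /8 "wide route" threshold and the rule f itself are assumptions made for the sample; a real PU/NU learner would fit f from data rather than use a fixed rule.

```python
"""Decode DHCP option 121 (RFC 3442), derive the lease-log features of
Section VI.A.4, and score a stand-in classifier with the PU risk of Eq. (6).
Added example; not code from the paper or its references. All events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

IPv4Net, IPv4Addr = ipaddress.IPv4Network, ipaddress.IPv4Address
SHORT_LEASE = 300   # seconds; assumed threshold for "frequent renewal"
WIDE_PREFIX = 8     # assumed: a DHCP-pushed route covering a /8 or wider is suspect


def decode_option_121(payload: bytes) -> List[Tuple[IPv4Net, IPv4Addr]]:
    """RFC 3442 classless static routes: 1-byte prefix length, ceil(len/8)
    significant destination octets, 4-byte router, repeated. Raises ValueError
    on a truncated entry or on host bits set in the destination."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError("malformed option 121 entry at offset %d" % i)
        dest = int.from_bytes(payload[i + 1:i + 1 + n] + b"\x00" * (4 - n), "big")
        router = IPv4Addr(payload[i + 1 + n:i + 1 + n + 4])
        routes.append((IPv4Net((dest, plen)), router))
        i += 1 + n + 4
    return routes


@dataclass
class LeaseEvent:
    host: str
    lease_seconds: int
    option_121: bytes = b""
    label: Optional[int] = None   # 1 = known malicious (set P); None = unlabeled (set U)


def extract_features(ev: LeaseEvent) -> Dict[str, int]:
    """The paper's three indicators: lease length, option 121 usage, and the
    routing-table change it would cause (routes more specific than /0)."""
    routes = decode_option_121(ev.option_121) if ev.option_121 else []
    specific = [net.prefixlen for net, _ in routes if net.prefixlen > 0]
    return {"lease_seconds": ev.lease_seconds, "has_121": int(bool(routes)),
            "n_specific": len(specific), "widest_prefix": min(specific, default=33)}


def f(x: Dict[str, int]) -> int:
    """Hand-written stand-in for the learned f: L -> {0,1}. Strong signal: a route
    covering a /8 or wider; weak signal: any specific route plus a short lease."""
    if x["n_specific"] == 0:
        return 0
    return int(x["widest_prefix"] <= WIDE_PREFIX or x["lease_seconds"] <= SHORT_LEASE)


def zero_one_loss(pred: int, y: int) -> int:
    """l(f(x), y) of Eq. (6); the paper writes the unlabeled target as -1,
    which corresponds to classifier output 0."""
    return int(pred != (1 if y == 1 else 0))


def pu_risk(events: List[LeaseEvent]) -> float:
    """Empirical R(f) = E_{x in P}[l(f(x),1)] + E_{x in U}[l(f(x),-1)]. Treating all
    of U as negative means an undiscovered attack inside U is charged against f."""
    P = [e for e in events if e.label == 1]
    U = [e for e in events if e.label is None]
    risk_p = sum(zero_one_loss(f(extract_features(e)), 1) for e in P) / len(P)
    risk_u = sum(zero_one_loss(f(extract_features(e)), -1) for e in U) / len(U)
    return risk_p + risk_u


def precision_recall_f1(events: List[LeaseEvent],
                        truth: Dict[str, int]) -> Tuple[float, float, float]:
    """Section VI.A.6 metrics against ground truth (available for evaluation only)."""
    tp = fp = fn = 0
    for e in events:
        pred, actual = f(extract_features(e)), truth[e.host]
        tp += int(pred == 1 and actual == 1)
        fp += int(pred == 1 and actual == 0)
        fn += int(pred == 0 and actual == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


# Constructed sample using documentation address space (192.0.2.0/24, 203.0.113.0/24).
VIA_ROGUE, VIA_LAN = bytes([192, 0, 2, 254]), bytes([192, 0, 2, 1])
SAMPLE_EVENTS = [
    LeaseEvent("m1", 120, bytes([1, 0x00]) + VIA_ROGUE + bytes([1, 0x80]) + VIA_ROGUE,
               label=1),                                        # P: two /1 routes shadow the default route
    LeaseEvent("m2", 3600, bytes([24, 203, 0, 113]) + VIA_ROGUE,
               label=1),                                        # P: one /24 with a long lease (rule misses it)
    LeaseEvent("b1", 86400),                                    # U: plain lease
    LeaseEvent("b2", 86400, bytes([16, 10, 20]) + VIA_LAN),    # U: legitimate internal /16 route
    LeaseEvent("b3", 120),                                      # U: short lease, no routes
    LeaseEvent("b5", 300, bytes([16, 10, 30]) + VIA_LAN),      # U: guest VLAN, short lease + internal route
    LeaseEvent("u4", 180, bytes([1, 0x00]) + VIA_ROGUE),       # U: undiscovered attack in the unlabeled set
]
GROUND_TRUTH = {"m1": 1, "m2": 1, "b1": 0, "b2": 0, "b3": 0, "b5": 0, "u4": 1}

if __name__ == "__main__":
    print("empirical PU risk R(f):", round(pu_risk(SAMPLE_EVENTS), 3))
    print("precision, recall, F1: ", precision_recall_f1(SAMPLE_EVENTS, GROUND_TRUTH))
```

On the sample, the P-term of Eq. (6) is 0.5 (the long-lease /24 variant is missed) and the U-term is 0.4, because Eq. (6) charges f both for the guest-VLAN false positive and for the genuinely malicious event u4 that sits unlabeled in U; that second charge is the bias of treating unlabeled data as negative which PU estimators are designed to correct. Against ground truth the rule reaches precision, recall and F1 of 2/3 each, which is the trade-off Section VI.A.6 proposes to measure.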