
Summary
This rule detects potential DHCP starvation by spotting bursts of DHCP DISCOVER messages that exhibit a high diversity of client MAC addresses on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MACs to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server. The detection is wire-level and OS-agnostic, since it relies on the DHCPv4 DISCOVER event and the client_mac attribute rather than host OS indicators.

The rule uses Elastic Query Language (ESQL) to normalize fields, bucket time into 1-minute windows, and compute two signals within each window per observer (Esql.observer_hostname): the total number of DHCP DISCOVER messages observed (dhcpv4_discover_count) and the number of distinct client MAC addresses (dhcpv4_client_mac_count_distinct).

A condition triggers when there are at least 75 DISCOVER messages and at least 50 distinct MAC addresses within the same minute, indicating a likely MAC-address flood that could exhaust the DHCP pool. The rule returns observer, time window, counts, and a sample of client MACs to aid triage.
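As an added illustration (not the rule's own ESQL), the same two signals and thresholds implemented in Python over DHCP event records. The event field names timestamp, observer, message_type and client_mac are assumptions, and the sample traffic is constructed: a MAC flood that trips both thresholds next to a retransmit storm that trips only the count.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds from the rule summary: per observer, per 1-minute window.
DISCOVER_THRESHOLD = 75
DISTINCT_MAC_THRESHOLD = 50
MAC_SAMPLE_SIZE = 10


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate so 'AA-BB-..' and 'aa:bb:..' count as one client."""
    return mac.strip().lower().replace("-", ":")


def detect_dhcp_starvation(events):
    """Bucket DHCPDISCOVER events into 1-minute windows per observer and flag windows
    where both the message count and the distinct-MAC count reach their thresholds.
    Event keys (hypothetical): timestamp (ISO 8601), observer, message_type, client_mac."""
    buckets = defaultdict(lambda: {"count": 0, "macs": set()})
    for ev in events:
        if ev.get("message_type", "").upper() != "DHCPDISCOVER":
            continue  # OFFER/REQUEST/ACK do not contribute to the signal
        window = datetime.fromisoformat(ev["timestamp"]).replace(second=0, microsecond=0)
        bucket = buckets[(ev["observer"].lower(), window)]
        bucket["count"] += 1
        bucket["macs"].add(normalize_mac(ev["client_mac"]))
    alerts = []
    for (observer, window), b in sorted(buckets.items()):
        if b["count"] >= DISCOVER_THRESHOLD and len(b["macs"]) >= DISTINCT_MAC_THRESHOLD:
            alerts.append({"observer": observer, "window_start": window.isoformat(),
                           "dhcpv4_discover_count": b["count"],
                           "dhcpv4_client_mac_count_distinct": len(b["macs"]),
                           "client_mac_sample": sorted(b["macs"])[:MAC_SAMPLE_SIZE]})
    return alerts


def constructed_events():
    """Constructed traffic: a MAC flood on sensor-a (80 DISCOVERs, 80 MACs, one minute)
    and a benign retransmit storm on sensor-b (90 DISCOVERs from only 3 MACs)."""
    base = datetime(2026, 6, 25, 12, 0, 0, tzinfo=timezone.utc)
    events = [{"timestamp": (base + timedelta(seconds=i % 60)).isoformat(), "observer": "sensor-a",
               "message_type": "DHCPDISCOVER", "client_mac": f"02-00-00-00-00-{i:02X}"}
              for i in range(80)]
    events += [{"timestamp": (base + timedelta(seconds=i % 60)).isoformat(), "observer": "sensor-b",
                "message_type": "DHCPDISCOVER", "client_mac": f"00:11:22:33:44:{i % 3:02x}"}
               for i in range(90)]
    return events


if __name__ == "__main__":
    for alert in detect_dhcp_starvation(constructed_events()):
        print(alert)
```

Only sensor-a produces an alert; sensor-b exceeds the DISCOVER count but its three distinct MACs stay far below the diversity threshold, which is what keeps ordinary retransmit bursts out of the results.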
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1498
- T1498.001
Created: 2026-06-25