Potential DHCP Starvation via High Client MAC Cardinality

Elastic Detection Rules

Summary
This rule detects potential DHCP starvation by spotting bursts of DHCP DISCOVER messages that exhibit a high diversity of client MAC addresses on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MACs to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server. The detection is wire-level and OS-agnostic: it relies on the DHCPv4 DISCOVER event and the client_mac attribute rather than on host OS indicators.

The rule uses the Elasticsearch Query Language (ES|QL) to normalize fields, bucket time into 1-minute windows, and compute two signals per observer (Esql.observer_hostname) within each window: the total number of DHCP DISCOVER messages observed (dhcpv4_discover_count) and the number of distinct client MAC addresses (dhcpv4_client_mac_count_distinct). The condition triggers when there are at least 75 DISCOVER messages and at least 50 distinct MAC addresses within the same minute, indicating a likely MAC-address flood that could exhaust the DHCP pool. The rule returns the observer, the time window, both counts, and a sample of client MACs to aid triage.
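The two signals and the threshold condition described above, re-implemented here in Python over constructed DHCPv4 events as an added illustration (this is not the rule's ES|QL query; the event keys `@timestamp`, `observer.hostname`, `dhcpv4.op` and `dhcpv4.client_mac` and the sensor names are assumed for the example). The constructed sample also includes a busy-but-legitimate observer, so the distinct-MAC signal, not the raw DISCOVER count alone, is what separates a flood from retry noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds stated in the rule summary: per observer, per 1-minute window.
MIN_DISCOVER = 75
MIN_DISTINCT_MAC = 50

def bucket_start(ts):
    """Floor a timestamp to the start of its 1-minute window."""
    return ts.replace(second=0, microsecond=0)

def detect_dhcp_starvation(events, min_discover=MIN_DISCOVER,
                           min_distinct=MIN_DISTINCT_MAC, sample_size=5):
    """Bucket DHCPv4 DISCOVER events by (observer, minute) and flag windows
    that meet both thresholds. Event keys ('@timestamp', 'observer.hostname',
    'dhcpv4.op', 'dhcpv4.client_mac') are assumed for this example."""
    windows = defaultdict(lambda: {"count": 0, "macs": set()})
    for ev in events:
        if ev.get("dhcpv4.op") != "DISCOVER":
            continue  # only DISCOVER messages feed the two signals
        key = (ev["observer.hostname"], bucket_start(ev["@timestamp"]))
        windows[key]["count"] += 1
        windows[key]["macs"].add(ev["dhcpv4.client_mac"].lower())  # normalize
    alerts = []
    for (observer, start), w in sorted(windows.items()):
        distinct = len(w["macs"])
        if w["count"] >= min_discover and distinct >= min_distinct:
            alerts.append({
                "observer": observer,
                "window_start": start.isoformat(),
                "dhcpv4_discover_count": w["count"],
                "dhcpv4_client_mac_count_distinct": distinct,
                "client_mac_sample": sorted(w["macs"])[:sample_size],
            })
    return alerts

def make_events():
    """Constructed sample traffic (not captured data): sensor-a sees 80
    DISCOVERs from 60 MACs in one minute (flood); sensor-b sees 80 DISCOVERs
    from only 10 MACs (noisy retries); sensor-c sees a normal trickle."""
    t0 = datetime(2026, 6, 25, 12, 0, tzinfo=timezone.utc)
    ev = lambda host, i, n_macs, op="DISCOVER": {
        "@timestamp": t0 + timedelta(milliseconds=500 * i),
        "observer.hostname": host, "dhcpv4.op": op,
        "dhcpv4.client_mac": f"02:00:00:00:00:{i % n_macs:02X}"}
    events = [ev("sensor-a", i, 60) for i in range(80)]
    events += [ev("sensor-b", i, 10) for i in range(80)]
    events += [ev("sensor-c", i, 3) for i in range(5)]
    events += [ev("sensor-a", i, 60, op="REQUEST") for i in range(40)]  # ignored
    return events
```

Running `detect_dhcp_starvation(make_events())` yields a single alert for sensor-a in the 12:00 window; sensor-b's equally high DISCOVER count does not fire because only 10 distinct MACs are involved.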
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1498
  • T1498.001
Created: 2026-06-25