Potential DHCP Starvation via High Client MAC Cardinality
Identifies a burst of DHCP DISCOVER messages with an unusually high number of distinct client hardware addresses observed on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MAC addresses to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/25"
3integration = ["network_traffic"]
4maturity = "production"
5updated_date = "2026/06/25"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a burst of DHCP DISCOVER messages with an unusually high number of distinct client hardware addresses
11observed on the same capture segment within a short window. Attackers flood DISCOVER requests with spoofed or random MAC
12addresses to exhaust the DHCP lease pool, often as a precursor to deploying a rogue DHCP server.
13"""
14from = "now-9m"
15language = "esql"
16license = "Elastic License v2"
17name = "Potential DHCP Starvation via High Client MAC Cardinality"
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating Potential DHCP Starvation via High Client MAC Cardinality
24
25DHCP starvation floods a segment with DISCOVER messages that use many distinct client hardware addresses to consume
26available leases. This rule keys on high DHCP DISCOVER volume paired with high `client_mac` cardinality seen by the
27same network capture sensor, which is the wire-level starvation pattern and does not depend on host operating system.
28
29### Possible investigation steps
30
31- Review `Esql.count_distinct_client_macs` and sample values in `Esql.values_client_macs` to confirm the burst is not a
32 single client retrying with one address.
33- Identify the L2 segment or VLAN monitored by `Esql.observer` and check DHCP server logs for pool exhaustion, NAK spikes,
34 or lease-denial events during the same window.
35- Look for follow-on rogue DHCP OFFER/ACK activity on the segment, including the Multiple DHCP Servers Responding to the
36 Same Transaction rule.
37- Locate the transmitting host using switch CAM tables if Ethernet source addresses are available in raw capture exports.
38
39### False positive analysis
40
41- Large Wi-Fi reconnect or onboarding events can temporarily increase DISCOVER volume. Compare against historical
42 baselines for the same `Esql.observer` and time of day before treating as malicious.
43- Virtualization or VDI provisioning bursts may generate many distinct client MAC addresses during imaging. Exclude known
44 provisioning VLANs or sensors when the workflow is confirmed.
45
46### Response and remediation
47
48- Enable or verify DHCP snooping and rate limits on the affected access switches.
49- Block or isolate the source host if link-layer evidence confirms a single transmitter is generating the flood.
50- Restore DHCP service capacity and monitor for rogue OFFER/ACK responses after the starvation attempt.
51"""
52references = [
53 "https://attack.mitre.org/techniques/T1498/",
54 "https://www.leviathansecurity.com/blog/tunnelvision",
55 "https://wazuh.com/blog/monitoring-dhcp-starvation-attack-with-suricata-and-wazuh/",
56]
57risk_score = 47
58rule_id = "b5f94e78-fb4d-4f4b-879e-e51ea667d09c"
59setup = """## Setup
60
61This rule requires the Elastic network_traffic (Packetbeat) integration capturing DHCP (UDP 67/68) on the broadcast
62segment where clients acquire leases, either Packetbeat running on the segment or a SPAN/mirror feeding it.
63
64Zeek and flow-only firewall sources are intentionally not supported: this rule requires per-DISCOVER DHCP transaction
65fields and client hardware address values (`client_mac`) to measure high client MAC cardinality in a short time window.
66"""
67severity = "medium"
68tags = [
69 "Domain: Network",
70 "Use Case: Threat Detection",
71 "Use Case: Network Security Monitoring",
72 "Tactic: Impact",
73 "Data Source: Network Traffic",
74 "Resources: Investigation Guide",
75]
76timestamp_override = "event.ingested"
77type = "esql"
78
79query = '''
80from logs-network_traffic.dhcpv4-*, packetbeat-*
81| eval
82 Esql.message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),
83 Esql.client_mac = COALESCE(network_traffic.dhcpv4.client_mac, dhcpv4.client_mac),
84 Esql.observer_hostname = COALESCE(host.name, observer.hostname)
85| where Esql.message_type == "discover" and Esql.client_mac is not null and Esql.observer_hostname is not null
86| eval Esql.time_window = DATE_TRUNC(1 minute, @timestamp)
87| stats
88 Esql.dhcpv4_discover_count = COUNT(*),
89 Esql.dhcpv4_client_mac_count_distinct = COUNT_DISTINCT(Esql.client_mac),
90 Esql.dhcpv4_client_mac_values = MV_SLICE(VALUES(Esql.client_mac), 0, 10)
91 by Esql.time_window, Esql.observer_hostname
92| where Esql.dhcpv4_discover_count >= 75 and Esql.dhcpv4_client_mac_count_distinct >= 50
93| keep Esql.observer_hostname, Esql.time_window, Esql.dhcpv4_discover_count, Esql.dhcpv4_client_mac_count_distinct, Esql.dhcpv4_client_mac_values
94'''
95
96
97[[rule.threat]]
98framework = "MITRE ATT&CK"
99[[rule.threat.technique]]
100id = "T1498"
101name = "Network Denial of Service"
102reference = "https://attack.mitre.org/techniques/T1498/"
103[[rule.threat.technique.subtechnique]]
104id = "T1498.001"
105name = "Direct Network Flood"
106reference = "https://attack.mitre.org/techniques/T1498/001/"
107
108
109
110[rule.threat.tactic]
111id = "TA0040"
112name = "Impact"
113reference = "https://attack.mitre.org/tactics/TA0040/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential DHCP Starvation via High Client MAC Cardinality
DHCP starvation floods a segment with DISCOVER messages that use many distinct client hardware addresses to consume
available leases. This rule keys on high DHCP DISCOVER volume paired with high client_mac cardinality seen by the
same network capture sensor, which is the wire-level starvation pattern and does not depend on host operating system.
Possible investigation steps
- Review
Esql.count_distinct_client_macsand sample values inEsql.values_client_macsto confirm the burst is not a single client retrying with one address. - Identify the L2 segment or VLAN monitored by
Esql.observerand check DHCP server logs for pool exhaustion, NAK spikes, or lease-denial events during the same window. - Look for follow-on rogue DHCP OFFER/ACK activity on the segment, including the Multiple DHCP Servers Responding to the Same Transaction rule.
- Locate the transmitting host using switch CAM tables if Ethernet source addresses are available in raw capture exports.
False positive analysis
- Large Wi-Fi reconnect or onboarding events can temporarily increase DISCOVER volume. Compare against historical
baselines for the same
Esql.observerand time of day before treating as malicious. - Virtualization or VDI provisioning bursts may generate many distinct client MAC addresses during imaging. Exclude known provisioning VLANs or sensors when the workflow is confirmed.
Response and remediation
- Enable or verify DHCP snooping and rate limits on the affected access switches.
- Block or isolate the source host if link-layer evidence confirms a single transmitter is generating the flood.
- Restore DHCP service capacity and monitor for rogue OFFER/ACK responses after the starvation attempt.
References
Related rules
- Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence
- Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts
- Multiple DHCP Servers Responding to the Same Transaction
- SMB (Windows File Sharing) Activity from the Internet
- Abnormally Large DNS Response