Multiple DHCP Servers Responding to the Same Transaction

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Multiple DHCP Servers Responding to the Same Transaction

Identifies two or more distinct DHCP servers sending an OFFER or ACK for the same transaction ID (xid) within a short window, indicating a rogue DHCP server racing the legitimate one to win the client’s handshake. This is the rogue-DHCP / adversary-in-the-middle precondition (T1557.003) and is operating-system agnostic, since it keys only on server behavior observed on the wire. Winning the race lets an attacker intercept traffic via a hostile gateway/DNS, bypass a VPN (TunnelVision), or deliver a malformed response that exploits the client’s DHCP parser for code execution.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Network
Domain: Endpoint
Use Case: Threat Detection
Use Case: Vulnerability
Use Case: Network Security Monitoring
Tactic: Credential Access
Tactic: Execution
Data Source: Network Traffic
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Multiple DHCP Servers Responding to the Same Transaction

DHCP is plaintext UDP and fully visible to any sensor on the broadcast segment. A rogue server (or an injected response on the victim’s L2 broadcast domain) that answers a transaction the legitimate server already owns is the defining precondition for DHCP-based adversary-in-the-middle and for malformed-option client exploits. This rule flags exactly that: two or more distinct server source IPs producing an OFFER/ACK for one transaction ID inside the same 30-second window, and is operating-system agnostic, since it keys only on server behavior observed on the wire.

Possible investigation steps

Identify the server source IPs in Esql.values_server_ips and Esql.values_server_identifiers. Determine which is the sanctioned DHCP server and which is unexpected.
Locate the rogue server on the segment (switch CAM/ARP tables, port, VLAN). It is on the same broadcast domain as the victim by definition.
Inspect the rogue OFFER/ACK options for an oversized or malformed payload (the overflow trigger) and for hostile configuration such as an attacker-controlled default gateway (option 3), DNS server (option 6), WPAD/proxy auto-config (option 252), or classless static routes (option 121, TunnelVision-style VPN bypass).
Identify the client(s) acquiring leases on the segment (any OS, including Windows, Linux, macOS, iOS, IoT) and review their endpoint telemetry for DHCP client service crashes, unexpected route/DNS/gateway changes, or follow-on code execution. Where the target OS and DHCP client are known, check whether they are unpatched for the relevant CVE (e.g. CVE-2026-44815 on Windows, CVE-2018-5732 on ISC dhclient).

False positive analysis

DHCP failover pairs (Microsoft or ISC) are designed so that, for a given transaction, only one peer answers; two peers answering the same xid within 30 seconds is not normal failover behavior. If a known active-active or load-balancing architecture genuinely does this, add its server IPs to an exception.
DHCP relay agents forward responses but the relayed source is the relay, and a single server still owns each transaction. Anycast/VIP DHCP designs that present multiple real backend IPs on the wire are rare and would be a known architectural fact, which can be excepted by those IPs.

Response and remediation

Remove the rogue DHCP server from the segment, then patch the affected client DHCP stacks (e.g. June 2026 Patch Tuesday for CVE-2026-44815 on Windows, or the fixed ISC dhclient for CVE-2018-5732 on Linux/Unix).
Enable DHCP snooping on managed switches and restrict DHCP server responses to authorized server ports/MACs as a compensating control, which protects clients of every OS and also mitigates TunnelVision-style route injection.

Setup

edit

Setup

This rule requires the Elastic network_traffic (Packetbeat) integration capturing DHCP (UDP 67/68) on the broadcast segment where clients acquire/renew leases, either Packetbeat running on the segment or a SPAN/mirror feeding it. A sensor not on the same L2 broadcast domain (or not behind the relevant DHCP relay) will not observe competing OFFER/ACK packets.

Zeek is intentionally not supported: the zeek.dhcp data stream does not expose a transaction ID and aggregates a full DORA exchange into one record, so the per-transaction server-count comparison cannot be expressed on it.

Rule query

edit

from logs-network_traffic.dhcpv4-*, packetbeat-*
| eval
    message_type = TO_LOWER(COALESCE(network_traffic.dhcpv4.option.message_type, dhcpv4.option.message_type)),
    Esql.transaction_id = COALESCE(network_traffic.dhcpv4.transaction_id, dhcpv4.transaction_id),
    server_identifier = COALESCE(network_traffic.dhcpv4.option.server_identifier, dhcpv4.option.server_identifier)
| where message_type in ("offer", "ack") and Esql.transaction_id is not null and source.ip is not null
| eval Esql.time_window = DATE_TRUNC(30 seconds, @timestamp)
| stats
    Esql.count_distinct_servers = COUNT_DISTINCT(source.ip),
    Esql.values_server_ips = VALUES(source.ip),
    Esql.values_server_identifiers = VALUES(server_identifier),
    Esql.count_replies = COUNT(*)
  by Esql.time_window, Esql.transaction_id
| where Esql.count_distinct_servers >= 2
| keep Esql.transaction_id, Esql.time_window, Esql.count_distinct_servers, Esql.values_server_ips, Esql.values_server_identifiers, Esql.count_replies

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Adversary-in-the-Middle
- ID: T1557
- Reference URL: https://attack.mitre.org/techniques/T1557/
Sub-technique:
- Name: DHCP Spoofing
- ID: T1557.003
- Reference URL: https://attack.mitre.org/techniques/T1557/003/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Exploitation for Client Execution
- ID: T1203
- Reference URL: https://attack.mitre.org/techniques/T1203/

« Multiple Cloud Secrets Accessed by Source Address Multiple Device Token Hashes for Single Okta Session »