3/27/08

DHCP Address Starvation with MAC flooding

This is perhaps the simplest and fastest attack. DHCP servers have a limited number of addresses that they can give out: DHCP scopes commonly have fewer than 200 addresses available for dynamic hosts (the rest of the address space is often reserved for devices with static IPs, such as servers and printers). So to stop the DHCP server from working, all an attacker has to do is send DHCP DISCOVER/REQUEST messages, each carrying a different, randomly generated client hardware address (the chaddr field, normally the client's MAC address), until the scope is exhausted and the server stops responding. The DHCP server has no way of knowing what is going on: every request looks like a new client, so it keeps handing out a lease to each request it sees and never realises it is being attacked. Legitimate clients then get nothing when they join the network or when their leases expire. This attack usually takes less than 10 seconds to complete and uses a very small amount of bandwidth. As long as the attack uses forged MAC addresses (and the common tools for this attack do), it is very difficult for the Windows administrator to track down, since all of the information available to them (the lease table, the DHCP logs) is forged.

Mitigation
Mitigation of this attack is very simple with a Cisco switch, using a feature called port security. Port security limits the number of source MAC addresses a port will accept (by default, one). If you enable the feature on every port that can connect to a workstation, and a workstation sends a frame with a source MAC address different from the one the port has already learned, the switch treats it as a violation and, in the default violation mode, puts the port into the err-disabled state, stopping the attack dead. Port security is supported on Cisco 2950s and above. The switch clears the dynamically learned MAC address when the link goes down (such as the workstation being turned off or unplugged), so it works happily with ports shared by different machines, as long as only one machine at a time is plugged into the port. Two caveats are worth knowing. First, an err-disabled port stays down until an administrator bounces it with shutdown / no shutdown, or until errdisable recovery cause psecure-violation is configured; show port-security interface FastEthernet x/y shows the current state and the last violating MAC. Second, port security only looks at the Ethernet source address, so a tool that forges just the chaddr field inside the DHCP message while keeping the workstation's real source MAC will get past it. That variant is caught by DHCP snooping: its verify mac-address check (on by default once ip dhcp snooping is enabled) drops DHCP packets on untrusted ports whose Ethernet source MAC does not match the chaddr, and ip dhcp snooping limit rate can cap the number of DHCP packets a port may send per second.

interface FastEthernet x/y
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
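The following simulation is an added example written for this page; it is not code from the original post and it sends nothing on the wire. It builds real-layout DHCP DISCOVER frames (Ethernet header plus a 236-byte BOOTP header and option 53) with a fresh random chaddr each time, feeds them through a toy switch port and a toy DHCP server with a 200-address scope, and compares four cases: an unprotected port, a port with port security maximum 1 in shutdown mode, and the chaddr-only forgery variant with and without the DHCP snooping MAC verification described above. The scope size, the address range 192.0.2.10 to .209, the "burned-in" address REAL_MAC and the omission of the IP/UDP headers (the toy devices only inspect the Ethernet source and the chaddr) are assumptions made for the example. It goes slightly beyond the text by modelling the chaddr-only forgery case, to show where port security alone stops helping.

```python
import os
import struct
import ipaddress

BROADCAST = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the DHCP options
REAL_MAC = bytes.fromhex("001122334455")  # constructed: the attacking host's real MAC


def random_mac() -> bytes:
    """Random locally administered unicast MAC (bit 0x02 set, so never REAL_MAC)."""
    m = bytearray(os.urandom(6))
    m[0] = (m[0] | 0x02) & 0xFE
    return bytes(m)


def build_discover(src_mac: bytes, chaddr: bytes, xid: int) -> bytes:
    """Ethernet header + 236-byte BOOTP header + option 53 (DISCOVER) + end.
    IP and UDP headers are left out: the toy devices below do not look at them."""
    eth = BROADCAST + src_mac + b"\x08\x00"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,             # transaction id, secs, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, 1]) + b"\xff"   # message type 1 = DISCOVER
    return eth + bootp + options


def parse_frame(frame: bytes):
    """Return (Ethernet source MAC, BOOTP chaddr) of a frame built above."""
    src_mac = frame[6:12]
    bootp = frame[14:14 + 236]
    hlen = bootp[2]
    return src_mac, bootp[28:28 + hlen]


class DhcpServer:
    """Scope of 200 dynamic addresses; one lease per distinct chaddr."""
    def __init__(self, network="192.0.2.0/24", first=10, size=200):
        hosts = list(ipaddress.ip_network(network).hosts())
        self.free = hosts[first - 1:first - 1 + size]   # 192.0.2.10 .. 192.0.2.209
        self.leases = {}

    def offer(self, chaddr: bytes):
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None                   # scope exhausted: real clients now get nothing
        self.leases[chaddr] = self.free.pop(0)
        return self.leases[chaddr]


class AccessPort:
    """Toy switch port. port_security models 'switchport port-security' with
    maximum 1 and violation mode shutdown; verify_chaddr models the DHCP
    snooping 'verify mac-address' check on an untrusted port."""
    def __init__(self, port_security: bool, verify_chaddr: bool):
        self.port_security, self.verify_chaddr = port_security, verify_chaddr
        self.learned, self.err_disabled, self.dropped = set(), False, 0

    def ingress(self, frame: bytes):
        if self.err_disabled:
            return None
        src_mac, chaddr = parse_frame(frame)
        if self.port_security and src_mac not in self.learned:
            if len(self.learned) >= 1:
                self.err_disabled = True  # second source MAC on the port: violation, shut down
                return None
            self.learned.add(src_mac)
        if self.verify_chaddr and src_mac != chaddr:
            self.dropped += 1             # chaddr does not match the frame's source MAC
            return None
        return chaddr


def run_attack(port: AccessPort, server: DhcpServer, forge_src_mac: bool, attempts=300):
    """Send `attempts` DISCOVERs with a fresh random chaddr each. forge_src_mac says
    whether the tool also forges the Ethernet source (most do) or keeps REAL_MAC."""
    for xid in range(attempts):
        mac = random_mac()
        chaddr = port.ingress(build_discover(mac if forge_src_mac else REAL_MAC, mac, xid))
        if chaddr is not None:
            server.offer(chaddr)
    return {"leases": len(server.leases), "free": len(server.free),
            "err_disabled": port.err_disabled, "dropped": port.dropped}


def scenarios():
    """Unprotected port versus the two switch-side mitigations."""
    return {
        "unprotected": run_attack(AccessPort(False, False), DhcpServer(), True),
        "port-security": run_attack(AccessPort(True, False), DhcpServer(), True),
        "chaddr-only, port-security": run_attack(AccessPort(True, False), DhcpServer(), False),
        "chaddr-only, snooping verify": run_attack(AccessPort(True, True), DhcpServer(), False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} {result}")
```

The unprotected port loses all 200 addresses within the 300 requests; with port security the second random source MAC err-disables the port after a single lease. The third case is the one to remember: if the tool keeps the real source MAC and only varies the chaddr, port security never sees a second address and the scope is still drained, which is why DHCP snooping's MAC verification belongs alongside port security on untrusted ports.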

How to Change JKS KeyStore Private Key Password

Use the following keytool command to change the key store password:

>keytool  -storepasswd  -new [new password ]  -keystore  [path to key stor...