A Rogue DHCP Server attack best fits the symptoms because it directly explains unexpected gateway changes, IP conflicts, and traffic redirection to deceptive portals. In CEH network attack coverage, DHCP is a foundational service that automatically provides clients with IP configuration such as IP address, subnet mask, default gateway, and DNS servers. If an attacker introduces a rogue DHCP server on the same broadcast domain, clients may accept leases from the rogue server—especially if it responds faster than the legitimate DHCP infrastructure. Once that happens, the attacker can push a malicious default gateway or DNS server to victims. This allows redirection of traffic, man-in-the-middle positioning, and phishing-style interception, which matches the “unfamiliar gateway settings” and “misleading login portals” described.

The mention of “temporary IP address conflicts” also aligns: a rogue server can hand out addresses that overlap with legitimate allocations, causing intermittent connectivity issues and failed connection attempts. While a DHCP starvation attack can create disruption by exhausting the DHCP pool, the key difference is outcome: starvation primarily denies service until a rogue server takes over. Here, the defining observable behavior is not just outage—it is misconfiguration and redirection, which points to the presence of a rogue DHCP server actively issuing malicious leases.

Packet sniffing alone would not change gateway settings, and MAC flooding is aimed at forcing switches to behave like hubs, not issuing IP configuration. Defensive controls include DHCP snooping, port security, network segmentation, and monitoring for unauthorized DHCP offers and anomalous lease patterns.