7.3 DHCP Attacks
How DHCP Works
- DHCP servers maintain TCP/IP configuration information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server.
- The server provides address configurations to DHCP-enabled clients in the form of a lease offer.
- The client broadcasts a DHCPDISCOVER/SOLICIT request asking for DHCP configuration information.
- The DHCP relay agent captures the client request and unicasts it to the DHCP servers available in the network.
- The DHCP server unicasts a DHCPOFFER/ADVERTISE, which contains the client's and the server's MAC addresses.
- The relay agent broadcasts the DHCPOFFER/ADVERTISE in the client's subnet.
- The client broadcasts a DHCPREQUEST/REQUEST asking the DHCP server to provide the DHCP configuration information.
- The DHCP server sends a unicast DHCPACK/REPLY message to the client with the IP configuration information.
DHCP Request/Reply Messages
| DHCPv4 Message | DHCPv6 Message | Description |
|---|---|---|
| DHCPDiscover | Solicit | Client broadcast to locate available DHCP servers |
| DHCPOffer | Advertise | Server to client in response to DHCPDISCOVER with offer of configuration parameters |
| DHCPRequest | Request, Confirm, Renew, Rebind | Client message to servers either (a) requesting offered parameters, (b) confirming correctness of previously allocated address, or (c) extending the lease period |
| DHCPAck | Reply | Server to client with configuration parameters, including committed network address |
| DHCPRelease | Release | Client to server relinquishing network address and canceling remaining lease |
| DHCPDecline | Decline | Client to server indicating network address is already in use |
| N/A | Reconfigure | Server tells the client that it has new or updated configuration settings. The client then sends either a Renew/Reply or Information-request/Reply transaction to get the updated information |
| DHCPInform | Information Request | Client to server, asking only for local configuration parameters; client already has externally configured network address |
| N/A | Relay-Forward | A relay agent sends a relay-forward message to relay messages to servers, either directly or through another relay agent |
| N/A | Relay-Reply | A server sends a relay-reply message to a relay agent containing a message that the relay agent delivers to a client |
| DHCPNAK | N/A | Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired |
IPv4 DHCP Packet Format
DHCP Starvation Attack
- This is a denial-of-service (DoS) attack on DHCP servers in which the attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope.
- As a result, legitimate users are unable to obtain or renew an IP address via DHCP and so lose access to the network.
DHCP Starvation Attack Tools
- dhcpstarv implements a DHCP starvation attack. It requests DHCP leases on a specified interface, saves them, and renews them on a regular basis.
- Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.
- It is intended as a solid framework for analyzing and testing deployed networks and systems.
dhcpstarv -i eth0
Rogue DHCP Server Attack
- The attacker sets up a rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses; this results in compromised network access.
- This attack works in conjunction with the DHCP starvation attack: the attacker sends TCP/IP settings to the user after knocking him/her out from the genuine DHCP server.
How to Defend Against DHCP Starvation and Rogue Server Attack
- Enable port security to defend against DHCP starvation attacks.
- Configuring a MAC limit on the switch's edge ports drops packets from further MACs once the limit is reached.
- Enable DHCP snooping, which allows the switch to accept DHCP transactions coming only from a trusted port.
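The two controls above (a MAC limit on edge ports and the trusted-port rule of DHCP snooping) can be modelled as a simple forwarding decision. This is an added example, not part of the original notes: the EdgeSwitch class, the port numbers and the MAC addresses are constructed for illustration, and the model is a simplification rather than any vendor's implementation.

```python
from collections import Counter, defaultdict

# DHCPv4 messages that only a server sends (see the message table above).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

class EdgeSwitch:
    """Toy model of a switch applying a per-port MAC limit and DHCP snooping."""

    def __init__(self, trusted_ports, mac_limit):
        self.trusted_ports = set(trusted_ports)  # ports facing the real DHCP server
        self.mac_limit = mac_limit               # max source MACs per edge port
        self.learned = defaultdict(set)          # port -> MACs learned so far
        self.alerts = []                         # (reason, port, src_mac)

    def handle(self, port, src_mac, msg_type):
        """Return True if the frame is forwarded, False if it is dropped."""
        if port in self.trusted_ports:
            return True
        # DHCP snooping: server replies are accepted only from trusted ports.
        if msg_type in SERVER_MESSAGES:
            self.alerts.append(("untrusted-server-reply", port, src_mac))
            return False
        # Port security: drop frames from further MACs once the limit is reached.
        macs = self.learned[port]
        if src_mac not in macs and len(macs) >= self.mac_limit:
            self.alerts.append(("mac-limit-exceeded", port, src_mac))
            return False
        macs.add(src_mac)
        return True

def run_sample():
    """Replay constructed traffic; return (forwarded, dropped, alert counts)."""
    sw = EdgeSwitch(trusted_ports={1}, mac_limit=2)
    frames = [
        (3, "aa:aa:aa:00:00:01", "DHCPDISCOVER"),  # normal client on edge port 3
        (1, "aa:aa:aa:00:00:fe", "DHCPOFFER"),     # real server on trusted port 1
        (3, "aa:aa:aa:00:00:01", "DHCPREQUEST"),
        (1, "aa:aa:aa:00:00:fe", "DHCPACK"),
        (7, "cc:cc:cc:00:00:01", "DHCPOFFER"),     # server reply from an edge port
    ]
    # Starvation pattern: many requests on one edge port, each from a new MAC.
    frames += [(5, f"bb:bb:bb:00:00:{i:02x}", "DHCPDISCOVER") for i in range(20)]
    results = [sw.handle(*f) for f in frames]
    counts = Counter(reason for reason, _port, _mac in sw.alerts)
    return results.count(True), results.count(False), dict(counts)

if __name__ == "__main__":
    print(run_sample())
```

The alert list is the part worth exporting: a burst of mac-limit-exceeded events on one port, or any untrusted-server-reply, identifies the edge port to investigate.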
Q1) How do you defend against DHCP Starvation attack?
- Enable ARP-Block on the switch
- Enable DHCP snooping on the switch
- Configure DHCP-BLOCK to 1 on the switch
- Install DHCP filters on the switch to block this attack