7.3 DHCP Attacks

How DHCP Works

DHCP servers maintain TCP/IP configuration information in a database such as valid TCP/IP configuration parameters, valid IP addresses, and duration of the lease offered by the server.
It provides address configurations to DHCP-enabled clients in the form of a lease offer.

Client broadcasts DHCPDISCOVER/SOLICIT request asking for DHCP Configuration Information.
DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network.
DHCP server unicasts DHCPOFFER/ADVERTISE, which contains client and server's MAC address.
Relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet.
Client broadcasts DHCPREQUEST/REQUEST asking DHCP server to provide the DHCP configuration information.
DHCP server sends unicast DHCPACK/REPLY message to the client with the IP config and information.

DHCPv4 Message	DHCPv6 Message	Description
DHCPDiscover	Solicit	Client broadcast to locate available DHCP servers
DHCPOffer	Advertise	Server to client in response to DHCPDISCOVER with offer of configuration parameters
DHCPRequest	Request, Confirm, Renew, Rebind	Client message to servers either (a) Requesting offered parameters, (b) Confirming correctness of previously allocated address, or (c) Extending the lease period
DHCPAck	Relay	Server to client with configuration parameters, including committed network address
DHCPRelease	Release	Client to server relinquishing network address and canceling remaining lease
DHCPDecline	Decline	Client to server indicating network address is already in use
N/A	Reconfigure	Server tells the client that it has new or updated configuration settings. The client then sends either a renew/reply or Information-request/Reply transaction to get the updated information
DHCPInform	Information Request	Client to server, asking only for local configuration parameters; client already has externally configured network address
N/A	Relay-Forward	A relay agent sends a relay-forward message to relay messages to servers, either directly or through another relay agent
N/A	Relay-Reply	A server sends a relay-reply message to a relay agent containing a message that the relay agent delivers to a client
DHCPNAK	N/A	Server to client indicating client's notion of network address is incorrect (e.g., Client has moved to new subnet) or client's lease as expired

This is a denial-of-service (DoS) attack on the DHCP servers where attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope.
As a result legitimate user is unable to obtain or renew an IP address requested via DHCP, failing access to the network access.

Tool: Gobbler

Dhcpstarv:
- dhcpstarv implements DHCP starvation attack. It requests DHCP leases on specified interface, saves them, and renews on regular basis.
Yersinia:
- Yersinia is a network tool designed to take advantage of some weakness in different network protocols.
- It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

dhcpstarv -i eth0

Attacker sets rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses; this results in compromised network access.
This attack works in conjunction with the DHCP Starvation attack; attacker sends TCP/IP setting to the user after knocking him/her out from the genuine DHCP server.

tftpd32

Enable port security to defend against DHCP starvation attack.
- Configuring MAC limit on switch's edge ports drops the packets from further MACs once the limit is reached.
Enable DHCP snooping that allows switch to accept DHCP transaction coming only from a trusted port.

Q1) How do you defend against DHCP Starvation attack?