7.3 DHCP Attacks

How DHCP Works

  • DHCP servers maintain TCP/IP configuration information in a database such as valid TCP/IP configuration parameters, valid IP addresses, and duration of the lease offered by the server.
  • It provides address configurations to DHCP-enabled clients in the form of a lease offer.
  1. Client broadcasts DHCPDISCOVER/SOLICIT request asking for DHCP Configuration Information.
  2. DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network.
  3. DHCP server unicasts DHCPOFFER/ADVERTISE, which contains client and server's MAC address.
  4. Relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet.
  5. Client broadcasts DHCPREQUEST/REQUEST asking DHCP server to provide the DHCP configuration information.
  6. DHCP server sends unicast DHCPACK/REPLY message to the client with the IP config and information.

DHCP Request/Reply Messages

DHCPv4 Message DHCPv6 Message Description
DHCPDiscover Solicit Client broadcast to locate available DHCP servers
DHCPOffer Advertise Server to client in response to DHCPDISCOVER with offer of configuration parameters
DHCPRequest Request, Confirm, Renew, Rebind Client message to servers either (a) Requesting offered parameters, (b) Confirming correctness of previously allocated address, or (c) Extending the lease period
DHCPAck Relay Server to client with configuration parameters, including committed network address
DHCPRelease Release Client to server relinquishing network address and canceling remaining lease
DHCPDecline Decline Client to server indicating network address is already in use
N/A Reconfigure Server tells the client that it has new or updated configuration settings. The client then sends either a renew/reply or Information-request/Reply transaction to get the updated information
DHCPInform Information Request Client to server, asking only for local configuration parameters; client already has externally configured network address
N/A Relay-Forward A relay agent sends a relay-forward message to relay messages to servers, either directly or through another relay agent
N/A Relay-Reply A server sends a relay-reply message to a relay agent containing a message that the relay agent delivers to a client
DHCPNAK N/A Server to client indicating client's notion of network address is incorrect (e.g., Client has moved to new subnet) or client's lease as expired

IPv4 DHCP Packet Format

DHCP Starvation Attack

  • This is a denial-of-service (DoS) attack on the DHCP servers where attacker broadcasts forged DHCP requests and tries to lease all of the DHCP addresses available in the DHCP scope.
  • As a result legitimate user is unable to obtain or renew an IP address requested via DHCP, failing access to the network access.

Tool: Gobbler

DHCP Starvation Attack Tools

  • Dhcpstarv:
    • dhcpstarv implements DHCP starvation attack. It requests DHCP leases on specified interface, saves them, and renews on regular basis.
  • Yersinia:
    • Yersinia is a network tool designed to take advantage of some weakness in different network protocols.
    • It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

dhcpstarv -i eth0

Rogue DHCP Server Attack

  • Attacker sets rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses; this results in compromised network access.
  • This attack works in conjunction with the DHCP Starvation attack; attacker sends TCP/IP setting to the user after knocking him/her out from the genuine DHCP server.

tftpd32

How to Defend Against DHCP Starvation and Rogue Server Attack

  • Enable port security to defend against DHCP starvation attack.
    • Configuring MAC limit on switch's edge ports drops the packets from further MACs once the limit is reached.
  • Enable DHCP snooping that allows switch to accept DHCP transaction coming only from a trusted port.

Q1) How do you defend against DHCP Starvation attack?

  1. Enable ARP-Block on the switch
  2. Enable DHCP snooping on the switch
  3. Configure DHCP-BLOCK to 1 on the switch
  4. Install DHCP filters on the switch to block this attack

results matching ""

    No results matching ""