7.3 DHCP Attacks
How DHCP Works
- DHCP servers maintain TCP/IP configuration information in a database, such as valid TCP/IP configuration parameters, valid IP addresses, and the duration of the lease offered by the server.
- The server provides address configurations to DHCP-enabled clients in the form of a lease offer.
- The client broadcasts a DHCPDISCOVER/SOLICIT request asking for DHCP configuration information.
- The DHCP relay agent captures the client request and unicasts it to the DHCP servers available in the network.
- The DHCP server unicasts a DHCPOFFER/ADVERTISE, which contains the client's and the server's MAC addresses.
- The relay agent broadcasts the DHCPOFFER/ADVERTISE in the client's subnet.
- The client broadcasts a DHCPREQUEST/REQUEST asking the DHCP server to provide the DHCP configuration information.
- The DHCP server sends a unicast DHCPACK/REPLY message to the client with the IP configuration and related information.
DHCP Request/Reply Messages
| DHCPv4 Message | DHCPv6 Message | Description |
|---|---|---|
| DHCPDiscover | Solicit | Client broadcast to locate available DHCP servers |
| DHCPOffer | Advertise | Server to client in response to DHCPDISCOVER with an offer of configuration parameters |
| DHCPRequest | Request, Confirm, Renew, Rebind | Client message to servers either (a) requesting offered parameters, (b) confirming correctness of a previously allocated address, or (c) extending the lease period |
| DHCPAck | Reply | Server to client with configuration parameters, including the committed network address |
| DHCPRelease | Release | Client to server relinquishing the network address and canceling the remaining lease |
| DHCPDecline | Decline | Client to server indicating the network address is already in use |
| N/A | Reconfigure | Server tells the client that it has new or updated configuration settings. The client then sends either a Renew/Reply or an Information-request/Reply transaction to get the updated information |
| DHCPInform | Information-request | Client to server, asking only for local configuration parameters; the client already has an externally configured network address |
| N/A | Relay-Forward | A relay agent sends a Relay-forward message to relay messages to servers, either directly or through another relay agent |
| N/A | Relay-Reply | A server sends a Relay-reply message to a relay agent containing a message that the relay agent delivers to a client |
| DHCPNAK | N/A | Server to client indicating the client's notion of its network address is incorrect (e.g., the client has moved to a new subnet) or the client's lease has expired |
IPv4 DHCP Packet Format
DHCP Starvation Attack
- This is a denial-of-service (DoS) attack on DHCP servers in which the attacker broadcasts forged DHCP requests and tries to lease all of the addresses available in the DHCP scope.
- As a result, legitimate users are unable to obtain or renew an IP address via DHCP and lose network access.
Tool: Gobbler
DHCP Starvation Attack Tools
- Dhcpstarv:
  - dhcpstarv implements a DHCP starvation attack. It requests DHCP leases on the specified interface, saves them, and renews them on a regular basis.
- Yersinia:
  - Yersinia is a network tool designed to take advantage of weaknesses in different network protocols.
  - It is intended as a solid framework for analyzing and testing deployed networks and systems.
dhcpstarv -i eth0
Rogue DHCP Server Attack
- The attacker sets up a rogue DHCP server in the network and responds to DHCP requests with bogus IP addresses; this results in compromised network access.
- This attack works in conjunction with the DHCP starvation attack: after the genuine DHCP server has been exhausted, the attacker's server supplies TCP/IP settings to the user.
tftpd32
How to Defend Against DHCP Starvation and Rogue Server Attack
- Enable port security to defend against the DHCP starvation attack.
- Configuring a MAC limit on the switch's edge ports drops packets from additional MAC addresses once the limit is reached.
- Enable DHCP snooping, which allows the switch to accept DHCP server messages only from trusted ports.
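An added example (not from these notes or from any tool named here) that models the two switch-side defenses above as an offline detector: the DHCP snooping rule (server replies are legitimate only on trusted ports) and the port-security MAC limit (too many distinct client MACs requesting leases on one edge port). Port names, MAC addresses, IP addresses and thresholds are constructed assumptions.

```python
"""Offline model of DHCP snooping trust and a per-port MAC limit, run over constructed events."""
from collections import defaultdict

# Constructed sample events, not a real capture:
# (seconds, switch port, client MAC, DHCP message type, server IP or None)
SAMPLE_EVENTS = [
    (0.0, "Gi0/1",  "00:11:22:33:44:01", "DISCOVER", None),
    (0.5, "Gi0/24", "00:11:22:33:44:01", "OFFER",    "10.0.0.1"),   # genuine server via uplink
    (1.0, "Gi0/1",  "00:11:22:33:44:01", "REQUEST",  None),
    (1.5, "Gi0/24", "00:11:22:33:44:01", "ACK",      "10.0.0.1"),
    (2.0, "Gi0/7",  "de:ad:be:ef:00:01", "DISCOVER", None),         # burst of DISCOVERs
    (2.1, "Gi0/7",  "de:ad:be:ef:00:02", "DISCOVER", None),         # with different source
    (2.2, "Gi0/7",  "de:ad:be:ef:00:03", "DISCOVER", None),         # MACs on a single
    (2.3, "Gi0/7",  "de:ad:be:ef:00:04", "DISCOVER", None),         # edge port
    (3.0, "Gi0/9",  "00:11:22:33:44:05", "DISCOVER", None),
    (3.2, "Gi0/7",  "00:11:22:33:44:05", "OFFER",    "10.0.0.99"),  # server reply from an edge port
]

TRUSTED_PORTS = {"Gi0/24"}   # only the uplink towards the real DHCP server is trusted (assumed)
MAC_LIMIT = 2                # port-security maximum: distinct client MACs per edge port (assumed)
WINDOW = 5.0                 # seconds over which DISCOVERs on a port are counted (assumed)
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def detect(events, trusted_ports=TRUSTED_PORTS, mac_limit=MAC_LIMIT, window=WINDOW):
    """Return alerts as (kind, port, detail) tuples, at most one per kind and port."""
    alerts, seen = [], set()
    discovers = defaultdict(list)  # port -> [(time, client_mac), ...] within the window
    for t, port, mac, msg, server in events:
        # DHCP snooping rule: server-originated messages are legitimate only on trusted ports
        if msg in SERVER_MESSAGES and port not in trusted_ports:
            if ("rogue_server", port) not in seen:
                seen.add(("rogue_server", port))
                alerts.append(("rogue_server", port, server))
        # MAC-limit rule: more distinct client MACs than allowed requesting leases on one edge port
        if msg == "DISCOVER" and port not in trusted_ports:
            recent = [(rt, rm) for rt, rm in discovers[port] if t - rt <= window]
            recent.append((t, mac))
            discovers[port] = recent
            distinct = len({m for _, m in recent})
            if distinct > mac_limit and ("starvation", port) not in seen:
                seen.add(("starvation", port))
                alerts.append(("starvation", port, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample events the detector flags Gi0/7 twice: once when the third distinct MAC sends a DISCOVER inside the window, and once when an OFFER arrives on that untrusted edge port.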
Q1) How do you defend against DHCP Starvation attack?
- Enable ARP-Block on the switch
- Enable DHCP snooping on the switch
- Configure DHCP-BLOCK to 1 on the switch
- Install DHCP filters on the switch to block this attack