In this article, we explain and detail DHCP attacks. We explain the basic functionality of the DHCP protocol in our article How does DHCP work?
In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to consume all available IP addresses that the DHCP server can allocate. After these IP addresses are allocated, the server cannot allocate any more addresses and this situation leads to a Denial of Service (DoS) attack as new clients cannot gain network access.
The attacker sends a series of DHCP DISCOVER requests. In order to get a new IP address from the DHCP server with each DISCOVER, the MAC address and the transaction ID are changed with each request. When the server responds to these requests with a DHCP OFFER, an IP is temporarily reserved for the client. For this, no DHCP REQUEST has to be made by the requesting client. Another client can no longer get this IP address. However, the reservation of the IP address after a DHCP OFFER only lasts for a short time. The DHCP lease is not fully reserved until the DHCP handshake has been completed.
This method, however, requires DHCP DISCOVER packets to be sent continuously. There is also the option to complete the DHCP handshake for each lease, which reserves the IP addresses for an entire lease period. However, implementing this attack requires more effort than simply "spamming" DHCP DISCOVER packets.
The denial-of-service attack on a DHCP server is mostly used so that the attacker's own rogue DHCP server can be used in the network, since the "first come, first served" principle applies here.
A successful DHCP Starvation Attack depends on the size of the DHCP pool. Depending on the size, it is possible to "reserve" all available addresses of the DHCP server for a short time.
Depending on how much time there is between DHCP DISCOVER packets, it is possible that a DHCP server will not answer all DISCOVER packets. Here it is advisable to experiment with a delay between the transmitted packets.
Yersinia is particularly well suited to DHCP servers that have a high load capacity and respond even to requests sent in rapid succession. However, it offers no way to adjust the sending speed. Wireshark should be used to check whether the DHCP server is still responding with DHCP OFFERs.
1. yersinia -G
2. Click "Launch attack".
3. Click "DHCP".
4. Tick "sending DISCOVER packet".
5. Click "OK".
6. Click "Exit" to stop the attack.
Port security can be activated on switch ports to protect against DHCP starvation attacks. It limits each port to one or a defined number of MAC addresses. This prevents a client from assigning itself multiple MAC addresses in order to send fake DHCP DISCOVER requests.
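The per-port MAC limit described above can also be applied as a detection rule over DHCP traffic records. The following is an added example, not code from the original article: the event tuples, port names, thresholds and the function name `starvation_suspects` are assumptions, and the events are taken to come from access ports without a DHCP relay. It flags ports that send DISCOVERs for more client MACs than allowed within a time window, and DISCOVERs whose DHCP client hardware address (chaddr) differs from the frame's source MAC.

```python
from collections import defaultdict, deque

# Constructed sample: (time_s, switch_port, frame_src_mac, dhcp_chaddr, msg_type)
EVENTS = [
    (0.0, "Gi0/1", "aa:00:00:00:00:01", "aa:00:00:00:00:01", "DISCOVER"),
    (0.5, "Gi0/1", "aa:00:00:00:00:01", "aa:00:00:00:00:01", "REQUEST"),
    (40.0, "Gi0/1", "aa:00:00:00:00:01", "aa:00:00:00:00:01", "DISCOVER"),
]
# Gi0/7: five DISCOVERs in 2 s, a new MAC in both frame and chaddr each time.
EVENTS += [(1.0 + i * 0.5, "Gi0/7", f"02:00:00:00:07:{i:02x}",
            f"02:00:00:00:07:{i:02x}", "DISCOVER") for i in range(5)]
# Gi0/9: one frame source MAC, but chaddr changes with every DISCOVER.
EVENTS += [(5.0 + i * 0.5, "Gi0/9", "aa:00:00:00:00:09",
            f"02:00:00:00:09:{i:02x}", "DISCOVER") for i in range(5)]


def starvation_suspects(events, window_s=10.0, max_macs=3):
    """Return {port: set of reasons} for ports with starvation-like DISCOVERs."""
    recent = defaultdict(deque)  # port -> (time, chaddr) inside the window
    suspects = {}
    for ts, port, frame_src, chaddr, msg in sorted(events):
        if msg != "DISCOVER":
            continue
        window = recent[port]
        window.append((ts, chaddr))
        while ts - window[0][0] > window_s:  # expire old DISCOVERs
            window.popleft()
        if len({mac for _, mac in window}) > max_macs:
            suspects.setdefault(port, set()).add("many-client-macs")
        if frame_src != chaddr:
            suspects.setdefault(port, set()).add("chaddr-mismatch")
    return suspects


if __name__ == "__main__":
    for port, reasons in sorted(starvation_suspects(EVENTS).items()):
        print(port, sorted(reasons))
```
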
In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to provide DHCP addresses to clients. The usual reason for this attack is to force the clients to use fake Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to trick the clients into using the attacker, or a machine under the attacker's control, as the default gateway.
DHCP starvation attacks are often performed before a DHCP spoofing attack to disable the legitimate DHCP server, making it easier to inject a rogue DHCP server onto the network.
Metasploit
By default, Metasploit has a module for setting up a DHCP server. Among other things, this can be used to pass on a number of parameters to clients, which can be used for a man-in-the-middle attack. The most effective approach is for the server to present itself to the client as the gateway, so that all network traffic can be recorded.
1. ifconfig eth0:1
2. echo 1 > /proc/sys/net/ipv4/ip_forward
3. ifconfig eth0:1 192.168.1.11 netmask 255.255.255.0
4. route add default gw 192.168.137.1 eth0:1 (control via 'route -n')
5. msfconsole -q -x 'use auxiliary/server/dhcp'
6. Adjust the config as you like (see options)
7. Example config:
> set srvhost 192.168.13.37 (IP address of the DHCP server)
> set netmask 255.255.255.0 (subnet mask)
> set router 192.168.13.1 (default gateway of the DHCP lease)
> set dnsserver 1.1.1.1 (DNS server of the DHCP lease)
One of the most effective solutions to prevent DHCP spoofing is DHCP snooping. It is a security feature on layer 2 (data link) of the OSI model. The function can be implemented in the switch that connects the clients to the DHCP servers. Simply put, it first examines all DHCP messages passing through the switch. Only approved packets from trusted servers are allowed through to the clients.
A useful side effect of DHCP snooping is that not only an attacker with a rogue DHCP server will be unsuccessful, but any other device that acts as a DHCP server is also "locked out". A third-party router that is brought into the network by an employee can no longer assign IP addresses.
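The filtering rule behind DHCP snooping can be modelled in a few lines. This is an added example, not code from the original article or from any switch vendor: the message dictionaries, port names, addresses and the function name `snoop` are constructed assumptions. Server messages (OFFER, ACK, NAK) are forwarded only when they arrive on a trusted port, and each ACK that passes is recorded as a binding of client MAC to leased IP and client port.

```python
SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

# Constructed sample traffic as seen by the switch, in arrival order.
# Gi0/24 is the uplink to the legitimate server; Gi0/2 and Gi0/5 are access ports.
MESSAGES = [
    {"port": "Gi0/2", "type": "DISCOVER", "mac": "aa:00:00:00:00:02"},
    {"port": "Gi0/5", "type": "OFFER", "mac": "aa:00:00:00:00:02",
     "ip": "192.0.2.200", "router": "192.0.2.66"},  # server on an access port
    {"port": "Gi0/24", "type": "OFFER", "mac": "aa:00:00:00:00:02",
     "ip": "192.0.2.50", "router": "192.0.2.1"},
    {"port": "Gi0/2", "type": "REQUEST", "mac": "aa:00:00:00:00:02"},
    {"port": "Gi0/24", "type": "ACK", "mac": "aa:00:00:00:00:02",
     "ip": "192.0.2.50", "router": "192.0.2.1"},
]


def snoop(messages, trusted_ports):
    """Return (forwarded, dropped, bindings) after applying the snooping rule."""
    forwarded, dropped = [], []
    client_port = {}  # client MAC -> access port it was last seen on
    bindings = {}     # client MAC -> (leased IP, access port)
    for msg in messages:
        is_server_msg = msg["type"] in SERVER_TYPES
        if is_server_msg and msg["port"] not in trusted_ports:
            dropped.append(msg)  # server message from an untrusted port
            continue
        forwarded.append(msg)
        if not is_server_msg:
            client_port[msg["mac"]] = msg["port"]
        elif msg["type"] == "ACK" and msg["mac"] in client_port:
            bindings[msg["mac"]] = (msg["ip"], client_port[msg["mac"]])
    return forwarded, dropped, bindings


if __name__ == "__main__":
    fwd, drop, table = snoop(MESSAGES, trusted_ports={"Gi0/24"})
    for msg in drop:
        print("dropped", msg["type"], "from untrusted port", msg["port"])
    print("bindings:", table)
```
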