DHCP Starvation Attack

Introduction to DHCP attacks

In this article, we explain and detail DHCP attacks. We explain the basic functionality of the DHCP protocol in our article How does DHCP work?

What is a DHCP Starvation Attack?

In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to consume all available IP addresses that the DHCP server can allocate. Once these IP addresses are allocated, the server cannot allocate any more, which results in a Denial of Service (DoS) because new clients cannot gain network access.

The attacker sends a series of DHCP DISCOVER requests. In order to get a new IP address from the DHCP server with each DISCOVER, the MAC address and the transaction ID are changed with each request. When the server responds to these requests with a DHCP OFFER, an IP is temporarily reserved for the client. For this, no DHCP REQUEST has to be made by the requesting client. Another client can no longer get this IP address. However, the reservation of the IP address after a DHCP OFFER only lasts for a short time. The DHCP lease is not fully reserved until the DHCP handshake has been completed.

This method, however, requires DHCP DISCOVER packets to be sent continuously. There is also the option to complete the DHCP handshake for each lease, which reserves the IP addresses for an entire lease period. However, implementing this attack requires more effort than simply "spamming" DHCP DISCOVER packets.

The Denial of Service attack on a DHCP server is mostly used to make room for a rogue DHCP server in the network, since the "first come, first served" principle applies here.

How do I perform a DHCP Starvation Attack?

A successful DHCP Starvation Attack depends on the size of the DHCP pool. Depending on the size, it is possible to "reserve" all available addresses of the DHCP server for a short time.

Depending on how much time there is between DHCP DISCOVER packets, it is possible that a DHCP server will not answer all DISCOVER packets. Here it is advisable to experiment with a delay between the transmitted packets.

Yersinia: the tool for DHCP attacks

Yersinia is particularly well suited for DHCP servers which have a high load capacity and also respond to requests sent particularly quickly. However, there is no way to adjust the speed here. Wireshark should be used to check whether the DHCP server is still responding with DHCP OFFERs.

1. yersinia -G 

2. Click "Launch attack".

3. Click "DHCP".

4. Tick "sending DISCOVER packet".

5. Click "OK".

6. Click "Exit" to stop the attack.

How to Prevent a DHCP Starvation Attack?

Port security can be activated on switch ports to protect against DHCP starvation attacks. It limits each port to one or a defined number of MAC addresses. This prevents a client from assigning itself multiple MAC addresses in order to send fake DHCP DISCOVER requests.
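The same per-port MAC limit can be applied as a detection check on DHCP logs. The following is an added example, not part of the original article; the event format, the port names, the limit of two MACs and the 10-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events (not real traffic):
# (time in seconds, switch port, client MAC from the DISCOVER, transaction ID)
SAMPLE_DISCOVERS = [
    # One client retransmitting its DISCOVER: same MAC, same port.
    (0.0, "Gi0/1", "aa:bb:cc:00:00:01", 0x1111),
    (4.0, "Gi0/1", "aa:bb:cc:00:00:01", 0x1111),
    # A docking station and the laptop behind it: two MACs on one port.
    (1.0, "Gi0/3", "aa:bb:cc:00:00:02", 0x2222),
    (2.0, "Gi0/3", "aa:bb:cc:00:00:03", 0x3333),
] + [
    # Starvation pattern: new MAC and new transaction ID with every request.
    (1.0 + i * 0.5, "Gi0/2", f"02:00:00:00:00:{i:02x}", 0x9000 + i)
    for i in range(6)
]


def starved_ports(events, max_macs=2, window=10.0):
    """Return {port: peak distinct-MAC count} for every port that showed more
    than max_macs distinct client MACs within `window` seconds."""
    recent = defaultdict(deque)  # port -> (time, mac) pairs inside the window
    flagged = {}
    for ts, port, mac, _xid in sorted(events):
        seen = recent[port]
        seen.append((ts, mac))
        while ts - seen[0][0] > window:  # age out entries older than the window
            seen.popleft()
        distinct = len({m for _, m in seen})
        if distinct > max_macs:
            flagged[port] = max(flagged.get(port, 0), distinct)
    return flagged


if __name__ == "__main__":
    for port, count in starved_ports(SAMPLE_DISCOVERS).items():
        print(f"{port}: {count} distinct client MACs in window, exceeds limit")
```

The window plays the role of an aging timer: a port that sees new devices slowly over the day is not flagged, while a burst of changing MACs on one port is.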

What is DHCP spoofing?

In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to provide DHCP addresses to clients. The usual reason for this attack is to force the clients to use fake Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to trick the clients into using the attacker, or a machine under the attacker's control, as the default gateway.

DHCP starvation attacks are often performed before a DHCP spoofing attack to disable the legitimate DHCP server, making it easier to inject a rogue DHCP server onto the network.

How do I set up a rogue DHCP server?

Metasploit

By default, Metasploit has a module for setting up a DHCP server. Among other things, this can be used to pass on a number of parameters to clients, which can be used for a man-in-the-middle attack. The most effective approach is to present the attacker's own machine to the client as the gateway. Thus, all network traffic can be recorded.

1. ifconfig eth0:1

2. echo 1 > /proc/sys/net/ipv4/ip_forward

3. ifconfig eth0:1 192.168.1.11 netmask 255.255.255.0

4. route add default gw 192.168.137.1 eth0:1 (verify with 'route -n')

5. msfconsole -q -x 'use auxiliary/server/dhcp'

6. Adjust the config as you like (see options).

7. Example config:

    > set srvhost 192.168.13.37 (IP address of the DHCP server)

    > set netmask 255.255.255.0 (subnet mask)

    > set router 192.168.13.1 (default gateway of the DHCP lease)

    > set dnsserver 1.1.1.1 (DNS server of the DHCP lease)

How to prevent DHCP spoofing?

One of the most effective solutions to prevent DHCP spoofing is DHCP snooping. It is a security feature on layer 2 (data link) of the OSI model. The function can be implemented in the switch that connects the clients to the DHCP servers. Simply put, the feature first examines all DHCP information passing through the switch. Only approved packets from trusted servers are allowed through to the clients.

A useful side effect of DHCP snooping is not only that an attacker with a rogue DHCP server will be unsuccessful, but also that any other device that provides the functionality of a DHCP server is "locked out". A third-party router that is brought into the network by an employee can no longer assign IP addresses.
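The forwarding decision described above can be modelled in a few lines. This is an added example, not part of the original article and not a vendor implementation; the class and function names, port names and addresses are assumptions, and the replayed exchange is constructed.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.last_client_port = {}  # client MAC -> port its requests came from
        self.bindings = {}          # client MAC -> (leased IP, client port)
        self.dropped = []           # (ingress port, message type)

    def handle(self, port, msg_type, client_mac, ip=None):
        """Return True if the message is forwarded, False if it is dropped."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                self.dropped.append((port, msg_type))
                return False
            if msg_type == "ACK" and client_mac in self.last_client_port:
                self.bindings[client_mac] = (ip, self.last_client_port[client_mac])
            return True
        # DISCOVER / REQUEST: client messages are accepted on any port.
        self.last_client_port[client_mac] = port
        return True


def run_sample():
    """Replay a constructed exchange: Gi0/24 is the uplink to the approved
    server, Gi0/7 is an access port with an unapproved DHCP server on it."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    mac = "aa:bb:cc:00:00:05"
    exchange = [
        ("Gi0/5", "DISCOVER", mac, None),
        ("Gi0/7", "OFFER", mac, "10.66.0.50"),     # unapproved server
        ("Gi0/24", "OFFER", mac, "192.168.1.50"),  # approved server
        ("Gi0/5", "REQUEST", mac, None),
        ("Gi0/7", "ACK", mac, "10.66.0.50"),
        ("Gi0/24", "ACK", mac, "192.168.1.50"),
    ]
    verdicts = [sw.handle(*msg) for msg in exchange]
    return verdicts, sw.bindings, sw.dropped


if __name__ == "__main__":
    print(run_sample())
```

The entries in `dropped` are the useful log signal: a server message arriving on an access port identifies where the unapproved DHCP server, or the employee's router, is plugged in.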
