DHCP Starvation

From Hakipedia

Figure: DHCP Starvation Attack

DHCP Starvation is an attack that works by broadcasting vast numbers of DHCP requests with spoofed MAC addresses simultaneously.


Severity

Low.

Exploit Likeliness

Moderate.

Description

This type of attack can easily be achieved with tools such as gobbler. If enough requests are flooded onto the network, the attacker can completely exhaust the address space allocated by the DHCP servers for an indefinite period of time. Clients of the victim network are then starved of the DHCP resource(s), so DHCP Starvation can be classified as a Denial of Service attack. The network attacker can then set up a Rogue DHCP Server on the network and perform man-in-the-middle attacks, or simply set their machine as the default gateway and sniff packets.

Exhausting all of the DHCP addresses may make a Rogue DHCP Server more effective, but it is not mandatory. As stated in RFC 2131:

"The client collects DHCPOFFER messages over a period of time, selects one DHCPOFFER message from the (possibly many) incoming DHCPOFFER messages (for example, the first DHCPOFFER message or the DHCPOFFER message from the previously used server) and extracts the server address from the `server identifier' option in the DHCPOFFER message. The time over which the client collects messages and the mechanism used to select one DHCPOFFER are implementation dependent."
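The traffic pattern described above (a burst of client DHCP messages carrying many distinct source MAC addresses on a single switch port) is also the signal a defender can alert on. The following Python script is an added example and not part of the original page: it runs two per-port heuristics over constructed sample records, assuming the records have already been extracted from DHCP snooping logs or a packet capture as (timestamp, port, MAC, message type) tuples.

```python
from collections import defaultdict

# Constructed sample records: (timestamp_seconds, switch_port, client_mac, message_type).
# Ports Gi1/0/1 and Gi1/0/2 show normal activity; Gi1/0/3 sees a burst of
# DHCPDISCOVERs from 40 distinct (spoofed) MAC addresses within one second.
SAMPLE_RECORDS = [
    (100.0, "Gi1/0/1", "00:11:22:33:44:01", "DHCPDISCOVER"),
    (100.5, "Gi1/0/1", "00:11:22:33:44:01", "DHCPREQUEST"),
    (101.0, "Gi1/0/2", "00:11:22:33:44:02", "DHCPDISCOVER"),
] + [
    (102.0 + i * 0.01, "Gi1/0/3", f"de:ad:be:ef:00:{i:02x}", "DHCPDISCOVER")
    for i in range(40)
]


def detect_starvation(records, window=1.0, max_macs_per_window=5, max_pps=15):
    """Return {port: reason} for ports whose DHCP client traffic looks like starvation.

    Two per-port heuristics, checked over a sliding window of `window` seconds:
      * more than `max_macs_per_window` distinct client MACs (a legitimate access
        port carries one host, or a handful behind an unmanaged switch);
      * more than `max_pps` client messages per second (the same idea as the
        per-port DHCP snooping rate limit in the mitigation section).
    """
    by_port = defaultdict(list)
    for ts, port, mac, mtype in records:
        if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):  # client-originated only
            by_port[port].append((ts, mac))
    flagged = {}
    for port, events in by_port.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            macs = {mac for _, mac in in_window}
            if len(macs) > max_macs_per_window:
                flagged[port] = f"{len(macs)} distinct client MACs in {window}s"
                break
            if len(in_window) > max_pps * window:
                flagged[port] = f"{len(in_window)} DHCP client messages in {window}s"
                break
    return flagged


if __name__ == "__main__":
    for port, reason in detect_starvation(SAMPLE_RECORDS).items():
        print(f"{port}: possible DHCP starvation ({reason})")
```

The thresholds are assumptions for illustration; tune them to the number of hosts a port legitimately serves.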

Attack Vector

Figure: Yersinia DHCP Starvation Attack

Yersinia is a GNU/Linux framework that takes advantage of some of the weaknesses in different network protocols. It can be used for analyzing and testing deployed networks and systems. To use Yersinia for a DHCP Starvation Attack, the following steps may be followed:

  1. Start Yersinia from the command line by typing: yersinia -I
  2. Select the NIC you wish to use by pressing "i".
  3. Load DHCP mode by pressing the "g" key, then select DHCP mode.
    1. Press the "x" key to open the attacks menu.
    2. Press "1" to start the attack.

Mitigation

Cisco Catalyst switches can eradicate DHCP Starvation attacks using DHCP Snooping.

Cisco IOS Mitigation

To enable DHCP Snooping on a Cisco IOS switch, follow these steps:

switch(config)# ip dhcp snooping
!Enables DHCP Snooping globally!
switch(config)# ip dhcp snooping vlan <vlan_id> {,<vlan_id>}
!Enables DHCP Snooping for specific VLANs!
switch(config-if)# ip dhcp snooping trust
!Sets the interface to trusted state so it can pass DHCP replies; apply only to the port facing the legitimate DHCP server!
switch(config-if)# ip dhcp snooping limit rate <rate>
!Sets the DHCP packet rate limit (packets per second) for an untrusted interface!

Cisco CatOS Mitigation

To mitigate DHCP Starvation attacks with port security on CatOS, use the following (port security caps the number of MAC addresses learned on the port, so a flood of requests with spoofed source MACs triggers a violation):

set port security 5/1 enable
set port security 5/1 port max 1
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity
