Subject: Re: Possible DHCP DOS attack
From: Eric Hacker (hacker at VUDU.NET)
Date: Thu Feb 03 2000 - 09:50:47 CST
- Next message: Blue Boar: "Re: Possible DHCP DOS attack"
- Previous message: Andrew Brown: "Re: distributed.net and seti@home"
- In reply to: Paul Keefer: "Possible DHCP DOS attack"
- Next in thread: Blue Boar: "Re: Possible DHCP DOS attack"
- Reply: Eric Hacker: "Re: Possible DHCP DOS attack"
Paul,
I don't think you've missed anything DHCP related. It does have
that weakness, but that is not something that too many folks are
going to be worried about. At my last job the network architect
was so miserable at planning that DHCP pools would regularly run dry
because too many legitimate clients were on the subnet. But let's
look at the specifics:
DHCP leases are allocated in pools to specific subnets. One can
only get a lease on the subnet they are already on, since the
router forwarding the request is going to identify the subnet the
request is from (or something like that, I'm not referring to any
of my technical docs at this point). If an attacker is already on
the subnet and wants to cause some denial of service problems
there are lots of other ways to do even more damage easily. One
could simply ARP for the gateway, create broadcast storms etc. to
cause mayhem.
If there are remote ways to tie up DHCP leases, I would certainly
be interested in hearing about them. Like I said, I didn't dig up
the technical material to look for such possibilities.
If anyone has any other ideas and wants to make me get up off my
lazy ass and read some documentation, please feel free to comment.
«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»
Eric Hacker, MCSE, CCSE
hacker at vudu.net
Hacker is my real name. Please, no flames, no props...
Just deal with it.
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV at SECURITYFOCUS.COM] On Behalf Of Paul Keefer
Sent: Wednesday, February 02, 2000 4:20 PM
To: VULN-DEV at SECURITYFOCUS.COM
Subject: Possible DHCP DOS attack
I hope this is the right forum for this.
I was contemplating DHCP and how many large organizations
rely on it today, and I had a vision so to speak. What if
someone were to use up all of the available leases? That
would essentially prevent anyone else from obtaining an
address. That got me thinking to how easy it would be to
very quickly eat up all the addresses on a server.
It seems like it would be trivial to use a linux box to use
proxy arping to send out a large number of DHCP requests
until the server has no more to give out.
This of course assumes that the network is not using
switches that prevent multiple MACs per port, and that the
DHCP servers are not configured to give IPs out only to
specific MACs or something like that.
One thing that would make this particularly insidious is
that the entire attack would take only moments, and would
last until the DHCP database was purged or the leases timed
out.
Has this already been addressed? Am I missing something
fundamental about DHCP?
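The pool-exhaustion attack Paul describes above, together with the two defences he mentions (a switch that limits source MACs per port, and a server that only leases to known MACs), as an added example that is not part of either posting. The DHCPDISCOVER layout follows RFC 2131; everything else (the 192.0.2.0/24 pool, the MAC addresses, the AccessPort and LeasePool classes, the starve() loop) is a constructed simulation of a server and an access switch, not real DHCP or switch code, so it runs offline without touching a network. The giaddr field is included because, as Eric notes above, a relay fills it in and the server uses it to pick the pool for the subnet the request came from.

```python
"""Simulation of DHCP pool exhaustion ("starvation") and two defences.
Added example, not code from the vuln-dev thread.  Packet layout per
RFC 2131; pool/switch classes and all addresses are constructed."""
import random
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 options magic cookie
DHCPDISCOVER = 1                            # option 53 message type value


def build_discover(chaddr: bytes, xid: int, giaddr: bytes = b"\0" * 4) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST over Ethernet, broadcast flag set.
    chaddr is the 6-byte client hardware address (the attacker spoofs this);
    giaddr is zero from a client and set by a relay agent on the way."""
    if len(chaddr) != 6:
        raise ValueError("chaddr must be a 6-byte Ethernet address")
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # transaction id, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"),    # chaddr padded to 16 bytes
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    options = DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER, 255])   # type, then end
    return header + options


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fields a server needs to decide whether to answer."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                           # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "giaddr": f[10],
            "chaddr": f[11][:f[2]],               # hlen bytes of the 16-byte field
            "msg_type": opts[53][0] if 53 in opts else None}


class AccessPort:
    """Switch port security (constructed): forward frames only from the first
    max_macs source addresses seen on the port; None means no limit."""
    def __init__(self, max_macs=None):
        self.max_macs, self.seen = max_macs, set()

    def forwards(self, src_mac: bytes) -> bool:
        if src_mac not in self.seen:
            if self.max_macs is not None and len(self.seen) >= self.max_macs:
                return False                      # extra MAC on the port: dropped
            self.seen.add(src_mac)
        return True


class LeasePool:
    """One subnet's pool (constructed); optionally leases only to known MACs."""
    def __init__(self, addresses, known_macs=None):
        self.free = list(addresses)
        self.leases = {}                          # chaddr -> offered address
        self.known_macs = known_macs

    def offer(self, pkt: bytes):
        msg = parse_dhcp(pkt)
        if msg["op"] != 1 or msg["msg_type"] != DHCPDISCOVER:
            return None
        mac = msg["chaddr"]
        if self.known_macs is not None and mac not in self.known_macs:
            return None                           # static MAC binding refuses unknowns
        if mac in self.leases:
            return self.leases[mac]               # same client gets its old address
        if not self.free:
            return None                           # pool exhausted: the DoS
        self.leases[mac] = self.free.pop(0)
        return self.leases[mac]


def starve(pool: LeasePool, port: AccessPort, attempts: int, seed: int = 1) -> int:
    """Attacker on the subnet sends one DISCOVER per random chaddr through
    one switch port.  Returns how many addresses the attacker tied up."""
    rng = random.Random(seed)                     # seeded so runs are repeatable
    got = 0
    for xid in range(attempts):
        mac = bytes([0x02] + [rng.randrange(256) for _ in range(5)])  # locally administered
        if port.forwards(mac) and pool.offer(build_discover(mac, xid)) is not None:
            got += 1
    return got


SUBNET = [f"192.0.2.{h}" for h in range(10, 60)]   # constructed pool of 50 addresses
LEGIT = b"\x00\x11\x22\x33\x44\x55"                 # constructed legitimate client MAC


def demo() -> dict:
    """Three runs: undefended, port security (1 MAC per port), MAC allow-list.
    After each attack a legitimate client on its own port asks for a lease."""
    results = {}
    pool = LeasePool(SUBNET)
    results["undefended"] = starve(pool, AccessPort(), 200)
    results["legit_after_undefended"] = pool.offer(build_discover(LEGIT, 999))
    pool = LeasePool(SUBNET)
    results["port_security"] = starve(pool, AccessPort(max_macs=1), 200)
    results["legit_after_port_security"] = pool.offer(build_discover(LEGIT, 999))
    pool = LeasePool(SUBNET, known_macs={LEGIT})
    results["allowlist"] = starve(pool, AccessPort(), 200)
    results["legit_after_allowlist"] = pool.offer(build_discover(LEGIT, 999))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

In the undefended run the attacker drains all 50 addresses in 50 requests and the legitimate client gets nothing, which is the "moments to execute, lasts until the leases expire" property of the attack. Limiting a port to one source MAC caps the attacker at a single lease, and a MAC allow-list on the server gives the attacker none; note that port security is a switch-side control that works without the server knowing anything, while the allow-list costs the administrative overhead of registering every host.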