Vulnerability Development mailing list archives
Re: Possible DHCP DOS attack
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Thu, 3 Feb 2000 21:20:07 -0800
> Has this already been addressed? Am I missing something fundamental about DHCP?

No, you're right. This type of DoS attack works fine. In fact, if you put up a Windows NT RAS server, and tell it to get its address pool from DHCP, it will happily grab as many DHCP addresses as you tell it. These are pretty easy to spot on the DHCP server, as the "MAC" addresses end up being I think three bytes longer than normal (the first bytes spell out "RAS").

As for protecting against such attacks... If someone is spoofing their layer 2 address, you'll have to catch that with your network gear, and quickly. Most equipment will only cache the MAC addresses for 15-30 minutes. Your DHCP server may not have much opportunity to protect itself directly. Many sites have DHCP servers set up across routers, so the DHCP server never gets to see the original MAC address.

BB
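An added example, not part of the original post: a lease-table audit that flags client identifiers longer than a 6-byte MAC that begin with ASCII "RAS", as the reply describes, and reports the peak number of leases started in a short window as a sign of pool exhaustion. The record layout, thresholds, function names and sample data are assumptions made for illustration.

```python
# Added example: audit DHCP lease records for the two signs discussed above.
# Record layout, thresholds and names are assumptions for illustration.

# Constructed sample data: (leased IP, client identifier in hex, lease start in seconds)
SAMPLE_LEASES = [
    ("10.0.0.10", "00a0c9112233", 1000),
    ("10.0.0.11", "524153aabbccddeeff", 1010),   # ASCII "RAS" + 6 more bytes
    ("10.0.0.12", "524153aabbccddee00", 1011),
    ("10.0.0.13", "0060972a4b5c", 4000),
    ("10.0.0.20", "020000000001", 20000),        # burst of never-seen addresses
    ("10.0.0.21", "020000000002", 20001),
    ("10.0.0.22", "020000000003", 20002),
    ("10.0.0.23", "020000000004", 20003),
    ("10.0.0.24", "020000000005", 20004),
]

MAC_LEN = 6  # bytes in an ordinary Ethernet hardware address


def is_ras_style(client_id_hex):
    """True if the identifier is longer than a MAC and starts with ASCII 'RAS'."""
    raw = bytes.fromhex(client_id_hex)
    return len(raw) > MAC_LEN and raw[:3] == b"RAS"


def peak_leases(leases, window):
    """Largest number of leases started within any `window`-second span."""
    times = sorted(start for _, _, start in leases)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def audit(leases, window=60, burst_threshold=4):
    """Summarise RAS-style identifiers and lease bursts in a lease table."""
    ras = [ip for ip, cid, _ in leases if is_ras_style(cid)]
    peak = peak_leases(leases, window)
    return {"ras_style": ras, "peak": peak, "burst": peak >= burst_threshold}


if __name__ == "__main__":
    print(audit(SAMPLE_LEASES))
```

The lease-rate check does not depend on the identifier format, so it still applies when the requests arrive through a relay.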