Vulnerability Development mailing list archives
Re: Possible DHCP DOS attack
From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Fri, 4 Feb 2000 00:08:06 -0600
I've encountered something like this. The machines that were going out to customers were plugged in to make sure they worked; with a lot of computers going through the shop the dhcp server ran out of leases. It merely said 'out of leases' and refused to pass any new ones out.

Redhat 6.1
[root@fw /root]# dhcpd --version
Internet Software Consortium DHCP Server
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.

On Thu, 3 Feb 2000, C.J. Oster wrote:
To my understanding, dhcpd will ping the oldest lease(s) when it runs out to find a free one. I'm not exactly sure about this though, and any insight would be appreciated.

-CJO-

On Wed, 2 Feb 2000, Paul Keefer wrote:

I hope this is the right forum for this. I was contemplating DHCP and how many large organizations rely on it today, and I had a vision so to speak. What if someone were to use up all of the available leases? That would essentially prevent anyone else from obtaining an address.

That got me thinking to how easy it would be to very quickly eat up all the addresses on a server. It seems like it would be trivial to use a linux box to use proxy arping to send out a large number of DHCP requests until the server has no more to give out. This of course assumes that the network is not using switches that prevent multiple MACs per port, and that the DHCP servers are not configured to give IPs out only to specific MACs or something like that.

One thing that would make this particularly insidious is that the entire attack would take only moments, and would last until the DHCP database was purged or the leases timed out.

Has this already been addressed? Am I missing something fundamental about DHCP?

C.J. Oster (Linux Guru/Surge Addict) cjo () pobox com
----------------------------------------------------------------------
Network Security Manager Unix System Administrator For BHNet, Bromley Hall WSG, CCSO, UIUC Hoover and Associates oster () uiuc edu security () bromleygroup com (217)265-8427
----------------------------------------------------------------------
PGP: 87D5 4216 43A1 42D6 754D 8F5E 24B3 992A B7A1 F556
Tuition: n. The way you screw your self out of something you really want, need, like, or enjoy to learn a simple lesson.
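A defender-side check for the lease exhaustion discussed in this thread, as an added example that is not part of any poster's message: it scans dhcpd syslog lines for a burst of distinct MAC addresses inside a short window and for the server reporting that it has no free leases. The log line shape, the thresholds, the subnet and the sample lines are constructed assumptions modelled on ISC dhcpd output.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on ISC dhcpd syslog output; adjust to your logs.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ dhcpd: DHCPDISCOVER from "
                  r"([0-9a-f:]{17}) via (\S+?)(:.*no free leases)?$")

def find_starvation(lines, window=timedelta(seconds=60), max_macs=20, year=2000):
    """Return (timestamp, kind, detail) alerts for MAC bursts and pool exhaustion."""
    recent = deque()                  # (timestamp, mac) of DISCOVERs in the window
    alerts, bursting, exhausted = [], False, False
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        recent.append((ts, m.group(2)))
        while ts - recent[0][0] > window:      # drop entries older than the window
            recent.popleft()
        distinct = len({mac for _, mac in recent})
        if distinct > max_macs and not bursting:   # alert once per burst episode
            alerts.append((ts, "burst", f"{distinct} MACs via {m.group(3)}"))
        bursting = distinct > max_macs
        if m.group(4) and not exhausted:           # first "no free leases" only
            alerts.append((ts, "exhausted", "server reports no free leases"))
            exhausted = True
    return alerts

def constructed_sample():
    """Constructed log: two ordinary clients, then 30 distinct MACs in 30 seconds."""
    fmt = "Feb  3 10:{:02d}:{:02d} fw dhcpd: DHCPDISCOVER from {} via eth1{}"
    lines = [fmt.format(0, 5, "00:a0:c9:11:22:33", ""),
             fmt.format(3, 40, "00:10:4b:aa:bb:cc", "")]
    for i in range(30):
        tail = ": network 192.168.1.0/24: no free leases" if i >= 25 else ""
        lines.append(fmt.format(10, i, f"02:00:00:00:00:{i:02x}", tail))
    return lines

if __name__ == "__main__":
    for ts, kind, detail in find_starvation(constructed_sample()):
        print(ts, kind, detail)
```

The burst threshold has to sit above the busiest legitimate moment on the segment, such as the shop-floor case described above where many new machines are plugged in at once.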