Re: Possible DHCP DOS attack

[Larry.Ogrodnek () DOWJONES COM (Ogrodnek, Larry)]

SOTO.  Please see RFC 2131.  This is being addressed in
part in the IETF draft "Authentication for DHCP Messages"
<draft-ietf-dhc-authentication-12.txt>.  These documents among others can be
found at http://www.dhcp.org.

One could also montitor their network for unusual dhcp
traffic (ala ids) as well as setup redundant dhcp servers.

Darin Davis has a perl script available that can be
used to exhaust ip addresses
(http://www.flash.net/~da_davis/code/gendhcp.p).  The script apparently
was designed to stress test his dhcp servers.

-l

-----Original Message-----
From: Paul Keefer [mailto:paul () KEEFER ORG]
Sent: Wednesday, February 02, 2000 4:20 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Possible DHCP DOS attack

I hope this is the right forum for this.

I was contemplating DHCP and how many large organizations
rely on it today, and I had a vision so to speak.  What if
someone were to use up all of the available leases?  That
would essentially prevent anyone else from obtaining an
address.  That got me thinking to how easy it would be to
very quickly eat up all the addresses on a server.

It seems like it would be trivial to use a linux box to use
proxy arping to send out a large number of DHCP requests
until the server has no more to give out.

This of course assumes that the network is not using
switches that prevent multiple MACs per port, and that the
DHCP servers are not configured to give IPs out only to
specific MACs or something like that.

One thing that would make this particularly insidious is
that the entire attack would take only momemts, and would
last until the DHCP database was purged or the leases timed
out.

Has this already been addressed?  Am I missing something
fundamental about DHCP?