Re: Possible DHCP DOS attack

[paul () BAVARIA JCCBI GOV (Paul Keefer)]

In response to your three points.

1)Sure, but that isn't much help for the folks that can't
get an IP now,  and depending on the DHCP server you are
using it could be very difficult to clear out the bad leases
to free up some addresses.

2)Agreed, but aren't something like 80% of security
incidents from the inside?

3)You should always be able to track an offending mac down
to at least a switch port, and if you are using managed
hubs, then a hub port too.  The thing is that you are making
up your MACs in this case, and they are only used very
briefly, so they will likely have timed out in the switches
and hubs by the time the admin gets around to looking for
them.

I understand that this isn't the sort of vulnerability that
would effect everyone the same.  It does seem like something
that would be a real pain for many universities, or for any
network that has relaxed physical security.

Tal Hornstein wrote:
> Paul,
>
> You are essentially right, although you might want to consider the following
> 2 points:
>
> 1- Since addresses already allocated by the DHCP are not vulnerable to such
> an attack, it will only affect "newcomers" - new machines trying to obtain
> an IP lease. It is bound to be noticed by the sysadmin after the first
> machine can't lease an IP.
> 2- I would assume any security admin in his right mind will not allow DHCP
> request from the Internet through the Firewall, thus such an attack can only
> come from within.
> 3- If a company employee makes such an attack, his MACs will go in the DHCP
> and logs, making him easy to spot/stop.
>
> I consider it a low risk, but nice thinking.
>
> T.
>
> Tal Hornstein
> System Administrator
> Xpert Integrated Systems
>
> -----Original Message-----
> From: Paul Keefer [mailto:paul () KEEFER ORG]
> Sent: Wednesday, February 02, 2000 11:20 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Possible DHCP DOS attack
>
> I hope this is the right forum for this.
>
> I was contemplating DHCP and how many large organizations
> rely on it today, and I had a vision so to speak.  What if
> someone were to use up all of the available leases?  That
> would essentially prevent anyone else from obtaining an
> address.  That got me thinking to how easy it would be to
> very quickly eat up all the addresses on a server.
>
> It seems like it would be trivial to use a linux box to use
> proxy arping to send out a large number of DHCP requests
> until the server has no more to give out.
>
> This of course assumes that the network is not using
> switches that prevent multiple MACs per port, and that the
> DHCP servers are not configured to give IPs out only to
> specific MACs or something like that.
>
> One thing that would make this particularly insidious is
> that the entire attack would take only momemts, and would
> last until the DHCP database was purged or the leases timed
> out.
>
> Has this already been addressed?  Am I missing something
> fundamental about DHCP?

--
Paul Keefer             AMI-300B/NISC
LAN/WAN Administrator   405-954-6029