Re: Possible DHCP DOS attack

[tal () XPERT COM (Tal Hornstein)]

Paul,

You are essentially right, although you might want to consider the following
2 points:

1- Since addresses already allocated by the DHCP are not vulnerable to such
an attack, it will only affect "newcomers" - new machines trying to obtain
an IP lease. It is bound to be noticed by the sysadmin after the first
machine can't lease an IP.
2- I would assume any security admin in his right mind will not allow DHCP
request from the Internet through the Firewall, thus such an attack can only
come from within.
3- If a company employee makes such an attack, his MACs will go in the DHCP
and logs, making him easy to spot/stop.

I consider it a low risk, but nice thinking.

T.

Tal Hornstein
System Administrator
Xpert Integrated Systems

-----Original Message-----
From: Paul Keefer [mailto:paul () KEEFER ORG]
Sent: Wednesday, February 02, 2000 11:20 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Possible DHCP DOS attack

I hope this is the right forum for this.

I was contemplating DHCP and how many large organizations
rely on it today, and I had a vision so to speak.  What if
someone were to use up all of the available leases?  That
would essentially prevent anyone else from obtaining an
address.  That got me thinking to how easy it would be to
very quickly eat up all the addresses on a server.

It seems like it would be trivial to use a linux box to use
proxy arping to send out a large number of DHCP requests
until the server has no more to give out.

This of course assumes that the network is not using
switches that prevent multiple MACs per port, and that the
DHCP servers are not configured to give IPs out only to
specific MACs or something like that.

One thing that would make this particularly insidious is
that the entire attack would take only momemts, and would
last until the DHCP database was purged or the leases timed
out.

Has this already been addressed?  Am I missing something
fundamental about DHCP?