Vulnerability Development mailing list archives

Re: Possible DHCP DOS attack


From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Fri, 4 Feb 2000 00:08:06 -0600


I've encountered something like this, the machines that were going out to
customers were plugged in to make sure they worked, with a lot of
computers going through the shop the dhcp server ran out of leases, it
merely said 'out of leases' and refused to pass any new ones out.

Redhat 6.1

[root@fw /root]# dhcpd --version
Internet Software Consortium DHCP Server
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.

On Thu, 3 Feb 2000, C.J. Oster wrote:

To my understanding, dhcpd will ping the oldest lease(s) when it runs out
to find a free one.  I'm not exactly sure about this though, and any
insight would be appreciated.

-CJO-

On Wed, 2 Feb 2000, Paul Keefer wrote:

I hope this is the right forum for this.

I was contemplating DHCP and how many large organizations
rely on it today, and I had a vision so to speak.  What if
someone were to use up all of the available leases?  That
would essentially prevent anyone else from obtaining an
address.  That got me thinking to how easy it would be to
very quickly eat up all the addresses on a server.

It seems like it would be trivial to use a linux box to use
proxy arping to send out a large number of DHCP requests
until the server has no more to give out.

This of course assumes that the network is not using
switches that prevent multiple MACs per port, and that the
DHCP servers are not configured to give IPs out only to
specific MACs or something like that.

One thing that would make this particularly insidious is
that the entire attack would take only moments, and would
last until the DHCP database was purged or the leases timed
out.

Has this already been addressed?  Am I missing something
fundamental about DHCP?



             C.J. Oster (Linux Guru/Surge Addict) cjo () pobox com
   ----------------------------------------------------------------------
          Network Security Manager      Unix System Administrator
             For BHNet, Bromley Hall    WSG, CCSO, UIUC
          Hoover and Associates         oster () uiuc edu
          security () bromleygroup com     (217)265-8427
   ----------------------------------------------------------------------

         PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556

      Tuition: n. The way you screw yourself out of something you
      really want, need, like, or enjoy to learn a simple lesson.
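
Added example, not part of the original thread: one way a DHCP administrator could spot the condition discussed above from the server's syslog, by flagging a burst of never-before-seen MAC addresses on one interface and any pool-exhaustion message. The log lines are constructed in the style of ISC dhcpd output (exact wording varies by version); the function name, thresholds and addresses are assumptions chosen for illustration.

```python
import re
from collections import deque

# Matches ISC-dhcpd-style syslog lines (format assumed), for example
# "Feb  4 00:01:00 fw dhcpd: DHCPDISCOVER from 00:a0:c9:11:22:33 via eth1"
LINE = re.compile(
    r"^\w{3}\s+(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17})(?: \(.*?\))? via (?P<ifc>\S+?)(?P<rest>:.*)?$"
)
# "out of leases" is the wording quoted in the thread; "no free leases" is assumed here.
EXHAUSTED = re.compile(r"no free leases|out of leases")

def scan(lines, window_s=10, max_new_macs=5):
    """Return alerts as (line_number, kind, interface) tuples."""
    seen = set()    # (interface, MAC) pairs that have already asked for a lease
    recent = {}     # interface -> deque of times at which a new MAC first appeared
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        ifc = m["ifc"]
        # Seconds since the start of the month; enough for a short sliding window.
        t = ((int(m["day"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
        if m["rest"] and EXHAUSTED.search(m["rest"]):
            alerts.append((n, "pool-exhausted", ifc))
        if (ifc, m["mac"]) in seen:
            continue            # a known client retrying is not a new MAC
        seen.add((ifc, m["mac"]))
        q = recent.setdefault(ifc, deque())
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        if len(q) == max_new_macs + 1:   # alert once, when the threshold is crossed
            alerts.append((n, "new-mac-burst", ifc))
    return alerts

# Constructed sample: two ordinary clients, seven new MACs in seven seconds,
# then a request the server cannot satisfy.
SAMPLE = [
    "Feb  4 00:01:00 fw dhcpd: DHCPDISCOVER from 00:a0:c9:11:22:33 via eth1",
    "Feb  4 00:05:10 fw dhcpd: DHCPDISCOVER from 00:a0:c9:44:55:66 via eth1",
] + [
    f"Feb  4 00:09:0{i} fw dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth1"
    for i in range(7)
] + [
    "Feb  4 00:09:08 fw dhcpd: DHCPDISCOVER from 00:a0:c9:77:88:99 via eth1: "
    "network 192.168.1.0/24: no free leases",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The window and threshold need tuning per site: a shop floor where many machines are plugged in at once, as in the first reply, would trip a low threshold legitimately.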


