Vulnerability Development mailing list archives

Re: Possible DHCP DOS attack


From: techs () OBFUSCATION ORG (Erik Fichtner)
Date: Fri, 4 Feb 2000 00:37:39 -0500


On Thu, Feb 03, 2000 at 11:25:17AM -0600, C.J. Oster wrote:
> To my understanding, dhcpd will ping the oldest lease(s) when it runs out
> to find a free one.  I'm not exactly sure about this though, and any
> insight would be appreciated.

Yeah.   One DoS on dhcp, however, is to sniff the network and wait for a
dhcp request to come ambling by, then race the server and forge an icmp
echo_reply back to the dhcp server, since dhcpd (at least the ISC one,
probably others) will attempt to ping an address to see if it's available
before it hands it out.  If you do this, you'll get the server to abandon
the address as unusable, and if you're persistent enough, you'll use 'em
all up.

And if you can find some way to bog the dhcp server down and make it slow
to get around to generating the ping, you're pretty much guaranteed to
win the race.

Of course, you can just comment out the code in dhcp.c that pings before
handing out a lease, but the server becomes a little less flexible that
way.

It's a well known issue. Among others.  Check out the ISC DHCP Mailing
List Archive at http://www.isc.org/ml-archives/dhcp-server/

--
Erik Fichtner; Warrior SysAdmin (emf|techs)                       34.9908%
http://www.obfuscation.org/~techs      N 38 53.055'  W 77 21.860'  764 ft.
       "What's the most effective Windows NT remote management tool?"
          "A car."  --  Stephen Northcutt
