Vulnerability Development mailing list archives

Re: DoS against DHCP

From: Craig Van Tassle <craig () ambrosa dns04 com>
Date: Wed, 30 Jan 2002 17:49:55 -0600

Well acutally i think that if you try to use the same MAC address for all the dhcp requests that could prove to be a 
problem..  Basicly if you want to you can jsut write a program to send out false MAC/ARP replies.. and with various 
ways of MAC spoofing you could tell the DHCP server that you have all the addresses and that could be used to make the 
subnet unusable until the DHCP leases are released.

just my $0.02

Criag


On Wed, Jan 30, 2002 at 02:20:29PM -0800, RSnake wrote:


      I came up with this about a year back at DefCon, and told some friends
in hopes that either they or I would do something with it, but none of us had
time so here goes, and please feel free to write this yourself.  DoS against
DHCP:

      A DHCP server has only a certain amount of addresses availible.  If
you (a single malicious machine connected to the network) actively take up all
availible IP address, and compete against the machines that are currently
connected you should be able to completely take all availible IP addresses and
block access to the DHCP server.  You could do this by opening many interfaces
on a linux box and asking for many DHCP addresses and lying that you connected
before any competing machines (or DoS the competing machine directly until the
DHCP server releases the IP address to you).

      This combined with war-driving could take down any DHCP IP address
block within wireless range.  Kinda nasty, but only effective as long as you
stay connected to the network, so a compromised machine on the network might be
necessary for extended DoS.  Probably the way around this would be a) some sort
of authentication to log into the DHCP server and or b) using leap or something
similar.  MAC addresses are spoofable, so it probably wouldn't be a good idea
to limit the number of times a particular MAC address connects to the network,
as that would just be a sloppy obfuscation.  DHCP has always seemed like a bad
idea to me.  Sorry if this seems obvious.

Attachment: _bin
Description:

Current thread:

switch jamming Jan (Jan 30)
- Re: switch jamming Securism (Jan 30)
- Re: switch jamming Sebastian Jaenicke (Jan 30)
  - Re: switch jamming Todd Suiter (Jan 30)
- DoS against DHCP RSnake (Jan 30)
  - RE: DoS against DHCP John Stauffacher (Jan 30)
  - Re: DoS against DHCP Russell Handorf (Jan 30)
  - Re: DoS against DHCP Craig Van Tassle (Jan 30)
  - Re: DoS against DHCP Felix Lindner (Jan 31)
- Re: switch jamming Blue Boar (Jan 30)
- <Possible follow-ups>
- RE: switch jamming Ed Moyle (Jan 30)
  - Re: switch jamming sean whalen (Jan 30)
- RE: switch jamming Henniges, Matthew (ISS) (Jan 30)
- RE: switch jamming Anthony Gruppuso (Jan 31)
  - Re: switch jamming Blue Boar (Jan 31)
    - Re: switch jamming ALoR (Jan 31)
  - RE: switch jamming Alexander (Jan 31)
- RE: switch jamming Toni Heinonen (Jan 31)

(Thread continues...)