Vulnerability Development mailing list archives

Re: Possible DHCP DOS attack


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Thu, 3 Feb 2000 21:20:07 -0800


> Has this already been addressed?  Am I missing something
> fundamental about DHCP?

No, you're right.  This type of DoS attack works fine.  In fact, if you
put up a Windows NT RAS server, and tell it to get its address pool
from DHCP, it will happily grab as many DHCP addresses as you tell it.
These are pretty easy to spot on the DHCP server, as the "MAC" addresses
end up being I think three bytes longer than normal (the first bytes
spell out "RAS").

As for protecting against such attacks...

If someone is spoofing their layer 2 address, you'll have to catch that
with your network gear, and quickly.  Most equipment will only
cache the MAC addresses for 15-30 minutes.  Your DHCP server may
not have much opportunity to protect itself directly... many sites
have DHCP servers set up across routers, so the DHCP server never
gets to see the original MAC address.

                                        BB
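
Added example, not part of the original post: one way to run the check described above (client identifiers longer than a normal MAC whose first bytes spell "RAS") over an exported lease list. The "ip hex-identifier" export format, the sample leases, the pool size and all function names are assumptions made for this sketch.

```python
import re
from collections import Counter

ETHERNET_MAC_LEN = 6   # bytes in a normal Ethernet hardware address
RAS_PREFIX = b"RAS"    # ASCII bytes the post says lead the identifier

# Constructed sample: "<ip> <client identifier in hex>" per line. This is an
# assumed export format, not the output of any particular DHCP server.
SAMPLE_LEASES = """\
10.0.0.21 00a0c9112233
10.0.0.22 52415300a0c9445566
10.0.0.23 52:41:53:00:a0:c9:44:55:67
10.0.0.24 00-10-4B-AA-BB-CC
10.0.0.25 52415300a0c9445568
10.0.0.26 zz-not-hex
"""

def parse_client_id(text):
    """Return the identifier as bytes (':' or '-' separators allowed), or None."""
    cleaned = re.sub(r"[:\-]", "", text.strip())
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return None

def classify(client_id):
    """Label one identifier: 'ras', 'normal', 'other' or 'unparsed'."""
    if client_id is None:
        return "unparsed"
    if len(client_id) > ETHERNET_MAC_LEN and client_id.startswith(RAS_PREFIX):
        return "ras"
    return "normal" if len(client_id) == ETHERNET_MAC_LEN else "other"

def audit(lease_text, pool_size):
    """Count leases per label and report how much of the pool RAS leases hold."""
    counts, ras_ips = Counter(), []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed rows
        ip, raw = fields
        kind = classify(parse_client_id(raw))
        counts[kind] += 1
        if kind == "ras":
            ras_ips.append(ip)
    share = len(ras_ips) / pool_size if pool_size else 0.0
    return {"counts": dict(counts), "ras_ips": ras_ips, "ras_share": share}

if __name__ == "__main__":
    print(audit(SAMPLE_LEASES, pool_size=10))
```

A rising `ras_share` is the signal to watch on the server side; it says nothing about leases taken with spoofed layer 2 addresses, which look like ordinary 6-byte identifiers.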

