Vulnerability Development mailing list archives
RE: DoS against DHCP
From: "John Stauffacher" <stauffacher () chapman edu>
Date: Wed, 30 Jan 2002 15:31:00 -0800
Rsnake,

Being as the University I work at comprises a lot of DHCP servers, I have already run into the issue you are speaking of. I have also found an effective DoS with win98se/me/2k. Basically, if win98se/me/2k get an IP and shut down, then when they wake up and request an address, they request the address they had before. This works fine and dandy most of the time. Yet, if for some reason the DHCP server decides to NAK the address request, the Windows box doesn't adhere to the NAK and keeps asking for the address. So if joe script kiddy statics his own IP...and Joe User for some reason had that IP on his laptop (which is now off)...and Joe User turns his laptop on...he now gets a 169 address or in some cases 0.0.0.0...

To combat this and a couple other dumb things, I wrote this little shell script:

[begin dhcp_show_static.sh]
#!/bin/sh
# usage: $0 <dhcpd leases file>
# Pings every address that dhcpd has marked abandoned and sorts the
# addresses into staticd.ips (answering) and dead.ips (silent).
echo "Checking $1"
# Take the address field of each "lease <ip> {" line near an "abandoned" entry.
OFFENDERS=$(grep -B3 -C2 abandoned "$1" | grep lease | awk '{print $2}' | sort -u)
for i in $OFFENDERS; do
    if /bin/ping -n -q -c1 "$i" >/dev/null
    then
        echo "$i is up and static'd"
        echo "$i" >> staticd.ips
    else
        echo "$i is not responding"
        echo "$i" >> dead.ips
    fi
done
[end dhcp_show_static.sh]

Now normally dhcpd will reclaim abandoned IPs if they are truly abandoned. And normally if a client abandoned an IP and then asked for it again -- dhcpd will give it back.
To fight static'ers and to fight people consuming more DHCP addresses than I want them to...I tied this script and another I wrote to grep out dup MAC addresses with similar lease times that are active and both are pinging, and both respond to arpping (it isn't finished and is a very WIP -- so I won't post it), in with lcrzoex (http://packetstorm.widexs.nl/filedesc/lcrzo-4.02-src.html) -- basically when I catch a static'd machine, or a machine with more than two DHCP addresses, I use the ARP spoofing mechanism inside lcrzo to effectively cut them off...Sooner or later they call and complain...and we talk about why you really shouldn't give yourself static IP addresses.

++
John Stauffacher
Network Administrator
Chapman University
stauffacher () chapman edu
714-628-7249

-----Original Message-----
From: RSnake [mailto:rsnake () shocking com]
Sent: Wednesday, January 30, 2002 2:20 PM
To: vuln-dev () securityfocus com
Subject: DoS against DHCP

I came up with this about a year back at DefCon, and told some friends in hopes that either they or I would do something with it, but none of us had time so here goes, and please feel free to write this yourself.

DoS against DHCP: A DHCP server has only a certain amount of addresses available. If you (a single malicious machine connected to the network) actively take up all available IP addresses, and compete against the machines that are currently connected, you should be able to completely take all available IP addresses and block access to the DHCP server. You could do this by opening many interfaces on a Linux box and asking for many DHCP addresses and lying that you connected before any competing machines (or DoS the competing machine directly until the DHCP server releases the IP address to you). This combined with war-driving could take down any DHCP IP address block within wireless range.
Kinda nasty, but only effective as long as you stay connected to the network, so a compromised machine on the network might be necessary for extended DoS. Probably the way around this would be a) some sort of authentication to log into the DHCP server and/or b) using LEAP or something similar. MAC addresses are spoofable, so it probably wouldn't be a good idea to limit the number of times a particular MAC address connects to the network, as that would just be a sloppy obfuscation. DHCP has always seemed like a bad idea to me. Sorry if this seems obvious.
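
The two lease-file checks described in the reply above (abandoned leases, and one MAC holding more than two addresses), as an added example that is not part of the original post and is not the unposted script it mentions. It assumes ISC dhcpd lease-file syntax; the function names, the MAX parameter and the sample leases are constructed for illustration.

```sh
# lease_report [FILE|-] [MAX]: print "ABANDONED ip" and "MULTI mac count ips".
lease_report() {
    awk -v max="${2:-2}" '
    # Append-only log: a later entry for an IP replaces the earlier one.
    $1 == "lease" && $3 == "{" {
        ip = $2; state[ip] = "active"; mac[ip] = ""
        if (!seen[ip]++) order[++n] = ip
    }
    ip == "" { next }
    $1 == "}" { ip = "" }
    $1 == "abandoned;" { state[ip] = "abandoned" }
    $1 == "binding" && $2 == "state" { state[ip] = $3; sub(/;$/, "", state[ip]) }
    $1 == "hardware" && $2 == "ethernet" { mac[ip] = tolower($3); sub(/;$/, "", mac[ip]) }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]; m = mac[ip]
            if (state[ip] == "abandoned") { print "ABANDONED", ip; continue }
            if (state[ip] != "active" || m == "") continue
            if (!(m in cnt)) macs[++k] = m
            cnt[m]++; ips[m] = (ips[m] == "" ? "" : ips[m] ",") ip
        }
        for (j = 1; j <= k; j++)
            if (cnt[macs[j]] > max) print "MULTI", macs[j], cnt[macs[j]], ips[macs[j]]
    }' "${1:--}"
}
# Constructed sample leases (not taken from any real server).
sample_leases() {
    cat <<'EOF'
lease 10.0.0.5 {
  hardware ethernet 00:10:5a:aa:bb:cc;
}
lease 10.0.0.6 {
  hardware ethernet 00:10:5A:AA:BB:CC;
}
lease 10.0.0.7 {
  hardware ethernet 00:10:5a:11:22:33;
}
lease 10.0.0.7 {
  abandoned;
}
lease 10.0.0.8 {
  binding state free;
  hardware ethernet 00:10:5a:aa:bb:cc;
}
lease 10.0.0.9 {
  hardware ethernet 00:10:5a:aa:bb:cc;
}
EOF
}
```
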