Ross Heintzkill
What is a DHCP Starvation Attack?
Quick Definition: A DHCP starvation attack is a malicious attack that targets DHCP servers. During the attack, a hostile actor floods a DHCP server with bogus DISCOVER packets until the server exhausts its supply of IP addresses. Once that happens, the attacker can deny legitimate network users service, or even answer the stranded clients from a rogue DHCP server, which sets up a Man-in-the-Middle (MITM) attack.
A Quick Overview of DHCP Starvation Attack [VIDEO]
In this video, Keith Barker covers how to implement a DHCP starvation attack using Kali Linux and Yersinia. He begins by discussing the basics of DHCP, and specifically what happens when a DHCP client PC boots up on the network.
Can You Learn to Execute a DHCP Starvation Attack?
Yes. DHCP starvation attacks are surprisingly easy to perform, and they're a very common way to deny service to legitimate network users. By learning the steps that hostile actors may take to flood your own DHCP servers with bogus DISCOVER packets, you can understand how to harden your network against the attack.
A crucial part of cybersecurity and network security is understanding the tools available to hostile actors and the steps they'd take to accomplish their ends. Knowing this makes you a better security practitioner, but the tools must never be used in an unauthorized or illegal way. There is such a thing as a Certified Ethical Hacker, and you can even learn how to become a white hat hacker. However, you shouldn't experiment in an unsafe way or play around, unauthorized, with what you learn about DHCP starvation attacks.
What Is the DHCP Process?
A Dynamic Host Configuration Protocol server is responsible for issuing IP addresses to devices on its network. This is done through a series of packet exchanges between individual DHCP clients and DHCP servers. To understand how a DHCP starvation attack works, we should first understand the DHCP interaction fully.
A DHCP IP address allocation transaction depends on four types of packets: DISCOVER, OFFER, REQUEST, and ACKNOWLEDGEMENT. While all four of these basic (DORA) packets are important to the DHCP process, we'll be focusing most on DISCOVER packets.
When a PC boots up on the network, if it's a DHCP client, it's going to issue a DHCP DISCOVER packet. By doing so, that PC is effectively saying, "Hi, I'm new here! I'm looking for a Dynamic Host Configuration Protocol server that can issue me an IP address."
If you visualize a client on a network reaching a nearby server, you can imagine the server responding with an OFFER. And in that offer, it's going to offer an IP address that the client is allowed to use. That server is effectively replying with, "Welcome. I've got a lovely little spot at 10.123.0.1 I can offer you. Interested?"
Before we go on to the client's reply to that, we should mention that the DHCP server has a pool of addresses it can select from. On a /24 network, the maximum number of IP addresses that could be in a pool is 254.
Additionally, it's very likely that a few of those addresses are saved for static router addresses and so forth. So the pool of available addresses the DHCP server can draw from may only be about 252 IP addresses. When it receives a DISCOVER packet, the DHCP server chooses one of its remaining IP addresses from its pool and reserves it for the new client.
The next step, after the OFFER packet is received by the client, is to send a REQUEST back. That's essentially the client saying, "Yes, that sounds perfect. Could I please have exclusive rights to 10.123.0.1 while I'm here?"
The final step in the transaction is when the server sends an ACKNOWLEDGEMENT packet to the client and anyone else listening. This essentially says, "You're now using 10.123.0.1. If anyone needs to reach that client, they're parked at 10.123.0.1."
In a benign environment, this DHCP exchange is an efficient way to have clients pop on and off of networks and remain reachable. But a DHCP starvation attack exploits this process.
How Does a DHCP Starvation Attack Work?
In a DHCP starvation attack, a hostile actor sends a flood of bogus DISCOVER packets until the DHCP server believes its available pool is exhausted. Clients looking for IP addresses find that there are none left for them, and they're denied service. They may also accept an offer from a different DHCP server, one which the hostile actor can provide. By handing out addressing that points those clients at the attacker's own machine, the hostile actor can then read all the traffic the client sends and receives.
In a hostile environment, a malicious machine running a tool like Yersinia sends DHCP DISCOVER packets. This malicious client doesn't send a handful; it sends hundreds and hundreds of DISCOVER packets, each using a different made-up MAC address as its source MAC address.
If the DHCP server responds to each of these bogus DHCP DISCOVER packets, the entire IP address pool could be depleted, and that DHCP server could believe it has no more IP addresses to offer to valid DHCP requests.
Once a DHCP server has no more IP addresses to offer, typically the next thing to happen would be for the attacker to bring in their own DHCP server. This rogue DHCP server then begins handing out IP addresses.
The benefit to the attacker is that a bogus DHCP server hands out not just IP addresses but default gateway and DNS information as well. Clients that accept those leases and start using that default gateway can now be routed through the attacker's machine. That's all a hostile actor needs to perform a man-in-the-middle (MITM) attack.
How to Configure Yersinia and Kali Linux Before DHCP Starvation Attacks
We'd like you to be able to follow along at home and be able to configure your set-up to keep your own networks safe. Although there are several methods you can use to do this, for our purposes, we recommend the following configuration:
First, connect a Raspberry Pi via ethernet cable physically to a switch. When we did it, we connected it to port #2 with port #3 leading off to the DHCP server.
Next, set up Yersinia on the Raspberry Pi. You'll need the version of Kali Linux built for the Raspberry Pi. The Raspberry Pi will need a wireless adapter, and you'll need an SSH session open to it. By the end of this, you should have Yersinia on a Raspberry Pi running Kali Linux that you connect to over wireless.
Next is the wired interface, Ethernet 0. When we did it, we physically connected it to port #2 on the same switch as before. With this configuration, you have out-of-band control (over wireless) of the device that will launch the attacks over the ethernet interface.
To manage the commands, we recommend the terminal emulation program SecureCRT. You'll need to configure it, as part of the SSH session, to forward X11 from the Kali box back to your PC so you can see what's happening. Lastly, Xming, an X11 server, also runs on the host PC, which is on Windows 8.
How to Perform a DHCP Starvation Attack Using Yersinia and Kali Linux
In your command line, launch Yersinia with "yersinia -G". That command launches the graphical version of Yersinia, which pops open as an X Window interface on the computer you launch it from.
From your router's interface, there are some things to do before launching the attack. Enter the command "show ip dhcp binding" into your router's command line. This will show any IP addresses that have currently been handed out by this DHCP server.
Depending on what your DHCP server is actually doing, you may not have any handed out IP addresses. You can also use the command "show ip dhcp pool" to get a sense of what pool of IP addresses it has available.
The output of this command will show you the range of addresses that are available for distribution; for example, it might read "10.123.0.1 – 10.123.0.254" under the IP address range. You'll also see, under "Leased addresses", the number of IP addresses it has handed out.
Back at Yersinia, click Launch Attack. A new window will appear, and from there you'll want to select DHCP from the tabs along the top. Of the many options, the one relevant here is sending DISCOVER packets.
Now click OK and watch Yersinia, running on the Kali Linux install on the Raspberry Pi, send out DISCOVER packets. Left running, it would send thousands of DISCOVER packets to the DHCP server identified earlier.
Every one of those DISCOVER packets carries a unique, made-up source MAC address. The DHCP server will think it's being bombarded with valid requests.
How to Tell if a DHCP Starvation Attack is Working
After running the attack, if you look at the "Last Seen" column, you'll see it incrementing by the second. That's the history of the DISCOVER packets being sent: hundreds and hundreds of them.
How to See What a DHCP Starvation Attack Did
After letting your DHCP starvation attack run in Yersinia for some time, you can click on the button in the top bar called "List attacks". On that screen, you should see that only one attack is running.
From there you could click "Cancel attack" or "Cancel all attacks". Since there's only the one running, click either to cancel the DHCP starvation attack we prepared earlier. Even after canceling the attack, you may see the screen continue to update its log of events about what has happened.
From there, go back to the router that's acting as your DHCP server. Remember that only a few moments ago it hadn't issued any IP addresses to clients. Now we'll want to check its log and see how many IP addresses are available now.
Even if you run "show ip dhcp pool" again, the router may well reply that the DHCP database could not be locked. If you get that response, it's a good sign your DHCP starvation attack has succeeded. That reply means the server is so overrun with requests from your attack that, even after you've canceled it, it is still not accepting new requests.
If that's the case, wait a few seconds to allow your DHCP server to sort itself out. Then run "show ip dhcp pool" again. Once your DHCP server is responding, you should see that the number of leased IP addresses has changed. It may even be its entire pool.
If you were to leave Yersinia running with that attack in the background, all of the IP addresses in the pool would be spoken for. As it is, even after only a few seconds running, you may see several dozen, or even 100, addresses allocated.
In fact, you can run "show ip dhcp pool" multiple times over the next several seconds and minutes and watch the number of leased addresses creep upward as the server continues to catch up with the hundreds of DISCOVER requests you bombarded it with earlier.
It's also possible to see the details of those IP addresses that have been handed out. To do so, use the command "show ip dhcp binding". Expect to see several pages of results. These are the IP addresses that have been handed out. All the MAC addresses that will display on this screen are made up by Yersinia as it sends out the DISCOVER packets looking for an IP address.
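A defender reading "show ip dhcp binding" output can spot a starvation flood before the pool is empty: the bogus leases are all granted within seconds of each other, so their expirations cluster tightly. The following is an added example (not code from the article or from Yersinia) that parses a constructed sample of Cisco IOS binding output and flags a burst of leases; the pool size of 252 and the burst threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Cisco IOS "show ip dhcp binding" output (not a real capture).
# The 0102.xxxx client IDs stand for the made-up locally administered MACs a flood uses.
SAMPLE = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.123.0.2          0100.1122.3344.55       Mar 08 2024 09:15 AM    Automatic
10.123.0.3          0100.1122.3344.66       Mar 08 2024 11:42 AM    Automatic
10.123.0.4          0102.0000.0000.01       Mar 09 2024 03:00 PM    Automatic
10.123.0.5          0102.0000.0000.02       Mar 09 2024 03:00 PM    Automatic
10.123.0.6          0102.0000.0000.03       Mar 09 2024 03:00 PM    Automatic
10.123.0.7          0102.0000.0000.04       Mar 09 2024 03:01 PM    Automatic
10.123.0.8          0102.0000.0000.05       Mar 09 2024 03:01 PM    Automatic
"""

# Matches one binding line; header lines and "Infinite" (manual) leases are skipped.
BINDING_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<client_id>\S+)\s+"
    r"(?P<expires>\w{3} \d{2} \d{4} \d{2}:\d{2} [AP]M)\s+(?P<type>\S+)")

def parse_bindings(text: str) -> list[dict]:
    """Return one dict per binding line with the expiration parsed to a datetime."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            row = m.groupdict()
            row["expires"] = datetime.strptime(row["expires"], "%b %d %Y %I:%M %p")
            rows.append(row)
    return rows

def largest_burst(rows: list[dict], window: timedelta = timedelta(minutes=2)) -> int:
    """Most leases whose expirations fall inside one window. Flooded DISCOVERs get
    identical lease lengths, so their leases expire almost simultaneously."""
    times = sorted(r["expires"] for r in rows)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(text: str, pool_size: int = 252, burst_threshold: int = 5) -> dict:
    """Flag starvation when leases arrived in a burst or the pool is nearly used up."""
    rows = parse_bindings(text)
    burst = largest_burst(rows)
    return {"leased": len(rows), "pool_used_pct": round(100 * len(rows) / pool_size, 1),
            "largest_burst": burst,
            "suspect": burst >= burst_threshold or len(rows) >= int(0.9 * pool_size)}
```

Feeding the real command output into assess() on a schedule gives an early warning that fires on the lease-time clustering even while most of the pool is still free.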
What Can Happen After a DHCP Starvation Attack?
A DHCP starvation attack results in a denial of service (DoS) for legitimate clients making IP address requests from an overloaded DHCP server. A DHCP starvation attack is often also followed up with an attempt at a Man-in-the-Middle (MITM) attack.
When the DHCP server has handed out all its IP addresses, what's going to happen when a new DHCP client who wants an IP address or needs an IP address comes onto the network? The answer is, of course, DoS: Denial of Service. There won't be any IP addresses available.
That's why, very often, following a DHCP starvation attack, the attacker brings in their own DHCP server to start handing out IP addresses. That leads to further compromise of our users' traffic, especially if the attacker has pulled off a man-in-the-middle attack in which all the traffic from our devices, as it tries to leave the subnet, passes through the attacker's device. The attacker now sits between the client and its intended destination.
How Can You Protect Against DHCP Starvation Attacks?
DHCP starvation attacks are easy to pull off. To help mitigate this type of attack, there's a switch feature called port security, which limits how many source MAC addresses a switch port will accept; since every bogus DISCOVER arrives with a different made-up MAC address, a port limited to a small number of MAC addresses stops the flood at the access port. Advanced cybersecurity training can also help you prevent DHCP starvation attacks.
This is a long post already, so we can't get into using Kali Linux or Backtrack, but if that's interesting to you, you should consider checking out our Penetration Testing with Linux Tools course.
DHCP starvation attacks are a real and present danger for a network. Understanding how a hostile actor dupes a DHCP server with bogus DISCOVER packets and prevents it from supplying legitimate clients with IP addresses is key to preventing such attacks and keeping your network secure.