DoS against DHCP

From: RSnake (rsnake@shocking.com)
Date: 01/30/02


Date: Wed, 30 Jan 2002 14:20:29 -0800 (PST)
From: RSnake <rsnake@shocking.com>
To: vuln-dev@securityfocus.com


        I came up with this about a year back at DefCon, and told some friends
in hopes that either they or I would do something with it, but none of us had
time so here goes, and please feel free to write this yourself. DoS against
DHCP:

        A DHCP server has only a certain amount of addresses availible. If
you (a single malicious machine connected to the network) actively take up all
availible IP address, and compete against the machines that are currently
connected you should be able to completely take all availible IP addresses and
block access to the DHCP server. You could do this by opening many interfaces
on a linux box and asking for many DHCP addresses and lying that you connected
before any competing machines (or DoS the competing machine directly until the
DHCP server releases the IP address to you).

        This combined with war-driving could take down any DHCP IP address
block within wireless range. Kinda nasty, but only effective as long as you
stay connected to the network, so a compromised machine on the network might be
necessary for extended DoS. Probably the way around this would be a) some sort
of authentication to log into the DHCP server and or b) using leap or something
similar. MAC addresses are spoofable, so it probably wouldn't be a good idea
to limit the number of times a particular MAC address connects to the network,
as that would just be a sloppy obfuscation. DHCP has always seemed like a bad
idea to me. Sorry if this seems obvious.



Relevant Pages

  • Re: DoS against DHCP
    ... DoS against ... > before any competing machines (or DoS the competing machine directly until the ... > DHCP server releases the IP address to you). ... > stay connected to the network, so a compromised machine on the network might be ...
    (Vuln-Dev)
  • Re: DoS against DHCP
    ... Contingent on you having changemac or some other way to randomize a new mac ... >you (a single malicious machine connected to the network) actively take up all ... >before any competing machines (or DoS the competing machine directly until the ... >DHCP server releases the IP address to you). ...
    (Vuln-Dev)
  • RE: DoS against DHCP
    ... if for some reason the DHCP server decides to NAK the address ... Subject: DoS against DHCP ... you (a single malicious machine connected to the network) actively take ... before any competing machines (or DoS the competing machine directly ...
    (Vuln-Dev)
  • Re: WAP54Gs with WPA not handing out IPs from SBS2003 server
    ... Do you have enough IP addresses in the DHCP pool on the DHCP server? ... There's not even 50 machines total on the network. ... I'll assume you're running Windoze XP Home using Wireless Zero Config ... With the PCMCIA card, it's the WZC software. ...
    (alt.internet.wireless)
  • Re: WAP54Gs with WPA not handing out IPs from SBS2003 server
    ... Do you have enough IP addresses in the DHCP pool on the DHCP server? ... There's not even 50 machines total on the network. ... I'll assume you're running Windoze XP Home using Wireless Zero Config ... With the PCMCIA card, it's the WZC software. ...
    (alt.internet.wireless)