DHCP spoofing Attack and prevention

A DHCP spoofing attack, also known as a DHCP exhaustion attack, is a type of DDoS attack that causes the DHCP server to have no assignable DHCP address and causes the DHCP address pool to dry up. So that there is no assignable IP address for the normal host within the network. At the same time, hackers take advantage of impersonating a DHCP server, assigning users a modified DNS server address, booting to a pre-configured fake financial website or e-commerce website, cheat user's account and password, this attack harm is very big.

Attack principle:

Typically, the DHCP server determines the client's MAC address by checking the CHADDR (aka Client MAC addresses) field in the DHCP request message sent by the clients. Normally the CHADDR field and the real MAC address of the client sending the request message are the same. An attacker could use a fake Mac to send a DHCP request, or the attacker would not modify the source MAC address of the DHCP request message, but instead modify the CHADDR field in the DHCP message to implement the attack.

Because the DHCP server considers different CHADDR values to represent requests from different clients, an attacker could send a large number of forged chaddr DHCP requests, causing the address pool on the DHCP server to be exhausted and thus unable to provide network addresses for other normal users. This is a DHCP exhaustion attack. A DHCP exhaustion attack can be a purely Dos attack, or it can be used in conjunction with a forged DHCP server. When a normal DHCP server is paralyzed, an attacker could establish a bogus DHCP server to provide addresses to clients on the LAN so that they can forward the information to a malicious computer that is ready for interception. Even if the source MAC address and the CHADDR field of the DHCP request message are correct, the DHCP request message is a broadcast message, and if it is sent in large quantities it will also deplete the network bandwidth and form another denial-of-service attack.

Workaround:

1, on the switch port, turn on The DHCP snooping function, for the Mac and chaddr in the Mac to verify, found that the inconsistency dropped the packet

2. Display request rate

3. Limit the number of MAC addresses on the switch port

In addition, building a DHCP server in the network can cause 2 kinds of damage

1, resulting in network chaos, the allocation of IP address is not available

2, for example, hackers take advantage of impersonating a DHCP server, to assign users a modified DNS server address, the user is not aware of the situation to be directed to a pre-configured fake financial website or e-commerce website, cheat user's account and password, the harm of this attack is very big.

The above situation can be resolved by setting the DHCP trust port on the switch, discarding the DCHP offer package sent to other untrusted switch ports.

Ref

http://www.51testing.com/?uid-238195-action-spacelist-type-blog-itemtypeid-11700

http://blog.csdn.net/lycb_gz/article/details/7548695

DHCP spoofing Attack and prevention