RE: DoS against DHCP

From: John Stauffacher (stauffacherat_private)
Date: Wed Jan 30 2002 - 15:31:00 PST


    Rsnake,
    
    Being as the University I work at comprises a lot of DHCP servers, I
    have already run into the issue you are speaking of. I have also found
    an effective DoS with win98se/me/2k. Basically, if win98se/me/2k get an IP
    and shut down, when they wake up and request an address, they request the
    address they had before. This works fine and dandy most of the time.
    Yet, if for some reason the DHCP server decides to NAK the address
    request, the Windows box doesn't adhere to the NAK and keeps asking for
    the address. So if Joe Script Kiddy statics his own IP...and Joe User
    for some reason had that IP on his laptop (which is now off)...and Joe
    User turns his laptop on...he now gets a 169 address or in some cases
    0.0.0.0... To combat this and a couple other dumb things, I wrote this
    little shell script:
    [begin dhcp_show_static.sh]
    #!/bin/sh
    # usage: $0 <dhcpd leases file>
    # Pull every abandoned lease out of dhcpd.leases and ping it: a host that
    # still answers is probably static'd, one that doesn't is just dead.
    if [ $# -ne 1 ] || [ ! -r "$1" ]; then
            echo "usage: $0 <dhcpd leases file>" >&2
            exit 1
    fi
    echo "Checking $1"
    # Remember the IP from each "lease x.x.x.x {" line and print it when
    # the block contains "abandoned;". Taking the second field (instead of
    # fixed columns) keeps short IPs from coming out with a trailing " {".
    OFFENDERS=`awk '/^lease /{ip=$2} /^[ \t]*abandoned;/{print ip}' "$1" | sort -u`
    
    for i in $OFFENDERS;
            do
                    if /bin/ping -n -q -c1 "$i" >/dev/null 2>&1
                    then
                            echo "$i is up and static'd"
                            echo "$i" >> staticd.ips
                    else
                            echo "$i is not responding"
                            echo "$i" >> dead.ips
                    fi
    done
    [end dhcp_show_static.sh]
    
    Now normally dhcpd will reclaim abandoned IPs if they are truly
    abandoned. And normally if a client abandoned an IP and then asked for
    it again -- dhcpd will give it back. To fight static'ers and to fight
    people consuming more DHCP addresses than I want them to...I tied this
    script and another I wrote to grep out dup MAC addresses with similar
    lease times that are active and both are pinging, and both respond to
    arping (it isn't finished and is a very WIP -- so I won't post it), in
    with lcrzoex (http://packetstorm.widexs.nl/filedesc/lcrzo-4.02-src.html)
    -- basically when I catch a static'd machine, or a machine with more than
    two DHCP addresses, I use the ARP spoofing mechanism inside lcrzo to
    effectively cut them off...Sooner or later they call and complain...and
    we talk about why you really shouldn't give yourself static IP
    addresses.
    
    
    
    ++
    John Stauffacher
    Network Administrator
    Chapman University
    stauffacherat_private
    714-628-7249
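As an added example (not John's script above, nor the unfinished duplicate-MAC script he mentions), here is a Python parser for the ISC dhcpd.leases format that performs both checks he describes: list the leases whose most recent declaration is abandoned, and find client MACs holding more than one active lease at a given time. The leases file content and the timestamps are constructed; `probe` is a callable standing in for the ping check so the logic can run offline, and `ping_probe` reproduces the script's single quiet ICMP echo for real use.

```python
import re
import subprocess
from collections import defaultdict
from datetime import datetime

# Constructed ISC dhcpd.leases content (not a real capture). The file is
# append-only, so a later block for the same IP supersedes an earlier one;
# 10.1.2.13 below was abandoned and then handed out again.
SAMPLE_LEASES = """\
lease 10.1.2.10 {
  starts 3 2002/01/30 20:00:00;
  ends 3 2002/01/30 22:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
lease 10.1.2.11 {
  starts 3 2002/01/30 20:05:00;
  ends 3 2002/01/30 22:05:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
lease 10.1.2.12 {
  starts 3 2002/01/30 19:00:00;
  ends 3 2002/01/30 21:00:00;
  abandoned;
}
lease 10.1.2.13 {
  starts 3 2002/01/30 19:30:00;
  ends 3 2002/01/30 21:30:00;
  abandoned;
}
lease 10.1.2.13 {
  starts 3 2002/01/30 20:10:00;
  ends 3 2002/01/30 22:10:00;
  hardware ethernet 00:a0:c9:44:55:66;
}
"""
SAMPLE_NOW = datetime(2002, 1, 30, 20, 30, 0)   # constructed "current" time

BLOCK_RE = re.compile(r"^lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)^\}", re.S | re.M)
TIME_RE = re.compile(r"^\s*(starts|ends)\s+(?:\d\s+)?(\S+\s+\S+|never);", re.M)
MAC_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);", re.M)

def _parse_time(value):
    """dhcpd writes '<weekday> YYYY/MM/DD HH:MM:SS' (UTC) or 'never'."""
    return None if value == "never" else datetime.strptime(value, "%Y/%m/%d %H:%M:%S")

def parse_leases(text):
    """Return {ip: lease}, keeping only the last declaration of each IP."""
    leases = {}
    for m in BLOCK_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        lease = {"ip": ip, "starts": None, "ends": None, "mac": None,
                 "abandoned": re.search(r"^\s*abandoned;", body, re.M) is not None}
        for kind, value in TIME_RE.findall(body):
            lease[kind] = _parse_time(value)
        mac = MAC_RE.search(body)
        if mac:
            lease["mac"] = mac.group(1).lower()
        leases[ip] = lease
    return leases

def is_active(lease, now):
    """Active = not abandoned and 'now' lies inside [starts, ends)."""
    if lease["abandoned"]:
        return False
    if lease["starts"] is not None and now < lease["starts"]:
        return False
    return lease["ends"] is None or now < lease["ends"]

def abandoned_ips(leases):
    """IPs whose most recent declaration is abandoned (what the shell script greps for)."""
    return sorted(ip for ip, lease in leases.items() if lease["abandoned"])

def classify_abandoned(leases, probe):
    """Split abandoned IPs into (answering, silent) using probe(ip) -> bool."""
    up, dead = [], []
    for ip in abandoned_ips(leases):
        (up if probe(ip) else dead).append(ip)
    return up, dead

def duplicate_mac_leases(leases, now):
    """MACs holding more than one active lease at 'now', mapped to their IPs."""
    by_mac = defaultdict(list)
    for ip, lease in leases.items():
        if lease["mac"] and is_active(lease, now):
            by_mac[lease["mac"]].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def ping_probe(ip):
    """The shell script's check: one quiet ICMP echo, no name resolution."""
    return subprocess.call(["ping", "-n", "-q", "-c", "1", ip],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0

if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("abandoned leases:", abandoned_ips(leases))
    print("duplicate MACs:", duplicate_mac_leases(leases, SAMPLE_NOW))
```

Keeping only the last declaration per IP matters: dhcpd appends a fresh block when it re-issues an address, so a plain grep for "abandoned" over the whole file will keep reporting addresses the server has long since reclaimed.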
    
    -----Original Message-----
    From: RSnake [mailto:rsnakeat_private] 
    Sent: Wednesday, January 30, 2002 2:20 PM
    To: vuln-devat_private
    Subject: DoS against DHCP
    
    
    	I came up with this about a year back at DefCon, and told some friends
    in hopes that either they or I would do something with it, but none of us had
    time so here goes, and please feel free to write this yourself.  DoS against
    DHCP:
    
    	A DHCP server has only a certain amount of addresses available. If
    you (a single malicious machine connected to the network) actively take up all
    available IP addresses, and compete against the machines that are currently
    connected you should be able to completely take all available IP addresses and
    block access to the DHCP server.  You could do this by opening many interfaces
    on a Linux box and asking for many DHCP addresses and lying that you connected
    before any competing machines (or DoS the competing machine directly until the
    DHCP server releases the IP address to you).
    
    	This combined with war-driving could take down any DHCP IP address
    block within wireless range.  Kinda nasty, but only effective as long as you
    stay connected to the network, so a compromised machine on the network might be
    necessary for extended DoS.  Probably the way around this would be a) some sort
    of authentication to log into the DHCP server and/or b) using LEAP or something
    similar.  MAC addresses are spoofable, so it probably wouldn't be a good idea
    to limit the number of times a particular MAC address connects to the network,
    as that would just be a sloppy obfuscation.  DHCP has always seemed like a bad
    idea to me.  Sorry if this seems obvious.
    
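The quoted message describes exhausting a DHCP pool with many competing requests. The detection counterpart, as an added example that comes from neither poster, is a Python check over dhcpd syslog lines that flags a burst of DHCPDISCOVERs from many distinct client MACs on one interface inside a sliding window, and separately flags the server's own "no free leases" message (the pool is already gone at that point). The log lines are constructed; the line format follows what ISC dhcpd writes to syslog, which is an assumption to adjust for other servers. Because the attack needs many client MACs to consume many leases, counting distinct MACs per interface is a signal that spoofing cannot hide, unlike the per-MAC connection limit the message calls a sloppy obfuscation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed dhcpd syslog lines (not a real capture): one legitimate client,
# then one host cycling through many client MACs on eth0 until the server
# reports the pool empty, then an ordinary client on eth1 fifteen minutes later.
SAMPLE_LOG = [
    "Jan 30 14:20:01 dhcp1 dhcpd: DHCPDISCOVER from 00:a0:c9:11:22:33 via eth0",
    "Jan 30 14:20:01 dhcp1 dhcpd: DHCPOFFER on 10.1.2.10 to 00:a0:c9:11:22:33 via eth0",
] + [
    f"Jan 30 14:20:{5 + i:02d} dhcp1 dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth0"
    for i in range(1, 9)
] + [
    "Jan 30 14:20:14 dhcp1 dhcpd: DHCPDISCOVER from 02:00:00:00:00:09 via eth0: "
    "network 10.1.2.0/24: no free leases",
    "Jan 30 14:35:00 dhcp1 dhcpd: DHCPDISCOVER from 00:a0:c9:44:55:66 via eth1",
]

# Assumed ISC dhcpd syslog shape: "<ts> <host> dhcpd[pid]: DHCPDISCOVER from <mac> via <iface>[: ...]"
DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>[^\s:]+)"
    r"(?P<tail>.*)$", re.I)

def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_starvation(lines, window=60, max_macs=5, year=2002):
    """Return alerts for (a) more than max_macs distinct DISCOVER sources on one
    interface within a sliding window of `window` seconds and (b) the server
    reporting 'no free leases'. One burst alert per interface per episode."""
    recent = defaultdict(deque)   # iface -> (time, mac) of DISCOVERs in the window
    alerted = set()               # interfaces currently inside a burst episode
    alerts = []
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue
        t, mac, iface = parse_ts(m["ts"], year), m["mac"].lower(), m["iface"]
        q = recent[iface]
        q.append((t, mac))
        while q and (t - q[0][0]).total_seconds() > window:
            q.popleft()                      # drop entries older than the window
        distinct = len({seen for _, seen in q})
        if distinct > max_macs:
            if iface not in alerted:
                alerts.append(("burst", iface, t, distinct))
                alerted.add(iface)
        else:
            alerted.discard(iface)           # episode over; allow a fresh alert later
        if "no free leases" in m["tail"]:
            alerts.append(("exhausted", iface, t, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE_LOG):
        print(*alert)
```

On the sample the burst alert fires at the sixth distinct MAC seen on eth0 within the window, and the exhaustion alert follows from the server's own message; the lone DISCOVER on eth1 produces nothing.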



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 15:53:20 PST