-=[ DHCP Concept
Dynamic Host Configuration Protocol (DHCP) is used to automatically configure client machines with a dynamically assigned IP address and other network configuration parameters, such as the default gateway and DNS server addresses, during their boot time. It eliminates the need for network administrators to keep track of individual client IP addresses.
In the past (without DHCP), network administrators had to statically assign an IP address to each client machine, and users had to configure their computers with the assigned IP address manually. This process not only requires the users to be knowledgeable but also makes misconfiguration common.
DHCP is particularly useful in environments where computers are frequently added to or removed from the network. For example, ISPs use DHCP to configure their dial-up clients. When a client machine logs in, it is automatically assigned an IP address; when it logs out, that address is reclaimed. The benefits of this dynamic address assignment are twofold. Users do not need to care about the configuration of network parameters: since most computers are DHCP ready by default, they just need to enter their username and password to log in to their ISP. For the ISP, since an IP address is reclaimed when the client logs out, that address can be assigned to another user later, which helps combat the shortage of IP addresses.
Correct operation of DHCP is critical. If it is exploited, users may be configured with fake network information, such as a wrong name server address, which creates security threats.
-=[ DHCP Operations
The general idea of DHCP operation is summarized below.
1. The network administrator just needs to configure the DHCP server with a pool of IP addresses and other desired network configuration information.
2. When a client machine is booted up, as long as it is DHCP enabled, it will automatically ask the DHCP server to obtain an IP address.
3. The server then selects an available address from the pool and responds to the client with the selected address and other network configuration information.
The DHCP operations involve a number of message exchanges:
1. The client broadcasts the DHCPDISCOVER packet to the network.
2. The server sends back the client a DHCPOFFER packet which contains the offered address.
3. The client broadcasts a DHCPREQUEST packet, informing the server that it would like to be assigned the address offered in step 2.
4. The server sends the client a DHCPACK packet which contains network configuration parameters, such as default gateway and DNS server addresses.
5. At this point, the client has been configured with the offered IP address and the other network configuration parameters.
Since the client has not been preconfigured with any network information (including the DHCP server address) when it boots up, it has to use a broadcast message (DHCPDISCOVER) to reach the DHCP server in step 1. However, you may wonder why, in step 3, the DHCPREQUEST packet is broadcast instead of unicast, as the client already knows the DHCP server address from step 2. The reason is that, if there is more than one DHCP server in the network, the client may receive more than one DHCPOFFER packet in step 2. Broadcasting the DHCPREQUEST packet serves two purposes: it requests the offered address from the chosen server, and it implicitly declines the offers from the other servers.
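The four-step exchange above, worked through as an added example (not code from the original post): a minimal RFC 2131 encoder/decoder, a server side that answers DISCOVER with OFFER and REQUEST with ACK only when option 54 (server identifier) names it, and a client side that accepts one of two offers. The addresses and the transaction id used in the usage are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                  # RFC 2131 magic cookie that precedes the options
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 (message type) values
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed BOOTP header layout, 236 bytes

def build(op, xid, mac, yiaddr, options):
    """Encode a DHCP message. op 1 = from client, 2 = from server; options = {code: bytes}."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,   # htype Ethernet, hlen 6, broadcast flag
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr, b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return fixed + MAGIC + tlv + b"\xff"                    # 0xff = end option

def parse(pkt):
    """Decode the fixed header and the TLV options after the magic cookie."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:
        if pkt[i] == 0:                                      # single-byte pad option
            i += 1
        else:
            code, ln = pkt[i], pkt[i + 1]
            opts[code] = pkt[i + 2:i + 2 + ln]
            i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:f[2]].hex(":"), "options": opts}

def server_reply(pkt, server_id, lease_ip, gateway, dns):
    """DISCOVER -> OFFER (step 2); REQUEST -> ACK (step 4) only if option 54 names this server."""
    m = parse(pkt)
    kind = m["options"].get(53, b"\0")[0]
    me = IPv4Address(server_id).packed
    if kind == DISCOVER:
        return build(2, m["xid"], m["chaddr"], lease_ip, {53: bytes([OFFER]), 54: me})
    if kind == REQUEST and m["options"].get(54) == me:
        return build(2, m["xid"], m["chaddr"], lease_ip, {53: bytes([ACK]), 54: me,
                     3: IPv4Address(gateway).packed, 6: IPv4Address(dns).packed})
    return None          # REQUEST names another server: the implicit decline, so stay silent

def client_request(offers, xid, mac):
    """Step 3: accept the first OFFER via a REQUEST carrying option 54 and the offered address (50)."""
    chosen = parse(offers[0])
    return build(1, xid, mac, "0.0.0.0", {53: bytes([REQUEST]), 54: chosen["options"][54],
                                          50: IPv4Address(chosen["yiaddr"]).packed})
```

With two servers, feeding the same REQUEST to both shows that only the server named in option 54 returns an ACK; the other returns None and its offer lapses.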
-=[ Attacks
As can be seen, like DNS, DHCP has no provisions for security, making it vulnerable to attacks. Address starvation and server impersonation are the well-known DHCP attacks. The principle of the former is to request all of the available DHCP addresses so that new clients are not able to get IP addresses, whereas the latter sets up a rogue DHCP server to return fake network information to clients so that man-in-the-middle attacks can be carried out.
-=[ Denial of Service Attack using Address Starvation
When a DHCP server receives a DHCP request from a client, it picks one available address from the address pool and assigns it to the client. However, since this service is openly available and there is no authentication mechanism in DHCP, attackers can easily exploit this simple operation to stop the DHCP service.
The attacker can do it by sending a large number of DHCP requests with different (forged) MAC addresses to the DHCP server. Since the server regards each request with a new MAC as a new network client and assigns it an IP address, once the attacker has sent a sufficiently large number of requests, the server's address pool will eventually be fully allocated. As a result, no new legitimate client will be able to obtain an IP address, as there are no more available addresses.
It is a kind of denial of service attack: denying clients the DHCP service. This attack takes not only a very short time to complete (as the pool has a limited number of addresses) but also a very small amount of bandwidth. Nonetheless, this attack can be easily mitigated with the security functions in today's sophisticated switches. For example, Cisco switches can limit the number of MAC addresses a switch port can use. Suppose that the client machine attached to the port tries to use different MAC addresses; when the number of addresses reaches the limit, the port is shut down permanently or for a specified time. This stops the DHCP address starvation attack.
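The starvation pattern described above is also visible on the server side, so as an added example (not from the original post) here is a detector that scans DHCP server log lines for a burst of DHCPDISCOVERs from many distinct MACs on one interface, plus the server's own "no free leases" report. The line shape is modelled on ISC dhcpd's syslog output (an assumption), and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape modelled on ISC dhcpd's syslog output (assumption, not taken from the post).
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from "
                  r"([0-9a-f:]{17}) via ([^\s:]+)(.*)$")

def detect_starvation(lines, window_s=10, max_macs=20, year=2009):
    """Scan dhcpd lines in order and return alerts as (kind, iface, timestamp, detail).
    'starvation': more than max_macs distinct client MACs sent DHCPDISCOVER on one
    interface inside window_s seconds (alerted once per crossing of the threshold).
    'exhausted': the server itself reported 'no free leases', i.e. the pool is empty."""
    recent = defaultdict(deque)            # iface -> (timestamp, mac) pairs, oldest first
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        mac, iface, tail = m.group(2), m.group(3), m.group(4)
        if "no free leases" in tail:
            alerts.append(("exhausted", iface, ts, mac))
        q = recent[iface]
        q.append((ts, mac))
        while ts - q[0][0] > timedelta(seconds=window_s):   # drop entries outside the window
            q.popleft()
        distinct = len({x for _, x in q})
        if distinct == max_macs + 1:        # each line adds at most one MAC, so this is the crossing
            alerts.append(("starvation", iface, ts, distinct))
    return alerts

# Constructed sample: 25 DISCOVERs from distinct MACs within five seconds on eth0, then the
# server reporting pool exhaustion, then one ordinary client on eth1.
SAMPLE = [f"Sep 10 12:00:{i // 5:02d} gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth0"
          for i in range(25)] + [
    "Sep 10 12:00:30 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:ff via eth0: "
    "network 192.168.1.0/24: no free leases",
    "Sep 10 12:05:00 gw dhcpd: DHCPDISCOVER from 08:00:27:aa:bb:cc via eth1",
]

if __name__ == "__main__":
    for alert in detect_starvation(SAMPLE):
        print(*alert)
```

On a switch with port security, the same burst would show up as a port-security violation on one port instead; correlating the two tells you which port to look at.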
Thursday, September 10, 2009