Sniffing Technique: DHCP Attacks

Sniffing Techniques: DHCP Attacks - A Comprehensive Guide

Why Understanding DHCP Attacks is Important

DHCP attacks represent a critical security threat that every cybersecurity professional must understand. These attacks target the Dynamic Host Configuration Protocol (DHCP), which is fundamental to network operations as it automatically assigns IP addresses to devices. Compromising DHCP can lead to network disruption, data theft, and serve as a gateway for more advanced attacks. In certification exams like CEH, DHCP attacks are frequently tested because they demonstrate core network security vulnerabilities.

What are DHCP Attacks?

DHCP attacks are malicious activities that exploit vulnerabilities in the DHCP service or protocol. The main types include:

1. DHCP Starvation Attack - Attackers flood the DHCP server with numerous requests using spoofed MAC addresses until the IP address pool is exhausted, preventing legitimate users from obtaining IP addresses.

2. DHCP Spoofing/Rogue DHCP Server Attack - An attacker sets up an unauthorized DHCP server on the network to distribute malicious network configuration information (like malicious DNS servers or default gateways).

3. DHCP Snooping - Though technically a security measure, it can be abused if an attacker gains control of this functionality.

How DHCP Attacks Work

DHCP Starvation Attack Mechanism:
• Attacker uses tools like Yersinia or DHCPstarv to generate numerous DHCP DISCOVER packets
• Each request contains a unique, spoofed MAC address
• The DHCP server assigns IP addresses to these non-existent clients
• Eventually, the DHCP server exhausts its address pool
• Legitimate users cannot obtain IP addresses, causing denial of service

DHCP Spoofing Attack Mechanism:
• Attacker deploys a rogue DHCP server on the network
• When legitimate clients broadcast DHCP DISCOVER messages, both legitimate and rogue servers respond
• If the rogue server responds faster, clients accept its malicious configuration
• Attacker can specify malicious DNS servers or default gateways
• This creates a man-in-the-middle position for the attacker

Detection and Prevention Measures

1. DHCP Snooping - A legitimate security feature that validates DHCP messages and restricts untrusted DHCP servers

2. Port Security - Limiting the number of MAC addresses per port can mitigate DHCP starvation attacks

3. DHCP Rate Limiting - Restricting the rate of DHCP messages per port

4. IP Source Guard - Prevents IP spoofing by validating source addresses

5. Regular Network Monitoring - Detecting unusual DHCP traffic patterns

Exam Tips: Answering Questions on DHCP Attacks

1. Know the DHCP Process:
• Understand the four-step DHCP process (DORA): Discover, Offer, Request, Acknowledge
• Recognize how each step can be exploited

2. Differentiate Between Attack Types:
• Be clear about the difference between DHCP starvation (exhausting IP pools) and DHCP spoofing (providing malicious configuration)
• Understand that these attacks are often used together

3. Focus on Technical Details:
• Remember that DHCP starvation typically uses spoofed MAC addresses
• Know that DHCP operates on UDP ports 67 (server) and 68 (client)
• Be familiar with the tools used (Yersinia, DHCPstarv, etc.)

4. Connect Attacks to Outcomes:
• Link DHCP spoofing to man-in-the-middle attacks
• Understand how modified DNS settings can lead to pharming attacks

5. Prevention Scenarios:
• For prevention questions, remember the hierarchy of controls:
• DHCP snooping is the primary defense
• Port security and DHCP rate limiting are supplementary

6. Practical Perspective:
• Think about real-world implications and scenarios
• Consider the attack from both offensive and defensive perspectives

When facing exam questions, read carefully to identify whether they're asking about starvation or spoofing attacks. Look for keywords like "IP exhaustion" (starvation) or "malicious configuration" (spoofing). Remember that mitigation strategies differ based on the specific attack type. If unsure, eliminate obvious wrong answers first by checking technical accuracy.