DHCP Starvation Attack and its Detection

1 DHCP Starvation Attack and its Detection
Dr. Neminath Hubballi IIT Indore © Neminath Hubballi

2 Contents
Dynamic Host Configuration Protocol (DHCP) attacks
Exploiting client-side and server-side IP conflict detection
Proposed technique to detect these attacks

3 Exchange of Messages
DHCP Client and DHCP Server on a LAN
Initialization begins
1. Client broadcasts a DHCPDISCOVER message.
Determines configuration
2. Server unicasts a DHCPOFFER message to offer an IP address to the client.
Selects configuration
3. Client broadcasts a DHCPREQUEST message to accept the offered IP.
Commits configuration
4. Server unicasts a DHCPACK message to supply additional network configuration information to the client.
Initialization complete

4 Few Other Messages
DHCPNAK
DHCPDECLINE
DHCPRELEASE
DHCPINFORM

5 Message Structure
Common message format for all DHCP messages

6 Normal DHCP Operation

7 Normal DHCP Operation
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Client: "I am new to this network so I should broadcast a DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= , chaddr=18:03:73:a1:b2:c3

8 Normal DHCP Operation
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP= , DstIP= , yiaddr= , siaddr= , chaddr=18:03:73:a1:b2:c3
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, --

9 Normal DHCP Operation
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Client: "I have been offered an IP address. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= , siaddr= , chaddr=18:03:73:a1:b2:c3
DHCP option 50: requested

10 Normal DHCP Operation
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Server: "I received a DHCPREQUEST message for Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP= , DstIP= , yiaddr= , siaddr= , chaddr=18:03:73:a1:b2:c3
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, --
Pool Status (updated): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, 18:03:73:a1:b2:c3, --

11 Normal DHCP Operation
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Client: "I received DHCPACK message. Now I can use 10.200.1.4 as my IP address."

12 Classical DHCP Starvation Attack
Hosts: Malicious Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Malicious Client: "To launch the attack, I should broadcast multiple DHCPDISCOVER messages using spoofed random MAC addresses"
DHCPDISCOVER (Broadcast): SrcMAC=aa:aa:aa:aa:aa:aa, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

13 DHCPOFFER (Unicast)
Hosts: Malicious Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=aa:aa:aa:aa:aa:aa, SrcIP= , DstIP= ,
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, 18:03:73:a1:b2:c3, --

14 DHCPREQUEST (Broadcast)
Hosts: Malicious Client 10.200.1.4 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Malicious Client: "One IP address is offered for “aa:aa:aa:aa:aa:aa”. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=aa:aa:aa:aa:aa:aa, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

15 DHCPACK (Unicast)
Hosts: Malicious Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Other Client 18:03:73:a1:b2:c4; Other Client 18:03:73:a1:b2:c5
Server: "I received a DHCPREQUEST message for Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=aa:aa:aa:aa:aa:aa, SrcIP= , DstIP= ,
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, 18:03:73:a1:b2:c3, --
Pool Status (updated): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, 18:03:73:a1:b2:c3, aa:aa:aa:aa:aa:aa, --

16 Exploiting DHCP Client-side IP Address Conflict Detection: An Induced DHCP Starvation Attack
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Client: "I am new to this network so I should broadcast a DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

17 DHCPOFFER (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP= , DstIP= ,
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, --

18 DHCPREQUEST (Broadcast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Client: "I have been offered an IP address. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

19 DHCPACK (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Server: "I received a DHCPREQUEST message for Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP= , DstIP= ,
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, --
Pool Status (updated): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, 18:03:73:a1:b2:c3, --

20 ARP Request (Broadcast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Client: "I received DHCPACK message. Now I should check if the allotted IP address is already in use."
ARP Request (Broadcast): "Who has IP ? Tell your MAC address"

21 ARP Reply (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
ARP Reply (Unicast), from the Malicious Client: "I have IP My MAC is 18:03:73:a1:b2:c5"

22 DHCPDECLINE (Broadcast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Client: "Someone is already using I must broadcast a DHCPDECLINE message to refuse allotted IP address"
DHCPDECLINE (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

23
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Server: "DHCPDECLINE message received for I must mark this IP address as unavailable for the lease time."
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, Not available, --

24 Exploiting DHCP Server-side IP Address Conflict Detection: A DHCP Starvation Attack
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Client: "I should broadcast DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP= , DstIP= ,

25 ARP Request (Broadcast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses."
Server: "I am going to offer but before offering it, let me check if any other client is already using this IP address."
ARP Request (Broadcast): "Who has IP ? Tell your MAC address"
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, --

26 ARP Reply (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
ARP Reply (Unicast), from the Malicious Client: "I have IP My MAC is 18:03:73:a1:b2:c5"

27 ICMP Ping Request (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
ICMP Ping Request (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c5, SrcIP= , DstIP= ,

28 ICMP Ping Reply (Unicast)
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
ICMP Ping Reply (Unicast): SrcMAC=18:03:73:b2:46:c5, DstMAC=18:03:73:a1:b2:c6, SrcIP= , DstIP= ,

29
Hosts: DHCP Client 18:03:73:a1:b2:c3; DHCP Server 18:03:73:b2:46:c6; Malicious Client 18:03:73:a1:b2:c5; Other Client 18:03:73:a1:b2:c4
Server: "ICMP Ping Reply received. The IP address is already in use. I must mark this IP address as unavailable for the lease time."
Pool Status (IP Address, MAC address): 18:03:73:a1:b2:c4, 18:03:73:a1:b2:c5, Not Available, --

30 Related Work
Existing methods fall into 2 categories:
Cryptographic techniques such as [1]
  Rarely deployed due to high implementation cost.
  Require intervention of network administrators.
  Not feasible for highly dynamic networks.
Non-cryptographic techniques
  Security features in switches [2]: Port Security, DHCP Snooping and Dynamic ARP Inspection (DAI).
  Using the DHCP Relay Agent Information Option [3].
  Monitoring DHCP request traffic rate [4].
  Fair-allocation-based mitigation technique [5].
References
[1] D. Dinu, M. Togan: DHCP Server Authentication using Digital Certificates. In: International Conference on Communications (ICC), pp. 1-6, (2014).
[2] Configuring DHCP.
[3] M. Patrick. DHCP Relay Agent Information Option. RFC 3046, 2001.
[4] OConnor, T.: Detecting and Responding to Data Link Layer Attacks.
[5] H. Mukhtar, K. Salah, and Y. Iraqi. Mitigation of DHCP Starvation Attack. Computers and Electrical Engineering, 38(5):1115–1128, 2012.

31 Detection of proposed attacks using Hellinger Distance
Hellinger Distance (HD): statistical abnormality measurement technique.
Computes the distance between two probability distributions, 𝑃 and 𝑄.
𝑃 and 𝑄 are 𝑁-dimensional vectors and each vector component represents the probability of an attribute.
HD is given by equation:
𝑑_𝐻 always ranges from 0 to 1.

32 Detection using Hellinger Distance (contd.)
Reasons behind choosing HD over other similar methods:
Lightweight computation.
Natural lower and upper bounds.
Yields finite distance values.

33 Detection using Hellinger Distance (contd.)
Normal behavior of DHCP operation is treated as a distribution comprised of various events.
Various DHCP messages have a strong correlation between them:
  DISCOVER, OFFER, REQUEST and ACK.
  DECLINE does not follow this correlation.
Reasons which may disturb this balance:
  Presence of DECLINE messages during the induced DHCP starvation attack.
  Absence of all messages but DISCOVER while launching the attack by exploiting the server-side conflict detection scheme.
This change in observation can be exploited to detect the attacks.


35 Detection using Hellinger Distance (contd.)
Two phases of operation
Training Phase
Create a normal behavior profile of DHCP operation over a period of 𝑛 observations.
Each observation is of ∆𝑇 = 30 minutes.
The generated profile contains 5 attributes: DISCOVER, OFFER, REQUEST, ACK and DECLINE.
Probability of a particular message type, 𝑃_𝑖, is estimated as:
where
𝑁_𝑖 = number of events of type 𝑖 during 𝑛∗∆𝑇
𝑁_𝑡𝑜𝑡𝑎𝑙 = total number of events of all types during 𝑛∗∆𝑇

36 Detection using Hellinger Distance (contd.)
Testing Phase
After training, detect starvation attacks from the (𝑛+1)th interval of duration ∆𝑇.
Each observation is of ∆𝑇 = 30 minutes.
Generate the probability distribution 𝑄 every ∆𝑇 duration using the previous equation.
𝑄 is now compared with 𝑃.
If HD > δ (predefined threshold), raise the alarm.
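
The training and testing phases described on slides 31 to 36, as an added example that is not code from the presentation. It assumes the standard form of the Hellinger distance and P_i = N_i / N_total, since the slide equations did not survive; the threshold `DELTA` and all message counts are constructed.

```python
import math

MSG_TYPES = ("DISCOVER", "OFFER", "REQUEST", "ACK", "DECLINE")
DELTA = 0.2  # constructed threshold; the slides give no value for δ

# Constructed per-interval message counts (not data from the presentation).
TRAINING = [
    {"DISCOVER": 20, "OFFER": 20, "REQUEST": 30, "ACK": 30},
    {"DISCOVER": 22, "OFFER": 21, "REQUEST": 29, "ACK": 28},
]
NORMAL = {"DISCOVER": 10, "OFFER": 10, "REQUEST": 15, "ACK": 15}
INDUCED = {t: 30 for t in MSG_TYPES}   # every ACK is followed by a DECLINE
SERVER_SIDE = {"DISCOVER": 50}         # no OFFER ever follows a DISCOVER


def distribution(counts):
    """P_i = N_i / N_total over the five profiled types; None if no events."""
    total = sum(counts.get(t, 0) for t in MSG_TYPES)
    if total == 0:
        return None
    return [counts.get(t, 0) / total for t in MSG_TYPES]


def hellinger(p, q):
    """Standard Hellinger distance between two discrete distributions."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2
                         for a, b in zip(p, q)) / 2.0)


def train(intervals):
    """Pool counts over the n training intervals and return profile P."""
    pooled = {t: sum(iv.get(t, 0) for iv in intervals) for t in MSG_TYPES}
    return distribution(pooled)


def detect(profile, counts, delta=DELTA):
    """Return (HD, alarm) for one test interval; silent intervals never alarm."""
    q = distribution(counts)
    if q is None:
        return 0.0, False
    d = hellinger(profile, q)
    return d, d > delta


if __name__ == "__main__":
    P = train(TRAINING)
    for name, iv in (("normal", NORMAL), ("induced", INDUCED),
                     ("server-side", SERVER_SIDE)):
        d, alarm = detect(P, iv)
        print(f"{name:12s} HD={d:.3f} alarm={alarm}")
```

With these constructed counts the DISCOVER-only interval lands much further from the profile than the DECLINE-heavy one, so a single threshold has to be tuned against the weaker of the two signals.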

37 Experimental Evaluation
Training data collection: 2 days of normal DHCP traffic from a departmental network having 43 clients.
Figure: Probability distribution of training data

38 Experimental Evaluation (contd.)
Testing data: one day of DHCP traffic for testing purposes.
Figure: Probability distribution generated from the normal testing interval

39
Figure: Probability distribution generated from the induced attack testing interval
Figure: Probability distribution generated from the server-side exploitation based attack testing interval

40 Detection of Normal and Starvation Scenarios

