Assignment 3-1: DHCP Security Assignment
Introduction:
Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses to devices on a network. DHCP is used so that users and network administrators don't have to set the IP address for each device manually. If a device is moved within a network, DHCP is responsible for assigning it a new IP address. In addition to assigning IP addresses, DHCP also assigns configuration parameters such as DNS, subnet masks, and default gateways. DHCP assigns IP addresses with a DORA exchange (discover, offer, request, and acknowledge). When a device joins a network, it broadcasts a DHCP discover message. When DHCP servers receive the message, they respond to the device with a DHCP offer message, which includes multiple IP addresses (and the other configuration parameters mentioned above). The device then selects the IP address it wants and sends a DHCP request message back to the server. The server then sends back a DHCP acknowledge message that contains the final confirmed IP address and configuration details. The IP address is then most likely given a lease, which the client can renew if it needs to. In order to facilitate the DORA communication, a DHCP relay agent must be installed to forward DHCP messages between a client and a server. While DHCP is a great system that makes network management easier and more efficient, it is also susceptible to many attacks, which are outlined below:
Security Issue 1: DHCP Starvation Attack
In a DHCP starvation attack a large number of DHCP discover requests with spoofed MAC addresses are sent to the DHCP server in order to consume all available IP addresses. Consequently, this leads to a denial of service, as legitimate network devices are not able to obtain IP addresses and connect to the network. For this attack, there has to be a constant stream of DHCP discover requests being sent to the server, as the IP addresses are not fully obtained unless the device completes the full DORA communication.
The best way to prevent this attack is to configure each port on a switch to allow only one MAC address, or a defined number of MAC addresses. This blocks DHCP discover requests from new or many MAC addresses from being sent to the server.
Security Issue 2: DHCP Spoofing
In a DHCP spoofing attack, the attacker creates a fake DHCP server on a network to provide IP addresses to clients. A DHCP starvation attack is often performed before a DHCP spoofing attack, to disable the legitimate DHCP server. This attack is possible since DHCP has no authentication options. The reason for this attack is normally to force clients to use an attacker's machine as their default gateway. The best way to prevent DHCP spoofing is with DHCP snooping. This is a method where each port on a switch is set to one of two states, trusted or untrusted. If the port is set to trusted, it can receive DHCP responses, but if it is set to untrusted, it can't. If an attacker attempts to send DHCP responses into an untrusted port, that port will be disabled. Switches that support DHCP snooping have ports that are set to untrusted by default.
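The two switch-side defenses described in Security Issues 1 and 2 (a per-port MAC limit and DHCP snooping) can be modeled together. This is an added example, not part of the original assignment or any vendor's code; the port names, MAC addresses and frames are constructed, and shutting a port down when the MAC limit is exceeded is an assumption of the model.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends

# Constructed sample: (ingress switch port, source MAC, DHCP message type)
FRAMES = [
    ("Gi0/1", "aa:aa:aa:00:00:01", "DISCOVER"),   # normal client
    ("Gi0/24", "00:11:22:33:44:55", "OFFER"),     # real server on trusted uplink
    ("Gi0/1", "aa:aa:aa:00:00:01", "REQUEST"),
    ("Gi0/24", "00:11:22:33:44:55", "ACK"),
    ("Gi0/2", "de:ad:00:00:00:01", "DISCOVER"),   # starvation: spoofed MACs, one port
    ("Gi0/2", "de:ad:00:00:00:02", "DISCOVER"),
    ("Gi0/2", "de:ad:00:00:00:03", "DISCOVER"),
    ("Gi0/3", "66:66:66:66:66:66", "OFFER"),      # rogue server on an access port
    ("Gi0/3", "66:66:66:66:66:66", "ACK"),
]

def filter_dhcp(frames, trusted_ports, max_macs=1):
    """Return (forwarded frames, {port: reason}) for ports that were disabled."""
    seen = defaultdict(set)   # port -> source MACs learned so far
    disabled = {}             # port -> why it was shut down
    forwarded = []
    for port, mac, msg in frames:
        if port in disabled:
            continue          # a disabled port drops everything
        if port not in trusted_ports:
            # DHCP snooping: server replies are not accepted on untrusted ports
            if msg in SERVER_MSGS:
                disabled[port] = "server message on untrusted port"
                continue
            # MAC limit: cap distinct source MACs per untrusted port
            # (assumption: exceeding the limit shuts the port down)
            seen[port].add(mac)
            if len(seen[port]) > max_macs:
                disabled[port] = "MAC limit exceeded"
                continue
        forwarded.append((port, mac, msg))
    return forwarded, disabled

if __name__ == "__main__":
    fwd, off = filter_dhcp(FRAMES, trusted_ports={"Gi0/24"})
    for port, reason in off.items():
        print(f"{port} disabled: {reason}")
    print(f"{len(fwd)} of {len(FRAMES)} frames forwarded")
```

Passing an empty trusted_ports set shows why the uplink to the real server must be marked trusted: with every port untrusted by default, the legitimate server's offers are blocked as well.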
Security Issue 3: Relay Attacks
DHCP relay agents are devices that forward DHCP messages between network segments. In a DHCP relay attack, an attacker bypasses the security controls of a DHCP server by using a compromised DHCP relay agent to inject malicious DHCP messages into segments of the network. In order to monitor traffic on segmented networks, logging should be set up, so that analysts may be able to catch the malicious agent before it does too much damage. Additionally, a firewall can monitor and filter traffic, potentially blocking the agent from being compromised in the first place.