Cyber Security Awareness Month - Day 6 ports 67&68 udp - bootp and dhcp

Published: 2009-10-06
Last Updated: 2011-02-08 23:50:05 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

DHCP is a very commonly used protocol for the automatic assignment of TCP/IP configuration options. DHCP is defined in RFC 2131: "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP) [7], adding the capability of automatic allocation of reusable network addresses and additional configuration options [19]. DHCP captures the behavior of BOOTP relay agents [7, 21], and DHCP participants can interoperate with BOOTP participants [9]." DHCP for IPv6 (DHCPv6) is defined in RFC 3315.

Common values include:

  • IP address
  • Subnet mask
  • Default gateway (router)
  • DNS servers
  • DNS domain name
  • Lease time
  • 802.1Q VLAN ID
  • 802.1P L2 Priority
  • Bootfile-Name
  • TFTP Server IP address

DHCP is not without its issues; here are some of them:

  • DHCP is a UDP-based protocol and is easily spoofed
  • DHCP lease exhaustion/starvation Denial of Service attacks
  • Rogue DHCP server responding to clients; the sky is the limit with this attack
  • Spoofed RELEASE packets Denial of Service attacks
  • DISCOVER and REQUEST are broadcast, so everyone hears them and anyone can respond
  • No concept of authentication
  • Unless Layer 2 security is enforced, rogue clients get a lease too
  • Assigning rogue DNS server IPs to clients, allowing pharming attacks among others
  • Vulnerabilities in the DHCP client, some allowing remote arbitrary code execution
  • Vulnerabilities in the DHCP service, some allowing remote arbitrary code execution
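
Two of the issues above, a rogue DHCP server answering clients and rogue DNS server IPs being handed out, can be spotted on the wire because an OFFER or ACK carries the server identifier (option 54) and the DNS server list (option 6). The following Python is an added example, not part of the original diary: it parses the BOOTP header and DHCP options (RFC 2131/2132 layout, magic cookie 63 82 53 63) and flags replies whose server identifier or DNS servers are not on an allow-list. The allow-list values and the sample packet are constructed here using 192.0.2.0/24 and 203.0.113.0/24 documentation addresses.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header (RFC 951) and the DHCP options that follow it."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    msg = {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
           "chaddr": packet[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(packet) and packet[i] != 255:   # 255 = End option
        if packet[i] == 0:                         # 0 = Pad option, carries no length byte
            i += 1
            continue
        tag, length = packet[i], packet[i + 1]
        msg["options"][tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def ip_list(raw: bytes) -> list:
    """Decode an option value holding one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def rogue_server_findings(packet: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Flag an OFFER/ACK whose server identifier (option 54) or DNS servers (option 6)
    are not on the allow-list; an empty list means nothing suspicious was seen."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53) not in (b"\x02", b"\x05"):  # BOOTREPLY carrying OFFER or ACK
        return []
    findings = []
    server = ip_list(opts.get(54, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(f"server identifier {server[0] if server else '(missing)'} is not trusted")
    findings += [f"DNS server {d} is not trusted" for d in ip_list(opts.get(6, b"")) if d not in trusted_dns]
    return findings

def build_offer(xid: int, yiaddr: str, server_id: str, dns: list) -> bytes:
    """Constructed sample DHCPOFFER (not a real capture) for exercising the detector."""
    ip4 = ipaddress.IPv4Address
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, htype=Ethernet, hlen=6
    header += b"\x00" * 4 + ip4(yiaddr).packed + ip4(server_id).packed + b"\x00" * 4  # ciaddr,yiaddr,siaddr,giaddr
    header += bytes.fromhex("001122334455") + b"\x00" * 10 + b"\x00" * 192  # chaddr (16), sname (64), file (128)
    options = b"\x35\x01\x02" + b"\x36\x04" + ip4(server_id).packed  # 53=OFFER, 54=server identifier
    options += b"\x06" + bytes([4 * len(dns)]) + b"".join(ip4(d).packed for d in dns)  # 6=DNS servers
    return header + MAGIC_COOKIE + options + b"\xff"
```

Fed with frames captured on udp/67-68 from a SPAN port, the same check gives a cheap alert for DHCP replies that did not come from the sanctioned server, complementing DHCP snooping on the switch rather than replacing it.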

Please contact us if you have any comments or would like to add to this diary entry.

A reader wrote in: "PiXiE uses Wake-On-LAN to turn on machines after they power down, then feeds them a rootkit over BOOTP when they try to network boot (many systems automatically try network boot when woken-on-LAN)." A presentation can be found here: PiXiE: A Self-Propagating Network Boot Virus for Windows

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.


Comments

Now every switch supports dhcp snooping, preventing untrusted ports from answering bogus answers. With this option, what remains valid from your list?
Hi justme, most modern switches support a number of L2 and L3 defensive mechanisms. Not all locations have them enabled. In a number of organizations quite a few of these attacks remain devastatingly effective. IMHO. Cheers, Adrien
