Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Cyber Security Awareness Month - Day 6 ports 67&68 udp - bootp and dhcp - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness Month - Day 6 ports 67&68 udp - bootp and dhcp

DHCP is a very commonly used protocol for the automatic assignment of TCP/IP configuration options. DHCP is defined in RFC 2131. "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCPIP network. DHCP is based on the Bootstrap Protocol (BOOTP) [7], adding the capability of automatic allocation of reusable network addresses and additional configuration options [19].  DHCP captures the behavior of BOOTP relay agents [7, 21], and DHCP participants can interoperate with BOOTP participants [9]." DHCP extensions for IPv6 is defined in RFC 3315.

Common values include:

  • IP address
  • Subnet mask
  • Default gateway (router)
  • DNS servers
  • DNS domain name
  • Lease time
  • 802.1Q VLAN ID
  • 802.1P L2 Priority
  • Bootfile-Name
  • TFTP Server IP address

DHCP is not without its issues, here are some of them:

  • DHCP is a UDP based protocol and is easily spoofed
  • DHCP lease exhaustion/starvation Denial of Service attacks
  • Rogue DHCP server responding to clients, the sky is the limit with this attack
  • Spoofed RELEASE packets Denial of Service attacks
  • DISCOVER and REQUEST are broadcast, everyone hears them and anyone can respond
  • No concept of authentication
  • Unless Layer2 security is enforced rogue clients get a lease too
  • Assigning rogue DNS server IPs to clients, allowing pharming attacks among others
  • Vulnerabilities in the DHCP client, some allowing remote arbitrary code execution
  • Vulnerabilities in the DHCP service, some allowing remote arbitrary code execution

Please contact us if you have any comments or would like to add to this diary entry.

A reader wrote in "PiXiE uses Wake-On-LAN to turn on machines after they power down, then feeds them a rootkit over BOOTP when they try to network boot (many systems automatically try network boot when woken-on-LAN."  A presentation can be found here: PiXiE: A Self-Propagating Network Boot Virus for Windows

Adrien de Beaupré Inc.

Adrien de Beaupre

353 Posts
ISC Handler
Oct 6th 2009
Now every switch supports dhcp snooping, preventing untrusted ports from answering bogus answers. With this option, what remains valid from your list?
Hi justme, most modern switches support a number of L2 and L3 defensive mechanisms. Not all locations have them enabled. In a number of organizations quite a few of these attacks remain devastatingly effective. IMHO. Cheers, Adrien
Adrien de Beaupre

353 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!