Exercise 16: DHCP Starvation Attack

Jan 16, 2025

Objective

Simulate a DHCP starvation attack to understand its impact on a network and implement mitigation strategies using DHCP snooping.

Scenario

As a cybersecurity analyst, you are tasked with evaluating your organization’s network resilience against common network attacks. One such attack is the DHCP starvation attack, where an attacker floods the DHCP server with bogus requests, exhausting its IP address pool and preventing legitimate devices from obtaining IP addresses. In this exercise, you will simulate this attack and implement mitigation using DHCP snooping.

⚠️ Important: Perform this exercise only in a legal and controlled lab environment. Unauthorized network attacks are illegal and unethical.


Lab Instructions

Step 1: Set Up the Lab Environment

  • DHCP Server: A Linux or Windows machine providing dynamic IP addresses.
  • Attacker Machine: A Linux system with dhcptest or Yersinia installed.
  • Victim Machine: A device that will attempt to obtain a legitimate IP address.
  • Managed Switch: Configurable for DHCP snooping.

Step 2: Install DHCP Starvation Tool

On the Attacker Machine, install dhcptest:

sudo apt update
sudo apt install dhcping -y
# Clone as the current user so the chmod below does not fail on root-owned files
git clone https://github.com/insidetrust/statics.git
cd statics/dhcp-test/
chmod +x dhcp-test.py

Step 3: Launch the DHCP Starvation Attack

Run the attack to flood the DHCP server with requests:

sudo python3 dhcp-test.py -i eth0 -n 1000

-i eth0: Network interface to use.

-n 1000: Number of requests to send.

Step 4: Observe the Impact

On the Victim Machine, attempt to obtain an IP address:

Linux/macOS:

sudo dhclient -v

Windows:

ipconfig /release 
ipconfig /renew

The DHCP server should be unable to assign an IP due to the exhausted pool.

Step 5: Mitigate with DHCP Snooping

Access the Managed Switch configuration interface.

Enable DHCP snooping globally:

configure terminal 
ip dhcp snooping

Mark the port connected to the DHCP server as trusted, so that DHCP server responses are accepted on it:

interface fa0/1 
ip dhcp snooping trust

Rate-limit DHCP packets on the remaining ports, which are untrusted by default:

interface range fa0/2 - 24 
ip dhcp snooping limit rate 5

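Verify DHCP snooping is active. Run this from privileged EXEC mode (type end to leave configuration mode first). On Cisco IOS the output also lists the VLANs snooping is enabled for, and DHCP traffic is inspected only on those VLANs: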

show ip dhcp snooping

Step 6: Verify Mitigation

Restart the DHCP server if necessary:

sudo systemctl restart isc-dhcp-server

On the Victim Machine, request a new IP address:

sudo dhclient -v

The Victim Machine should now successfully receive an IP address.

Attempt to re-launch the attack on the Attacker Machine and observe that DHCP snooping blocks unauthorized DHCP requests.


Solution & Explanation

How a DHCP Starvation Attack Works

  • Flooding Requests: The attacker floods the DHCP server with bogus DHCP discovery requests using spoofed MAC addresses.
  • Exhausted Pool: The server runs out of available IP addresses, preventing legitimate devices from connecting to the network.
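Both symptoms listed above are visible in the DHCP server's log. The following is an added example, not part of the original exercise: a detector that reads isc-dhcp-server syslog lines and flags a burst of Discovers from many distinct MACs as well as the "no free leases" message. The sample log is constructed, and the window, threshold and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches isc-dhcp-server DHCPDISCOVER lines, with or without the exhaustion suffix.
DISCOVER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \(.*?\))?"
    r" via (?P<iface>\S+?)(?P<exhausted>: .*no free leases)?$", re.I)

def detect_starvation(lines, window_s=10, max_macs=20):
    """Return (iface, timestamp, reason) alerts; window_s and max_macs are assumed thresholds."""
    recent = defaultdict(deque)          # iface -> (ts, mac) pairs inside the window
    alerts, flagged = [], set()
    for line in lines:
        m = DISCOVER.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 2025 is an assumption used only for deltas.
        ts = datetime.strptime("2025 " + m["ts"], "%Y %b %d %H:%M:%S")
        iface, q = m["iface"], recent[m["iface"]]
        q.append((ts, m["mac"].lower()))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                  # drop Discovers older than the window
        macs = {mac for _, mac in q}
        checks = (("burst", len(macs) > max_macs,
                   f"{len(macs)} distinct MACs in {window_s}s"),
                  ("exhausted", bool(m["exhausted"]), "pool exhausted (no free leases)"))
        for kind, hit, reason in checks:
            if hit and (iface, kind) not in flagged:   # alert once per interface and kind
                flagged.add((iface, kind))
                alerts.append((iface, m["ts"], reason))
    return alerts

def sample_log():
    """Constructed log: two normal clients, 30 distinct MACs in 3 s, then exhaustion."""
    out = ["Jan 16 10:00:01 lab dhcpd[812]: DHCPDISCOVER from 00:0c:29:11:22:33 via eth0",
           "Jan 16 10:00:01 lab dhcpd[812]: DHCPOFFER on 192.168.1.10 to 00:0c:29:11:22:33 via eth0",
           "Jan 16 10:04:40 lab dhcpd[812]: DHCPDISCOVER from 00:0c:29:44:55:66 via eth0"]
    for i in range(30):
        out.append(f"Jan 16 10:05:{i // 10:02d} lab dhcpd[812]: "
                   f"DHCPDISCOVER from de:ad:00:00:00:{i:02x} via eth0")
    out.append("Jan 16 10:05:09 lab dhcpd[812]: DHCPDISCOVER from 00:0c:29:77:88:99 "
               "via eth0: network 192.168.1.0/24: no free leases")
    return out

if __name__ == "__main__":
    for alert in detect_starvation(sample_log()):
        print(alert)
```

Tune max_macs to the number of clients that normally join a segment at once, so that a morning power-on of legitimate hosts does not trip the burst check.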

Impact of the Attack

  • Denial of Service (DoS): Devices cannot obtain network connectivity.
  • Rogue DHCP Servers: Attackers may introduce unauthorized DHCP servers to control network configurations.

DHCP Snooping Mitigation

  • Trusted Ports: DHCP server responses are accepted only on ports marked as trusted.
  • Rate Limiting: Limits the number of DHCP packets per second accepted on a port to prevent flooding.
  • Unauthorized Device Blocking: Blocks DHCP server messages that arrive on untrusted ports.

Testing & Verification

Confirm that after enabling DHCP snooping, the Victim Machine successfully obtains an IP address.

Verify that the Attacker Machine cannot flood the DHCP server.

Check the DHCP snooping binding table and database status on the switch:

show ip dhcp snooping binding 
show ip dhcp snooping database

Security Best Practices

  1. Enable DHCP Snooping: Prevents rogue devices from exhausting IP addresses.
  2. Implement Port Security: Limits the number of allowed MAC addresses on switch ports.
  3. Use Dynamic ARP Inspection (DAI): Protects against ARP spoofing in conjunction with DHCP snooping.
  4. Network Segmentation: Isolate critical devices on separate VLANs to reduce attack surfaces.

Additional Script (Optional)

The same DHCP snooping configuration for Cisco switches as one block to paste into the switch CLI from privileged EXEC mode. These are IOS commands, not a shell script, so comment lines start with !:

! Enable DHCP Snooping Globally
configure terminal
ip dhcp snooping

! Trust the DHCP server port
interface fa0/1
ip dhcp snooping trust

! Limit rate on all other ports
interface range fa0/2 - 24
ip dhcp snooping limit rate 5

! Save configuration
end
write memory

Conclusion

In this exercise, you simulated a DHCP starvation attack to understand its impact on network availability. You successfully implemented DHCP snooping on a managed switch to mitigate the attack and verified that legitimate devices could obtain IP addresses. This highlights the importance of securing DHCP infrastructure to protect against network disruptions.
