DHCP Security - The most overlooked service on the network

DHCP is a service that most of you use, whether you are aware of it or not: it is the service that assigns an IP address to hosts that are set up for automatic configuration. It is nearly universal on large corporate networks, and with the spread of Wi-Fi into SOHO networks it is becoming ever more common there as well.

Short description of DHCP
The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, the default gateway and other IP parameters. DHCP runs over UDP (server port 67, client port 68), but it is used before the client has an IP address, so the initial exchange relies on link-layer broadcast, and the only identifier the server has for a client is the hardware (MAC) address the client puts in its request. Plain DHCP carries no authentication in either direction, which is the root of every attack described below.

When a DHCP client connects to a network, it broadcasts a DHCPDISCOVER to find servers. Every server that hears it may reply with a DHCPOFFER containing a proposed address; the client picks one offer (normally the first to arrive) and broadcasts a DHCPREQUEST for it, and the chosen server confirms the lease with a DHCPACK. Because the client accepts whichever offer arrives first and has no way to verify where it came from, any host on the segment that answers quickly enough can configure it.
Upon receipt of a valid request the server assigns the client an IP address and other configuration parameters such as the subnet mask and the default gateway, and sends these parameters to the requesting client. The DHCP server manages and leases a pool of IP addresses within a specific range, sized according to the addressing plan of the network and the number of clients on the LAN segment.

The assigned parameters are 'leased' from the server, and when the lease expires the client must release the assigned IP address and parameters, effectively unconfiguring the network interface. The client does not wait for that: it starts sending renewal requests to the server that granted the lease at the half of the lease period (the T1 timer) and, if that server does not answer, it broadcasts a request that any server may answer once 87.5% of the lease has passed (T2). That rebinding broadcast gives a rogue server a second chance to capture a client that it missed at boot time.

Vulnerabilities that can be exploited in a DHCP service

  1. Rogue DHCP server - a very dangerous attack and a very easy one to set up. The attacker brings his own DHCP server onto the network so that clients receive his parameters instead of the corporate ones; since the client accepts the first offer it receives, the rogue server only needs to answer faster than the real one. The damage ranges from a simple denial of service (handing out non-routable IP addresses or wrong DNS information) to the far subtler issuing of a rogue DNS server. In this second attack the clients are configured to use the attacker's DNS server instead of the corporate one, and that server then directs users to fake copies of selected sites for the purpose of credential collection.
  2. DHCP denial of service (DHCP starvation) - a simple attack to perform, but not too critical if used by itself. A specially configured client requests many DHCP leases with spoofed MAC addresses, effectively 'draining' the pool of IP addresses available on the DHCP server. Once that happens, normal clients can no longer obtain an IP address and use the network. This attack is usually combined with the previous one: when the real server has nothing left to offer, the rogue server is the only one that answers.
  3. DHCP routing attack - if a rogue or compromised DHCP server hands out the IP address of the attacker's machine as the default gateway, then all traffic leaving the local network passes through that machine and can be sniffed and reassembled into TCP sessions, revealing user names, passwords, personal information etc. It is very easy to set a computer up as a NAT router that forwards all communication on to the regular gateway, so nobody actually sees any change on the network.
  4. Compromise of the corporate DHCP server - the most difficult attack to perform and the most dangerous. It is difficult because the attacker needs to compromise an actual corporate server, which is usually well protected by hardening and IDS systems. Once penetrated, the compromised DHCP server offers the entire set of client attacks described above, with the added benefit that this attack is very difficult to identify: there is no rogue DHCP server on the network for the network administrator to scan for, and at first glance business goes on as usual.

Securing the DHCP service

Securing the DHCP service is difficult because the protocol itself carries no authentication, so there are only a few security controls that can be applied to it:
  • Manually configure a trusted DNS server address on each client - DNS servers are rarely changed, so this is an excellent protection against a rogue DNS server, though it is a relatively cumbersome process to maintain. It does nothing against a rogue default gateway, however.
  • Harden the operating system and procedures of the DHCP server and the DHCP relay agents - apply all available security patches; change all default passwords (including SNMP community strings) and enforce complex, regularly changed passwords; disable all unnecessary services and accounts.
  • Implement procedural rules that ban the connection of outsider laptops to the corporate network - write the procedures down, scan for rogue PCs on the network at frequent intervals, and run regular unannounced scans for rogue DHCP servers (send a DHCPDISCOVER from a probe host and record every server that answers with an offer; anything other than the known corporate server is a finding).
  • For Wi-Fi networks, use WPA2 encryption and keep the access points and routers patched and updated.
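As an added example (this is not code from the original post), the script below implements the client side of the exchange described in the protocol section and the rogue-server scan from the last bullet: build_discover produces the DHCPDISCOVER a probe host would broadcast, parse_dhcp decodes a reply's BOOTP header and option list (rejecting truncated packets), and audit_offer checks every DHCPOFFER against an allow-list of the trusted server, default gateway and DNS addresses. The probe MAC, the 10.0.0.0/24 addresses and the two sample offers are constructed for the example; on a real network the DISCOVER would be sent from a raw or UDP broadcast socket and each reply fed to audit_offer.

```python
import ipaddress
import struct

# BOOTP/DHCP constants (RFC 2131 / RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_LEASE = 0, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 53, 54, 55, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def _header(op, xid, mac, yiaddr="0.0.0.0", flags=0x8000):
    """236-byte fixed BOOTP header; flags=0x8000 asks the server to answer by broadcast."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       op, 1, 6, 0, xid, 0, flags,  # op, htype=Ethernet, hlen, hops, xid, secs, flags
                       b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file

def _opt(code, data):
    return bytes([code, len(data)]) + data

def _ips(*addrs):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)

def build_discover(mac, xid):
    """The DHCPDISCOVER a client broadcasts: no address yet, only its MAC and a parameter list."""
    opts = (_opt(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))
            + _opt(OPT_PARAM_REQ, bytes([1, 3, 6, 51]))  # subnet mask, router, DNS, lease time
            + bytes([OPT_END]))
    return _header(BOOTREQUEST, xid, mac) + MAGIC_COOKIE + opts

def build_offer(mac, xid, yiaddr, server, routers, dns, lease):
    """A DHCPOFFER as a server (legitimate or rogue) would answer; used here to construct samples."""
    opts = (_opt(OPT_MSG_TYPE, bytes([DHCPOFFER])) + _opt(OPT_SERVER_ID, _ips(server))
            + _opt(OPT_LEASE, struct.pack("!I", lease)) + _opt(OPT_ROUTER, _ips(*routers))
            + _opt(OPT_DNS, _ips(*dns)) + bytes([OPT_END]))
    return _header(BOOTREPLY, xid, mac, yiaddr) + MAGIC_COOKIE + opts

def parse_dhcp(pkt):
    """Decode the fixed header and the TLV options; rejects truncated or unterminated packets."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1] if i + 1 < len(pkt) else -1
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = data
        i += 2 + length
    else:
        raise ValueError("options not terminated by END")
    def ip_list(code):
        raw = opts.get(code, b"")
        if len(raw) % 4:
            raise ValueError(f"option {code} is not a list of IPv4 addresses")
        return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]
    return {
        "op": op, "xid": xid, "chaddr": pkt[28:28 + min(hlen, 16)].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "server_id": ip_list(OPT_SERVER_ID)[0] if OPT_SERVER_ID in opts else None,
        "routers": ip_list(OPT_ROUTER), "dns": ip_list(OPT_DNS),
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }

def audit_offer(pkt, xid, trusted_servers, trusted_gateways, trusted_dns):
    """Findings for one reply to our DISCOVER; an empty list means the offer looks legitimate."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY or msg["xid"] != xid or msg["type"] != DHCPOFFER:
        return [f"not an offer for our transaction (op={msg['op']}, type={msg['type']})"]
    findings = []
    if msg["server_id"] not in trusted_servers:
        findings.append(f"rogue DHCP server {msg['server_id']} offered {msg['yiaddr']}")
    for r in msg["routers"]:
        if r not in trusted_gateways:
            findings.append(f"server {msg['server_id']} pushes unexpected default gateway {r}")
    for d in msg["dns"]:
        if d not in trusted_dns:
            findings.append(f"server {msg['server_id']} pushes unexpected DNS server {d}")
    return findings

# Constructed samples: probe MAC, trusted corporate addresses, one reply from the real server and one from a rogue box.
PROBE_MAC = bytes.fromhex("02000000aa01")
XID = 0x3903F326
TRUSTED = dict(trusted_servers={"10.0.0.2"}, trusted_gateways={"10.0.0.1"}, trusted_dns={"10.0.0.53"})
GOOD_OFFER = build_offer(PROBE_MAC, XID, "10.0.0.150", "10.0.0.2", ["10.0.0.1"], ["10.0.0.53"], 86400)
ROGUE_OFFER = build_offer(PROBE_MAC, XID, "10.0.0.151", "10.0.0.66", ["10.0.0.66"], ["10.0.0.66"], 300)

if __name__ == "__main__":
    for name, pkt in (("corporate", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_offer(pkt, XID, **TRUSTED) or ["ok"])
```

The audit deliberately keys on the server identifier (option 54) rather than the source IP of the packet, since a rogue server can spoof the latter but must put a reachable address in option 54 for the DHCPREQUEST to come back to it; a legitimate offer that nevertheless carries an unknown gateway or DNS server is reported separately, which is the signature of the compromised-server case.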

Related posts
5 Rules to Home Wi-Fi Security

Further reading

DHCP service description on Wikipedia

Talk back and comments are most welcome


Anonymous said...

Thanks for such a nice post.


DarkSide said...

Thank you for the nice blog! I think when talking about DHCP security it is worth mentioning a feature which some vendors call "DHCP snooping". It is a very efficient method to improve L2 security. Some other vendors have the same feature under a different name; I just haven't had a chance to test it.
Another good option is the open source client called ArpON. The only drawback is that you need to install it on each client.
