DHCP Starvation, a problem on public networks


DHCP starvation is an easy way to deny real users access to a network. It occurs when an attacker runs a script that sends a stream of DHCP lease requests, each with a different spoofed hardware (MAC) address, so the server treats every request as a brand-new client.

If enough requests are flooded onto the network, the attacker can exhaust the entire pool of addresses the DHCP servers have to hand out, and can keep it exhausted indefinitely by requesting fresh leases as the bogus ones expire. Legitimate clients on the victim network are then starved of addresses, which is why DHCP starvation is classified as a denial-of-service (DoS) attack.

A really malicious attacker could go one step further and set up a rogue DHCP server: once the legitimate pool is empty, theirs is the only server still answering, so it can hand out the attacker's machine as the default gateway and sniff or man-in-the-middle every client's traffic. It could even point clients at a fake DNS server and redirect them to look-alike sites. DHCP starvation is easy to pull off and gives an attacker a lot of power.

How to mitigate

Enable DHCP snooping on your switches. Cisco IOS has the feature built in. It is not exactly MAC filtering, but it behaves a lot like it: the ports facing your real DHCP server are marked trusted, and on every other (untrusted) port the switch drops DHCP server replies, rate-limits DHCP client messages, and can verify that the hardware address inside each request matches the source MAC of the frame that carried it. A starvation script that spews spoofed requests faster than the per-port limit gets its port shut down, a rogue DHCP server on an access port is silenced, and only clients that make it past those checks are given a lease. Limiting the number of MAC addresses allowed on each access port with port security closes the remaining gap. Although this may be troublesome on a public network, it is the best solution.
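To make the attack and the mitigation concrete, here is an added example in Python (not code from the original post): a small DHCP message parser plus the two checks a switch applies when DHCP snooping is on, run over a constructed capture of one honest client and one starvation script. The port names, MAC addresses and thresholds are assumptions chosen for the demo.

```python
"""Spot DHCP starvation in captured client traffic.

Added example; mirrors the two checks a switch's DHCP snooping applies:
  1. the client hardware address (chaddr) inside the DHCP payload must match
     the Ethernet source MAC of the frame that carried it;
  2. one port must not originate lease requests for more than a handful of
     distinct clients within a short window.
"""
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"             # RFC 2132 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus option 53 (DHCP message type)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]           # client hardware address, hlen bytes
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], str(value[0]))
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr.hex(":"), "msg_type": msg_type}


def detect_starvation(frames, window=10.0, max_clients=5):
    """frames: iterable of (timestamp, port, src_mac, dhcp_payload).

    Returns alert strings. A legitimate host produces none; a starvation tool
    that randomises chaddr trips check 1 on every request and check 2 once it
    has asked for more than max_clients leases within `window` seconds.
    """
    alerts, flagged = [], set()
    recent = defaultdict(list)               # port -> [(timestamp, chaddr)]
    for ts, port, src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["op"] != 1 or msg["msg_type"] not in ("DISCOVER", "REQUEST"):
            continue                         # only client -> server messages matter here
        if msg["chaddr"] != src_mac.lower():
            alerts.append(f"{port}: chaddr {msg['chaddr']} != frame source {src_mac}")
        recent[port] = [(t, c) for t, c in recent[port] if ts - t <= window]
        recent[port].append((ts, msg["chaddr"]))
        distinct = {c for _, c in recent[port]}
        if len(distinct) > max_clients and port not in flagged:
            flagged.add(port)
            alerts.append(f"{port}: {len(distinct)} distinct clients requested leases in {window:.0f}s")
    return alerts


def build_discover(chaddr: str, xid: int) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample data for the demo, not a capture)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    msg = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # op=BOOTREQUEST, broadcast flag
    msg += b"\x00" * 16                                         # ciaddr, yiaddr, siaddr, giaddr
    msg += mac.ljust(16, b"\x00")                               # chaddr is a 16-byte field
    msg += b"\x00" * (64 + 128)                                 # sname, file
    return msg + DHCP_MAGIC + bytes([53, 1, 1, 255])            # option 53 = DISCOVER, then end


LEGIT_MAC = "00:11:22:33:44:55"              # constructed: a normal client on Gi0/1
ATTACKER_MAC = "de:ad:be:ef:00:01"           # constructed: the real NIC behind the starvation tool


def sample_frames():
    """Constructed capture: one honest DISCOVER, then eight spoofed ones from one port."""
    frames = [(0.0, "Gi0/1", LEGIT_MAC, build_discover(LEGIT_MAC, 0x1001))]
    for n in range(8):
        fake = f"02:00:00:00:00:{n:02x}"      # locally administered, changes every request
        frames.append((0.5 * n, "Gi0/7", ATTACKER_MAC, build_discover(fake, 0x2000 + n)))
    return frames


if __name__ == "__main__":
    for alert in detect_starvation(sample_frames()):
        print(alert)
```

Running it prints eight chaddr mismatches and one rate alert, all for Gi0/7 and none for the honest client. A tool that also rewrites the Ethernet source MAC to match each fake chaddr passes the first check, which is exactly why the per-port rate limit (and port security's cap on MAC addresses per port) matters as well.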

And as always, if you absolutely must use a public network for access, please use a VPN, OpenDNS, and wear a rubber.

Force traffic through a VPN

For the past couple of days I have been working on a simple but complicated project. Here is the back story…

I connect to a public VPN to keep my torrent traffic hidden and private. One day when I came home I found that the VPN tunnel had been reset, probably by a server reboot on the other end, and my torrent client had defaulted to the direct Internet connection on my PC. That scared me, and I wondered how often that would happen and whether there was a way to force traffic through a certain path. Simple, right?

I created a virtual server that has two NICs. One is on a private network, 192.168.0.0/24 (the server is 192.168.0.1), and the other is on my normal network with direct Internet access. This virtual server will connect to the VPN from now on.

On my desktop I also have two NICs, one on the 192.168.0.0/24 network and the other on my normal network. I can ping the virtual server on both IPs.

The reason I used 192.168.0.0/24 is that I am going to use a cheap trick with ICS. I was trying to route like a real man by using a virtual router, pfSense, on a 10.0.20.0/16 network, but if you go that route you will find that traffic can leak, since one of the hosts will have a default gateway that reaches the Internet directly.

In case you want to go that route, here is a VBS script that will sever any 'default' connection if the VPN fails. It uses ping to assess the status of the VPN. If you want something better than a crappy script, use proper if statements and write the damn thing in Python; I for one just wrote something that 'works'. Basically the script pings a server to see if it's up. If the ping to that address fails, an event is executed. You can set this up to send emails or even modify the PSU voltage so that your server will literally catch fire.

' Monitor a network host; if it goes down, kill the fallback connection
' Tom Schaefer V1.0
Option Explicit
Dim objShell, objFSO, objExec, strCommand, strResults, objFile

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' One echo request, 999 ms timeout, against a host that is only reachable through the VPN
strCommand = "ping -n 1 -w 999 192.168.1.96"

' Keep probing while the host answers. A genuine reply carries "TTL=";
' "Request timed out." and "Reply from 192.168.1.1: Destination host unreachable."
' do not, so both count as the VPN being down.
Do
    WScript.Sleep 30000            ' 30000 ms = 30 s; no ping for the first thirty seconds
    Set objExec = objShell.Exec(strCommand)
    strResults = objExec.StdOut.ReadAll()
Loop While InStr(1, strResults, "TTL=") > 0

' Event is called: record what the failing ping printed ...
Set objFile = objFSO.CreateTextFile("C:\Documents and Settings\Administrator\Desktop\PingFailed.txt")
objFile.Write strResults
objFile.Close

' ... then shut the direct Internet connection down (or send an email) - SrA Schaefer
' Set objExec = objShell.Exec("calc.exe") ' <- for testing
Set objExec = objShell.Exec("netsh.exe interface set interface ""Local Area Connection"" DISABLED")
' Not implemented: rename the text file with the time and date

Simple script, right?
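Since the post invites a Python rewrite, here is one as an added example (not the author's code). It keeps the same idea, ping a host that is only reachable through the tunnel and disable the direct-Internet NIC with netsh when it stops answering, but adds two things the VBS version lacks: it keys on the TTL in the reply rather than on the "Request timed out." string, so "Destination host unreachable" also counts as a failure, and it waits for several consecutive failures before cutting the link so one lost packet does not take the network down. The host 192.168.1.96, the adapter name "Local Area Connection", and the intervals are assumptions to edit for your own setup.

```python
"""VPN watchdog: when the tunnel endpoint stops answering, disable the NIC with
direct Internet access so nothing can fall back to the unprotected path.

Added example; a Python version of the VBS script above. Host, interface name
and intervals are assumptions to be edited for your own setup.
"""
import subprocess
import sys
import time
from typing import Callable

VPN_HOST = "192.168.1.96"               # assumed: a host only reachable through the tunnel
FALLBACK_NIC = "Local Area Connection"  # assumed: Windows name of the direct-Internet adapter
CHECK_INTERVAL = 30                     # seconds between probes
FAILURES_TO_TRIP = 3                    # consecutive failures before cutting the link


def is_echo_reply(ping_output: str) -> bool:
    """True only for a genuine echo reply.

    Windows ping prints "Reply from <gateway>: Destination host unreachable."
    and exits 0 when the local router answers for a dead host, so neither the
    exit code nor the word "Reply" is trustworthy; only a real reply has a TTL.
    """
    return "ttl=" in ping_output.lower()


def ping(host: str, timeout_ms: int = 999) -> bool:
    """Send one echo request (Windows and POSIX spell the flags differently)."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return is_echo_reply(result.stdout)


def disable_fallback_nic(name: str = FALLBACK_NIC) -> None:
    """Cut the direct path (Windows; needs an elevated prompt)."""
    subprocess.run(["netsh", "interface", "set", "interface", name, "admin=disabled"],
                   check=True)


class Watchdog:
    """Trips `action` after `failures_to_trip` consecutive failed probes."""

    def __init__(self, probe: Callable[[], bool], action: Callable[[], None],
                 failures_to_trip: int = FAILURES_TO_TRIP) -> None:
        self.probe, self.action = probe, action
        self.failures_to_trip = failures_to_trip
        self.failures = 0
        self.tripped = False

    def tick(self) -> bool:
        """Run one probe; return True only on the tick that cuts the link."""
        if self.tripped:
            return False
        if self.probe():
            self.failures = 0               # any good reply resets the streak
            return False
        self.failures += 1
        if self.failures >= self.failures_to_trip:
            self.action()
            self.tripped = True
            return True
        return False


def run(host: str = VPN_HOST, interval: int = CHECK_INTERVAL) -> None:
    """Probe forever until the link is cut, then exit."""
    wd = Watchdog(lambda: ping(host), disable_fallback_nic)
    while not wd.tripped:
        time.sleep(interval)                # like the VBS version, wait before the first probe
        if wd.tick():
            print(f"{host} missed {wd.failures} probes; disabled {FALLBACK_NIC}")


if __name__ == "__main__":
    run()
```

Run it on the machine whose default route reaches the Internet directly (the pfSense-style setup above), from an elevated prompt, since netsh needs administrator rights to disable an adapter. The probe and the action are passed in as plain callables, so the trip logic can be exercised with canned results without touching the network.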

Since that method wasn't as secure as I wanted, I decided to force traffic through the VPN instead.

On the VPN client, which in my case is the virtual server, set up the VPN connection and open its properties. Under Internet Connection Sharing, enable ICS and choose the NIC you assigned 192.168.0.1 to. (On Windows XP, ICS gives the shared private adapter the address 192.168.0.1 itself, which is why that address was chosen in the first place.)

Now, on a NIC on the end-user client, such as your desktop, assign the address 192.168.0.2/24 with 192.168.0.1 as the default gateway. You may now connect to the VPN and 100% of the client's traffic will be forced through it, as long as you kill any other NICs on your clients. This is perfect because you can set up a DHCP server to hand out these addresses. It would be easily doable in a domain environment, but I would not use this method for more than 50 clients.

For 50 or more clients you should route with a virtual router like pfSense and set up static routes to the VPN default gateway. Be careful: the VPN default gateway can change, so add a firewall rule on the router that blocks any outbound traffic not leaving through the VPN interface, so that a changed or dropped tunnel fails closed instead of leaking onto the direct connection.

For readers wanting to do this for torrent traffic, it's really easy with Vuze since you can bind it to a specific interface. No longer will I have to worry about the VPN failing, because if it does, all torrent traffic, and all traffic on that network, dies.