DHCP Starvation (DOS Attack - Penetration Testing) - Example Demonstration with Kali ~ Let's Explain

DHCP Starvation is an attack that works by broadcasting vast numbers of DHCP requests with spoofed MAC addresses simultaneously.

I had showed my topology in the above snap, As you can see I have a router that acts as the DHCP server and a Kali linux 2.0 machine which is connected to the same network. The same steps can be followed to hack a Windows or a Linux DHCP server also. This is how my router's DHCP binding looks before the attempt,

Router (Before Attack)

R1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
R1#

I used yersinia tool to perform the attack, this yersinia comes in built to your Kali operating system. Open terminal, type 'yersinia -G' and press enter.

Click on 'Launch Attack'. Select the tab 'DHCP' and check the second box 'sending DISCOVER packet' and press OK. Within seconds, hundreds of DHCP requests will be sent and the router will be busy handling all our requests and won't be able to handle IP addresses to genuine users. Below logs are taken after the attack,

Router (After Attack)

R1#sh ip dhcp binding 
% The DHCP database could not be locked. Please retry the command later.
R1#

Router couldn't respond, I had taken the below output after 10 mins.

R1#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
120.0.0.4           3669.9348.85d1          Mar 01 2002 12:20 AM    Automatic
120.0.0.5           7add.b556.f179          Mar 01 2002 12:20 AM    Automatic
120.0.0.6           347b.0c74.8013          Mar 01 2002 12:20 AM    Automatic
120.0.0.7           f976.c10d.205f          Mar 01 2002 12:20 AM    Automatic
120.0.0.8           b2de.b66b.5b30          Mar 01 2002 12:20 AM    Automatic
120.0.0.9           32cd.4b14.c1f7          Mar 01 2002 12:20 AM    Automatic
120.0.0.10          d0fd.bd17.a548          Mar 01 2002 12:20 AM    Automatic
120.0.0.11          e4be.180a.3fbd          Mar 01 2002 12:20 AM    Automatic
120.0.0.12          559b.e206.ffd0          Mar 01 2002 12:20 AM    Automatic
120.0.0.13          4e64.0231.a81d          Mar 01 2002 12:20 AM    Automatic
120.0.0.14          ac61.c36b.8931          Mar 01 2002 12:21 AM    Automatic
120.0.0.15          763d.5c2f.0d07          Mar 01 2002 12:21 AM    Automatic
120.0.0.16          d738.1831.3ffa          Mar 01 2002 12:21 AM    Automatic
120.0.0.17          0f64.dc31.3bfd          Mar 01 2002 12:21 AM    Automatic
120.0.0.18          beae.bf51.f15b          Mar 01 2002 12:21 AM    Automatic
120.0.0.19          b511.3b23.4732          Mar 01 2002 12:21 AM    Automatic
120.0.0.20          e682.902a.2069          Mar 01 2002 12:21 AM    Automatic
120.0.0.21          d253.6658.b71c          Mar 01 2002 12:21 AM    Automatic
120.0.0.22          11ed.8f0f.f330          Mar 01 2002 12:21 AM    Automatic
 --More--

As you can see, all the IPs are assigned to Kali's duplicate DHCP requests. To stop the attack, click on 'List attackts' and Cancel all attacks.

Mitigation

To secure our network from this attack, we have two options.

1) DHCP Snooping
2) Port Security

Cisco IOS Mitigation

To enable DHCP Snooping on a Cisco IOS switch, follow these steps:

switch(config)# ip dhcp snooping
!Enables DHCP Snooping globally!
switch(config)# ip dhcp snooping vlan <vlan_id> {,<vlan_id>}
!Enables DHCP Snooping for Specific VLANs!
switch(config-if)# ip dhcp snooping trust
!Sets the interface to trusted state; can then pass DHCP replies!
switch(config-if)# ip dhcp snooping limit rate <rate>
!Sets rate limit for DHCP Snooping!

To know more about DHCP snooping, visit http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Cisco CatOS Mitigation

To mitigate DHCP Starvation attacks with port security on CatOS, use the following:

set port security 5/1 enable
set port security 5/1 port max 1
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity

Anonymous16 October 2015 at 09:21
Awesome! Thank you so much for this easiest tutorial :)
Anonymous3 March 2016 at 21:43
thank you awsome post
mangsadut.com20 April 2016 at 19:06
Your reviews are very interesting and admirable, good luck always friend
http://www.kangalip.com/
rakibhr27 December 2019 at 04:29
I am thankful for the article post.Looking forward to visit more.
Thanks dear For your Nice Post . It's Was Amazing! Friend I have Blog About Microsoft office setup .
If anyone interested to setup office please Visit My Blog. I will be apprised.

shor discription About my blog here :

office.com/setup : At the point when we are working or
serve the client just one in our mind that is "Consumer loyalty". We think each agents believing resembles as we have and
we are continually hoping to improve our capacity to address the issue of our customers.
We have huge number of trucks and other development gear to take the necessary steps in a great way and our trustworthiness, workplace and advancement to take the organization on high.
At the point when each client really fulfilled , then individuals says that is the privilege choice.For More : office.com/setup
\ Microsoft office setup
Best Regards

Microsoft office setup | www.office.com/setup |

norton.com/setup | Buy Google Voice Account |
office.com/setup | Microsoft office setup
Government Jobs in Kerala9 June 2022 at 21:24
A must read post! Good way of describing and pleasure piece of writing. Thanks!
apsu ba 2nd year result 2021 subject wise
uniraj bsc 3rd year result 202116 July 2022 at 12:45
Amazing or I can say this is a remarkable article.

Let's Explain

Monday 5 October 2015