Cyber Security Awareness Month - Day 6 ports 67&68 udp - bootp and dhcp
DHCP is a very commonly used protocol for the automatic assignment of TCP/IP configuration options. DHCP is defined in RFC 2131. "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCPIP network. DHCP is based on the Bootstrap Protocol (BOOTP) [7], adding the capability of automatic allocation of reusable network addresses and additional configuration options [19]. DHCP captures the behavior of BOOTP relay agents [7, 21], and DHCP participants can interoperate with BOOTP participants [9]." The DHCP extensions for IPv6 are defined in RFC 3315.
Configuration values commonly assigned through DHCP include:
- IP address
- Subnet mask
- Default gateway (router)
- DNS servers
- DNS domain name
- Lease time
- 802.1Q VLAN ID
- 802.1P L2 Priority
- Bootfile-Name
- TFTP Server IP address
DHCP is not without its issues. Here are some of them:
- DHCP is a UDP-based protocol and is easily spoofed
- DHCP lease exhaustion/starvation Denial of Service attacks
- Rogue DHCP server responding to clients, the sky is the limit with this attack
- Spoofed RELEASE packets Denial of Service attacks
- DISCOVER and REQUEST are broadcast, everyone hears them and anyone can respond
- No concept of authentication
- Unless Layer 2 security is enforced, rogue clients get a lease too
- Assigning rogue DNS server IPs to clients, allowing pharming attacks among others
- Vulnerabilities in the DHCP client, some allowing remote arbitrary code execution
- Vulnerabilities in the DHCP service, some allowing remote arbitrary code execution
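The rogue server and rogue DNS items above can be checked for on the wire by parsing the UDP payload of server replies (source port 67) and comparing the Server Identifier (option 54) and DNS servers (option 6) against what the site expects. The following is an added example, not part of the original diary; the allowlists, addresses and the build_reply helper are constructed for illustration, and option overload (option 52) is not handled.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: marks the start of the options field
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
OFFER, ACK = 2, 5
# Assumed site policy (constructed values): the only legitimate server and resolver.
ALLOWED_SERVERS = {"192.0.2.10"}
ALLOWED_DNS = {"192.0.2.53"}

def parse_options(payload):
    """Return {option code: raw value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        code = payload[i]
        if code == 0:                                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[code] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def check_reply(payload):
    """Return findings for one server-to-client message (OFFER or ACK)."""
    opts = parse_options(payload)
    mtype = (opts.get(OPT_MSG_TYPE) or b"\0")[0]
    if payload[0] != 2 or mtype not in (OFFER, ACK):  # op 2 = BOOTREPLY
        return []
    findings = []
    sid = opts.get(OPT_SERVER_ID, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
    if server not in ALLOWED_SERVERS:
        findings.append(f"rogue-server {server}")
    dns = opts.get(OPT_DNS, b"")
    for j in range(0, len(dns) - 3, 4):               # option 6 is a list of IPv4 addresses
        ip = socket.inet_ntoa(dns[j:j + 4])
        if ip not in ALLOWED_DNS:
            findings.append(f"rogue-dns {ip}")
    return findings

def build_reply(msg_type, server, dns):
    """Build a constructed BOOTREPLY for testing (not captured traffic)."""
    header = bytes([2, 1, 6, 0]) + bytes(232)         # 236-byte fixed BOOTP header
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + socket.inet_aton(server)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(map(socket.inet_aton, dns))
    return header + MAGIC_COOKIE + opts + b"\xff"
```

On managed switches, DHCP snooping enforces the same allowlist at Layer 2 by dropping server replies that arrive on untrusted ports.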
Please contact us if you have any comments or would like to add to this diary entry.
A reader wrote in "PiXiE uses Wake-On-LAN to turn on machines after they power down, then feeds them a rootkit over BOOTP when they try to network boot (many systems automatically try network boot when woken-on-LAN)." A presentation can be found here: PiXiE: A Self-Propagating Network Boot Virus for Windows
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.