Countermeasures to DHCP Starvation Attacks
The solution to the first type of DHCP attack (DoS by grabbing the entire available range of addresses) depends on the hacker's knowledge of the protocol. By default, DHCP starvation tools use a random source MAC address every time they request a new IP address from the DHCP server (one new MAC per DHCPDISCOVER). Identifying this type of attack is straightforward: a sudden increase in the number of dynamically learned MAC addresses from a given LAN port is a clear indication. Under normal circumstances, there should be no more than one or two MAC addresses dynamically learned per LAN port.

When using IP telephony solutions, it's possible to see up to three addresses for a short duration. For example, when a Cisco IP phone is plugged into a port and a host (a PC or laptop) is directly connected to the phone, up to three MAC addresses can appear on the port. The phone's MAC address appears briefly in the data VLAN so that the switch and the phone can exchange Cisco Discovery Protocol (CDP) packets. The IP phone and switch use CDP for automatic voice and data VLAN assignment. After the VLAN assignment is complete, the phone's MAC address appears in the voice VLAN. The host's MAC address pops up in the data VLAN.
94 Chapter 5: Leveraging DHCP Weaknesses
If you see an unusual number of addresses on a port, you're probably under attack (either a plain MAC-address flood or a DHCP starvation attack). Fortunately, the countermeasure, known as port security, is simple and efficient.
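The detection heuristic described above (count the dynamically learned MAC addresses per port and treat anything beyond a phone plus a host as suspicious) can be scripted against a switch's MAC table. The following is an added example, not code from the book or from Cisco: it parses text in the layout of a Cisco IOS `show mac address-table dynamic` listing (the sample lines are constructed for this example, and the port and MAC values are invented) and flags ports that exceed the three-address allowance the text gives for an IP phone with a directly attached PC.

```python
"""Flag LAN ports whose number of dynamically learned MAC addresses exceeds
what a single host, or an IP phone plus a host, would normally produce."""
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco IOS "show mac address-table dynamic"
# listing (VLAN, MAC, type, port). Gi1/0/1 carries a phone (voice VLAN 100) plus a PC
# (data VLAN 10), Gi1/0/2 a single host, and Gi1/0/3 shows the signature described in
# the text: many freshly learned source MACs behind one port.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
 100    0011.2233.4456    DYNAMIC     Gi1/0/1
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/2
  10    3a1f.0000.0001    DYNAMIC     Gi1/0/3
  10    3a1f.0000.0002    DYNAMIC     Gi1/0/3
  10    3a1f.0000.0003    DYNAMIC     Gi1/0/3
  10    3a1f.0000.0004    DYNAMIC     Gi1/0/3
  10    3a1f.0000.0005    DYNAMIC     Gi1/0/3
  10    3a1f.0000.0006    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 9
"""

# One table row: VLAN id, dotted-quad MAC (Cisco notation), entry type, port name.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set of MAC addresses} for DYNAMIC entries only.

    Static entries are ignored because starvation tools produce dynamically
    learned addresses; header, separator and summary lines do not match ROW_RE.
    """
    per_port = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("kind").upper() == "DYNAMIC":
            per_port[m.group("port")].add(m.group("mac").lower())
    return dict(per_port)


def suspicious_ports(per_port, max_expected=3):
    """Ports learning more MACs than a phone-plus-host setup would explain.

    max_expected=3 matches the allowance in the text (phone briefly in the data
    VLAN, phone in the voice VLAN, host in the data VLAN); use 1 on ports where
    no IP phone is expected.
    """
    return sorted(port for port, macs in per_port.items() if len(macs) > max_expected)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, macs in sorted(table.items()):
        print(f"{port}: {len(macs)} dynamic MAC(s)")
    print("suspicious:", suspicious_ports(table))
```

Running this over a live switch would mean feeding it the real `show mac address-table dynamic` output and, ideally, comparing successive snapshots so that the *rate* of newly learned addresses per port is visible, since a sudden jump is the indicator the text describes. The same per-port limit is what port security enforces on the switch itself.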