DHCP Security Analysis
Dallas Holmes / Matt MacClary
ECE 478 Project
Spring 2003

What is DHCP?
• Dynamic Host Configuration Protocol
• UDP protocol for IP
• Discovery Based
• Ratified by the IETF in 1997
• Used on most networks
• OSU utilizes DHCP heavily

Why use DHCP?
• Simple host configuration
• “Plug and Surf”
• Centralized address accounting
• Distribution of vital host information
  – Hostname, DNS, WINS, Gateway, etc.

3 Significant Problems
1. Discovery based
  – Any host can respond to query
2. No server authentication
  – client trusts any server that responds
3. No client authentication
  – server may assign an address to any client

Problem 1: Anybody can answer
• Anybody?
  – An attacker could place a “rogue” server
  – Authoritative (legitimate) server.
• Who will the client listen to?
  – Logically “closest” server
    • fastest CPU, fastest network, lowest load
    • Server with free leases

Changing “logically closest”
• Load the authoritative DHCP server
• Take all the leases away
• Load the network segment

How much does it take?

Problem 2: Server Authentication
• Client must trust what the server sends
• Server can send fake DNS servers
  – client may be shown a misleading resource
  – client may be denied access to a resource
• Server can send invalid gateway address
  – Attacker could redirect switched traffic
  – Loss of privacy

Which is Real?
[Figure: Real Login Screen / Fake Login Screen]

Problem 3: Host Authentication
• Any client may join network
  – Simply plug in and server assigns address
  – Some networks configure network trust (MAC)
• Client may gain access to network shares
• Client may abuse network
  – Start a rogue DHCP server
  – Generate heavy traffic or attack other networks

Solution
• SSL Style Public 3rd Party Certificate Authority
  – Two-way authentication
    • Server Certificate
    • Client Certificate
  – Requires changes to DHCP server and client
• Slow to implement and gain acceptance
• Expensive
  – Certificates cost money
  – Changing server configurations costs money
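
Problems 1 and 2 can be watched for from the network side even without the certificate scheme proposed under Solution. The following is an added example, not part of the original slides: it parses the options of a DHCP reply and flags a server identifier, router or DNS server that the site does not expect. The function names, the `POLICY` addresses (taken from the 192.0.2.0/24 documentation range) and the sample reply are assumptions constructed for the demo.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 (message type) values sent by servers

def parse_options(payload):
    """Return {option_code: raw_bytes} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ips(raw):  # split an option value into dotted-quad IPv4 strings
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def audit_reply(payload, policy):
    """List policy violations in a server reply; client messages are ignored."""
    opts = parse_options(payload)
    if (opts.get(53) or b"\x00")[0] not in (OFFER, ACK):
        return []
    findings = []
    if not set(ips(opts.get(54, b""))) & policy["servers"]:   # server identifier
        findings.append("unknown-server")
    if not set(ips(opts.get(3, b""))) <= policy["routers"]:   # default gateway
        findings.append("unexpected-router")
    if not set(ips(opts.get(6, b""))) <= policy["dns"]:       # DNS servers
        findings.append("unexpected-dns")
    return findings

def build_reply(msg_type, server, router, dns):
    """Constructed sample reply for the demo, not a capture."""
    addrs = [(54, server), (3, router), (6, dns)]
    fields = [(53, bytes([msg_type]))] + [(c, socket.inet_aton(a)) for c, a in addrs]
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + bytes(224)
    return header + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in fields) + b"\xff"

# Assumed site policy: what the authoritative server is known to hand out.
POLICY = {"servers": {"192.0.2.1"}, "routers": {"192.0.2.1"}, "dns": {"192.0.2.53"}}
if __name__ == "__main__":
    print(audit_reply(build_reply(OFFER, "192.0.2.66", "192.0.2.66", "192.0.2.66"), POLICY))
```

A monitor of this kind only reports that an unexpected server answered; the client still has no way to authenticate the reply, which is the gap the certificate proposal addresses.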