DHCP Starvation Attack and its Detection
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Contents
- Dynamic Host Configuration Protocol (DHCP) attacks
- Exploiting client-side and server-side IP conflict detection
- Proposed technique to detect these attacks
Exchange of Messages
1. Client broadcasts a DHCPDISCOVER message (initialization begins).
2. Server unicasts a DHCPOFFER message to offer an IP address to the client (server determines configuration).
3. Client broadcasts a DHCPREQUEST message to accept the offered IP (client selects configuration).
4. Server unicasts a DHCPACK message to supply additional network configuration information to the client (server commits configuration; initialization complete).
Few Other Messages
- DHCPNAK
- DHCPDECLINE
- DHCPRELEASE
- DHCPINFORM
Message Structure
[Figure: common message format for all DHCP messages]
Normal DHCP Operation
Topology used in the following slides: DHCP Server 18:03:73:b2:46:c6 (10.200.1.1); DHCP Client 18:03:73:a1:b2:c3 (no address yet); Other Client 18:03:73:a1:b2:c4 (10.200.1.2); Other Client 18:03:73:a1:b2:c5 (10.200.1.3).

Step 1. Client: "I am new to this network, so I should broadcast a DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255, chaddr=18:03:73:a1:b2:c3

Step 2. Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer 10.200.1.4 by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP=10.200.1.1, DstIP=10.200.1.4, yiaddr=10.200.1.4, siaddr=10.200.1.1, chaddr=18:03:73:a1:b2:c3
Pool status:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5

Step 3. Client: "I have been offered an IP address. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255, siaddr=10.200.1.1, chaddr=18:03:73:a1:b2:c3, DHCP option 50 (requested IP address): 10.200.1.4

Step 4. Server: "I received a DHCPREQUEST message for 10.200.1.4. Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP=10.200.1.1, DstIP=10.200.1.4, yiaddr=10.200.1.4, siaddr=10.200.1.1, chaddr=18:03:73:a1:b2:c3
Pool status after the ACK:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   18:03:73:a1:b2:c3

Step 5. Client: "I received the DHCPACK message. Now I can use 10.200.1.4 as my IP address."
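The "Message Structure" slide names the common message format but the figure itself is not reproduced here. As an added example that is not part of the slide deck, the following Python decodes that format as laid out in RFC 2131 (the 236-byte fixed header, the magic cookie and the TLV option area) and extracts the fields the walkthrough above relies on: the message type from option 53, yiaddr, siaddr, chaddr and the requested address from option 50. The DISCOVER/OFFER/REQUEST/ACK samples are constructed in the script from the addresses on the slides; they are not captured traffic, and the build_dhcp helper exists only to produce them.

```python
import struct
from ipaddress import IPv4Address

# Fixed-length part of every DHCP message (RFC 2131 section 2), 236 bytes:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr (16), sname (64), file (128); then the magic cookie and the options.
FIXED_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}  # option 53 values
OPT_PAD, OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 53, 54, 255


def parse_options(raw):
    """Walk the TLV option area; skip padding, stop at END, reject truncation."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return options


def parse_dhcp(payload):
    """Decode a UDP payload carrying a DHCP message into a dict of its key fields."""
    if len(payload) < FIXED_HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("payload shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = FIXED_HEADER.unpack_from(payload)
    cookie_end = FIXED_HEADER.size + len(MAGIC_COOKIE)
    if payload[FIXED_HEADER.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = parse_options(payload[cookie_end:])
    mtype = options.get(OPT_MESSAGE_TYPE)
    req = options.get(OPT_REQUESTED_IP)
    sid = options.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "broadcast_flag": bool(flags & 0x8000),
        "message_type": MESSAGE_TYPES.get(mtype[0]) if mtype else None,
        "ciaddr": str(IPv4Address(ciaddr)),
        "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "requested_ip": str(IPv4Address(req)) if req and len(req) == 4 else None,
        "server_id": str(IPv4Address(sid)) if sid and len(sid) == 4 else None,
    }


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0",
               xid=0x3903F326, extra_options=()):
    """Assemble a DHCP message; used here only to construct the sample input."""
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    header = FIXED_HEADER.pack(op, 1, 6, 0, xid, 0, 0,
                               IPv4Address("0.0.0.0").packed, IPv4Address(yiaddr).packed,
                               IPv4Address(siaddr).packed, IPv4Address("0.0.0.0").packed,
                               mac, b"\x00" * 64, b"\x00" * 128)
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    for code, data in extra_options:
        options += bytes([code, len(data)]) + data
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed sample messages mirroring the slides' exchange (not captured traffic).
CLIENT_MAC, SERVER_IP, OFFERED_IP = "18:03:73:a1:b2:c3", "10.200.1.1", "10.200.1.4"
SAMPLE_DISCOVER = build_dhcp(BOOTREQUEST, 1, CLIENT_MAC)
SAMPLE_OFFER = build_dhcp(BOOTREPLY, 2, CLIENT_MAC, yiaddr=OFFERED_IP, siaddr=SERVER_IP)
SAMPLE_REQUEST = build_dhcp(BOOTREQUEST, 3, CLIENT_MAC, siaddr=SERVER_IP, extra_options=[
    (OPT_REQUESTED_IP, IPv4Address(OFFERED_IP).packed),
    (OPT_SERVER_ID, IPv4Address(SERVER_IP).packed)])
SAMPLE_ACK = build_dhcp(BOOTREPLY, 5, CLIENT_MAC, yiaddr=OFFERED_IP, siaddr=SERVER_IP)

if __name__ == "__main__":
    for name, msg in [("DISCOVER", SAMPLE_DISCOVER), ("OFFER", SAMPLE_OFFER),
                      ("REQUEST", SAMPLE_REQUEST), ("ACK", SAMPLE_ACK)]:
        fields = parse_dhcp(msg)
        print(name, fields["message_type"], fields["chaddr"], fields["yiaddr"],
              fields["siaddr"], fields["requested_ip"])
```

Run it directly to print the decoded fields of the four sample messages. The option walker rejects a truncated option instead of reading past the end of the buffer, which matters when a decoder like this sits in a monitoring path that is fed packets from any host on the LAN.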
Classical DHCP Starvation Attack

In this scenario the host 18:03:73:a1:b2:c3, now holding 10.200.1.4, is the malicious client; the server and the other two clients are unchanged.

Step 1. Malicious client: "To launch the attack, I should broadcast multiple DHCPDISCOVER messages using spoofed random MAC addresses."
DHCPDISCOVER (Broadcast): SrcMAC=aa:aa:aa:aa:aa:aa, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 2. Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer 10.200.1.5 by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=aa:aa:aa:aa:aa:aa, SrcIP=10.200.1.1, DstIP=10.200.1.5
Pool status:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   18:03:73:a1:b2:c3

Step 3. Malicious client: "One IP address is offered for aa:aa:aa:aa:aa:aa. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=aa:aa:aa:aa:aa:aa, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 4. Server: "I received a DHCPREQUEST message for 10.200.1.5. Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=aa:aa:aa:aa:aa:aa, SrcIP=10.200.1.1, DstIP=10.200.1.5
Pool status after the ACK:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   18:03:73:a1:b2:c3
  10.200.1.5   aa:aa:aa:aa:aa:aa
Exploiting DHCP Client-side IP Address Conflict Detection: An Induced DHCP Starvation Attack

In this scenario the host 18:03:73:a1:b2:c5 (10.200.1.3) is the malicious client; the joining DHCP client is 18:03:73:a1:b2:c3, the other client is 18:03:73:a1:b2:c4 (10.200.1.2) and the server is 18:03:73:b2:46:c6 (10.200.1.1).

Step 1. Client: "I am new to this network, so I should broadcast a DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 2. Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer 10.200.1.4 by unicasting a DHCPOFFER message back to the client."
DHCPOFFER (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP=10.200.1.1, DstIP=10.200.1.4
Pool status:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5

Step 3. Client: "I have been offered an IP address. Now I should broadcast a DHCPREQUEST message for the offered IP."
DHCPREQUEST (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 4. Server: "I received a DHCPREQUEST message for 10.200.1.4. Let me unicast a DHCPACK message back to the client."
DHCPACK (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c3, SrcIP=10.200.1.1, DstIP=10.200.1.4
Pool status after the ACK:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   18:03:73:a1:b2:c3

Step 5. Client: "I received the DHCPACK message. Now I should check whether the allotted IP address is already in use."
ARP Request (Broadcast): Who has IP 10.200.1.4? Tell your MAC address.

Step 6. Malicious client (10.200.1.3) replies to the probe.
ARP Reply (Unicast): I have IP 10.200.1.4. My MAC is 18:03:73:a1:b2:c5.

Step 7. Client: "Someone is already using 10.200.1.4. I must broadcast a DHCPDECLINE message to refuse the allotted IP address."
DHCPDECLINE (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 8. Server: "DHCPDECLINE message received for 10.200.1.4. I must mark this IP address as unavailable for the lease time."
Pool status after the DECLINE:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   Not available
Exploiting DHCP Server-side IP Address Conflict Detection: A DHCP Starvation Attack

Same topology as in the induced attack: the malicious client is 18:03:73:a1:b2:c5 (10.200.1.3), the joining DHCP client is 18:03:73:a1:b2:c3, the other client is 18:03:73:a1:b2:c4 (10.200.1.2) and the server is 18:03:73:b2:46:c6 (10.200.1.1).

Step 1. Client: "I should broadcast a DHCPDISCOVER message to get an IP address."
DHCPDISCOVER (Broadcast): SrcMAC=18:03:73:a1:b2:c3, DstMAC=ff:ff:ff:ff:ff:ff, SrcIP=0.0.0.0, DstIP=255.255.255.255

Step 2. Server: "I received a DHCPDISCOVER message. Let me check the pool for available IP addresses. I am going to offer 10.200.1.4, but before offering it, let me check if any other client is already using this IP address."
ARP Request (Broadcast): Who has IP 10.200.1.4? Tell your MAC address.
Pool status:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5

Step 3. Malicious client (10.200.1.3) replies to the server's probe.
ARP Reply (Unicast): I have IP 10.200.1.4. My MAC is 18:03:73:a1:b2:c5.

Step 4. Server probes the address once more.
ICMP Ping Request (Unicast): SrcMAC=18:03:73:b2:46:c6, DstMAC=18:03:73:a1:b2:c5, SrcIP=10.200.1.1, DstIP=10.200.1.4

Step 5. Malicious client answers the ping.
ICMP Ping Reply (Unicast): SrcMAC=18:03:73:a1:b2:c5, DstMAC=18:03:73:b2:46:c6, SrcIP=10.200.1.4, DstIP=10.200.1.1

Step 6. Server: "ICMP Ping Reply received. The IP address 10.200.1.4 is already in use. I must mark this IP address as unavailable for the lease time."
Pool status after the probe:
  IP Address   MAC address
  10.200.1.2   18:03:73:a1:b2:c4
  10.200.1.3   18:03:73:a1:b2:c5
  10.200.1.4   Not available
Related Work
Existing methods can be categorized into two categories:
- Cryptographic techniques, such as [1]
  - Rarely deployed due to high implementation cost.
  - Require intervention of network administrators.
  - Not feasible for highly dynamic networks.
- Non-cryptographic techniques
  - Security features in switches [2]: Port Security, DHCP Snooping and Dynamic ARP Inspection (DAI).
  - Using the DHCP Relay Agent Information Option [3].
  - Monitoring the DHCP request traffic rate [4].
  - Fair allocation based mitigation technique [5].

References
[1] D. Dinu, M. Togan: DHCP Server Authentication using Digital Certificates. In: International Conference on Communications (ICC), pp. 1-6, 2014.
[2] Configuring DHCP. http://www.cisco.com/switches/catalyst6500/ios/122SX/configuration/guide/book/snoodhcp.html
[3] M. Patrick. DHCP Relay Agent Information Option. RFC 3046, 2001.
[4] T. O'Connor: Detecting and Responding to Data Link Layer Attacks. http://www.sans.org/readingroom/whitepapers/intrusion/detecting-responding-data-link-layer-attacks-33513
[5] H. Mukhtar, K. Salah, and Y. Iraqi. Mitigation of DHCP Starvation Attack. Computers and Electrical Engineering, 38(5):1115–1128, 2012.
Detection of Proposed Attacks using Hellinger Distance
Hellinger Distance (HD):
- A statistical abnormality measurement technique.
- Computes the distance between two probability distributions, P and Q.
- P and Q are N-dimensional vectors, and each vector component represents the probability of an attribute.
- HD is given by the equation on the slide; d_H always ranges from 0 to 1.
Detection using Hellinger Distance (contd.)
Reasons for choosing HD over other similar methods:
- Lightweight computation.
- Natural lower and upper bounds.
- Yields finite distance values.
Detection using Hellinger Distance (contd.)
- The normal behavior of DHCP operation is treated as a distribution comprised of various events.
- The DHCP messages DISCOVER, OFFER, REQUEST and ACK have a strong correlation between them; DECLINE does not follow this correlation.
- Reasons which may disturb this balance:
  - Presence of DECLINE messages during an induced DHCP starvation attack.
  - Absence of all messages but DISCOVER while an attack exploiting the server-side conflict detection scheme is launched.
- This change in the observed distribution can be used to detect the attacks.
Detection using Hellinger Distance (contd.)
Two phases of operation.
Training phase:
- Create a normal behavior profile of DHCP operation over a period of n observations. Each observation is of ∆T = 30 minutes.
- The generated profile contains 5 attributes: DISCOVER, OFFER, REQUEST, ACK and DECLINE.
- The probability of a particular message type, P_i, is estimated by the equation on the slide, where:
  N_i = number of events of type i during n*∆T
  N_total = total number of events of all types during n*∆T
Detection using Hellinger Distance (contd.)
Testing phase:
- After training, detect starvation attacks from the (n+1)th interval of duration ∆T onwards. Each observation is of ∆T = 30 minutes.
- Generate the probability distribution Q every ∆T using the previous equation.
- Q is then compared with P. If HD > δ (a predefined threshold), raise the alarm.
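The training and testing phases above, carried through as an added example that is not the author's implementation: the script pools n training intervals into the profile P using the ratio N_i / N_total that the slide's definitions of N_i and N_total imply, computes the standard Hellinger distance d_H(P,Q) = sqrt((1/2) * sum_i (sqrt(P_i) - sqrt(Q_i))^2), which lies in [0, 1], for each test interval Q, and raises an alarm when d_H > δ. The message counts, the two training days and the threshold δ = 0.1 are constructed assumptions, not the measured data from the slides. One edge case the slides do not discuss is handled explicitly: an interval with no DHCP traffic at all is reported as having no distance rather than as an alarm, because with Q all zero the distance would be 1/sqrt(2) whatever the profile.

```python
import math
from collections import Counter

# Attributes of the profile, as on the slides: the five DHCP message types tracked.
MESSAGE_TYPES = ("DISCOVER", "OFFER", "REQUEST", "ACK", "DECLINE")


def estimate_distribution(counts):
    """P_i = N_i / N_total over the tracked types; None when the interval is empty."""
    total = sum(counts.get(t, 0) for t in MESSAGE_TYPES)
    if total == 0:
        return None
    return {t: counts.get(t, 0) / total for t in MESSAGE_TYPES}


def hellinger_distance(p, q):
    """Standard Hellinger distance with the 1/sqrt(2) normalisation, so 0 <= d_H <= 1."""
    acc = sum((math.sqrt(p[t]) - math.sqrt(q[t])) ** 2 for t in MESSAGE_TYPES)
    return math.sqrt(acc / 2.0)


def train_profile(training_intervals):
    """Pool the n training intervals (each of length ΔT) into one count vector, then normalise."""
    pooled = Counter()
    for counts in training_intervals:
        pooled.update(counts)
    profile = estimate_distribution(pooled)
    if profile is None:
        raise ValueError("training data contains no DHCP messages")
    return profile


def evaluate_interval(profile, counts, delta):
    """Return (distance, alarm) for one test interval; an empty interval is skipped, not alarmed."""
    q = estimate_distribution(counts)
    if q is None:
        return None, False
    d = hellinger_distance(profile, q)
    return d, d > delta


# Constructed counts (assumed, not the slides' measured data): two training days in which
# each completed lease yields one DISCOVER, OFFER, REQUEST and ACK, and no DECLINE.
TRAINING = [
    {"DISCOVER": 48, "OFFER": 48, "REQUEST": 48, "ACK": 48},
    {"DISCOVER": 52, "OFFER": 52, "REQUEST": 52, "ACK": 52},
]
# Constructed test intervals of ΔT each, one per scenario described on the slides.
NORMAL_INTERVAL = {"DISCOVER": 10, "OFFER": 10, "REQUEST": 10, "ACK": 10}
INDUCED_ATTACK_INTERVAL = {"DISCOVER": 20, "OFFER": 20, "REQUEST": 20, "ACK": 20, "DECLINE": 20}
SERVER_SIDE_ATTACK_INTERVAL = {"DISCOVER": 50}
DELTA = 0.1  # assumed threshold; the slides only say δ is predefined


def run_demo(delta=DELTA):
    """Train on TRAINING and score each constructed interval; returns label -> (distance, alarm)."""
    profile = train_profile(TRAINING)
    scenarios = [("normal", NORMAL_INTERVAL), ("induced", INDUCED_ATTACK_INTERVAL),
                 ("server-side", SERVER_SIDE_ATTACK_INTERVAL), ("empty", {})]
    return {label: evaluate_interval(profile, counts, delta) for label, counts in scenarios}


if __name__ == "__main__":
    for label, (distance, alarm) in run_demo().items():
        shown = "n/a" if distance is None else f"{distance:.4f}"
        print(f"{label:12s} HD={shown}  alarm={alarm}")
```

With these inputs the normal interval scores 0, the induced-attack interval (DECLINE present) scores about 0.32, and the server-side interval (DISCOVER only) scores about 0.71, so both attacks cross δ while the normal interval does not. The threshold trades false alarms against sensitivity and should be set from the spread of d_H over normal intervals in the operator's own network, not copied from this demonstration.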
Experimental Evaluation
Training data collection: 2 days of normal DHCP traffic from a departmental network having 43 clients.
[Figure: probability distribution of training data]
Experimental Evaluation (contd.)
Testing data: one day of DHCP traffic for testing purposes.
[Figure: probability distribution generated from a normal testing interval]
[Figure: probability distribution generated from an induced-attack testing interval]
[Figure: probability distribution generated from a server-side exploitation based attack testing interval]
Detection of Normal and Starvation Scenarios
[Figure: detection of normal and starvation scenarios]