Fluke Networks’ AirMagnet Enterprise 9.0 is the only WIPS on the market to support an automated update capability for threat detection signatures, called Dynamic Threat Update (DTU). This allows every user’s system to be updated in the background to detect the newest WLAN security threats.
Via a new threat signature update, AirMagnet Enterprise now has the ability to detect DHCP Starvation attacks.
Stopping DHCP Starvation Attacks
Wired and wireless networks use the Dynamic Host Configuration Protocol (DHCP) as an on-demand way to allocate available IP addresses to clients. DHCP eliminates manual configuration while enabling shared use of a limited resource. Unfortunately, malicious clients can take advantage of DHCP to launch a denial of service (DoS) attack known as DHCP Starvation.
Using DHCP to DoS a network
Freely available point-and-shoot hacker tools such as Yersinia or Gobbler can easily launch a DHCP Starvation attack against any vulnerable network.
Consider a Wi-Fi hotspot that allocates IP addresses from the subnet 192.168.0.0/24. That hotspot can serve more than 250 users at once by assigning a unique address to each newly-connected DHCP client. These addresses are said to be leased because the network essentially loans IPs to clients, usually for a finite period – perhaps one hour or one day.
After every available IP address has been leased, the DHCP “pool” is exhausted. Even if other clients connect, they will be unable to lease an IP address and therefore cannot send TCP/IP traffic. The hotspot is therefore unavailable to new clients until existing leases expire or existing clients release their addresses. As long as the pool is large enough and each client takes just one address, DHCP works well.
Unfortunately, DHCP cannot stop a single hacker from consuming the entire pool. A hacker need only generate a large number of spoofed DHCP requests, each sourced from a different MAC address. Tools like Yersinia can easily generate and send hundreds of DHCP requests from random MAC addresses, thereby exhausting an address pool and starving legitimate clients.
Using authentication to stop DHCP Starvation attacks
Note that a client must connect to a network before it can send DHCP requests (legitimate or otherwise). One basic way of stopping DHCP Starvation attacks is therefore to prevent hackers from connecting. In a wireless network, this can be done by requiring robust authentication and encryption – specifically, WPA2-Enterprise (802.1X) or WPA2-Personal (PSK) with strong user credentials. Unless the hacker cracks the PSK or knows a user’s password, he will not have the crypto keys needed to send correctly formed DHCP requests containing random MAC addresses.
Unfortunately, this tactic cannot be applied to open or group shared key wireless networks, such as those used to carry guest Internet traffic or commercial Wi-Fi hotspot services. Even in a hotel or office that changes its guest PSK every day, the fact that every guest uses the same PSK leaves the network vulnerable to DHCP Starvation. Consequences can range from lost productivity for visitors and contractors who depend on the guest WLAN to lost revenue for a commercial hotspot provider.
Deterring DHCP Starvation in hotspots
Simply enlarging a hotspot’s address pool or shortening lease time cannot stop this attack; hackers can easily generate spoofed DHCP requests very quickly.
Rate-limiting the number of DHCP requests accepted from a specific switch port or AP can help. While dropping excess requests can slow a DHCP Starvation attack, this may have unintended side effects such as blocking legitimate users during busy periods. Also, dropping DHCP requests could give an attacker with a phony DHCP server a chance to respond to legitimate client requests, thereby maliciously redirecting traffic.
A more effective method can be to verify that the sending device’s MAC address matches the MAC address carried inside the DHCP request. For example, Ethernet switches may check for this when “DHCP snooping” is enabled. However, clients can still send spoofed DHCP requests that carry the same MAC address in both fields.
Ultimately, network operators should monitor the air for DHCP Starvation attacks. Only by reliably recognizing that an attack is underway can appropriate steps be taken. A Wireless IPS such as AirMagnet Enterprise can combine traffic analysis with spatial awareness to conclude that a hacker’s device is responsible for sending a large volume of spoofed DHCP requests. A WIPS can not only alert administrators to this kind of active DoS attack, but also map the hacker’s location to enable physical intervention.
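The two defensive checks discussed above, the DHCP-snooping style comparison of the Ethernet source MAC against the chaddr field, and counting how many distinct client MACs one AP or switch port produces within a short window, can be illustrated in a small monitor. The following Python is an added example written for this page; it is not AirMagnet’s, Fluke Networks’, or any vendor’s code. The frame builder, the `StarvationMonitor` class, the port names `ap1`/`ap2`, and the 10-second / 20-client threshold are all assumptions chosen for illustration, and every frame it inspects is constructed in the script rather than captured from a real network. The replay shows both cases the text describes: a burst whose chaddr values differ from the radio’s real MAC (caught by both checks) and a burst whose chaddr matches the source MAC (missed by the mismatch check, still caught by the per-port rate of distinct clients).

```python
"""Added example: a minimal DHCP request monitor for starvation indicators.
Not vendor code; names, thresholds and all sample frames are constructed."""
import struct
from collections import defaultdict, deque

DHCP_SERVER_PORT = 67
BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_discover(eth_src, chaddr, xid=0x1234):
    """Construct an Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame (sample data, not captured)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                        mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DHCP Message Type: DISCOVER, then End
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp      # 0.0.0.0 -> 255.255.255.255, proto 17 (UDP)
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + b"\x08\x00" + ip


def parse_dhcp_request(frame):
    """Return (eth_src, chaddr) as strings for a BOOTREQUEST sent to UDP/67, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    eth_src = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                                # not UDP
        return None
    udp = frame[14 + ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != BOOTREQUEST or bootp[236:240] != MAGIC_COOKIE:
        return None
    hlen = bootp[2]
    return mac_str(eth_src), mac_str(bootp[28:28 + hlen])   # chaddr starts at BOOTP offset 28


class StarvationMonitor:
    """Per-ingress-port tracking of DHCP requesters over a sliding time window (assumed design)."""

    def __init__(self, window_seconds=10.0, max_unique_clients=20):
        self.window = window_seconds
        self.limit = max_unique_clients
        self.seen = defaultdict(deque)   # port -> deque of (timestamp, chaddr)

    def observe(self, port, frame, now):
        """Inspect one frame; return a list of (kind, message) alerts, possibly empty."""
        parsed = parse_dhcp_request(frame)
        if parsed is None:
            return []
        eth_src, chaddr = parsed
        alerts = []
        # Check 1: the MAC inside the request should be the MAC that physically sent it.
        if eth_src != chaddr:
            alerts.append(("mac-mismatch", f"{port}: chaddr {chaddr} != source MAC {eth_src}"))
        # Check 2: too many distinct clients from one port/AP in a short window.
        q = self.seen[port]
        q.append((now, chaddr))
        while q and now - q[0][0] > self.window:
            q.popleft()
        unique = {m for _, m in q}
        if len(unique) > self.limit:
            alerts.append(("starvation", f"{port}: {len(unique)} distinct DHCP clients in {self.window}s"))
        return alerts


def demo():
    """Replay constructed traffic and return alert counts by kind."""
    mon = StarvationMonitor(window_seconds=10.0, max_unique_clients=20)
    counts = defaultdict(int)
    # Five legitimate clients on ap1, spread over 8 seconds, chaddr equal to source MAC.
    for i in range(5):
        mac = f"00:11:22:33:44:{i:02x}"
        for kind, _ in mon.observe("ap1", build_discover(mac, mac), now=i * 2.0):
            counts[kind] += 1
    # Burst A on ap1: one radio, 50 requests carrying different chaddr values (both checks fire).
    for i in range(50):
        frame = build_discover("de:ad:be:ef:00:01", f"02:00:00:00:00:{i:02x}")
        for kind, _ in mon.observe("ap1", frame, now=20.0 + i * 0.01):
            counts[kind] += 1
    # Burst B on ap2: 30 requests whose chaddr matches the spoofed source MAC (only the rate check fires).
    for i in range(30):
        mac = f"02:00:00:00:01:{i:02x}"
        for kind, _ in mon.observe("ap2", build_discover(mac, mac), now=40.0 + i * 0.01):
            counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, n in demo().items():
        print(f"{kind}: {n} alerts")
```

The window and threshold are deliberately exposed as parameters: a busy conference room can legitimately produce dozens of new DHCP clients in a few seconds, so values need tuning per site, and an alert should trigger investigation (or a WIPS location fix, as the article describes) rather than automatic blocking, which would recreate the side effects of blunt rate limiting mentioned above.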