How to destroy a router with DHCP Starvation

Today I’m going to show you something dangerous.

Really dangerous.

I once heard an alarming statistics that something like 90% of US based companies aren’t running port-security.

Why does this matter?

Well, today I’m going to show you how to launch a DHCP starvation attack that will literally bring a Cisco router or switch to it’s knees.

  • I’ll exhaust all the usable IP addresses on the subnet which prevents anyone from using the network
  • I’ll completely disable the management plane so IT admins can’t console or SSH into the beleaguered device
  • I won’t take the next step, but the next logical step would be to insert myself as a rogue DHCP server which would allow me to covertly capture and steal all data on the local subnet.

Yeah, this is bad.  And the sad part is that it can prevented with one little Cisco command.  Unfortunately, most organizations continue to ignore it and that’s why this is dangerous.

Going back to Kali

We’re going to use Kali Linux with Yersinia to launch a DHCP starvation attack on a Cisco router running as a DHCP server.  I strongly suggest that you read my three part series on installing Kali Linux before you get started.  I also suggest you check out the article I wrote on how DHCP works.  Once you’ve got those things under your belt we can focus on committing network fracas.

Let the fracas begin

So I went ahead and setup a DHCP server on my router.  Let’s take a look a few things first.

Let’s look at all the hosts that are currently leasing IP addresses from our server.

sho ip dhcp bind

Show IP DHCP binding

Now on a real network you would see dozens of MAC-to-IP bindings; however, I’ve got this thing going in my lab so the only binding present is the IP address of my Kali Linux machine.

Let’s look at few more things here:

sho ip dhcp server statistics

This is a great command to quickly assess the health of your DHCP router.  The relevant values for us are:

  • Memory Usage
  • DHCPDISCOVER
  • DHCPOFFER

Show IP DHCP server statistics

How Yersinia works

The reason I point out those three values is because the DHCP starvation attack will inundate the router with hundreds of thousands of DHCPOFFER frames which contain unique spoofed MAC addresses.  Yersinia floods the router with more DHCPDISCOVERs than it can handle.  We effecitlye launch a denial of service (DoS) attack against the router.  The server faithfully tries to reply with a DHCPOFFER; however, given the voluminous number of DHCPOFFER frames the entire DHCP scope is exhausted and all useable IP addresses on the subnet will be consumed by fake devices using bogus MAC addresses.

How sinister.

This is actually a cruel attack because it’s so crude and damaging.  It’s so easy to do this.  A DHCP starvation attack is an egregious attack because you don’t even need to know anything about networking to do it.

Before we get started let me show you one more thing:

sho ip dhcp pool

This command shows us the DHCP pool of addresses available for lease.

show ip DHCP poolYou can see the Total addresses attribute is set to 254.  This means all we really need to do is flood the server with one more than the maximum; however, as you’re about to see, I’m about to destroy the server with thousands of frames.

It’s about to get ugly.

Launching the DHCP Starvation Attack

Back in Kali Linux, we’re going to use Yersinia to digitally bomb the router.

Let’s see what we can do here…

Okay the usage line says we can type yersinia -G to launch the program in Graphical mode.  Let’s do that.

Yersinia

When the GUI opens we instantly see a bunch of statistics in the left pane for the Cisco Discovery Protocol (CDP), 802.1Q (Trunking) and a bunch of others.

Click the DHCP tab then choose Launch attack in the upper left corner.

DHCP Starvation in Yersinia

Select sending DISCOVER packet, click OK, and take a nap.  The router will be offline in a few seconds.

DHCP packets in Kali

It’s really that easy to destroy the local subnet.

I mean, look back in the left pane!

It’s only been running for 10 seconds and I’ve already swamped the feeble address space with over 180,000 spoofed DHCP Discover frames!

DHCP starvation working

The poor router can barely keep up.

Let’s see the DHCP bindings again

show ip dhcp bind

DHCP address binding is crazy

Is this nuts or what?

You can see the entire address space is consumed.  Yersinia poured tens of thousands of bogus frames into the server and completely exhausted the DHCP pool.

Now if someone tries to uses the network it will fail.  No one will be able to use browse the internet, access corporate databases or exchange email because there are no unassigned IP addresses to dish out.

Furthermore, the management plane is completely destroyed.  That is, our ability to login and manage the router is gone.

A few seconds later, I tried to type the show ip dhcp bind command but the router was completely locked up.  After a minute, it returned by the database is destroyed.

Neither show ip dhcp bind nor show ip dhcp server stat do anything.  The router is so busy drowning in the packet deluge that it can’t even execute our basic commands to show the memory usage.

DOSd my box

The Bottom Line

switchport mode port-security

Switchport Port Security

Seriously that’s the bottom line.  This one command will instantly limit the maximum number of MAC addresses on a switchport (or range of switchports) to 1.

Think about it.

Yersinia is effective because it sends thousands of fake MAC addresses through a single switchport but why do we ever need to allow more than one MAC address on a switchport?

I can think of a few exceptions:

  • Your IT staff is testing something in a lab.  Perhaps they have multiple virtual machines that need to communicate on the internet through the switchport.  Each VM would have its own MAC address so you might need to lift the 1 MAC address limit for your team.
  • If you have a legacy network connected through a hub you might need to lift the MAC limit to the number of hosts on that collision domain.  So if you have 5 hosts plugged into that hub you might want to change the MAC limit to 5.
  • Or maybe you have computers plugged into VoIP phones and you need to permit the MAC addresses of the workstation and VoIP phones.  You could change the limit to 2.  if you have VoIP in your network this could cause it to go down so you can change it accordingly:
switchport port-security maximum 5

There’s often no tangible reason why a switchport should ever allow more than one MAC address on a swichport.

If someone tried to launch Yersinia on a port-security enabled switch, it would immediately put the port in a secure-shutdown state.  The port would imdiately turn off which protects the switch and alerts you that some buttmunch on your network is trying to take you down.

If you learned something new hit me up in the comments. Don’t let it happen to you.

About

Connect with Vonnie on Twitter

Posted in Linux, Mac OS X 10.10 Yosemite, Mac OS X 10.8 Mountain Lion, Mac OS X 10.9 Mavericks, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP Tagged with: , , , ,
  • Tommy Lifeson

    How did you access the router, via the WAN, DMZ, WLAN, or LAN?

  • Jeff Jefferson

    Hey Vonnie, why didn’t you use the yersinia command line?