Operating Systems & Network Security Dr. Carl Pulley
[email protected] Thursday, 5 November 2009
DHCP
Dynamic Host Configuration Protocol
- transport layer protocol: UDP packets
  - client port is bootpc/68; server port is bootps/67
- DHCP clients use the protocol so that they can operate on an IP network
- devices can be added to a network with little or no administration

- RFC 1541 defines DHCP
- DHCP is an extension of the BOOTP protocol. As a result, all DHCP packets generated in scapy will have the form:
  Ether(..)/IP(..)/UDP(..)/BOOTP(..)/DHCP(..)

DHCP
- DHCP clients send a DHCP Discover when they first join a network
- the DHCP server manages a pool of IP addresses along with options, for example:
  - default gateway address
  - domain name
  - DNS settings
- address allocation follows a Discover, Offer, Request, Acknowledgement pattern

DHCPDiscover
- client sends out broadcasts and attempts to locate a DHCP server
- client can suggest an IP address (eg. their last allocated one) they'd like to use
  - if the address is still free, it might be allocated to the client
  - an authoritative server refuses the request; the client immediately asks for a new address
  - otherwise the server ignores the request; a timeout by the client, followed by a request for a new address, results
from scapy.all import Ether, IP, UDP, BOOTP, DHCP, mac2str

def dhcp_discover(client_mac):
    # Client has no address yet: source 0.0.0.0, link-layer and IP-layer broadcast
    return Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/ \
           UDP(sport=68, dport=67)/BOOTP(chaddr=mac2str(client_mac))/ \
           DHCP(options=[("message-type", "discover"), "end"])
DHCPOffer
- DHCP Offer is sent out to the client when the server receives a request
- the offer contains an IP address that the DHCP server has reserved for the client
- the returned offer is based on the chaddr field (client hardware address) of the discovery request
- the yiaddr field (your IP address) of the offer contains the IP address that the server offers
def dhcp_offer(client_mac, client_ip, server_mac, server_ip):
    # op=2 marks a BOOTREPLY; chaddr echoes the client's MAC (as the slide above says),
    # yiaddr carries the address being offered
    return Ether(src=server_mac, dst=client_mac)/IP(src=server_ip, dst=client_ip)/ \
           UDP(sport="bootps", dport="bootpc")/ \
           BOOTP(op=2, chaddr=mac2str(client_mac), yiaddr=client_ip)/ \
           DHCP(options=[("message-type", "offer"), ("subnet_mask", "255.255.255.0"),
                         ("renewal_time", 1800), ("rebinding_time", 3150), ("lease_time", 3600),
                         ("server_id", server_ip), "end"])
DHCPRequest
- DHCP client can receive offers from multiple servers; only one is accepted
  - the XID ties requests/responses together (used by client and server)
  - a server can infer offer rejection here
- DHCP Request is broadcast with:
  - server ID
  - client's desired configuration parameters
def dhcp_request(client_mac, client_ip, server_ip):
    # Broadcast so every server that made an offer sees which server_id was chosen
    return Ether(dst="ff:ff:ff:ff:ff:ff")/IP(src="0.0.0.0", dst="255.255.255.255")/ \
           UDP(sport="bootpc", dport="bootps")/BOOTP(chaddr=mac2str(client_mac))/ \
           DHCP(options=[("message-type", "request"), ("client_id", mac2str(client_mac)),
                         ("requested_addr", client_ip), ("server_id", server_ip), "end"])
DHCPAck
- DHCP Ack is returned to the client after the server receives a DHCP Request from them
- lease duration is included with the acknowledgement, along with the offer's data:
  - yiaddr (client IP address)
  - server ID (server IP address)
- expectation is that the client will use the offer to configure their network settings
- DHCPNAK is sent to the client if the server can't honour the requested offer.

def dhcp_ack(client_mac, client_ip, server_mac, server_ip):
    # Same shape as the offer: a BOOTREPLY (op=2) addressed to the client, confirming yiaddr
    return Ether(src=server_mac)/IP(src=server_ip, dst=client_ip)/ \
           UDP(sport="bootps", dport="bootpc")/ \
           BOOTP(op=2, chaddr=mac2str(client_mac), yiaddr=client_ip)/ \
           DHCP(options=[("message-type", "ack"), ("subnet_mask", "255.255.255.0"),
                         ("renewal_time", 1800), ("rebinding_time", 3150), ("lease_time", 3600),
                         ("server_id", server_ip), "end"])
Address Allocation
4 modes for allocating IP addresses:
- dynamic: lease address to client
- automatic: permanent allocation
- static: MAC address determines allocation
- manual: client specifies the address they wish to use

Dynamic Allocation
- DHCP server has a pool of IP addresses it may allocate
- client requests an IP address; server grants an IP address
- IP address allocation is for a time period (ie. a lease)
- request-grant process allows expired IP addresses to be reused

Automatic Allocation
- essentially, this is dynamic allocation
- except that IP addresses are assigned preferentially, ie. if you've had the address before, attempts are made to reallocate that address to you

Static Allocation
- DHCP server maintains a table of MAC and IP addresses
- MAC address is used to influence the IP address allocated to a client
- MAC/IP address table is configured by the network administrator

DHCPRelease
- DHCP client can release its address at any time during its lease
- DHCP Release achieves this:
  - ipconfig /release (Windows)
  - dhclient -r (*nix)
- since a client can just unplug from the network, the DHCP protocol doesn't insist on such release requests
On Linux, current leases that a DHCP server has assigned can be viewed in /var/lib/dhcpd/eth0.dhcp.leases. For a DHCP client, the offers from a DHCP server can be found in /var/lib/dhcp/dhclient.leases.
Rogue DHCP Servers
- a DHCP server that's not under the administrative control of network staff
- can use rogue servers for man-in-the-middle (MITM) attacks - see practicals
- no protection against rogue DHCP servers!
- IDS and switches:
  - can stop these attacks by dropping the packets
  - can detect their presence (see practicals)
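As an added example (not from the slides, and using only the Python standard library rather than scapy), here is a minimal encoder/decoder for the BOOTP/DHCP wire format that the scapy builders above generate, plus a defender-side check that lists the server IDs seen in offers/acks that are not on an administrator-supplied list of known DHCP servers. All MACs, addresses and the allowlist are constructed values.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie: where BOOTP vendor data becomes DHCP options
MSG_TYPES = {1: "discover", 2: "offer", 3: "request", 5: "ack", 6: "nak", 7: "release"}
OPT = {"subnet_mask": 1, "requested_addr": 50, "lease_time": 51, "message-type": 53,  # RFC 2132 codes
       "server_id": 54, "renewal_time": 58, "rebinding_time": 59, "client_id": 61}
IP_OPTS = {1: "subnet_mask", 50: "requested_addr", 54: "server_id"}
INT_OPTS = {51: "lease_time", 58: "renewal_time", 59: "rebinding_time"}

def encode_option(name, value):  # code | length | value, from the slides' (name, value) tuples
    if name == "message-type":
        body = bytes([{v: k for k, v in MSG_TYPES.items()}[value]])
    elif isinstance(value, int):
        body = struct.pack("!I", value)            # lease/renewal/rebinding times: 32-bit seconds
    elif isinstance(value, str):
        body = IPv4Address(value).packed           # dotted quad -> 4 bytes
    else:
        body = bytes(value)                        # e.g. client_id as raw MAC bytes
    return bytes([OPT[name], len(body)]) + body

def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """BOOTP fixed header (op=1 BOOTREQUEST / op=2 BOOTREPLY) + magic cookie + options + end."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype=ethernet, hlen=6, broadcast flag
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed + b"\0" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\0") + b"\0" * 192                   # chaddr(16) + sname(64) + file(128)
    return hdr + MAGIC + b"".join(encode_option(n, v) for n, v in options) + b"\xff"

def parse_dhcp(pkt):
    """Pull out the fields the slides key on: op, xid, chaddr, yiaddr and the DHCP options."""
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC:
        raise ValueError("BOOTP packet without DHCP magic cookie")
    yiaddr = str(IPv4Address(pkt[16:20]))
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:                      # walk TLVs until the 'end' option
        code, ln = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + ln]
        if code == 53:
            opts["message-type"] = MSG_TYPES.get(val[0], val[0])
        elif code in IP_OPTS:
            opts[IP_OPTS[code]] = str(IPv4Address(val))
        elif code in INT_OPTS:
            opts[INT_OPTS[code]] = struct.unpack("!I", val)[0]
        i += 2 + ln
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr, "options": opts}

def rogue_servers(replies, allowed):  # server IDs in offers/acks that are not known DHCP servers
    return sorted({p["options"]["server_id"] for p in map(parse_dhcp, replies)
                   if p["op"] == 2 and p["options"].get("message-type") in ("offer", "ack")
                   and "server_id" in p["options"] and p["options"]["server_id"] not in allowed})
```

Feeding captured offer/ack payloads (the UDP data, not the Ethernet/IP headers) to rogue_servers with the site's real server list is the detection the "see practicals" bullet refers to; a reply with no server_id is not reported by this check.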