>> If a DHCP server has a finite amount of host addresses to lease to clients, what happens when that number is reached, and a new client sends a DHCP discover broadcast? That client is out of luck. The server has no more addresses to give out. Normally, the way IP networks are designed and provisioned, this shouldn't be an issue.

Enter the hacker who sends an overwhelming amount of DHCP discovers with random spoofed MAC addresses. The DORA process will complete for all of those spoofed MAC addresses, and the DHCP server will be fresh out of IP addresses to lease to legitimate clients. That's a denial of service attack. This is known as a DHCP starvation attack, because there are no more IP addresses for clients to eat. Tools like Gobbler, Yersinia, and Metasploit automate DHCP starvation attacks.

Besides a denial of service attack, a DHCP starvation attack can be used in tandem with a rogue DHCP server. Deplete the corporate DHCP server's IP address pool, and clients will have no choice now but to accept the rogue server's parameters.

How do you mitigate this attack when a tool like Gobbler, which uses a different source MAC address for each DHCP discover, is used? Well, that's port security. Yes, the same port security we talked about as a mitigation technique for CAM overflow attacks on Layer 2 switches. However, if the attack uses the same MAC address in the Ethernet frame, and simply changes the MAC address in the DHCP payload, port security won't help, because as far as the switch goes, it's one source MAC address sending traffic into the port. What will help in this case? DHCP snooping again, which will be configured to verify that the source MAC address in the frame matches the MAC address in the DHCP payload.
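The two switch-side checks the transcript contrasts, port security (how many source MACs a port may present) and DHCP snooping's MAC verification (Ethernet source MAC versus the chaddr field in the DHCP payload), can be shown on the wire format itself. The following is an added example, not code from the transcript or from any switch vendor: it builds constructed DHCP Discover frames, parses them down to the BOOTP header, and simulates both checks over two traffic patterns, one varying the Ethernet source MAC per discover and one keeping it fixed while varying only chaddr. Function names (`build_discover`, `parse_frame`, `inspect`) and the port names are assumptions made for the example.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that ends the fixed BOOTP header


def build_discover(eth_src: bytes, chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/DHCP Discover frame (constructed test input)."""
    # BOOTP fixed header: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    bootp += b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")          # chaddr field is 16 bytes wide
    bootp += b"\x00" * (64 + 128)               # sname, file
    bootp += DHCP_MAGIC + b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp  # checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + eth_src + b"\x08\x00"   # broadcast dst, given src, EtherType IPv4
    return eth + ip


def parse_frame(frame: bytes):
    """Return (eth_src, chaddr, dhcp_msg_type), or None if not a DHCP client packet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    eth_src = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                     # IP protocol field must be UDP
        return None
    udp = frame[14 + ihl:]
    _sport, dport = struct.unpack("!HH", udp[:4])
    if dport != 67:                             # client -> server traffic only
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    hlen = bootp[2]
    chaddr = bootp[28:28 + hlen]
    # Walk the options list to find the DHCP message type (option 53).
    opts, msg_type, i = bootp[240:], None, 0
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if opts[i] == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return eth_src, chaddr, msg_type


def inspect(port_frames, max_macs: int = 1):
    """Simulate port security plus DHCP snooping MAC verification on untrusted ports.

    Returns one verdict per frame: 'forward', 'port-security-violation' when a port
    exceeds its allowed source MACs, or 'dhcp-snooping-drop' when the Ethernet source
    MAC does not match the chaddr carried in the DHCP payload.
    """
    macs_per_port = defaultdict(set)
    verdicts = []
    for port, frame in port_frames:
        parsed = parse_frame(frame)
        if parsed is None:
            verdicts.append((port, "ignore"))
            continue
        eth_src, chaddr, _msg_type = parsed
        macs_per_port[port].add(eth_src)
        if len(macs_per_port[port]) > max_macs:
            verdicts.append((port, "port-security-violation"))
        elif eth_src != chaddr:
            verdicts.append((port, "dhcp-snooping-drop"))
        else:
            verdicts.append((port, "forward"))
    return verdicts


# Constructed MAC addresses for the two traffic patterns described in the transcript.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")


def varying_eth_src_pattern():
    """Each discover uses a new Ethernet source MAC (matching chaddr): port security catches it."""
    frames = [("Gi0/1", build_discover(m, m)) for m in (MAC_A, MAC_B, MAC_C)]
    return inspect(frames)


def fixed_eth_src_pattern():
    """Same Ethernet source MAC every time, only chaddr changes: DHCP snooping catches it."""
    frames = [("Gi0/2", build_discover(MAC_A, MAC_A)),
              ("Gi0/2", build_discover(MAC_A, MAC_B))]
    return inspect(frames)


if __name__ == "__main__":
    for port, verdict in varying_eth_src_pattern() + fixed_eth_src_pattern():
        print(port, verdict)
```

In the first pattern the second and third discovers trip the port's one-MAC limit; in the second pattern port security sees a single source MAC and passes everything, and only the chaddr comparison drops the spoofed discover. Real switches apply the chaddr check only on ports marked untrusted, so the example models only the untrusted side.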
Reprinted from: https://www.cnblogs.com/sec875/articles/10028792.html