This project demonstrates a DHCP starvation attack and a corresponding detection mechanism. The attack involves an attacker tool that generates random MAC addresses and floods the DHCP server with a large number of DHCP discover packets, attempting to exhaust the available IP addresses. On the defensive side, the system monitors the network, iterating over specified time intervals to track how many DHCP discover packets are being sent to the DHCP server, allowing for detection of abnormal activity.
- Attacker Tool: Perform DHCP starvation to exhaust the available IP addresses.
- Defender Tool: Detect DHCP starvation and alert user.
- DHCP server: Allocates IP addresses to clients and is the target of the DHCP starvation attack
This project runs in a virtual machine environment using Ubuntu, with three VMs set up: a DHCP server, an attacker, and a detector. These VMs communicate with each other by configuring their network settings to use a bridged adapter.
- Purpose: Provides IP addresses to other VMs (client machines) on the same network. It is the target of the DHCP starvation attack.
- Setup:
  - Create VM:
    - Operating System: Ubuntu (or any Linux distribution)
    - Network Adapter: Set the network adapter to Bridged Adapter to allow communication with the other VMs on the same network.
  - Install the DHCP Server Software:

    ```bash
    sudo apt install isc-dhcp-server
    ```
  - Configure the DHCP Server:

    ```bash
    sudo nano /etc/dhcp/dhcpd.conf
    ```

    Add the following configuration (you can adjust IP ranges as per your network setup):

    ```
    default-lease-time 600;
    max-lease-time 7200;

    # Specify the subnet and range for IP addresses
    subnet 192.168.14.0 netmask 255.255.255.0 {
        range 192.168.14.100 192.168.14.200;
        option routers 192.168.14.1;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 192.168.1.1;
        option broadcast-address 192.168.14.255;
    }
    ```
  - Assign Network Interfaces:

    ```bash
    sudo nano /etc/default/isc-dhcp-server
    ```

    Set the interface in that file:

    ```
    INTERFACESv4="enp0s3"
    ```
  - Start and Enable the DHCP Service:

    ```bash
    sudo systemctl enable isc-dhcp-server
    sudo systemctl start isc-dhcp-server
    ```
  - Verify DHCP Server Status:

    ```bash
    sudo systemctl status isc-dhcp-server
    ```

    The output should show that the DHCP server is active (running), indicating that it is functioning correctly and ready to lease IP addresses to clients.
  - Check the IP Leases:

    ```bash
    cat /var/lib/dhcp/dhcpd.leases
    ```
  - View the MAC and IP assignments: view real-time DHCP lease information by checking the system logs, as the DHCP server writes lease assignments to the log file.

    ```bash
    tail -f /var/log/syslog | grep dhcpd
    ```
- Purpose: Sends a large number of DHCP discover requests with random MAC addresses to exhaust the available IP address pool from the DHCP server.
- Required Libraries:
  - Scapy: Scapy is essential for network analysis and packet manipulation because it allows users to create, send, and capture network packets, making it a powerful tool for network testing, security assessments, and protocol analysis.
  - Random: The `random` module in Python is a built-in library that provides functions for generating random numbers and making random selections from sequences. It is used here to generate a random MAC address. It is part of the Python standard library, so it is installed with Python.

  ```bash
  sudo apt update
  sudo apt install python3 python3-pip
  pip3 install scapy
  ```
- Purpose: Monitors the network traffic and tracks the number of DHCP discover packets to detect signs of a DHCP starvation attack and alert the network administrator.
- Required Libraries:
  - Scapy: Scapy is essential for network analysis and packet manipulation because it allows users to create, send, and capture network packets, making it a powerful tool for network testing, security assessments, and protocol analysis.
  - Time: The `time` module provides various time-related functions, allowing you to work with time in different ways, such as getting the current time.

  ```bash
  sudo apt update
  sudo apt install python3 python3-pip
  pip3 install scapy
  ```

A DHCP starvation attack is a denial-of-service (DoS) attack that targets DHCP servers by flooding them with forged DHCP requests. The attacker uses random MAC addresses to generate these requests, aiming to deplete the pool of available IP addresses. Once all IPs are exhausted, legitimate users are unable to obtain an IP address, resulting in a denial of network service. Detection of such an attack can be done by monitoring the rate of DHCP discover packets over time. An unusually high volume of requests from different MAC addresses within a short period may indicate an ongoing attack.
- Attack VM: open the attack VM and run the following command:

  ```bash
  sudo /bin/python3 /path_to_file/DHCP_starvation.py
  ```
- Detect VM: open the detect VM and run the following command:

  ```bash
  sudo /bin/python3 /path_to_file/detect_dhcp_starvation.py
  ```
- DHCP Server VM: open the DHCP server VM and run this command:

  ```bash
  sudo tail -f /var/log/syslog
  ```

  By running this command, you can monitor the DHCP server logs in real time, allowing you to see when an IP address is assigned to a client or when the DHCP server runs out of available IP addresses to lease.

  DHCP Log Entry Example:

  ```
  2024-10-10T09:07:37.850642+00:00 DHCPserver dhcpd[1217]: DHCPOFFER on 192.168.14.138 to 02:00:00:f0:01:c6 via enp0s3
  2024-10-10T09:07:37.850766+00:00 DHCPserver dhcpd[1217]: DHCPDISCOVER from 02:00:00:10:41:90 via enp0s3: network 192.168.14.0/24: no free leases
  ```

  Explanation:
  - `2024-10-10T09:07:37.850642+00:00`: Timestamp in UTC format.
  - `DHCPserver dhcpd[1217]`: Indicates the DHCP server (dhcpd) process ID is 1217.
  - `DHCPOFFER`: The DHCP server is offering the IP address 192.168.14.138 to the client with MAC address 02:00:00:f0:01:c6 through the network interface enp0s3.
  - `DHCPDISCOVER`: A client with MAC address 02:00:00:10:41:90 is requesting an IP address on the interface enp0s3.
  - `network 192.168.14.0/24: no free leases`: The DHCP server has no available IP addresses to assign within the subnet 192.168.14.0/24.
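
The rate-based detection described above can also be run against the DHCP server's own log. The following is an added example, not the project's `detect_dhcp_starvation.py`: it buckets `DHCPDISCOVER` lines in the dhcpd syslog format shown above into fixed windows and alerts on many distinct MACs or on `no free leases`. The function names, the 10-second window, the threshold of 5 MACs, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches dhcpd syslog DHCPDISCOVER lines in the format shown above.
DISCOVER_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd\[\d+\]: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?P<rest>.*)$", re.IGNORECASE)

# Template for the constructed sample lines (not captured data).
FMT = ("2024-10-10T09:07:{:02d}.000000+00:00 DHCPserver dhcpd[1217]: "
       "DHCPDISCOVER from {} via enp0s3{}")

def build_sample():
    """Constructed log: two ordinary clients, one OFFER, then a burst of new MACs."""
    lines = [FMT.format(5, "08:00:27:aa:bb:01", ""),
             FMT.format(8, "08:00:27:aa:bb:02", ""),
             "2024-10-10T09:07:08.500000+00:00 DHCPserver dhcpd[1217]: "
             "DHCPOFFER on 192.168.14.100 to 08:00:27:aa:bb:02 via enp0s3"]
    for i in range(8):
        tail = ": network 192.168.14.0/24: no free leases" if i >= 6 else ""
        lines.append(FMT.format(30 + i, f"02:00:00:00:00:{i:02x}", tail))
    return lines

def detect_starvation(lines, window_s=10, mac_threshold=5):
    """Bucket DISCOVERs into fixed windows; alert on many distinct MACs or an empty pool."""
    buckets = defaultdict(lambda: {"discovers": 0, "macs": set(), "exhausted": False})
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue  # OFFER/REQUEST/ACK and non-dhcpd lines are ignored
        epoch = datetime.fromisoformat(m["ts"]).timestamp()
        b = buckets[int(epoch // window_s) * window_s]
        b["discovers"] += 1
        b["macs"].add(m["mac"].lower())
        b["exhausted"] |= "no free leases" in m["rest"]
    alerts = []
    for start in sorted(buckets):
        b = buckets[start]
        # Repeated DISCOVERs from one MAC are retries, not starvation, so count MACs.
        if len(b["macs"]) >= mac_threshold or b["exhausted"]:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "discovers": b["discovers"],
                "unique_macs": len(b["macs"]),
                "pool_exhausted": b["exhausted"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_starvation(build_sample()):
        print("ALERT", alert)
```

Tune `window_s` and `mac_threshold` to the normal client churn of the monitored subnet; a lab with three VMs tolerates a far lower threshold than a busy office network.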