Topic: Can DHCP Server run out of leases ?  (Read 7800 times)
« on: April 02, 2009, 08:07:01 »
Max2950 ***
Posts: 120

Hi Folks !

I have set up a m0n0 box in a hotel with three interfaces: LAN, WAN and OPT1.
OPT1 is connected to a wireless AP (i.e. wireless is not handled by m0n0) and used along with the captive portal to provide internet access to the hotel's customers. The wireless AP is totally open, neither WEP nor WPA is set up, thus ensuring maximum compatibility with heterogeneous customer hardware.
DHCP is set up on OPT1 to provide a range of 254 addresses, which is plenty if each customer has one PC.
Let's see a typical scenario :
1 - customer connects to wireless AP
2 - He gets an IP from DHCP
3 - He tries to surf to google.com
4 - he is stopped at the captive portal where he is prompted to enter a user name and password (normally delivered by the hotel employee)
5 - He can surf

Now what would happen if a person with bad intentions came and flooded the wireless connection (actually the m0n0 OPT1 interface) with DHCP requests (each request with a different MAC address) until all of the configured range is taken?
If someone then tries to get an IP, will m0n0 deny the DHCP request, or look up all the leases to see if the hosts are still alive and, if it finds a dead host, revoke its lease and give it to the new host...

Thank you for reading !
« Reply #1 on: April 02, 2009, 15:38:32 »
knightmb ****
Posts: 341

Technically yes, but realistically it might not happen.  If you are really worried about this, set your DHCP renewal time to about 254 seconds, as that will send the fake address on a rotating spiral out. So whoever does this would have to keep it constantly, which should give you time to find them.

DHCP uses broadcast that can't have collisions, so the most they can do is about 1 IP address per second, so a 254 second expire time would have them expire about as fast as they could technically fill up the range.

It will also cause some traffic increase for the wireless since all the clients will be broadcasting renewals every 4 minutes, but it should be random enough not to kill everyone's bandwidth.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: April 02, 2009, 21:45:21 »
Max2950 ***
Posts: 120

Hi,

Thanks for your reply!

Actually the maximum number of connected clients at the same time is 20 to 30.... But wouldn't the clients' connections be interrupted by the DHCP renewal?
« Reply #3 on: April 03, 2009, 14:45:40 »
knightmb ****
Posts: 341

Hi,

Thanks for your reply!

Actually the maximum number of connected clients at the same time is 20 to 30.... But wouldn't the clients' connections be interrupted by the DHCP renewal?
By connected, I meant using the broadcast to talk to the DHCP server to get an IP address. It can only talk to one client at *exactly* the same time, so that wiggle room might help other clients.

I can't say I've ever seen this kind of attack, but while it's technically possible, I don't know how well the attack would work given how DHCP is designed to function.  If you have any scripts to test it with, that will give you the best answer.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #4 on: April 03, 2009, 14:50:14 »
Max2950 ***
Posts: 120

I have a utility that allows spoofing any MAC address. But changing the MAC address takes approx. 5 seconds, so I think this kind of attack is very unlikely to happen indeed...
« Reply #5 on: April 03, 2009, 19:46:10 »
knightmb ****
Posts: 341

I have a utility that allows spoofing any MAC address. But changing the MAC address takes approx. 5 seconds, so I think this kind of attack is very unlikely to happen indeed...
I suspected that because changing the MAC the network card uses never was lightning quick for me either. If it were able to change it many times per second and capture IP addresses, then the attack would be valid.  You also have the state tables to deal with. If something is always changing MAC, the tables aren't updated dynamically quick enough by most routers/hardware to really make the attack useful. Basically, the MAC would change so fast that it would be ignored most of the time until the hardware catches up. But still, technically even 5 seconds apart will eventually fill up the number allocated. So if you had 254 addresses and it was wasting one every 5 seconds, it could fill up all the IPs in about 22 minutes.  If you have only a few minutes lease time on the IPs, they would technically start expiring about 1/4 of the way into the attack. The attacker would literally get stuck in a circle because as one address expires, the attacker would then get the same address it got a few minutes ago.

It would still waste IP address and cause some issues, but at least it won't take down all the IPs at once.
« Last Edit: April 03, 2009, 19:48:18 by knightmb »

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #6 on: April 04, 2009, 08:35:10 »
Max2950 ***
Posts: 120

Yep that's true, the IP range could be filled within 22 minutes...

I could also increase the DHCP range...

But what happens when a legitimate client gets its IP renewed every 10 minutes? Will it lose all its connections? My goal is to achieve maximum compatibility to keep the customers satisfied!
« Reply #7 on: April 04, 2009, 14:38:54 »
knightmb ****
Posts: 341

Yep that's true, the IP range could be filled within 22 minutes...

I could also increase the DHCP range...

But what happens when a legitimate client gets its IP renewed every 10 minutes? Will it lose all its connections? My goal is to achieve maximum compatibility to keep the customers satisfied!
Well, once it gets an IP, it will keep it.  The DHCP server will know that a certain MAC is set for an IP and the renewal is basically a wink from DHCP that it can keep using the same IP. Clients will try to renew for the same IP that they already have. It's rare that DHCP will tell a renewing client to take another IP instead. It can happen of course if your IP lease expired and you try to renew the new day. But renewing the next few minutes wouldn't be a problem.

The only problem I can see would be a MAC collision where the attacker's random MAC was the same as one of the clients for some reason. That would get messy.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #8 on: April 05, 2009, 18:41:09 »
Max2950 ***
Posts: 120

The only problem I can see would be a MAC collision where the attacker's random MAC was the same as one of the clients for some reason. That would get messy.

That's another point: since the wireless AP is left totally open, one could easily sniff and spoof any of the legitimate MAC addresses... This would allow the attacker to bypass the captive portal entirely...
« Reply #9 on: April 06, 2009, 02:44:27 »
knightmb ****
Posts: 341

The only problem I can see would be a MAC collision where the attacker's random MAC was the same as one of the clients for some reason. That would get messy.

That's another point: since the wireless AP is left totally open, one could easily sniff and spoof any of the legitimate MAC addresses... This would allow the attacker to bypass the captive portal entirely...
That's what I thought too, I've tried that myself and it never worked right. The problem was that the IP and MAC had to match and when you do that, the AP tends to basically ignore them until the problem is sorted out with each one being unique. So my victim machine and attack machine basically both couldn't get through until one of them was no longer part of the network. So technically it would be a waiting game until said person shut down their computer (being frustrated from no Internet for example), and then the other sneaks in. The only issue is, if the other guy powers back up, he'd end up getting a different IP and depending on your captive portal settings, as soon as he/she logs in it would cut off the other fake user.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #10 on: April 06, 2009, 18:33:15 »
Max2950 ***
Posts: 120

I never tried to spoof MAC addresses on the AP, but I think the way MAC spoofing is handled depends on the AP itself. But since many APs are Linux based I guess they will behave similarly.

The only issue is, if the other guy powers back up, he'd end up getting a different IP and depending on your captive portal settings, as soon as he/she logs in it would cut off the other fake user.

You pointed out another issue I had with this installation. Sometimes there are groups of 15 to 20 persons staying at the hotel, and the employee at the reception desk always gives the same username and password to each person in the group. Of course when I first configured the m0n0 box I had checked the option to "Disable Concurrent Login"; the hotel owner called me the day after: "Customers are complaining, they get back to the portal on every page load". So now this option is turned off....

As a first shot i will increase the DHCP range and reduce lease time....

BTW handling public wireless is not that easy

Edit :
I finally ended up keeping the 24-hour DHCP lease and increased the available IP range up to 65534 (subnet mask 255.255.0.0) (I'm using class A IPs); if an attacker wants to fill the whole DHCP range it should take about 91 hours!
« Last Edit: April 06, 2009, 19:08:58 by Max2950 »
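The lease-time versus pool-size reasoning in reply #5 (254 addresses, one rogue request every 5 seconds, short leases recycling addresses) and the 65534-address pool above can be checked with a small model. This is an added example, not code from the thread or from m0n0wall; it assumes a constructed attacker that sends one request per interval from a never-reused MAC and never renews, and it ignores legitimate clients, who only shrink the usable pool.

```python
from collections import deque


def simulate_dhcp_flood(pool_size, request_interval_s, lease_time_s, duration_s):
    """Model lease exhaustion of a DHCP pool under a rotating-MAC flood.

    Constructed model (not m0n0wall's allocator):
    - one request every request_interval_s seconds, each from a new MAC
    - every granted lease is held for exactly lease_time_s, then freed
    - the attacker never renews, so a lease returns to the pool on expiry
    Returns (peak_leases_held, seconds_until_exhausted_or_None).
    """
    expiries = deque()  # expiry times of live leases, oldest first
    peak = 0
    t = 0
    while t <= duration_s:
        # free every lease whose expiry time has passed
        while expiries and expiries[0] <= t:
            expiries.popleft()
        if len(expiries) < pool_size:
            expiries.append(t + lease_time_s)
            peak = max(peak, len(expiries))
            if len(expiries) == pool_size:
                return peak, t  # pool exhausted at this second
        t += request_interval_s
    return peak, None


def minutes(seconds):
    return None if seconds is None else seconds / 60


if __name__ == "__main__":
    day = 24 * 3600
    # reply #5: 254 addresses, 5 s per new MAC, long (24 h) lease
    print(simulate_dhcp_flood(254, 5, day, day))        # (254, 1265) -> ~21 min
    # reply #5: same flood, but a 10 minute lease recycles addresses
    print(simulate_dhcp_flood(254, 5, 600, day))        # (120, None)
    # reply #10: 65534 addresses, 24 h lease, run for four days
    print(simulate_dhcp_flood(65534, 5, day, 4 * day))  # (17280, None)
```

With a 24-hour lease the earliest leases expire after 86400 s, which at one request per 5 s caps the attacker at 17280 simultaneous leases; reaching 65534 would require the attacker to also renew the addresses it already holds, which this model does not include.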
« Reply #11 on: April 06, 2009, 19:24:00 »
knightmb ****
Posts: 341

Edit :
I finally ended up keeping the 24-hour DHCP lease and increased the available IP range up to 65534 (subnet mask 255.255.0.0) (I'm using class A IPs); if an attacker wants to fill the whole DHCP range it should take about 91 hours!
Haha, when in doubt, overwhelm the attacker.  I've never seen what happens when you put that many leases in m0n0wall. I know there is a limit somewhere based on the how big the RAM disk was, but you'll have to search around to find out how many was causing problems for others.

Hopefully, these kind of sneaky attackers won't be a big issue for you. Best of luck!

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #12 on: April 06, 2009, 20:14:28 »
Max2950 ***
Posts: 120

Yes, let's see what happens!

A DHCP record should take 4 bytes for the IP, 6 bytes for the MAC address, 4 bytes for lease start and 4 bytes for lease end (this is pure assumption, if someone knows it exactly let me know), so that is 18 bytes for each lease. So all the leases represent about 1.12MB, so now I have to find out how big the RAM disk is!
« Reply #13 on: August 28, 2009, 20:44:46 »
dbogdan@lumc.edu *
Posts: 14

Yes this can happen.  I have a DHCP server set up with a 255.255.248.0 (7 subnets) that got filled up one day.  A user, using a bittorrent download program, altered the MAC address, then requested a new IP for the entire range.  Clogged up the DHCP server in a matter of minutes.  It was a nightmare to find this guy, but we eventually did.