Rogue DHCP
The Dynamic Host Configuration Protocol (DHCP) provides IP addressing autoconfiguration to hosts.
- if Windows client fails to obtain DHCP lease, it defaults to APIPA address
  - range: 169.254.0.0/16 - limited to communication with other APIPA hosts on same subnet
- if Linux hosts fail to obtain DHCP lease, they:
  - will use 169.254.0.0/16 range if has Zeroconf support
  - leave IP address set to 0.0.0.0
  - or disable the IPv4 interface
Info
- APIPA is Microsoft terminology
- Standards documentation refers to this address range as IPv4 link local (IPv4LL)
- Zeroconf is a standards-based approach to technologies that allows hosts to
  - obtain a usable network configuration
  - discover services automatically without the use of DHCP or DNS servers
- clients have no means of preferring a DHCP server
- if two DHCP servers are running on same subnet, clients could get incorrect IP config from a rogue DHCP
  - may be deployed accidentally or be used by a malicious threat actor
  - threat actor would use a rogue server to change the default gateway and/or DNS resolver addresses for the subnet to route comms to their machine
  - means of using DHCP to facilitate an on-path attack
DHCP starvation attack uses bogus requests to use up leases in a legitimate DHCP server's address pool.
- exhausted scope means legit hosts cannot obtain a lease
- might be used as:
  - a DoS mechanism
  - or to force legitimate hosts to obtain a lease from a rogue DHCP server
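Added example (not from the original notes) showing how a defender would spot both patterns above, a rogue server's OFFER/ACK and a starvation burst of DISCOVERs, in a DHCP capture summary. The record layout, the AUTHORIZED_SERVERS set and the thresholds are assumptions; the sample records are constructed.

```python
"""Detector for rogue DHCP offers and DHCP starvation over capture-summary records.

Each record is assumed to look like:
(timestamp_seconds, message_type, client_mac, server_ip, offered_router, offered_dns)
"""

# Assumed: the only legitimate DHCP server on this subnet.
AUTHORIZED_SERVERS = {"10.0.0.1"}


def find_rogue_offers(records, authorized=AUTHORIZED_SERVERS):
    """Return (server_ip, router, dns) for every OFFER/ACK from an unauthorized server.

    A rogue server places itself on-path by handing out its own address as the
    default gateway and/or DNS resolver, so those fields are returned for triage."""
    rogue = []
    for _ts, mtype, _mac, server, router, dns in records:
        if mtype in ("OFFER", "ACK") and server not in authorized:
            rogue.append((server, router, dns))
    return rogue


def detect_starvation(records, window=60, max_clients=50):
    """Flag a starvation pattern: more than `max_clients` distinct client MACs
    sending DISCOVER inside one `window`-second bucket.
    Returns a list of (bucket_start, distinct_mac_count)."""
    buckets = {}
    for ts, mtype, mac, *_ in records:
        if mtype == "DISCOVER":
            buckets.setdefault(ts // window * window, set()).add(mac)
    return [(start, len(macs)) for start, macs in sorted(buckets.items())
            if len(macs) > max_clients]


# Constructed sample: one legitimate exchange, one rogue OFFER, then 80 DISCOVERs
# from 80 different MACs within a few seconds.
SAMPLE = [
    (0, "DISCOVER", "aa:aa:aa:00:00:01", None, None, None),
    (1, "OFFER", "aa:aa:aa:00:00:01", "10.0.0.1", "10.0.0.1", "10.0.0.53"),
    (2, "OFFER", "aa:aa:aa:00:00:01", "10.0.0.99", "10.0.0.99", "10.0.0.99"),  # rogue
] + [(100 + i // 10, "DISCOVER", f"de:ad:be:ef:00:{i:02x}", None, None, None)
     for i in range(80)]

if __name__ == "__main__":
    print("rogue offers:", find_rogue_offers(SAMPLE))
    print("starvation buckets:", detect_starvation(SAMPLE))
```

On a switch, DHCP snooping enforces the same allow-list idea at the port level; this script is for after-the-fact review of a capture.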