How to Secure a Network from DHCP Attacks
In today's threat landscape, where attackers wait for the right moment to strike, organizations have little choice but to close the gaps in their IP networking standards. Many organizations accordingly implement a comprehensive security policy covering almost every layer of the OSI (Open Systems Interconnection) model, from the application layer down to IP security, but one area that is often left untouched is DHCP. If the Data Link layer and DHCP (Dynamic Host Configuration Protocol) are not secured well, they can expose the network to a variety of attacks and compromises.
The DHCP ingredient
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol, a set of rules that automatically provides an Internet Protocol (IP) host with its IP address and the other configuration information it needs to use network resources. It lets hosts obtain their TCP/IP (Transmission Control Protocol/Internet Protocol) configuration from a DHCP server and relieves the administrator of the burden of manual allocation. All Windows-based clients, including the Windows Server editions, ship with an integrated DHCP client as part of TCP/IP.
Every device on a TCP/IP-based network must have a unique unicast IP address to access network resources. A device moved between subnets has to be reconfigured, and the address it gave up has to be reclaimed, before it can reach the network and its resources again. This is where DHCP plays the major role: it automatically allocates and configures hosts and offers centralized management. The DHCP server maintains a pool of IP addresses and leases one to any requesting DHCP-enabled client. Because the addresses are not static, those no longer in use are automatically returned to the pool for reallocation to new clients.
The DHCP server also stores the configuration information in a database that includes:
• Valid TCP/IP configuration parameters for all the clients within the network.
• Valid IP addresses, maintained in the list for assignment to clients and the excluded addresses.
• Reserved IP addresses associated with particular DHCP clients.
• The lease duration, that is, the length of time for which the IP address can be used before a lease renewal is required.
Benefits of DHCP
The DHCP service in Windows Server editions not only reduces network administration effort but also centralizes TCP/IP configuration. It minimizes configuration errors such as typographical errors or address conflicts caused by allocating one IP address to multiple devices. The DHCP Server service can assign a full range of TCP/IP configuration values and handle address changes for clients that must be updated frequently. It also manages the forwarding of initial DHCP messages through a relay agent, which eliminates the need for a DHCP server on every subnet.
DHCP Attacks and Security
It is important to follow security best practices when running DHCP servers on your organization's network. Because DHCP does not require any authentication from the client, any user inside or outside the network can obtain an IP lease. This can reveal data such as DNS server addresses or other server information to an unauthorized user, compromising the network's security. Malicious users with physical access to the DHCP-enabled network can mount a denial-of-service attack on DHCP servers by flooding them with lease requests, depleting the number of leases available to legitimate DHCP clients.
Another common attack on DHCP is the DHCP starvation attack, in which the attacker exhausts the address space available to the DHCP servers for a period of time. This attack is carried out by broadcasting DHCP requests with spoofed MAC addresses. DHCP snooping, the security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding database, is also exploited by attackers to gain access.
A DHCP server set up on the network by an attacker, called a rogue DHCP server, can lead to man-in-the-middle, sniffing, and reconnaissance attacks. By placing a rogue DHCP server on the network, an attacker can supply clients with fake addresses and other network information and then snoop on their data packets. Because DHCP responses usually include the default gateway and Domain Name System (DNS) server, an attacker can hand out their own system as the default gateway and DNS server, resulting in a man-in-the-middle position that can be used to impersonate network resources. If the attacker designates their own rogue DNS server(s), they may also direct victims to phishing websites to obtain confidential information such as credit card details and passwords.
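The following rogue-offer check is an added example, not code from the article: it parses the option area of a DHCP OFFER and flags any server identifier (option 54), default gateway (option 3) or DNS server (option 6) that is not on an allowlist of the organization's known infrastructure, which is how a monitoring host can spot a rogue server answering clients. The allowlisted addresses and the build_offer helper that fabricates test messages are constructed for this example.

```python
from ipaddress import IPv4Address
# Allowlist of the organization's known infrastructure (constructed values).
TRUSTED_DHCP_SERVERS = {"10.0.0.2"}
TRUSTED_GATEWAYS = {"10.0.0.1"}
TRUSTED_DNS = {"10.0.0.2", "10.0.0.3"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the BOOTP header
DHCP_OFFER = 2                       # value of option 53 for an OFFER

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP message (236-byte BOOTP header first)."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list:
    # Decode an option value holding one or more 4-byte IPv4 addresses.
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def check_offer(payload: bytes) -> list:
    """Return findings for an OFFER; an empty list means every address is on the allowlist."""
    opts = parse_options(payload)
    if opts.get(53, b"\x00")[0] != DHCP_OFFER:
        return []                # only OFFERs are examined here
    findings = []
    for code, trusted, what in ((54, TRUSTED_DHCP_SERVERS, "DHCP server identifier"),
                                (3, TRUSTED_GATEWAYS, "default gateway"),
                                (6, TRUSTED_DNS, "DNS server")):
        addrs = ip_list(opts.get(code, b""))
        if not addrs or not set(addrs) <= trusted:
            findings.append(f"{what} {addrs or 'missing'} is not on the allowlist")
    return findings

def build_offer(server: str, router: str, dns: str) -> bytes:
    """Construct a minimal DHCP OFFER for testing; not a captured packet."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232      # op=BOOTREPLY, htype, hlen, hops, rest zeroed
    opts = (b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed
            + b"\x03\x04" + IPv4Address(router).packed
            + b"\x06\x04" + IPv4Address(dns).packed + b"\xff")
    return header + MAGIC_COOKIE + opts
```

In practice the payload would come from the UDP data of packets captured on port 68; any non-empty finding is worth an alert, since a legitimate server never hands out addresses outside the allowlist.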
Maintaining proper physical security for hardware components such as servers, switches and routers limits unauthorized access to the server systems. Restricting wireless access for unauthorized individuals inside or outside the organization by enforcing user access policies also strengthens the security perimeter.
Audit logging should be enabled on every DHCP server on the network, and the log files should be reviewed regularly. These logs are especially useful when a DHCP server receives an unusually high number of lease requests from clients. An audit log file contains the information needed to trace the source of any attacks made against the DHCP server, and the system event log can be analyzed for further explanatory information about the DHCP Server service. Where clients run a Microsoft OS on 802.1X-enabled switches, authentication occurs before the DHCP server assigns a lease, offering better security. In addition, administrative access to DHCP should be restricted to a limited number of individuals. Only members of the Administrators group or the DHCP Administrators group should be allowed to administer DHCP servers using the DHCP console or the Netsh commands for DHCP. Make sure that users who need only read-only access to the DHCP console are added to the DHCP Users group rather than the DHCP Administrators group.
Even though nothing is completely secure, a few safety measures included in the security policy can go a long way toward protecting your organization from these threats.
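As an added example (not from the article), the script below runs the starvation check the audit-log advice calls for: it parses constructed log lines laid out like the first seven columns of a Windows DHCP server audit log (ID, date, time, description, IP, host name, MAC) and alerts when many distinct client MACs take new leases within a short window, the signature of the spoofed-MAC flood described earlier. The event IDs 10 (new lease) and 14 (pool exhausted), the threshold and the window are assumptions for this illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample lines in the layout of a Windows DHCP server audit log
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address). Event ID 10 is
# taken here to be a new lease and ID 14 a request refused because the pool is empty.
SAMPLE_LOG = """\
10,06/01/24,09:00:01,Assign,10.0.0.20,ws-01.corp.example,001122334455
11,06/01/24,09:00:05,Renew,10.0.0.21,ws-02.corp.example,001122334466
10,06/01/24,09:30:00,Assign,10.0.0.30,,0a1b2c000001
10,06/01/24,09:30:00,Assign,10.0.0.31,,0a1b2c000002
10,06/01/24,09:30:01,Assign,10.0.0.32,,0a1b2c000003
10,06/01/24,09:30:01,Assign,10.0.0.33,,0a1b2c000004
10,06/01/24,09:30:02,Assign,10.0.0.34,,0a1b2c000005
14,06/01/24,09:30:03,Pool exhausted,,,0a1b2c000006
"""
NEW_LEASE, POOL_EXHAUSTED = "10", "14"
WINDOW = timedelta(seconds=60)
THRESHOLD = 5          # distinct new MACs within one window before alerting (assumed)

def parse_log(text: str) -> list:
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # skip header or malformed lines
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        rows.append({"id": row[0], "ts": ts, "ip": row[4], "host": row[5], "mac": row[6]})
    return rows

def detect_starvation(rows: list) -> list:
    """Sliding window over new-lease events: alert when at least THRESHOLD distinct
    client MACs appear within WINDOW, and whenever the server reports an empty pool."""
    alerts = []
    leases = [r for r in rows if r["id"] == NEW_LEASE]
    leases.sort(key=lambda r: r["ts"])
    for i, first in enumerate(leases):
        macs = {r["mac"] for r in leases[i:] if r["ts"] - first["ts"] <= WINDOW}
        if len(macs) >= THRESHOLD:
            alerts.append(f"{first['ts']}: {len(macs)} distinct MACs requested leases within {WINDOW}")
            break
    for r in rows:
        if r["id"] == POOL_EXHAUSTED:
            alerts.append(f"{r['ts']}: scope address pool exhausted (client MAC {r['mac']})")
    return alerts
```

Against the sample, the burst at 09:30 trips the threshold and the pool-exhausted event confirms the impact; on a real server, feed parse_log the current DhcpSrvLog file and tune THRESHOLD to the normal lease rate of the scope.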