DHCP starvation

DHCP starvation is an attack that works by simultaneously broadcasting vast numbers of DHCP requests with spoofed MAC addresses, exhausting the DHCP server's IP address pool. This test checks that a customer can only obtain a limited number of IPv4 addresses, so that DHCP starvation is prevented. The Malicious Customer interface (referred to below as Malicious) takes the allowed number of addresses, then verifies that it cannot obtain one more.

The test does not detect whether an old address is released.

A DHCP server is required for the DHCP starvation test.

Impact: DoS

Test process

  • Malicious takes the allowed number of IPv4 addresses.
  • Malicious then sends another DHCP request.

Fail criteria

  • Malicious cannot obtain the allowed number of IPv4 addresses.
  • Malicious can obtain more than the allowed number of IPv4 addresses.
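
The test process and fail criteria above can be expressed as a small verdict function. The following is an added example, not code from the test product: AccessPort is a constructed model of a customer port that caps DHCP bindings, and the MAC addresses, the address pool and the assumption that each request uses a distinct client MAC are all made up for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessPort:
    """Constructed model of a customer port with a per-port DHCP binding cap."""
    limit: int  # cap actually enforced by the device under test (hypothetical)
    pool: list = field(
        default_factory=lambda: [f"192.0.2.{i}" for i in range(10, 20)])
    bindings: dict = field(default_factory=dict)  # client MAC -> leased IPv4

    def request(self, mac):
        """Return the leased address, or None if the request is not served."""
        if mac in self.bindings:
            return self.bindings[mac]  # renewal of an existing binding
        if len(self.bindings) >= self.limit or not self.pool:
            return None  # cap reached or pool empty: no new lease
        self.bindings[mac] = self.pool.pop(0)
        return self.bindings[mac]


def run_test(port, max_addresses=3):
    """Apply the test process and both fail criteria; default matches the page."""
    # Assumption: one distinct (locally administered) client MAC per request.
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(max_addresses + 1)]

    # Step 1: Malicious takes the allowed number of IPv4 addresses.
    leases = [port.request(mac) for mac in macs[:max_addresses]]
    if None in leases:
        return "FAIL: could not obtain the allowed number of addresses"

    # Step 2: Malicious sends one more DHCP request, which must not be served.
    if port.request(macs[-1]) is not None:
        return "FAIL: obtained more than the allowed number of addresses"
    return "PASS"


if __name__ == "__main__":
    for enforced in (3, 2, 10):  # correct cap, cap too strict, cap too loose
        print(f"device cap {enforced}: {run_test(AccessPort(limit=enforced))}")
```

A device whose cap is stricter than the configured Max addresses fails just as one with no effective cap does, which is why the first fail criterion exists.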

References

This test conforms to SEC Access Certification ID "SEC-V4-DHCPSTARV-1" and to SAVI RFC 6959 section 3.1.2.

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • ISP: A central node on a trusted port.
  • Max addresses: The maximum number of IPv4 addresses a customer is allowed to hold. Default: 3.