DHCP STARVATION ATTACK
Our scenario involves the provision of IP address from the router as the DHCP server.
Router: 192.168.100.1/24
DHCP client 1: Windows8
DHCP client 2: Windows8
DHCP client 3: Kali Linux
DHCP Pool: 192.168.100.0/24
Objective: Decommission the DHCP server by launching a DHCP starvation attack on the router using a Yersinia tool that will flood discovery message to the DHCP server.
During a network boot-up, the DHCP client will perform the following scenario:
DHCP Clients sends a DISCOVER message to the DHCP Server. DHCP Server checks on its IP pool if there is an available IP address for leasing. If there is, OFFER message will be sent to the DHCP Client coming from the DHCP Server. DHCP Client will make a request on that IP Address by sending a REQUEST message. Upon receive of the REQUEST message from the client, the DHCP server will send an Acknowledgement message (ACK) assigning the IP address to that client.
On this example, The DHCP server will only support 254 IP addresses from the pool created.
Also, let's verify that IP address has been binded to the connected device.
Checking the statistics will also show the DISCOVERY request.
Now, to do starvation attack, a discovery flood has to be launched in order to exhaust the IP address from the DHCP server. Starvation attack will source a unique MAC address for discover message until it reaches the pool limit. When it reaches the limit, the DHCP server can no longer provide IP address to the client.
On you Kali Linux, type in Yersinia -G to go to the GUI. Then go to DHCP tab and hit Launch attack.
After clicking, choose attack window will pop-up. Select sending DISCOVER packet then hit OK.
During the execution, the tool will flood the DHCP server with DISCOVER packet.
To stop the attack, click on the List attacks then click on cancel attack.
To verify, check the statistics on your router.
Check also the binding that was created during the attack.
Note: The binding has exhausted the 254 IP address allocations.
Verify the IP pool.
Doing this attack on a production environment will make the router very slow. So do it with permission from the network administrator.