DHCDROP(8)DHCDROP(8)NAMEdhcdrop - program for searching and suppress false DHCP servers in Eth‐
ernet.
SYNOPSISdhcdrop [ -h ] [ -D ] [ -t ] [ -y ] [ -r ] [ -b ] [ -a ] [ -A ] [ -f ]
[ -R ] [ -q ]
[ -m count ] [ -c count ] [ -n hostname ] [ -N clientname ] [ -p port ]
[ -P port ] [ -w seconds ]
[ -T timeout ] [ -M max-hosts-scan ] [ -l MAC-address ] [ -L network ]
[ -S network/mask ] [ -F from-IP ]
[ -s server-IP ] [ -C children count (2 - 32) ]
[ initial-MAC-address ] < -i interface-name|interface-index >
DESCRIPTION
Suppressing DHCP server is made by dhcdrop with a help of an attack
DHCP starvation or with a help of flooding with DHCPDISCOVER messages.
Look for details below. Besides dhcdrop can be used as a diagnostical
tool and stress-testing when setting and developing DHCP servers
OPTIONS-h prints help-message and also codes of program's return.
-D list of available network interfaces. Format - index:name.
-t test mode. Using this mode dhcdrop does not execute suppression
of server. DHCPDISCOVER is being sent. If the answer comes to
it from the non-ignored server then the program is completes
returning code 200 and printing the string:
DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether:
00:02:44:75:77:E4, YIP: 10.7.7.205
which consists of the MAC address of found false DHCP server.
-y answer 'yes' to all questions.
-r disable ethernet address randomize. Every further source MAC
address differs from previous for 1.
-b points on necessity of using flag BROADCAST in DHCP packets
sent.
-a always wait for server's response to default DHCP client port
(68) even if a number of client's port set differs from default
value.
-A always wait for server's response from default DHCP server port
(67), even if a number of client's port set differs from default
value.
-f flood mode with DHCPDISCOVER requests. SHOULD BE USED ATTEN‐
TIVELY. It is convenient for stress-testing of the server. In
case of using option -r all the packets sent have the same MAC
address.
-R send DHCPRELEASE from source MAC address specified by <initial
MAC address> and IP address specified by option -F to server
specified by option -s
-q quiet mode.
-m count
maximum number of attempts to receive answer from DHCP server.
(default: 5).
-c count
maximum number of receiving addresses from DHCP server (default:
255).
-n hostname
value of DHCP-option 'HostName' (default: 'DHCP-dropper').
-N clientname
value of DHCP-option 'Vendor-Class' (default: 'DHCP-dropper').
-p port
set client port value (default: 68).
-P port
set server port value (default: 67).
-w seconds
set timeout after which the process will be restarted when using
agressive mode (see option -L ) (default: 60 secs).
-T timeout
set timeout of waiting server response in seconds (default: 3).
-M maximum-hosts
maximum number of hosts scanned if agressive mode used (option
-L).
-l MAC-address
ethernet address of DHCP server which need to ignore. May be
several servers. Need option -l for each server.
-L legal-network
specify legal network(s) on interfase. May be several networks.
If this parameter is set, dhcdrop uses agressive mode: it scans
address range assigned by DHCP server for searching hosts with
incorrect addresses, sends DHCPRELEASE to server from every
found host after this it restarts process of receiving addreses.
Need option -L for each network.
-S network/mask
ARP-scan for network 'network' with network mask 'mask' (CIDR
notation). Source IP address for scanning specified by option
-F If source IP is not set - using random IP address from net‐
work address range.
-F source-ip
source IP for scanning network or sending DHCPRELEASE (see
option -S and -R ).
-s server-ip-adress
specify DHCP server IP address. Used with option -R
-C count
children number (default: 0, minimal value: 2, maximum: 32).
Compatible only with flag -f
initial-MAC-address
specify source MAC address for sending first DHCP message. If
address not set - used random value.
-i interface
defines network interface, can be name or index (cannot be
'any'). For listing available interfaces use option -D
THEORETICAL BASICS
In DHCP protocol there is an option which specifies duration of leasing
an IP address (Lease Time). During this time DHCP server gives IP
address for client's use. After this time period a client have to make
an attempt to refresh IP address for the purpose of extension the
lease. For the server giving out IP address in lease means that during
the lease this IP address can be given only to an owner of the lease
and nobody else. Identification of clients is usually done by the
server on the ground of MAC address. Usually every server has a pool of
dynamic IP addresses. These are addresses which are not assigned to
concrete MAC addresses and are given dynamically after any client's
request. Pool on SOHO routers with default settings is not very big -
from tens to about 200 addresses. In case of using software which per‐
forms the function of DHCP server the size of the pool is defined by
the one who sets. If the pool of addresses is over then DHCP server
ignores the requests from new clients (probably documenting this in
logs). Actually it's not in action.
Thereby in case of appearance false DHCP they can be supressed rather
easy. It's necessary to receive lease for every IP address available
on this server sending requests from unique clients every time. The
more Lease Time is in server settings, the bigger period of DHCP server
suppression in case of exhaustion of dynamical pool is. For most of
SOHO routers Lease time comes to a number of days or even weeks. In
case of using WinGate, dhcpd and other similar soft as DHCP server the
lease time depends on the fantasy of the man who launched false DHCP
server.
PRINCIPLE OF DHCDROP OPERATION
The program opens the interface specified in command line options using
promiscuous mode then forms DHCP message (DHCPDISCOVER) using random
source MAC address (if another conduct isn't specified) and sends it to
the interface:
01:58:04.681600 00:70:de:3b:b9:05 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800),
length 342: (tos 0x10, ttl 64, id 33964, offset 0, flags [none],
proto UDP (17), length 328)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:70:de:3b:b9:05,
length 300, xid 0xcc1cfc5c, Flags [none]
Client-Ethernet-Address 00:70:de:3b:b9:05
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Parameter-Request Option 55, length 3:
Domain-Name-Server, Default-Gateway, Subnet-Mask
Hostname Option 12, length 12: "DHCP-dropper"
Vendor-Class Option 60, length 12: "DHCP-dropper"
Client-ID Option 61, length 7: ether 00:70:de:3b:b9:05
After this it starts to wait for server's answer (DHCPOFFER). If the
answer with offering IP address lease is received then the next DHCP
message (DHCPREQUEST) is send to the interface. On this message server
answers with DHCPACK-packet which confirms the possibility of using the
IP address by a client. This completes the operation of receiving IP
address suggested by the server. The program changes source MAC
address and sends DHCPDISCOVER again. After that all the above opera‐
tions of receiving the lease of a new IP address are repeated. It's
worth paying attention that the program changes not only the client's
MAC address in DHCP message but also the MAC address in the header of
Ethernet-frame. This possibility brings the work of the program maxi‐
mally nearer to the work of real DHCP client (and also allows to avoid
DHCP snooping).
Cycle of receiving IP addresses from server comes to an end when the
maximum number of IP addresses set by the option is received or in case
of exhausting dynamical pool of the server. In the second case you
gained a victory. In the first case if you have an aim to reject the
DHCP server then there is a point to set another value of maximum num‐
ber of leased address option.
USAGE OF THE PROGRAM
Interfaces listing
First of all it's necessary to understand how the network interface,
where there is DHCP server, is called. This is easy to understand in
UNIX-like OS by outputting ifconfig command. But in Windows OS it is
not so evident. Because of this let's launch the program with -D
option first of all:
C:>dhcdrop -D
Available interfaces:
1:\Device\NPF_GenericDialupAdapter
descr: Adapter for generic dialup and VPN capture
2:\Device\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}
descr: ZyXEL GN650 1000Base-T Adapter (Microsoft's Packet Scheduler)
iaddr: 192.168.1.2/24 bcast: 255.255.255.255
iaddr: 10.7.7.7/24 bcast: 255.255.255.255
According to the output information it's evident that we need the sec‐
ond interface. As an argument for program's option -i any index of the
second interface or its name
\Device\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF} can be set. To my
mind it's more easy to use index and to launch the program with point‐
ing index instead of a name. For example: dhcdrop-i 2
Interactive mode, by default
The easiest way of using the program for searching and choosing the
rejected server manually:
$ sudo dhcdrop-i eth1
Using interface: 'eth1'
Got response from server 10.7.7.1 (IP-header 10.7.7.1), server ethernet address: 00:02:44:75:77:E4, lease time: 1.1h (3960s)
Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 10.7.7.201/24
Drop him? [y/n] n
Searching next server...
Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
Drop him? [y/n] y
1. Got BOOTREPLY (DHCPACK) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
2. Got BOOTREPLY (DHCPACK) for client ether: 00:A2:FA:12:41:F7 You IP: 192.168.1.3/24
3. Got BOOTREPLY (DHCPACK) for client ether: 00:56:EA:F8:1C:B0 You IP: 192.168.1.4/24
4. Got BOOTREPLY (DHCPACK) for client ether: 00:EA:91:1A:C8:A8 You IP: 192.168.1.5/24
5. Got BOOTREPLY (DHCPACK) for client ether: 00:83:8A:25:C7:1C You IP: 192.168.1.6/24
6. Got BOOTREPLY (DHCPACK) for client ether: 00:CA:A7:FF:C1:70 You IP: 192.168.1.7/24
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Finished.
As it's seen from the example when receiving an answer from DHCP server
dhcdrop reports information from the server about given IP address and
asks of necessity to suppress this server. Receiving a negative answer
it goes on searching for servers in the network ignoring the server
discovered before. In case of receiving a positive answer it starts a
process for rejecting the server with a method shown above.
Automatical suppresion mode of all the servers except the legitimate
one
In case of knowing (and usually we know) MAC address of the legal DHCP
server in our network the operation of suppressing illegal servers can
be simplified:
$ sudo dhcdrop-i eth1 -y -l 00:02:44:75:77:E4
Using interface: 'eth1'
Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
Got BOOTREPLY (DHCPOFFER) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
1. Got BOOTREPLY (DHCPACK) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
2. Got BOOTREPLY (DHCPACK) for client ether: 00:94:26:88:33:BD You IP: 192.168.1.3/24
3. Got BOOTREPLY (DHCPACK) for client ether: 00:E5:AC:7B:79:BB You IP: 192.168.1.4/24
<skipped>
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Finished.
In this version of using dhcdrop rejects any server except that ones
states with -l option without asking additional questions (due to using
option -y ).
Test mode
Test mode ( -t ) is comfortable to use for execution the program from
code in computer-aided mode. An example of the simplest code is below:
00 #!/bin/bash
01 LEGAL_SERVER="00:11:22:33:44:55"
02 DROPPER="/usr/sbin/dhcdrop"
03 IFNAME="eth1"
04 $DROPPER -i $IFNAME -t -l $LEGAL_SERVER -m 3
05 if [ $? = 200 ]
06 then
07 echo Illegal server found Dropping him
08 $DROPPER -i eth1 -l $LEGAL_SERVER -y
09 else
10 echo Illegal server not found.
11 fi
In the forth line launching of dhcdrop is being executed in a test mode
with setting an option of legal DHCP server for the network ( -l ), an
option of testing ( -t ) and an option of setting maximum number of
attempts of sending DHCPDISCOVER in mode of searching the server ( -m).
If there is no answer for all the requests been sent then the program
ends with 0 code. If there is answer for the server without -l option
then the program ends with 200 code which leads to the further launch‐
ing of the program with options describing suppression of any DHCP
server in the network except the legal one.
Usage of aggressive mode for receiving addresses
As you can guess from the description of DHCP protocol - if a client
received the configuration from illegal DHCP server then the server
wouldn't give this configuration iteratively to another client until
the period of lease expires. So a simple exhaustion of IP addresses'
pool won't save clients who have already received incorrect configura‐
tion. The server will give these addresses only to the clients who
requested them initially and will ignore requests from dhcdrop informa‐
tion from illegal DHCP server again and it would be continued until
illegal DHCP server switched off. For solving such a problem there were
added the aggressive mode of receiving IP addresses in dhcdrop starting
with version 0.5. It is activated with -L option which points a legit‐
imate IP subnet for the given Etherner segment of the network. Here is
the algorithm of its operation: dhcdrop launches an ordinary mode of
suppression and exhausts the whole IP addresses' pool of illegal DHCP
server. Analyzes the first DHCPOFFER received from illegal DHCP, with a
help of the network mask and client's IP address given out by the
server receives the address of IP network attended by this server.
Launches ARP-scanning of received subnet for the purpose of exposing
hosts which received incorrect configurational information, default
number of scanned hosts is limited to 512 (can be changed with -M
option), some servers gives out configurational set with a mask /8
which conforms to approximately 16 million of hosts - scanning of such
an address range will take a lot of time. Sends messages DHCPRELEASE to
the DHCP server from every found host (except the server itself). Waits
60 seconds (default value can be changed with -w option), after then
restarts the process of receiving IP addresses. As an example let's
launch dhcdrop with the same options as in the previous example but
additionally state legal IP network 10.7.7.0:
$ sudo dhcdrop-i eth1 -y -l 00:02:44:75:77:E4 -L 10.7.7.0
Using interface: 'eth1'
Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
Got BOOTREPLY (DHCPOFFER) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
2. Got BOOTREPLY (DHCPACK) for client ether: 00:FB:E7:A4:19:EC You IP: 192.168.1.6/24
3. Got BOOTREPLY (DHCPACK) for client ether: 00:CB:44:F9:A8:6F You IP: 192.168.1.7/24
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Trying to use agressive mode.
Starting ARP scanning network in range: 192.168.1.0 - 192.168.1.255...
Illegal DHCP server perhaps assigned IP adresses to the following hosts:
1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1) - itself DHCP server.
2. Received ARP-reply from: 00:03:ff:15:52:90 (192.168.1.3)
3. Received ARP-reply from: 00:03:ff:14:52:90 (192.168.1.4)
4. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200)
Sending DHCPRELEASE for invalid clients:
Send DHCPRELEASE for host 00:03:ff:15:52:90 (192.168.1.3).
Send DHCPRELEASE for host 00:03:ff:14:52:90 (192.168.1.4).
Send DHCPRELEASE for host 00:a0:c5:30:52:90 (192.168.1.200).
Restart dropping DHCP server after 60 seconds timeout...
1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
2. Got BOOTREPLY (DHCPACK) for client ether: 00:F1:32:14:60:A3 You IP: 192.168.1.3/24
3. Got BOOTREPLY (DHCPACK) for client ether: 00:2D:1C:80:ED:12 You IP: 192.168.1.4/24
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
WARNING: Failed to take away all the IP addresses assigned by DHCP server.
Perhaps DHCP server checks availability of IP addresses by sending ARP-request
before assigning them. Try to restart dhcpdrop later. If it doesn't help
try to disconnect problem hosts temporarily, then send manually DHCPRELEASE
from address of this hosts (use option -R) and restart dhcdrop.
Finished.
Explanation of the program operation's results.
After outputting the inscription "Trying to use aggressive mode" ARP-
scanning of subnet, serviced by illegal DHCP server in the stated
range, starts. As a result 4 hosts are found including the DHCP server
itself (the first host). Then dhcdrop sends DHCPRELEASE message to the
server 192.168.1.1 from addresses (Ethernet & IP) of all the hosts
found in the subnet except DHCP server itself and stops execution for
60 seconds. Timeout is necessary because some DHCP servers hold giving
out IP addresses to a new client during little period of time after
receiving DHCPRELEASE from a previous client. In case of necessity
timeout's value can be changed with -w option. On the expiry of timeout
dhcdrop launches the process of receiving released IP addresses. We
succeeded in receiving IP addresses 192.168.1.5 (it was received ini‐
tially when starting the program), 192.168.1.3 and 192.168.1.4. The
last two addresses were successfully released by the server after
receiving DHCPRELEASE messages generated by dhcdrop. Failed to receive
the address 192.168.1.200, in spite of presence of this host in the
network, and the fact that from its address DHCPRELEASE message was
send. One of the reasons of failure was described in warning in the end
of the program's output: DHCP server before giving out the addresses
can check if the host with the requested IP address exists and only
after this it can give out the address if such a host is absent in the
network. If not, a new lease for this address will not be given out. In
this situation switching off the problem hosts fron the network manu‐
ally and sending DHCPRELEASE messages from these hosts' addresses to
the server (see an example below) can be helpful. After this it's nec‐
essary to restart the process of receiving IP addresses. But in our
case the problem isn't hidden here. The host 192.168.1.200 has a stati‐
cally set IP address and because of this it has never requested the
configuration from DHCP server. The necessity itself of stating the
legal network for launching the aggressive mode is necessary to check
of the address range given out by illegal DHCP server crosses the
address range of the subnet where it was discovered. If the address
ranges cross each other then ARP-scanning will be done with the hosts,
which have the correct configuration and will output the incorrect
information. Because of this in case of discovering crossing of the
address ranges aggressive mode will not be launched.
Sending DHCPRELEASE message
You will probably have a necessity to send DHCPRELEASE message manu‐
ally. For example, because of the reason mentioned in the previous
example. You can do it with a help of -R option:
$ sudo dhcdrop-i eth1 -R -s 192.168.1.1 -F 192.168.1.4 00:2D:1C:80:ED:12
Using interface: 'eth1'
Send DHCPRELEASE from 00:2D:1C:80:ED:12 client IP 192.168.1.4 to DHCP server 192.168.1.1
Finished.
Option -s sets server's IP address, -F set DHCP client's IP address,
00:2D:1C:80:ED:12 set client's Ethernet address. As a result such a
sort of packet will be send in the network:
16:13:43.887735 00:2d:1c:80:ed:12 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342:
(tos 0x10, ttl 64, id 29807, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:2d:1c:80:ed:12,
length 300, xid 0xb2f04a28, Flags [none]
Client-IP 192.168.1.4
Client-Ethernet-Address 00:2d:1c:80:ed:12
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Release
Server-ID Option 54, length 4: 192.168.1.1
Client-ID Option 61, length 7: ether 00:2d:1c:80:ed:12
Scanning the network's segment
You can use ARP-scanning of the network for searching clients who
received incorrect configurational information. It is realized with a
help of -S option:
$ dhcdrop-i eth1 -S 192.168.1.0/24
Using interface: 'eth1'
Starting ARP-scanning for subnet 192.168.1.0/24.
IP address range 192.168.1.0 - 192.168.1.255.
WARNING: Source IP is not set (use option -F).
Using random value for source IP address: 192.168.1.195
1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1).
2. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200).
Finished.
According to the warning, which was printed by the program, when
launching, the source IP address wasn't set. Because of this dhcdrop
chooses a random IP address from address range of a stated subnet. If
you need to set a source address then use -F option. For this kind of
scanning factual settings of routing in your network aren't important.
Interface set by an option -i will always be used accepting that hosts
of the mentioned subnet are in the same Ethernet segment with the host
where dhcdrop is being launched. Also this option allows to discover
duplication of IP addresses in the same segment of the network even if
the scanning is being done from the host which IP address is being
duplicated by another host.
AUTHOR
This program was written by Roman Chebotarev <roma@ultranet.ru>
REPORTING BUGS
Any bugs/remarks/suggestions/wishes concerning this program please send
to <roma@ultranet.ru>
MAN FILE
Guidance page was made by Andrew Clark <andyc@altlinux.org>, basing on
the articles of the author of the program, web page http://www.net‐
patch.ru/en/dhcdrop.html
TRANSLATION
The translation from Russian into English was made by Anna Makhtinger
<mailmnoo@rambler.ru>
18/08/2009 DHCDROP(8)
