DHCP is a very commonly used protocol for the automatic assignment of TCP/IP configuration options. DHCP is defined in RFC 2131. "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCPIP network. DHCP is based on the Bootstrap Protocol (BOOTP) [7], adding the capability of automatic allocation of reusable network addresses and additional configuration options [19].  DHCP captures the behavior of BOOTP relay agents [7, 21], and DHCP participants can interoperate with BOOTP participants [9]." DHCP extensions for IPv6 is defined in RFC 3315.

Common values include:

• IP address
• Subnet mask
• Default gateway (router)
• DNS servers
• DNS domain name
• Lease time
• 802.1Q VLAN ID
• 802.1P L2 Priority
• Bootfile-Name
• TFTP Server IP address

DHCP is not without its issues, here are some of them:

• DHCP is a UDP based protocol and is easily spoofed
• DHCP lease exhaustion/starvation Denial of Service attacks
• Rogue DHCP server responding to clients, the sky is the limit with this attack
• Spoofed RELEASE packets Denial of Service attacks
• DISCOVER and REQUEST are broadcast, everyone hears them and anyone can respond
• No concept of authentication
• Unless Layer2 security is enforced rogue clients get a lease too
• Assigning rogue DNS server IPs to clients, allowing pharming attacks among others
• Vulnerabilities in the DHCP client, some allowing remote arbitrary code execution
• Vulnerabilities in the DHCP service, some allowing remote arbitrary code execution

Please contact us if you have any comments or would like to add to this diary entry.

A reader wrote in "PiXiE uses Wake-On-LAN to turn on machines after they power down, then feeds them a rootkit over BOOTP when they try to network boot (many systems automatically try network boot when woken-on-LAN."  A presentation can be found here: PiXiE: A Self-Propagating Network Boot Virus for Windows

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.