Suppressing DHCP servers


Supported platforms: Windows, Linux, FreeBSD, NetBSD, OpenBSD & DragonFlyBSD.
When a network uses DHCP and its switches lack traffic filtering (a shortcoming of many managed switches), rogue DHCP servers are a recurring problem. The usual cause is a careless user who has plugged a SOHO router into the network the wrong way round, or a young talent who wants to study communication technologies in practice. Either way the result is the same: your clients receive configuration information from such "pests" and drop out of normal network operation. This article describes the program dhcdrop, which solves this problem by suppressing the illegal DHCP servers.

 

The program is also a good diagnostic tool for checking that a DHCP server works, and a means of stress testing it. Using it for any other purpose is on your conscience ;-)



Theoretical framework

The DHCP protocol defines an option that sets the duration of an IP address lease (Lease time): the period for which the DHCP server gives the IP address to the client for use. When this interval expires, the client must attempt to renew the lease. For the server, leasing an address means that for the lease time the address may be issued only to the lease holder and to nobody else. The server identifies the client by its MAC address. Typically each server has a pool of dynamic IP addresses, i.e. addresses not bound to specific MAC addresses, which are issued on request to any client. On SOHO routers the pool in the default configuration is small, from a few dozen to a few hundred addresses. With software DHCP servers the pool size is chosen by whoever configures the server. Once the pool is exhausted, the DHCP server ignores requests from new clients (perhaps noting this in its logs); in effect it is idle.

Thus a rogue DHCP server that appears on the network can be neutralised quite simply: obtain leases on all the IP addresses the server has available, sending each request from a unique client. The longer the lease time in the server configuration, the longer the DHCP server stays neutralised once its dynamic pool is exhausted. On most SOHO routers the Lease Time is several days or even weeks. If the DHCP server is WinGate, dhcpd or similar software, the time depends on the imagination of whoever set it up.



The principle of operation

The program opens the interface given on the command line in promiscuous mode, generates a DHCP request (DHCPDISCOVER) from a random source MAC address (unless told otherwise), and sends it out of the interface:

 01:58:04.681600 00:70:de:3b:b9:05 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 64, id 33964, offset 0, flags [none], proto UDP (17), length 328)
     0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:70:de:3b:b9:05, length 300, xid 0xcc1cfc5c, Flags [none]
       Client-Ethernet-Address 00:70:de:3b:b9:05
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: Discover
         Parameter-Request Option 55, length 3:
           Domain-Name-Server, Default-Gateway, Subnet-Mask
         Hostname Option 12, length 12: "DHCP-dropper"
         Vendor-Class Option 60, length 12: "DHCP-dropper"
         Client-ID Option 61, length 7: ether 00:70:de:3b:b9:05
It then waits for the server's reply (DHCPOFFER). If a reply offering an IP address lease arrives, the next DHCP request (DHCPREQUEST) is sent out of the interface, and the server answers it with a DHCPACK confirming that the client may use the IP address. Once the DHCPACK is received, the lease of the offered address is complete. The program then changes the source MAC address and sends a new DHCPDISCOVER, and all of the above steps are repeated to obtain another lease. Note that the program changes not only the client MAC address inside the DHCP message but also the source MAC address in the Ethernet frame header. This makes the program's behaviour closer to that of a real DHCP client (and also lets it get past DHCP snooping).

 

The cycle of obtaining addresses from the server ends either when the maximum number of addresses given by the corresponding parameter has been obtained, or when the server's dynamic pool is exhausted. In the second case we can celebrate. In the first, if the goal is still to suppress this DHCP server, it makes sense to specify a larger value for the maximum number of leased addresses.
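As an added example (not part of the original article and not dhcdrop's source), the Python below builds a DHCPDISCOVER with the same options as the capture above, decodes DHCP messages into their BOOTP header fields and TLV options, and applies the check that test mode performs (-t together with -l): an OFFER whose Ethernet source address is not on the list of legitimate servers is reported as rogue, in the same line format dhcdrop prints. The DHCPOFFER it decodes is constructed inline (server 10.7.7.1 offering 10.7.7.205, taken from the -t example; the 86400-second lease and the /24 mask are assumptions). It works on UDP payloads only and sends nothing.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"           # RFC 1048 magic cookie (0x63825363 in the capture)
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # the fixed 236-byte BOOTP header before the cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_discover(client_mac, xid, hostname="DHCP-dropper", vendor_class="DHCP-dropper"):
    """DHCPDISCOVER carrying the same options as the capture: 53, 55 (DNS, router, mask), 12, 60, 61."""
    chaddr = mac_bytes(client_mac).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0,        # BOOTREQUEST, Ethernet, hlen 6
                         zero4, zero4, zero4, zero4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([53, 1, 1])                                    # message type: Discover
               + bytes([55, 3, 6, 3, 1])                            # parameter request list
               + bytes([12, len(hostname)]) + hostname.encode()
               + bytes([60, len(vendor_class)]) + vendor_class.encode()
               + bytes([61, 7, 1]) + mac_bytes(client_mac)          # client id: htype 1 + MAC
               + b"\xff")                                           # end option
    # Pad to the 300-byte BOOTP minimum, which is the "length 300" tcpdump reports.
    return (header + DHCP_MAGIC + options).ljust(300, b"\x00")


def build_offer(server_ip, client_mac, xid, yiaddr, mask, lease_secs):
    """Constructed DHCPOFFER used as sample input below (not a real capture)."""
    chaddr = mac_bytes(client_mac).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0, zero4,   # BOOTREPLY
                         ipaddress.IPv4Address(yiaddr).packed,
                         ipaddress.IPv4Address(server_ip).packed, zero4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([53, 1, 2])                                    # message type: Offer
               + bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed   # server identifier
               + bytes([1, 4]) + ipaddress.IPv4Address(mask).packed         # subnet mask
               + bytes([51, 4]) + struct.pack("!I", lease_secs)             # lease time
               + b"\xff")
    return (header + DHCP_MAGIC + options).ljust(300, b"\x00")


def parse_dhcp(payload):
    """Decode the BOOTP header fields and the TLV options of a DHCP message (UDP payload only)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(BOOTP_HDR, payload[:236])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad
            i += 1
            continue
        if code == 255:                     # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {
        "op": f[0],
        "xid": f[4],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "chaddr": mac_str(f[11][:6]),
        "msg_type": MSG_TYPES.get(msg_type, f"UNKNOWN({msg_type})"),
        "options": options,
    }


def classify_offer(frame_src_mac, ip_src, payload, legal_server_macs):
    """The test-mode check: an OFFER from an Ethernet source not in the -l list is rogue.
    Returns (verdict, report line in dhcdrop's format), or None for non-OFFER messages."""
    msg = parse_dhcp(payload)
    if msg["msg_type"] != "OFFER":
        return None
    server_id = msg["options"].get(54)
    server_ip = str(ipaddress.IPv4Address(server_id)) if server_id else ip_src
    legal = {m.lower() for m in legal_server_macs}
    verdict = "legal" if frame_src_mac.lower() in legal else "ROGUE"
    line = (f"DHCP SRV: {server_ip} (IP-hdr: {ip_src}) SRV ether: {frame_src_mac}, "
            f"YIP: {msg['yiaddr']}")
    return verdict, line


if __name__ == "__main__":
    discover = build_discover("00:70:de:3b:b9:05", 0xCC1CFC5C)
    print(parse_dhcp(discover)["msg_type"], len(discover))
    offer = build_offer("10.7.7.1", "00:70:de:3b:b9:05", 0xCC1CFC5C, "10.7.7.205", "255.255.255.0", 86400)
    print(classify_offer("00:02:44:75:77:e4", "10.7.7.1", offer, ["aa:bb:cc:dd:ee:ff"]))
```

The allow-list is matched on the Ethernet source address rather than on the server identifier option, for the reason the article gives: the frame header is the field that both real clients and dhcdrop itself set, so a server that spoofs option 54 still shows its real source MAC.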



Description of program options

On UNIX-like operating systems the program must be run as root (the exceptions are Windows and printing the help with -h); if you forget, the program will certainly remind you.

 $ dhcdrop
 Usage: dhcpdrop [-h] [-D] [-t] [-y] [-r] [-b] [-a] [-A] [-f] [-R] [-q]
     [-m <count>] [-c <count>] [-n <hostname>] [-N <clientname>] [-p <port>] [-P <port>]
     [-w <secs>] [-T <timeout>] [-M <max-hosts-scan>] [-l <MAC-address>] [-L <network>]
     [-S <network/mask>] [-F <from-IP>] [-s <server-IP>] [-C <children count (2 - 32)>]
     [<initial MAC address>] -i <interface-name|interface-index>
 DHCP-dropper v0.5 was written by Chebotarev Roman at 05.08.2009
 Home page: http://www.netpatch.ru/dhcdrop.html
 Use option -h for help. Exit.
Detailed description:
  • -h - displays the help message.
  • -D - lists the names and indexes of the network interfaces. Relevant on Windows; see the example below.
  • -t - test mode. In this mode dhcdrop does not suppress the server. It only sends DHCPDISCOVER; if a response arrives from an illegal server, the program exits with return code 200 and prints a line of the form DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether: 00:02:44:75:77:E4, YIP: 10.7.7.205 containing minimal information about the problematic DHCP server.
  • -y - answers "yes" to every question the program asks.
  • -r - disables randomisation of the source MAC address. Each subsequent source MAC address is incremented by 1.
  • -b - sets the BROADCAST flag in the DHCP packets sent.
  • -a - always expect the server's reply on the default DHCP client port (68), even if a non-default client port has been set.
  • -A - always expect the reply from the default DHCP server port (67), even if a non-default server port has been set.
  • -f - DHCPDISCOVER flood mode. Use with caution. Particularly useful for stress testing a server. Combined with -r, all outgoing packets have the same source MAC address.
  • -R - sends a DHCPRELEASE message from the source MAC address given at startup and the IP address given with -F to the server given with -s.
  • -q - "quiet" mode. Prints a minimum of information.
  • -m count - the maximum number of attempts to get a response from the server.
  • -c count - the maximum number of addresses to lease from a server.
  • -n hostname - the value of the DHCP option HostName (default "DHCP-dropper").
  • -N clientname - the value of the DHCP option Vendor-Class (default "DHCP-dropper").
  • -p port - the port the client uses to send DHCP messages. Default 68.
  • -P port - the server port to which DHCP messages are sent. Default 67.
  • -w seconds - sets the delay before the address acquisition process is restarted in aggressive mode. Default 60 seconds.
  • -T timeout - sets the timeout for a server response (in seconds). Default 3 seconds.
  • -M max-hosts - the maximum number of hosts scanned in aggressive mode.
  • -l MAC-address - Ethernet address of a server to ignore when searching for rogue DHCP servers on the network. This option should be given the address of the DHCP server responsible for handing out addresses in the given network segment. Multiple addresses can be specified, each preceded by its own -l.
  • -L legal-network - specifies the legitimate IP subnet of the selected interface. Using this option automatically enables aggressive mode of obtaining IP addresses. Multiple networks can be specified, each preceded by its own -L. See the detailed description below.
  • -S network/mask - ARP scan of 'network' with mask 'mask' in CIDR notation. The source IP address is given with -F; if none is specified, a random address from the specified subnet is used. See the usage example below.
  • -F source-IP-address - specifies the source IP address for the network scan (-S), or the IP address of the DHCP client on whose behalf the DHCPRELEASE message is sent (-R).
  • -s server-IP-address - specifies the IP address of the DHCP server. Used with -R.
  • -C count - the number of child processes to spawn. Compatible only with -f. Used to increase the number of packets sent per unit of time. With this parameter set to 30, 10,000 packets were generated in under 1.5 seconds.
  • -i interface - the name or index of the network interface (see -D). Cannot be "any"! The only required parameter of the program.
  • initial MAC address - the source MAC address to use for the first DHCP message, or for every message when flood mode (-f) is combined with -r. If not specified, a random source MAC address is used.



Usage

Below are the most frequently used modes of running the program.

 

Viewing the list of interfaces.
First you need to know the name of the network interface on which the DHCP server resides. On UNIX-like operating systems this is easy to work out from the output of ifconfig, but on Windows it is not so obvious, so first run the program with -D:

From the printed information it is obvious that we need the second interface. The argument of -i can be either the interface index, 2, or its name: \Device\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}. In my opinion the index is much easier to use, so run the program with the index instead of the name, for example: dhcdrop -i 2


Interactive mode (the default).

The simplest way to use the program is to find the server and choose it for suppression manually:

As you can see, on receiving a response from a DHCP server dhcdrop reports the information received from the server about the offered IP address and asks whether this server should be suppressed. After a negative answer it continues searching for servers on the network, ignoring the servers found so far. After a positive answer it begins suppressing the server by the method described above.



Automatic suppression of all servers except the legitimate one.

If we know (and generally we do) the MAC address of the legitimate DHCP server on our network, suppressing rogue servers can be simplified:

Used this way, dhcdrop suppresses any server other than the one given with -l, without asking further questions (thanks to -y).

Test mode.

Test mode (-t) is useful for running the program from scripts in automated fashion. Below is a simple example script:

On line 4, dhcdrop is run in test mode with the MAC address of the network's legitimate DHCP server (-l), test mode itself (-t), and the maximum number of DHCPDISCOVER attempts when searching for a server (-m). If none of the requests sent is answered, the program exits with code 0. If a response arrives from a server other than the one given with -l, the program exits with code 200, which triggers the subsequent run of the program with parameters that suppress any DHCP server on the network except the legitimate one.


Using aggressive mode of obtaining addresses.

As you might guess from the description of the DHCP protocol, if a client has already received a set of configuration data from an illegal DHCP server, the server will not give that address to another client until the lease expires. So simply exhausting the pool of IP addresses will not help the clients that have already received incorrect configuration data: the server issues those addresses only to the clients that originally requested them and ignores dhcdrop's requests for them. The next time such a client renews its address it will again receive information from the illegal DHCP server, and this will continue until the illegal DHCP server is disconnected.

To solve this, aggressive mode of obtaining IP addresses was added in dhcdrop version 0.5. It is enabled with the -L option, which gives the legitimate IP subnet of the Ethernet segment. Its algorithm is as follows:
  1. dhcdrop starts in normal suppression mode and exhausts the whole pool of IP addresses available on the illegal DHCP server.
  2. It analyses the first DHCPOFFER received from the illegal DHCP server. From the subnet mask and the IP address offered to the client it derives the network served by this server.
  3. It starts an ARP scan of that subnet to identify hosts that have received incorrect configuration information. By default the number of scanned hosts is limited to 512 (changeable with -M): some server configurations hand out networks such as /8, roughly 16 million hosts, and scanning such a range would take a very long time.
  4. It sends the DHCP server a DHCPRELEASE message on behalf of each host found (except the server itself).
  5. It waits 60 seconds (the default; changeable with -w) and then restarts the process of obtaining IP addresses.

As an example, run dhcdrop with the same parameters as in the previous example, additionally specifying the legitimate IP network 10.7.7.0.

Explanation of the program's output.

After the line "Trying to use agressive mode." is printed, the ARP scan of the subnet served by the illegal DHCP server begins, within the specified limit. As a result 4 hosts are found, including the DHCP server itself (the 1st host). dhcdrop then sends server 192.168.1.1 DHCPRELEASE messages from the addresses (Ethernet and IP) of all hosts found on the subnet except the DHCP server, and pauses for 60 seconds. The pause is needed because some DHCP servers do not issue a released IP address to a new client for a short time after receiving the DHCPRELEASE from the previous client. If necessary, the timeout can be changed with -w. After the timeout dhcdrop starts obtaining the released IP addresses. It successfully obtained 192.168.1.5 (which it had originally received at startup), 192.168.1.3 and 192.168.1.4. The last two addresses were released by the server after it received the DHCPRELEASE messages generated by dhcdrop. It was unable to obtain 192.168.1.200, even though the host is present on the network and a DHCPRELEASE was sent from its address. One reason for this failure is described in the warning at the end of the program's output: before issuing an address the DHCP server may check whether a host with the requested IP address is present on the network, and issue the address only if no such host is present. Otherwise no new lease for this address is issued. In that situation it can help to disconnect the problematic hosts from the network manually, send DHCPRELEASE messages from their addresses to the server (see the example below), and then restart the process of obtaining IP addresses.
But in our case this is not the problem: host 192.168.1.200 has a statically assigned address and therefore never requested configuration from a DHCP server.
The legitimate network must be specified to start aggressive mode because it is needed for a check: the address range issued by the illegal DHCP server must not intersect the address space of the subnet on which it is located. If the address spaces overlapped, the ARP scan would also hit hosts that have the correct configuration and would produce incorrect information. Therefore, if the address ranges intersect, aggressive mode does not start.
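To make the preconditions of steps 2 and 3 concrete, here is an added Python example (not dhcdrop's own code): it derives the served network from the first offer's yiaddr and subnet mask, refuses to start when that network overlaps a legitimate network given with -L, and caps the ARP scan at the -M limit without enumerating a whole /8. The legitimate networks are taken as CIDR strings (10.7.7.0/24 for the article's 10.7.7.0, an assumption), and the rogue server 192.168.1.1 offering 192.168.1.5 is the case from the output above.

```python
import itertools
import ipaddress

DEFAULT_MAX_HOSTS = 512          # dhcdrop's default scan limit, changeable with -M


def served_network(yiaddr, subnet_mask):
    """Step 2: the network served by the rogue server, derived from the first DHCPOFFER's
    offered address (yiaddr) and its subnet mask (option 1)."""
    return ipaddress.IPv4Network(f"{yiaddr}/{subnet_mask}", strict=False)


def aggressive_mode_plan(yiaddr, subnet_mask, server_ip, legal_networks,
                         max_hosts=DEFAULT_MAX_HOSTS):
    """Decide whether aggressive mode may start, and which addresses steps 3 and 4 would touch.

    legal_networks: the -L values as CIDR strings (an assumption; the article writes 10.7.7.0).
    server_ip: the rogue server, which step 4 leaves out of the DHCPRELEASE targets."""
    rogue_net = served_network(yiaddr, subnet_mask)
    for legal in (ipaddress.IPv4Network(n, strict=False) for n in legal_networks):
        if rogue_net.overlaps(legal):
            # Precondition from the text: with overlapping ranges the ARP scan would also hit
            # correctly configured hosts, so aggressive mode must not start.
            return {"start": False,
                    "reason": f"served network {rogue_net} overlaps legal network {legal}",
                    "network": rogue_net, "scan_targets": [], "release_targets": []}
    # hosts() is lazy, so a /8 (about 16 million addresses) costs nothing beyond max_hosts.
    scan_targets = list(itertools.islice(rogue_net.hosts(), max_hosts))
    server = ipaddress.IPv4Address(server_ip)
    release_targets = [h for h in scan_targets if h != server]
    return {"start": True, "reason": "ok", "network": rogue_net,
            "scan_targets": scan_targets, "release_targets": release_targets}


if __name__ == "__main__":
    # The article's run: rogue server 192.168.1.1 offering 192.168.1.5/24, legal network 10.7.7.0/24.
    plan = aggressive_mode_plan("192.168.1.5", "255.255.255.0", "192.168.1.1", ["10.7.7.0/24"])
    print(plan["start"], plan["network"], len(plan["scan_targets"]), len(plan["release_targets"]))
    # Overlap case: the rogue server hands out addresses inside the legal network.
    print(aggressive_mode_plan("10.7.7.205", "255.255.255.0", "10.7.7.1", ["10.7.7.0/24"])["reason"])
```

The overlap test uses the whole served network rather than the single offered address, which matches the article's rule: one offered address inside the legitimate range is enough to show that the two address spaces intersect.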

 

 

Sending a DHCPRELEASE message.
You may need to send DHCPRELEASE messages manually, for example for the reasons given in the previous example. This is done with the -R option:

 

-s gives the IP address of the server, -F the IP address of the DHCP client, and 00:2D:1C:80:ED:12 is the client's Ethernet address. As a result, a packet like this is sent to the network:

 


Scanning the network segment.
The ARP network scan can be used to find clients that have not received valid configuration information. It is run with the -S option:

 

 

As the warning printed by the program indicates, no source IP address was set at startup, so dhcdrop chose a random IP address from the specified subnet's range. To specify the source address, use -F.
For this type of scan the actual routing configuration of your network does not matter. The interface given with -i is always used, on the assumption that the hosts of this subnet are in the same Ethernet segment as the host running dhcdrop.
This option also lets you detect duplicate IP addresses in a network segment, even when the scan is run from a host whose IP address is duplicated by another host.
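As an added illustration of what the scan's replies contain and how duplicate addresses show up in them (example code, not dhcdrop's), the Python below builds Ethernet/ARP frames, parses ARP replies, and lists the answering hosts together with any IP address claimed by more than one MAC. The reply frames are constructed inline with locally administered (02:...) MAC addresses, modelled on the four hosts of the run above; a second answer for 192.168.1.200 is added to show duplicate detection. The scanner's own address is a constructed one and plays no part in the check, which is what lets the check work from a host whose address is duplicated.

```python
import struct
import ipaddress
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP request or reply.
    A request goes to the broadcast address with an all-zero target MAC, as the scan sends it;
    a reply is unicast back to the target."""
    eth_dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    tha = b"\x00" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      tha, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an ARP reply; None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(spa)), mac_str(sha)


def summarize_replies(frames):
    """Map each answering IP to the MACs that claimed it; an IP with more than one MAC is a
    duplicate address. Only the sender fields of the replies are used."""
    claimed = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            ip, mac = parsed
            claimed[ip].add(mac)
    hosts = {ip: sorted(macs) for ip, macs in claimed.items()}
    duplicates = {ip: macs for ip, macs in hosts.items() if len(macs) > 1}
    return hosts, duplicates


SCANNER_MAC, SCANNER_IP = "02:00:00:00:00:aa", "192.168.1.77"   # constructed scanner identity

# Constructed sample replies (not a real capture), modelled on the four hosts of the article's
# example run, plus a second answer for 192.168.1.200 to show duplicate-address detection.
SAMPLE_REPLIES = [
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:01", "192.168.1.1", SCANNER_MAC, SCANNER_IP),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:03", "192.168.1.3", SCANNER_MAC, SCANNER_IP),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:04", "192.168.1.4", SCANNER_MAC, SCANNER_IP),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:c8", "192.168.1.200", SCANNER_MAC, SCANNER_IP),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:c9", "192.168.1.200", SCANNER_MAC, SCANNER_IP),
    # A request seen on the wire is not an answer and must be ignored.
    build_arp_frame(ARP_REQUEST, "02:00:00:00:00:05", "192.168.1.5", "00:00:00:00:00:00", "192.168.1.1"),
]

if __name__ == "__main__":
    hosts, duplicates = summarize_replies(SAMPLE_REPLIES)
    for ip, macs in sorted(hosts.items()):
        print(ip, ", ".join(macs))
    print("duplicate addresses:", duplicates)
```

Because replies are attributed by their ARP sender fields alone, a host answering for an address that is also configured on the scanning machine is reported like any other duplicate; the scanner's own IP is never consulted.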

 

 

Source: http://www.netpatch.ru/dhcdrop.html