DHCP starvation


DHCP starvation is an attack that works by simultaneously broadcasting vast numbers of DHCP requests with spoofed MAC addresses, exhausting the DHCP server's IP address pool. This task checks that a customer can only obtain a limited number of IPv4 addresses, so that DHCP starvation is prevented. The Customer takes the allowed number of addresses, then verifies that it cannot obtain one more.

The test does not detect whether an old address is released.

A DHCP server is required for the DHCP starvation test.

References

The test performed conforms to SAVI section 3.1.2.

Impact

DoS

Test procedure

  1. Customer verifies connectivity to ISP.

  2. Customer takes the allowed number of IPv4 addresses.

  3. Customer then sends another DHCP request.

Fail criteria

  • Customer cannot obtain the allowed number of IPv4 addresses.

  • Customer can obtain more than the allowed number of IPv4 addresses.

Parameters

General

  • Customer: A Test Agent interface acting as a customer.

  • ISP: A Test Agent interface acting as a central node on a trusted port.

  • Max addresses: The maximum number of IPv4 addresses a customer is allowed to hold. Default: 3.
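
The following added example (not part of the product or its documentation) models steps 2 and 3 of the test procedure and both fail criteria against a simulated per-port lease limit. The PortLeaseLimiter class, the run_starvation_test function, the MAC addresses and the 192.0.2.0/24 addresses are all constructed for illustration; it is assumed that the limit is enforced per client MAC on the customer port, and step 1 (connectivity) is omitted.

```python
from dataclasses import dataclass, field


@dataclass
class PortLeaseLimiter:
    """Hypothetical access-port control: caps IPv4 leases bound to one customer port."""
    max_addresses: int = 3                         # page default for "Max addresses"
    bindings: dict = field(default_factory=dict)   # client MAC -> leased IP
    next_host: int = 10

    def request(self, mac: str):
        """Return the leased IP, or None when the request is refused."""
        if mac in self.bindings:                   # known client asking again
            return self.bindings[mac]
        if len(self.bindings) >= self.max_addresses:
            return None                            # limit reached: no new binding
        ip = f"192.0.2.{self.next_host}"           # constructed documentation range
        self.next_host += 1
        self.bindings[mac] = ip
        return ip


def run_starvation_test(request, max_addresses=3):
    """Take the allowed number of leases, then ask for one more and judge the result."""
    # Constructed, locally administered MACs: one per lease plus one extra.
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(max_addresses + 1)]
    granted = [request(mac) for mac in macs[:max_addresses]]
    if any(ip is None for ip in granted):
        return "FAIL: cannot obtain the allowed number of IPv4 addresses"
    if request(macs[-1]) is not None:
        return "FAIL: obtained more than the allowed number of IPv4 addresses"
    return "PASS"


if __name__ == "__main__":
    # Port limit matches the test parameter, is missing, or is set too low.
    for limit in (3, 100, 2):
        port = PortLeaseLimiter(max_addresses=limit)
        print(f"port limit {limit}: {run_starvation_test(port.request, 3)}")
```

A port limit above the configured Max addresses leaves the pool exposed to exhaustion, while a limit below it denies the customer addresses it is entitled to; the test reports both as failures.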