Thursday, 26 July 2012

DHCP Process

DHCP is a very common protocol and we often hear about it. DHCP is more complex than it looks: the DHCP IP address assignment process goes through several steps, which are explained in this article.

DHCP stands for Dynamic Host Configuration Protocol and is used to automatically assign IP configuration to hosts connecting to a network. The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP). A DHCP client makes a request to a DHCP server that may or may not reside on the same subnet. The automatic distribution of IP configuration information to hosts eases the administrative burden of maintaining IP networks. In its simplest form, DHCP distributes the IP address, subnet mask and default gateway to a host, but it can include other configuration parameters such as name servers and NetBIOS configuration.

A DHCP client goes through six stages during the DHCP process. These stages are:
Initializing
Selecting
Requesting
Binding
Renewing
Rebinding

The DHCP client starts the DHCP process by issuing a DHCPDISCOVER message to its local subnet on UDP port 67. Since the client does not know what subnet it belongs to, a general broadcast is used (destination address 255.255.255.255). If the DHCP server is located on a different subnet, a DHCP relay agent must be used. The DHCP relay agent can take several forms; the ip helper-address IOS command is used to set up a DHCP relay agent on a Cisco router. The DHCP relay agent forwards the DHCPDISCOVER message to a subnet that contains a DHCP server. Once the DHCP server receives the DHCPDISCOVER message, it replies with a DHCPOFFER message. The DHCPOFFER message contains the IP configuration information for the client. The DHCPOFFER message is sent as a broadcast on UDP port 68. The client knows that the DHCPOFFER message is intended for it because the client's MAC address is included in the message.

If the client is on a different subnet than the server, the message is sent unicast to the DHCP relay agent on UDP port 67. The DHCP relay agent broadcasts the DHCPOFFER on the client's subnet on UDP port 68.

After the client receives the DHCPOFFER, it sends a DHCPREQUEST message to the server. The DHCPREQUEST message informs the server that the client accepts the parameters offered in the DHCPOFFER message. The DHCPREQUEST is a broadcast message, but it includes the MAC address of the server, so that other DHCP servers on the network know which server is serving the client.

The DHCP server sends a DHCPACK message to the client to acknowledge the DHCPREQUEST. The DHCPACK message contains all the configuration information that was requested by the client. After the client receives the DHCPACK, it binds the IP address and is ready to communicate on the network. If the server is unable to provide the requested configuration, it sends a DHCPNAK message to the client, and the client resends the DHCPREQUEST message. If the DHCPREQUEST message does not return a DHCPACK after four attempts, the client starts the DHCP process from the beginning and sends a new DHCPDISCOVER message. There is a great diagram of the DHCP process at the "Understanding DHCP" link at the end of this article.

After the client receives the DHCPACK, it sends out an ARP request for the assigned IP address. If it gets a reply to the ARP request, the IP address is already in use on the network. The client then sends a DHCPDECLINE to the server and sends a new DHCPREQUEST. This step is optional and is often not performed.

Since DHCP works on broadcasts, two hosts on different networks (or VLANs) cannot exchange DHCP messages directly. Does that mean we need a dedicated DHCP server in each VLAN? No: on Cisco devices the ip helper-address command forwards DHCP broadcasts from one VLAN to another. For a more detailed discussion of the DHCP protocol, go through the link below from cisco.com

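To make the exchange above concrete, here is an added example (not from the original article) that builds and decodes DHCP messages in the BOOTP/DHCP wire format and shows what a relay agent such as ip helper-address changes in a DHCPDISCOVER before forwarding it to the server. The MAC address, transaction id and IP addresses are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

def build_message(op, msg_type, xid, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0",
                  hops=0, options=()):
    """Assemble a DHCP message: fixed header, magic cookie, then TLV options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, 0x8000,  # flags: broadcast bit
                         socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                         socket.inet_aton("0.0.0.0"), socket.inet_aton(giaddr),
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, msg_type])                    # option 53: DHCP message type
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + opts + b"\xff"      # option 255: end

def parse_message(pkt):
    """Decode the header fields and options a client or server acts on."""
    f = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg = {"op": f[0], "hops": f[3], "xid": f[4],
           "yiaddr": socket.inet_ntoa(f[8]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                # option 0: pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"][53][0])
    return msg

def relay_forward(pkt, relay_ip):
    """Relay agent step: stamp giaddr with the relay's own address (if not
    already set by an earlier relay) and increment hops, then unicast to the server."""
    if socket.inet_ntoa(pkt[24:28]) == "0.0.0.0":
        pkt = pkt[:24] + socket.inet_aton(relay_ip) + pkt[28:]
    return pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:]

discover = build_message(BOOTREQUEST, 1, 0x3903F326, "00:11:22:33:44:55")  # constructed
relayed = relay_forward(discover, "10.1.1.1")  # giaddr=10.1.1.1, hops=1 toward the server
```

The server answers to the giaddr it sees, which is why the relay must sit on the client's subnet and the client's MAC (chaddr) travels unchanged so the offer can be matched to the right host.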
Sunday, 15 July 2012

AP Spoofing in IEEE 802.11 Network.

Access point spoofing (AP spoofing) is a typical man-in-the-middle attack. In this attack the attacker places himself between two nodes and controls all the traffic between them. This threat is very dangerous because the attacker is able to capture all the information traveling across the network. A man-in-the-middle attack is hard to carry out in a wired network because it requires real access to the network, but no physical presence is needed in a wireless network, which is why attackers prefer it. The first step is to set up a rogue AP between a victim node and the legitimate AP. The rogue AP is established by copying all the configuration of the legitimate one: SSID, MAC address, etc.

The next step is to wait for a new user trying to connect to the network, who instead gets a connection with the rogue AP. Users may connect to the rogue AP by themselves, or the attacker can mount a denial-of-service attack on the legitimate AP to interrupt connections, so that new users automatically fall into the trap of the rogue AP. In IEEE 802.11 networks, subscriber nodes select an AP by the strength of the received signal. All the attacker needs to do is ensure that his AP has greater signal strength as seen by the victim. To accomplish that, the attacker tries to place his AP nearer to the victim than the legitimate AP, or uses directional antennas. The rogue access point is shown in the figure below.

Figure: Access Point Spoofing by a Rogue Node.

Thus the victim node connects to the rogue AP and continues its work as it would with the legitimate AP, unaware of the substitution. The attacker captures all the necessary information, starting with the passwords the victim enters when logging in to different services. With all the required information, the attacker gains the ability to penetrate the legitimate network.

This attack is possible in IEEE 802.11 networks because they do not have strong two-way authentication between the AP and the nodes. AP credentials are usually broadcast across the network for subscriber nodes. As a result, eavesdropping on the network is easy for the attacker, and he can get all the information he needs. The user nodes may use WEP authentication to authenticate themselves to the AP, which is also vulnerable but still more secure. An attacker needs to eavesdrop on a lot of traffic and attempt cryptanalysis in order to get the password.
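Because the rogue AP copies the SSID and even the MAC address, a defender cannot rely on those two fields alone. The following added example (not part of the original post) shows the kind of check a wireless IDS sensor can run over observed beacon frames: it flags a known SSID appearing from an unlisted BSSID, a listed BSSID whose channel, privacy bit or beacon interval no longer matches the inventory, and a listed BSSID whose signal suddenly becomes much stronger, which is exactly what the attacker relies on to win the victim's association. The beacon rows and the AP inventory are constructed sample data.

```python
from collections import defaultdict

# Constructed beacon observations from a wireless sensor (not a real capture):
# (ssid, bssid, channel, privacy_bit, beacon_interval_tu, rssi_dbm)
OBSERVED_BEACONS = [
    ("CorpWiFi", "00:1a:2b:3c:4d:5e", 6, True, 100, -62),
    ("CorpWiFi", "00:1a:2b:3c:4d:5e", 6, True, 100, -60),
    ("CorpWiFi", "00:1a:2b:3c:4d:5e", 11, False, 102, -31),  # cloned SSID+BSSID, other channel
    ("CorpWiFi", "aa:bb:cc:dd:ee:ff", 1, True, 100, -70),    # same SSID, BSSID not in inventory
    ("GuestNet", "00:1a:2b:3c:4d:5f", 1, False, 100, -66),
]

# Hypothetical inventory of legitimate APs: bssid -> (ssid, channel, privacy_bit, interval)
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:5e": ("CorpWiFi", 6, True, 100),
    "00:1a:2b:3c:4d:5f": ("GuestNet", 1, False, 100),
}

RSSI_JUMP_DB = 20   # a listed BSSID suddenly this much louder is suspicious

def find_rogue_aps(beacons, inventory):
    """Return (reason, ssid, bssid, channel) tuples for beacons that contradict the inventory."""
    alerts = set()
    known_ssids = {entry[0] for entry in inventory.values()}
    rssi_by_bssid = defaultdict(list)
    for ssid, bssid, chan, priv, interval, rssi in beacons:
        rssi_by_bssid[bssid].append(rssi)
        expected = inventory.get(bssid)
        if expected is None:
            if ssid in known_ssids:   # evil twin: our SSID advertised from a BSSID we do not own
                alerts.add(("unknown-bssid-for-known-ssid", ssid, bssid, chan))
        elif (ssid, chan, priv, interval) != expected:   # cloned BSSID, but parameters differ
            alerts.add(("cloned-bssid-parameter-mismatch", ssid, bssid, chan))
    for bssid, rssis in rssi_by_bssid.items():   # same BSSID seen at very different signal levels
        if bssid in inventory and max(rssis) - min(rssis) >= RSSI_JUMP_DB:
            alerts.add(("rssi-jump-on-known-bssid", inventory[bssid][0], bssid, None))
    return sorted(alerts, key=str)
```

Such checks only detect the rogue AP; they do not stop the association, so they belong beside mutual authentication (802.1X/WPA-Enterprise) rather than in place of it.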