Detecting stealth DHCP starvation attack using machine learning approach

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Dynamic Host Configuration Protocol (DHCP) is used to automatically configure clients with an IP address and other network configuration parameters. Due to the absence of any built-in authentication, the protocol is vulnerable to a class of Denial-of-Service (DoS) attacks, popularly known as DHCP starvation attacks. However, known DHCP starvation attacks are either ineffective in wireless networks or not stealthy in some network topologies. In this paper, we first propose a stealth DHCP starvation attack which is effective in both wired and wireless networks and cannot be detected by known detection mechanisms. We test the effectiveness of the proposed attack in both IPv4 and IPv6 networks and show that it can successfully prevent other clients from obtaining an IP address, thereby causing a DoS scenario. In order to detect the proposed attack, we also propose a Machine Learning (ML) based anomaly detection framework. In particular, we use some popular one-class classifiers for detection. We capture IPv4 and IPv6 traffic from a real network with thousands of devices and evaluate the detection capability of different machine learning algorithms. Our experiments show that the machine learning algorithms can detect the attack with high accuracy in both IPv4 and IPv6 networks.

Notes

  1. Among the 65536 IP addresses, one each was allotted to the malicious client and the server itself. The other two IP addresses, 10.100.0.0 and 10.100.255.255, were the network and broadcast addresses respectively and were not used.

Author information

Corresponding author

Correspondence to Nikhil Tripathi.

About this article

Cite this article

Tripathi, N., Hubballi, N. Detecting stealth DHCP starvation attack using machine learning approach. J Comput Virol Hack Tech 14, 233–244 (2018). https://doi.org/10.1007/s11416-017-0310-x

  • DOI: https://doi.org/10.1007/s11416-017-0310-x
