Does anyone know if OpenDNS is subject to DHCP Option 121 abuse?
I just read an article about possible attacks that can force users on a LAN to connect to an alternative "rogue" DHCP server.
The article appears in Krebs on Security, citing a study by researchers at Leviathan Security that documents how they were able to set a separate DHCP route on the same network, also setting itself as a gateway, setting routing rules that have a higher priority than the routes for the virtual network interface a VPN creates. They call this "pushing a route."
That means network traffic can be sent over the same interface as the DHCP server instead of the virtual network interface. The routes they pushed in their research were never encrypted by the VPN's virtual interface but instead transmitted by the network interface talking to the DHCP server. They could then select which IP addresses go over the VPN's encrypted tunnel and which go over the network interface talking to their created DHCP server.
Leviathan found they can force VPNs on the local network that already had a connection to arbitrarily request a new one, a well-documented tactic known as a DHCP starvation attack, flooding the DHCP server with requests that consume all available IP addresses that can be allocated. With the network's legitimate DHCP server tied up, attackers can then have their rogue DHCP server respond to all pending requests.
VPNs also continued reporting as connected and never engaged their available kill switches to drop their rogue connection.
That is all very shocking to me.
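For defenders who want to check what a DHCP lease actually pushed, here is an added example (not part of the original post or the cited research) that decodes a raw Option 121 payload in the RFC 3442 classless static route format and flags routes that would win longest-prefix matching over a VPN's tunnel routes. The split-default tunnel routes, the local subnet, the function names and the sample payload are all assumptions constructed for illustration.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 entries: prefix length, significant destination octets, 4-byte router."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                      # only the significant octets are sent
        end = i + 1 + n + 4
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)
        net = ipaddress.ip_network((dest, plen), strict=False)
        router = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def routes_overriding_tunnel(routes, tunnel_routes, local_net):
    """Return pushed routes more specific than a tunnel route that covers them.

    Routes inside the local subnet are skipped, since on-link traffic is expected
    to leave through the physical interface anyway.
    """
    flagged = []
    for net, router in routes:
        if net.subnet_of(local_net):
            continue
        if any(net.subnet_of(t) and net.prefixlen > t.prefixlen for t in tunnel_routes):
            flagged.append((net, router))
    return flagged

# Constructed sample: an Option 121 payload as it might appear in a captured DHCP ACK.
SAMPLE_OPTION_121 = bytes([
    24, 192, 168, 1,   0, 0, 0, 0,          # 192.168.1.0/24 on-link
    24, 203, 0, 113,   192, 168, 1, 254,    # 203.0.113.0/24 via 192.168.1.254
    0,                 192, 168, 1, 1,      # default route via 192.168.1.1
])
# Assumed VPN configuration: a full tunnel installed as two /1 routes.
TUNNEL_ROUTES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

if __name__ == "__main__":
    pushed = parse_option_121(SAMPLE_OPTION_121)
    for net, router in routes_overriding_tunnel(pushed, TUNNEL_ROUTES, LOCAL_NET):
        print(f"ALERT: DHCP-pushed route {net} via {router} bypasses the tunnel")
```
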