WEBVTT

0
00:01.510 --> 00:02.640
Welcome back!

1
00:02.650 --> 00:09.790
In the last video we have seen how DHCP works, what the security problems are and how a hacker could attack

2
00:09.840 --> 00:12.320
the DHCP protocol.

3
00:12.320 --> 00:18.370
Let's move on and attack DHCP with a Discover flooding attack.

4
00:18.400 --> 00:20.250
I'm going to use Yersinia.

5
00:20.360 --> 00:27.120
We've already seen Yersinia before, when I've shown you the CDP and STP attacks. Yersinia

6
00:27.150 --> 00:35.020
offers a DHCP Discover flood functionality, which should not be confused with an actual DHCP starvation

7
00:35.050 --> 00:36.240
attack.

8
00:36.550 --> 00:40.250
The effect of this one is far more temporary.

9
00:40.450 --> 00:48.350
In this attack Yersinia sends DHCP Discover messages to the DHCP server at a very high rate,
</gml_replace>
<gr_replace lines="45" cat="clarify" orig="Most probably far">
most probably far higher than what the DHCP server can reasonably handle.

10
00:48.400 --> 00:55.030
Most probably far higher than what the ACP server can reasonably handle.

11
00:55.030 --> 01:01.050
Note that the DHCP server is not as resilient as, let's say, a web server.

12
01:01.120 --> 01:07.840
This attack will probably make the DHCP server unavailable for the duration of the attack.

13
01:07.870 --> 01:13.980
It will be unable to process any legitimate requests for the duration of the flood.

14
01:14.140 --> 01:22.060
Once the flood stops, since Yersinia did not answer to any offer sent by the server, the server will

15
01:22.120 --> 01:28.270
automatically delete all flood-related entries from its leases database

16
01:28.270 --> 01:36.460
after a few minutes' timeout. Let's launch the attack. In this lab I'm gonna attack the DHCP server of my

17
01:36.460 --> 01:40.980
LAN, which is also the default gateway.

18
01:41.000 --> 01:48.830
First I want to open Wireshark to see the generated traffic and then start Yersinia as root. I'm

19
01:48.830 --> 01:49.460
starting

20
01:49.460 --> 01:50.140
Wireshark.

21
01:54.770 --> 01:57.040
Capture options.

22
01:57.230 --> 02:07.390
I'm selecting the interface enp0s3 and start. If you want to see only the DHCP packets you can

23
02:07.390 --> 02:09.830
apply a display filter in Wireshark.

24
02:10.510 --> 02:16.160
If you write dhcp in this version of Wireshark, it won't recognize it.

25
02:16.390 --> 02:21.700
You'll see it didn't recognise this filter, but if you write

26
02:21.730 --> 02:31.450
bootp, it recognises the option. bootp comes from the BOOTP protocol, and Wireshark will filter

27
02:31.540 --> 02:41.050
and display only the DHCP packets. BOOTP is a legacy protocol which DHCP has, sometime in the

28
02:41.050 --> 02:52.920
past, replaced. We are seeing only the DHCP packets in Wireshark. I'm starting yersinia -G.

29
02:52.920 --> 02:59.260
-G means that I want to start the graphical interface. Okay, perfect.

30
03:00.960 --> 03:10.540
This is Yersinia. I'll click on Launch attack and then I'll select the DHCP tab. We see here

31
03:10.640 --> 03:18.310
all available attacks on DHCP. Sending DISCOVER packet is the option used for the flooding attack

32
03:18.320 --> 03:20.560
I'm gonna launch in a few seconds.

33
03:20.840 --> 03:28.610
The next option is for setting up a rogue DHCP server, and the last option is for sending DHCP RELEASE

34
03:28.610 --> 03:36.170
packets to the server, so the server considers the IP addresses available to be offered to other clients,

35
03:37.200 --> 03:42.720
so this is also a kind of denial-of-service attack. And I'm launching the attack.

36
03:53.410 --> 03:58.760
Let's see the captured traffic in Wireshark and note this bunch of broadcast

37
03:58.780 --> 04:02.570
DHCP Discover messages sent to the server.

38
04:02.740 --> 04:05.610
In fact they are sent to the broadcast address.

39
04:06.040 --> 04:16.210
But the server will process them. It's sending hundreds of DHCP Discover messages per second.

40
04:16.390 --> 04:19.220
Now the server is under a lot of stress.

41
04:19.670 --> 04:26.500
Its DHCP leases database is probably unavailable to legitimate clients.

42
04:26.510 --> 04:30.130
Let's test if I can still communicate on the Internet.

43
04:33.490 --> 04:42.660
It's not working, because the DHCP server is also the default gateway and is under attack. Destination

44
04:42.660 --> 04:50.240
host unreachable. I am stopping the attack: List attacks and Stop all.

45
04:54.370 --> 04:57.190
Ping will start shortly.

46
04:57.190 --> 04:58.750
This is a temporary attack.

47
05:02.580 --> 05:03.030
Okay.

48
05:03.040 --> 05:04.090
It has started.

49
05:08.490 --> 05:13.510
If you want to launch the attack at the console, you execute as root

50
05:13.580 --> 05:18.780
yersinia dhcp -attack 1.

51
05:24.090 --> 05:27.210
Okay, that's all. In the next lecture

52
05:27.210 --> 05:30.660
I'll show you a real DHCP starvation attack.