1
00:00:00,400 --> 00:00:06,250
In spoofing attacks, the attacker places a rogue DHCP server on the network.

2
00:00:07,360 --> 00:00:13,000
There are two main features of the DHCP mechanism that enable the spoofing attack.

3
00:00:14,340 --> 00:00:19,560
First, there's no authentication process and priority in the mechanism.

4
00:00:20,570 --> 00:00:27,110
Second, as clients are turned on and request an address, the server with the fastest response is used.

5
00:00:28,200 --> 00:00:34,110
So if the device receives a response from the rogue server first, the rogue server can assign any address

6
00:00:34,110 --> 00:00:37,410
as well as control which device it uses as a gateway.

7
00:00:38,800 --> 00:00:46,060
So a well-designed attack can funnel traffic from local devices to a rogue server that logs all the traffic

8
00:00:46,060 --> 00:00:51,590
and then forwards that traffic out to the correct gateway to the device.

9
00:00:51,610 --> 00:00:55,510
And this action would be almost transparent, right?

10
00:00:56,550 --> 00:01:00,250
That is, the attacker can steal information pretty much invisibly.

11
00:01:00,710 --> 00:01:02,170
How are you going to find that?

12
00:01:03,190 --> 00:01:04,120
That's why you're here.

13
00:01:05,040 --> 00:01:12,270
Let me clue you in on another important point: while setting up a rogue server, we cannot be so

14
00:01:12,270 --> 00:01:17,370
sure whether the client received the settings of the rogue server or the legitimate server.

15
00:01:18,710 --> 00:01:24,260
That's why it's way better to use the spoofing attack with a DHCP starvation attack.

16
00:01:24,680 --> 00:01:25,180
All right.

17
00:01:25,700 --> 00:01:34,610
In a DHCP starvation attack, an attacker broadcasts a large number of DHCP request messages with spoofed

18
00:01:34,610 --> 00:01:36,020
source MAC addresses.

19
00:01:37,080 --> 00:01:44,010
If the legitimate DHCP server in the network starts responding to all these bogus DHCP request messages,

20
00:01:44,280 --> 00:01:50,340
available IP addresses in the server scope will be depleted within a very short span of time.

21
00:01:51,840 --> 00:01:59,520
Now, once the available number of IP addresses in the server is depleted, network attackers can then

22
00:01:59,520 --> 00:02:07,470
set up a rogue DHCP server and respond to new DHCP requests from the network DHCP clients.

23
00:02:08,190 --> 00:02:15,990
By setting up a rogue DHCP server, the attacker can now launch a whole DHCP spoofing attack.

24
00:02:17,760 --> 00:02:24,870
So here is how we can perform a spoofing attack together with a DHCP starvation attack.

25
00:02:25,850 --> 00:02:31,970
So we'll create a lot of DHCP discovery packets to request new IP addresses from the DHCP server.

26
00:02:32,820 --> 00:02:35,730
The DHCP server replies to these requests.

27
00:02:38,180 --> 00:02:39,880
IP address space is limited.

28
00:02:40,800 --> 00:02:45,540
For example, a class C subnet has about 250 IP addresses available.

29
00:02:47,110 --> 00:02:54,340
So since the IP addresses are used for fake MAC addresses, there aren't any more IP addresses for legitimate

30
00:02:54,340 --> 00:02:54,760
clients.

31
00:02:56,460 --> 00:03:03,090
DHCP cannot respond to the new requests, and the clients, which cannot get IP addresses, become out of

32
00:03:03,090 --> 00:03:03,500
service.

33
00:03:04,540 --> 00:03:10,930
So now we'll set up a rogue server, which is the only server to respond to the clients' IP address

34
00:03:10,930 --> 00:03:11,980
requests right now.

35
00:03:13,160 --> 00:03:19,880
The rogue DHCP server starts distributing IP addresses and other TCP/IP configuration settings to the

36
00:03:19,880 --> 00:03:21,500
network DHCP clients.

37
00:03:22,610 --> 00:03:28,520
TCP/IP configuration settings include default gateway and DNS server IP addresses.

38
00:03:30,400 --> 00:03:36,940
So now we can replace the original legitimate default gateway IP address and DNS server IP address

39
00:03:36,940 --> 00:03:39,190
with our own IP address.

40
00:03:42,510 --> 00:03:48,540
Once the default gateway IP address of the network devices is changed, the network clients start sending

41
00:03:48,540 --> 00:03:52,050
the traffic destined to outside networks to the attacker's computer.

42
00:03:53,030 --> 00:03:57,950
The attacker can now capture sensitive user data and launch a man-in-the-middle attack.