I need help.
I'm running into some trouble while trying to protect my router from a DHCP starvation attack. I'm attempting to use filter rules and mangle rules, but they don't seem to detect any traffic from the attacker. The attacker is spamming DHCP Discover packets to my DHCP router.
Can a MikroTik router handle this kind of protection, or do I need a switch that supports DHCP Snooping instead? If anyone has successfully implemented rules to protect a DHCP server from starvation attacks, please let me know.
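For anyone who wants to see what "detecting" the attack actually involves, here is an added example (not code from this thread, from MikroTik, or from RouterOS). It builds DHCP Discover payloads the way a starvation tool does, parses them back, and runs a per-window detector: it flags a Discover whose client hardware address (chaddr) does not match the Ethernet source on a non-relayed port, and raises a starvation alert once more than a threshold of distinct chaddr values appear inside one window. The one-second window, the threshold of 20, and all MAC addresses are constructed assumptions for the demo.

```python
"""
Added example, not from the thread: constructs DHCP Discover frames the way a
starvation tool would and runs a per-window detector over them.  Window size,
threshold and the sample MAC addresses are assumptions chosen for the demo.
"""
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 option-field magic cookie
DHCPDISCOVER = 1                    # option 53 value


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER payload: 236-byte BOOTP header, cookie, option 53."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return fixed + DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"


def parse_dhcp(payload: bytes):
    """Return (msg_type, chaddr, giaddr) or None if payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]
    chaddr = payload[28:28 + min(hlen, 16)]   # chaddr field starts at offset 28
    giaddr = payload[24:28]
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:               # pad option has no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end option / truncated
            break
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, chaddr, giaddr


class StarvationDetector:
    """Counts distinct chaddr values seen in DHCPDISCOVERs per time window."""

    def __init__(self, window_s: float = 1.0, max_new_chaddr: int = 20):
        self.window_s = window_s
        self.max_new_chaddr = max_new_chaddr
        self.chaddrs = defaultdict(set)   # window index -> set of chaddr
        self.alerted = set()              # windows already reported

    def observe(self, ts: float, eth_src: bytes, payload: bytes):
        """Feed one frame; return the list of alert names it triggered."""
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[0] != DHCPDISCOVER:
            return []
        _, chaddr, giaddr = parsed
        alerts = []
        # On an access port (no relay, giaddr == 0) a chaddr that differs from
        # the Ethernet source is the cheap tell of a spoofing tool.  Behind a
        # relay agent the source is the relay's MAC, so the check is skipped.
        if giaddr == b"\0" * 4 and chaddr != eth_src:
            alerts.append("chaddr-mismatch")
        win = int(ts // self.window_s)
        self.chaddrs[win].add(chaddr)
        if len(self.chaddrs[win]) > self.max_new_chaddr and win not in self.alerted:
            self.alerted.add(win)
            alerts.append("starvation")
        return alerts


def mac(n: int) -> bytes:
    """Deterministic fake MAC (locally administered) for the constructed traffic."""
    return b"\x02\x00" + struct.pack("!I", n)


def run_scenario(randomise_eth_src: bool) -> dict:
    """Three real clients, then 50 forged Discovers inside one second."""
    det = StarvationDetector(window_s=1.0, max_new_chaddr=20)
    counts = defaultdict(int)
    for n in range(3):                           # legitimate clients
        for a in det.observe(0.1 * n, mac(n), build_discover(mac(n), 1000 + n)):
            counts[a] += 1
    attacker_nic = mac(0xFFFF)
    for n in range(50):                          # fresh forged chaddr each time
        fake = mac(0x1000 + n)
        src = fake if randomise_eth_src else attacker_nic
        for a in det.observe(0.5 + 0.005 * n, src, build_discover(fake, 2000 + n)):
            counts[a] += 1
    return dict(counts)


if __name__ == "__main__":
    print("attacker keeps its own NIC MAC:", run_scenario(False))
    print("attacker randomises Ethernet source too:", run_scenario(True))
```

The two scenarios show the limit the later replies hint at: when the tool only forges chaddr, every forged packet is caught by the mismatch check and the offending Ethernet source is known, so it can be blocked; when the tool randomises the Ethernet source as well, only the distinct-chaddr counter fires, and it tells you the pool is being exhausted but not which frames to drop. That is why the practical fix lives at the switch port (a per-port limit on DHCP Discover rate or on the number of source MACs) rather than in a filter on the router that can only see the flood after it arrives.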
This may not apply but...
I have in the deep past had an issue where a switch was doing proxy arp (default)
(There were also other configuration issues)
The Mikrotik would arp for the address it was going to assign, and the switch would helpfully answer.
The Mikrotik would try next address, switch still helpful...
Mikrotik would run out of IP addresses to assign.
At my university, we recently held a fun student competition where we played a red-team/blue-team scenario. I was on the blue team, and the red team performed a DHCP starvation attack against our router. We tried several mitigation scripts we found online, but none of them worked.
After the competition, we asked the red team what they did, and it turned out they used a custom script that sent a large number of DHCP discovery packets to our router. We examined the script afterward and confirmed that it was simply flooding the router with DHCP discovery signals.
Is there any reliable solution or mitigation for this kind of attack? If the solution requires specific switch features, please let me know.
The quickest way is to turn off the router, so it's impossible to carry out any attack...
Or unplug the Ethernet cable coming from the "reds"...
The "competition" rules should be reviewed.
In home environments, it's pretty useless;
in corporate environments, it shouldn't be possible for someone to connect to any switch and send packets from an unknown MAC address...
In "HotSpot" environments and similar it is impossible to stop: if the MAC is random, you can't limit the number of registered clients, otherwise you don't know if you are blocking a real device or a fake one...
So as a simulation, it's pretty vague, if not useless.
I get the point, but if in the future I configure a public Wi-Fi network, how can I secure my router? Is it possible to keep using a MikroTik router, or do I need more advanced devices?
However, the service can be split in two, in various ways, between "home" and "guests",
and if some "guest" blocks the network, at most it won't work for the "guests" who try to register after...