Centralized Web Based Allocation and Management Approach towards Private IP Addressing for providing Mobility and Security

Alok Pandey, Dr. Jatinderkumar R. Saini

Sr. Systems Manager, Department of Computer Science Engineering, Birla Institute of Technology Mesra, Jaipur Campus, Rajasthan, INDIA.
Director (I/C) & Associate Professor, Narmada College of Computer Application, Bharuch, Gujarat, INDIA.

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Volume 3, Issue 3, May-June 2014, ISSN 2278-6856

Abstract: Two of the most widely used protocols of the TCP/IP suite are HTTP (Hyper Text Transfer Protocol) and DHCP (Dynamic Host Configuration Protocol). Both operate in a client-server environment. HTTP is the widely used protocol for web based communication and serves the majority of intranet and internet based applications, whereas DHCP is used for the allocation and management of IP addresses for individual clients. In this paper we try to combine the best of both worlds and develop a new web based mechanism which could be implemented in intranet and internet environments.
The implementation of this proposal will provide mobility to the user and at the same time enhance the security features and facilitate an improved management and monitoring mechanism for private IP allotment in a large organization. The proposed mechanism is a typical application focused on the allotment and monitoring of private IPs based on the biometric characteristics of an individual user in combination with his unique identity, which may be guaranteed by a government organization or a widely trusted third party. Under the said implementation the user is always allocated the same private IP address as he moves across the geographical boundaries of the organization, across the country or even across different countries.

Keywords: DHCP Spoofing, IP Address Management, Mobility & Security, DHCP Attacks

For all computer based communication the source and destination devices need to be properly identified as sender and receiver by a proper identification mechanism. One such mechanism is IP addressing. IP addresses can be assigned both manually and automatically using DHCP.
The IP address, along with other network related parameters such as the subnet mask, default gateway and the IP addresses of the primary and secondary DNS servers, can be distributed automatically on a computer network using the application layer protocol called DHCP [9]. A DHCP enabled client requests an IP address from its local DHCP server. The DHCP server assigns the client an IP address from the available pool of pre-defined IP addresses. Allocated IPs are returned to the pool for reassignment to others when the user leaves the network.
The dynamic address assignment mechanism of DHCP can be used for various hardware and software based computing and communication devices [5]. The assigned IP address will also change as the user reboots, changes the hardware or establishes a new session. The probability of getting the same IP address which was assigned previously is very low.
Similarly, when the user moves from one of its geographic locations to another he may get a different IP address from the DHCP server for that area. This frequent change of IP address creates many problems for the user in getting connected and accessing network based resources. If the user gets disconnected during a download session it may become difficult to resume the previous session, since a new IP might be assigned to the user.
It is also possible to reserve an IP address based on the MAC address of the user's device. MAC addresses are the actual addresses of the network terminal host [3]. Whenever such a user sends a request for a new IP address, his MAC address is looked up in the table and the user is always given the assigned dedicated IP address.
This concept works as long as the user continues to use the same device. Once the user changes the device or moves out of the local network, it will not be possible for the user to get the same IP.

Computers around the world are connected via IP networks. Each IP network has several interconnected computers. In order to be connected and to communicate with each other, the systems need IP addresses. IP addresses can be set up manually by the network administrator or assigned automatically using DHCP.
DHCP is a network protocol which helps a host machine gain access to an IP network. It is a widely used protocol which allows hosts on a TCP/IP network to dynamically obtain basic configuration information such as IP address, subnet mask, default gateway, primary and secondary DNS server, etc. automatically from a DHCP server. DHCP avoids the manual process of configuring the necessary parameters on each system; the network administrator does not need to go to each system and configure the addresses manually.
The DHCP server maintains a list of all computers connected to the network, with the IP addresses in use at a given time, and removes them from the list as the devices get disconnected or move out of the network. It also manages the issue of duplicate IP addresses, which can cause network conflicts. The Dynamic Host Configuration Protocol (DHCP) is an extension of the Bootstrap Protocol (BOOTP) [1].
When a DHCP client boots up, it broadcasts a DHCP discover packet looking for DHCP servers. The available DHCP servers on the network respond to this packet with a DHCP offer packet. The client then chooses a server from which to obtain TCP/IP configuration information such as IP address, subnet mask, default gateway etc. The configuration information is allocated (leased) to the client for a limited period of time. The client must periodically renew its lease in order to continue using the configuration.
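To make the discover/offer exchange concrete, the following Python is an added example (not code from the paper) that encodes and decodes the RFC 2131 message format on constructed values: a made-up client MAC, a made-up transaction id and addresses from 192.0.2.0/24. It shows the only fields a client uses to match an offer to its own request, none of which carries any proof of who sent the message.

```python
"""Added example (not from the paper): encode and decode RFC 2131 DHCP messages.

Builds a DHCPDISCOVER and the DHCPOFFER that answers it, then parses both,
so the fields the text names (op, xid, chaddr, the message-type option) can be
seen on the wire.  All addresses and identifiers below are constructed.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op, htype, hlen, hops, xid, secs, flags,
                                           # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}


def ip_bytes(dotted):
    """Dotted-quad string to its 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def build(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Encode a message: 236-byte fixed header, magic cookie, TLV options, END."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,  # Ethernet, 6-byte MAC, broadcast flag
                         ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"),
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(packet):
    """Decode the fixed header and the options into a dict."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:            # PAD option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": fields[0],
        "xid": fields[4],
        "yiaddr": ".".join(str(b) for b in fields[8]),
        "chaddr": fields[11][:fields[2]].hex(":"),   # hlen bytes of the hardware address
        "msg_type": MSG_TYPES.get(options[OPT_MSG_TYPE][0]),
        "server_id": ".".join(str(b) for b in server_id) if server_id else None,
        "options": options,
    }


def discover_offer_exchange():
    """Steps 1 and 2 of the handshake on constructed values: returns (discover, offer, matched)."""
    client_mac = bytes.fromhex("0011223344aa")            # constructed client MAC
    xid = 0x3903F326                                      # constructed transaction id
    discover = build(1, xid, client_mac, [(OPT_MSG_TYPE, b"\x01")])
    # The server answers with the same xid and chaddr and proposes yiaddr plus parameters.
    offer = build(2, xid, client_mac,
                  [(OPT_MSG_TYPE, b"\x02"),
                   (OPT_SERVER_ID, ip_bytes("192.0.2.1")),
                   (OPT_SUBNET, ip_bytes("255.255.255.0")),
                   (OPT_ROUTER, ip_bytes("192.0.2.1")),
                   (OPT_DNS, ip_bytes("192.0.2.53"))],
                  yiaddr="192.0.2.100")
    d, o = parse(discover), parse(offer)
    # A client accepts an offer purely on xid and chaddr, both readable by anyone on the
    # segment; nothing in either message proves who sent it.
    matched = d["xid"] == o["xid"] and d["chaddr"] == o["chaddr"]
    return d, o, matched


if __name__ == "__main__":
    disc, off, ok = discover_offer_exchange()
    print(disc["msg_type"], "from", disc["chaddr"])
    print(off["msg_type"], "of", off["yiaddr"], "from server", off["server_id"], "matched:", ok)
```

Because the match is made on xid and chaddr alone, any host on the broadcast domain that sees the discover can produce an offer the client will accept, which is the gap the next paragraph describes.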
Unfortunately the base DHCP protocol does not include any mechanism for authentication [2]. This weakness has been exploited by hackers and other antisocial elements to gain access to the network and conduct various spurious activities, using tricks classified as DHCP spoofing attacks.
Using DHCP spoofing, an untrusted client can flood a network with DHCP messages. It is a type of attack on the DHCP server in which IP addresses are obtained using spoofed DHCP messages: the attacker attempts to fool the server with fake messages and thereby obtain an IP address and gain access.

A variety of attacks can be launched, as mentioned below:
DHCP server spoofing, where an unauthorized DHCP server provides false information to
Unauthorized clients gaining access to network based
Resource exhaustion attacks from malicious DHCP
Denial of service [6], [8], [10]
M.I.T.M. attacks of different forms [10]
Attacks on the DNS and other available servers [10]
Exhaustion of valid IP addresses [8]
Exhaustion of C.P.U. and network resources [8]
Spoofing of the IP addresses of other clients [11]
Spoofing of the MAC addresses of clients [11], [13]
Since there is no privacy protection, an eavesdropper can monitor and capture the information being exchanged on the network [12].
As the client has no way to validate the identity of a
DHCP server, unauthorized DHCP servers can be
operated on networks, providing incorrect information to
DHCP clients. This can serve either as a denial-of-service
attack, preventing the client from gaining access to
network connectivity, or as a man-in-the-middle attack.
Because the DHCP server provides the DHCP client with
server IP addresses, such as the IP address of one or more
DNS servers [4], an attacker can convince a DHCP client
to do its DNS lookups through its own DNS server, and
can therefore provide its own answers to DNS queries
from the client.
This in turn allows the attacker to redirect network traffic
through itself, allowing it to eavesdrop on connections
between the client and network servers it contacts, or to
simply replace those network servers with its own.
Because the DHCP server has no secure mechanism for
authenticating the client, clients can gain unauthorized
access to IP addresses by presenting credentials, such as
client identifiers, that belong to other DHCP clients.
By presenting new credentials each time it asks for an
address, the client can consume all the available IP
addresses on a particular network link, preventing other
DHCP clients from getting services.

In a DHCP server spoofing attack an unauthorized machine becomes a DHCP server on the network. The attacker can start passing unauthorized DHCP based information and gain valuable information from the connected clients on the network. For example, a rogue DHCP server could hand unsuspecting clients default-gateway and DNS addresses pointing to a compromised machine set up with a sniffer. The compromised machine could take all information from the clients, sniff it and then forward it on to the real default gateway. The sniffed information might include usernames and passwords and other confidential or financial data being exchanged. This is often referred to as a man in the middle (MITM) attack.
DHCP server spoofing - It gives the user spoofed access to the hijacked DHCP server. The attack aims to make the attacker's PC act as a DHCP server and thereby access the victim's network. This can be very risky, as users might lose valuable information because of a rogue server working in place of the actual one. An attacker can do a lot more, such as copying data, distributing viruses, sniffing the network, etc.
How does a DHCP spoofing attack occur?
The attack occurs when the lease period of the temporary IP expires. The system sends a DHCP Discover packet and the attacker responds to it. When the attacker responds to the query he can set himself as the default gateway or DNS server without the knowledge of the user. This can be seen as a type of traffic interception between the user and the actual gateway. The attacker also has a chance to flood the DHCP server with DHCP offer packets, causing a DoS type attack. The IP address is pre-assigned by the attacker.

3.2 DHCP Exhaustion - This type of attack is carried out by abusing the address service on DHCP servers. Under this attack the IP addresses are spoofed and a large number of requests are issued from a single process. When the DHCP Discover message is broadcast from a system it also carries the MAC address in the packet data. The attacker keeps changing the MAC address of his system, and in this way uses up all the unallocated IP addresses in the assigned pool, causing DHCP exhaustion. As a result the user machine fails to connect to the genuine DHCP server and may be redirected to the attacker's server.
DHCP address exhaustion attack - This attack focuses on depleting the address pool on the DHCP server, thus causing a denial of service. In a DHCPDISCOVER message broadcast from a client there is a field called chaddr, the client hardware address or MAC address. The chaddr field is set to the source MAC address of the client by default.
If an attacker constantly keeps changing his MAC address, he could keep requesting different addresses from the DHCP pool and eventually deplete it. Fortunately, port-security helps mitigate this attack. However, if a client keeps the same MAC address but simply changes the chaddr field to something unique on every request, an attacker could just as well exhaust all the DHCP addresses in the pool without causing a port-security violation. The pool could become depleted and legitimate users may not be able to obtain address leases.

3.3 IP Address Hijacking - Normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can go ahead and add that IP address back into the pool of available addresses. An attacker that has knowledge of an authorized IP address leased through DHCP could send a packet to the server with the DHCPRELEASE field set to that authorized IP address. The attacker could thereby release that IP address and then take over the IP address on the network, or at least disrupt network communications.
Hijacking the IP - This is the later part, after the DHCP Discover and DHCP Offer process ends. Here the user machine sends a DHCP Release message to the server to tell the server that the IP address is provided and the user machine can access the network now. But the hijacker has the knowledge to capture the DHCP Release packet and exploit it. He can then capture the IP and cause network
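The three abuse patterns described above (rogue offers from an unauthorized server, pool exhaustion through a changing chaddr that does not match the frame source, and a DHCPRELEASE forged for someone else's lease) can all be recognised from one stream of DHCP events. The following Python is an added example, not code from the paper; it runs offline over a constructed event list as a switch or monitoring probe would see it, and assumes an allowlist of the organization's server identifiers and a copy of the lease table as reference data. Port names, MACs and addresses are constructed for the demo.

```python
"""Added example (not from the paper): offline detection of the DHCP abuse patterns
described above, run over a constructed stream of DHCP events as a switch or
monitoring probe would see them.  The trusted-server allowlist, the lease table,
the port names, MACs and addresses are all constructed for the demo.
"""
from collections import defaultdict

TRUSTED_SERVERS = {"192.0.2.1"}     # server identifiers (option 54) the organization runs
MAX_CHADDR_PER_PORT = 3             # distinct client hardware addresses tolerated per access port

# Lease table the genuine server holds: ip -> MAC of the client that leased it.
LEASES = {"192.0.2.100": "00:11:22:33:44:aa", "192.0.2.101": "00:11:22:33:44:bb"}

# Constructed events.  src_mac is the Ethernet source seen on the port; chaddr and ciaddr
# are the values inside the DHCP payload, which need not agree with the frame.
EVENTS = [
    {"port": "Gi1/1",  "src_mac": "00:11:22:33:44:aa", "type": "DISCOVER", "chaddr": "00:11:22:33:44:aa"},
    {"port": "Gi1/24", "src_mac": "00:50:56:00:00:01", "type": "OFFER", "server_id": "192.0.2.1"},
    {"port": "Gi1/7",  "src_mac": "00:50:56:00:00:99", "type": "OFFER", "server_id": "192.0.2.250"},
    {"port": "Gi1/9",  "src_mac": "00:11:22:33:44:cc", "type": "DISCOVER", "chaddr": "02:00:00:00:00:01"},
    {"port": "Gi1/9",  "src_mac": "00:11:22:33:44:cc", "type": "DISCOVER", "chaddr": "02:00:00:00:00:02"},
    {"port": "Gi1/9",  "src_mac": "00:11:22:33:44:cc", "type": "DISCOVER", "chaddr": "02:00:00:00:00:03"},
    {"port": "Gi1/9",  "src_mac": "00:11:22:33:44:cc", "type": "DISCOVER", "chaddr": "02:00:00:00:00:04"},
    {"port": "Gi1/2",  "src_mac": "00:11:22:33:44:bb", "type": "RELEASE",
     "chaddr": "00:11:22:33:44:bb", "ciaddr": "192.0.2.101"},
    {"port": "Gi1/9",  "src_mac": "00:11:22:33:44:cc", "type": "RELEASE",
     "chaddr": "00:11:22:33:44:aa", "ciaddr": "192.0.2.100"},
]


def analyse(events, trusted=TRUSTED_SERVERS, leases=LEASES, max_chaddr=MAX_CHADDR_PER_PORT):
    """Return a list of (alert_kind, port, detail) tuples for the suspicious events."""
    alerts = []
    chaddrs_per_port = defaultdict(set)
    for e in events:
        kind = e["type"]
        if kind in ("OFFER", "ACK"):
            # Rogue server: server-side messages must carry an allowed server identifier.
            if e.get("server_id") not in trusted:
                alerts.append(("rogue_server", e["port"], e.get("server_id")))
        elif kind == "DISCOVER":
            # Exhaustion: a chaddr differing from the frame source evades port-security,
            # and many distinct chaddr values behind one port is the pool-draining pattern.
            if e["chaddr"] != e["src_mac"]:
                alerts.append(("chaddr_mismatch", e["port"], e["chaddr"]))
            seen = chaddrs_per_port[e["port"]]
            seen.add(e["chaddr"])
            if len(seen) == max_chaddr + 1:          # fire once, when the threshold is crossed
                alerts.append(("exhaustion_suspected", e["port"], len(seen)))
        elif kind == "RELEASE":
            # Hijack: a release is honoured only if the lease holder's MAC matches chaddr
            # and the frame really came from that station.
            holder = leases.get(e.get("ciaddr"))
            if holder != e["chaddr"] or e["chaddr"] != e["src_mac"]:
                alerts.append(("release_hijack", e["port"], e.get("ciaddr")))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(*alert)
```

On the constructed input the legitimate discover on Gi1/1, the offer from the trusted server and the genuine release on Gi1/2 produce nothing, while the rogue offer on Gi1/7, the four mismatched chaddr values behind Gi1/9 (with one threshold alert) and the release for a lease held by another station are each reported.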

Different approaches have been adopted by different researchers in this direction; some of them are mentioned below:
E-DHCP: Extended Dynamic Host Configuration Protocol by Jacques Demerjian et al. [14]. In their paper the authors point out the two basic reasons which justify the need for a protocol that could manage internet addresses dynamically for the smooth functioning of networks: firstly, the shortage of internet addresses, which rules out the possibility of using static IP addresses, and secondly, providing mobility of equipment. As an outcome DHCP is at the centre of network architecture. They also point out one of the serious shortfalls of the DHCP protocol, protection against malicious Internet hosts: because it lacks an authentication mechanism, DHCP is vulnerable to various types of security attacks. Thus an intruder could also impersonate the identity of a genuine user for different unwanted antisocial activities.
The authors finally suggest a mechanism that makes use of RSA public key encryption, X.509 identity certificates and attribute certificates. They also point out the need for authentication of the DHCP server itself on the network, as an intruder can also impersonate a DHCP server and send erroneous information to any local DHCP client, thus disrupting the working of the network itself by passing false information to the clients.
Next Generation Automatic IP Configuration Deployment Issues by Tomasz Mrugalski et al. [15]. Their paper also discusses the issues related to the lack of well defined authentication / authorization in DHCP and recommends possible solutions in the DHCPv6 protocol. The issues related to the implementation of FQDN and the poisoning of available DNS server entries for diverting traffic to a malicious host have also been discussed. The authors highlight some of the remedies, such as controlling policy updates, providing access control mechanisms, restricting clients from updating DNS server records (only administrators can do so), controlling the updating of DNS resource records and providing for failover.
Secure DHCPv6 that uses RSA Authentication integrated with Self-Certified Address by Zhiyang Su et al. [16]. This paper also highlights some of the security considerations for DHCP. The authors summarize some of the possible solutions to security concerns, such as MAC address to hardware binding, typically in the switches at the port level, and several other authentication methods such as configuration tokens, delayed authentication, E-DHCP, and certificate based authentication based upon RSA, X.509 identity certificates, asymmetric keys and PKI, etc.
As can be seen, a lot of work has been done in terms of improving the security aspects of DHCP, but very little attention has been paid to providing both mobility and security to the user at the same time. Our focus is upon providing faster and secure mechanisms based upon a simple yet effective security control mechanism, and at the same time providing mobility to the end user or the device.
Some similar work has been done by Asjad Amin et al. [17]: Designing a Hierarchical DHCP servers model to automatically provide dedicated IP address anywhere in the world with mobility.
In our proposed scheme the following points will be

1. The focus is upon the implementation aspect rather than the design of a new protocol.
2. Our approach is confined to an organization having multiple locations of presence, which may be within the same country or in different countries.
3. The proposed work is being carried out in the Indian context with reference to the government based unique identification mechanism called AADHAR.
4. Our work is based upon the implementation of a web based approach which works in the internet and intranet environment.
5. It is a combination of secure communication between different databases which store user specific information based upon biometric parameters of the

By securing and controlling the allotment of private IPs we try to avoid scenarios where an already allocated private IP on a network is used and exploited by an unauthorized user / hacker for carrying out different network based attacks based upon DHCP spoofing.

A new system is proposed in our research paper in which each user will have a dedicated IP of his own, with the facility to move anywhere in the organization wide network, as shown in fig. 1.


Our approach is to strengthen security and at the same time make the system more versatile and user friendly by providing greater regulation [7]. We are trying to ensure that a dedicated private IP is always available for a specific user irrespective of his current location, although with the introduction of IPv6 the number of IP addresses is no longer limited and the problem of limited IP addresses has been fairly resolved.
In the proposed model we suggest a distributed recording and processing system for the DHCP servers available on an organization wide network, which may span different locations across a city or a nation. The IP address assigned by a DHCP server remains allocated to a specific user until he deregisters from the facility, thus providing mobility and enhancing security.
It is proposed to combine the best of the two worlds of HTTP and DHCP in the development of the proposed model, which would provide better regulation and more user friendliness. The proposed web based mechanism could also be implemented in intranet and internet environments.
The suggested model would facilitate the registration of new users and assign them a dedicated private IP address. It would also take care of already registered users and provide them with their already assigned fixed private IP address.
Each user is connected through the DHCP server of the local network of the organization. These local DHCP servers are in turn connected to different sub-network level DHCP servers of the same organization, which may be located at different locations in a city or a nation. These sub-network level DHCP servers are in turn connected to the main DHCP server of the organization.
The first step for any user is to register for the dedicated IP address facility. Once a user is registered, he is always provided with his IP address no matter which network level the user is currently in or moves to. This is achieved by our distributed processing and administering design.
The local level DHCP server maintains the data of all registered users along with their allocated IP address, MAC address, user name, password, unique identification of the user based upon the SSN number or AADHAR, and the biometric finger scan of the user. The same is replicated to other DHCP servers at different locations across the organization wide network, which may span different locations in a city or different cities in a country.
As the user attempts to log in to the network at any one of the local locations, the system asks for all the unique parameters mentioned above. It verifies and searches for them in its local database; if found, the user is granted the same IP address as is recorded in the system. If the details are not found in the local database the query is passed to the next, sub-network level for resolution. If found there, the details are passed back to the local database and recorded there for further use. The IP is granted and the access time and usage are recorded.
A copy of the user details is also sent to the main DHCP server at the organization's topmost level. If the user details are found there they are cross verified and updated if needed; if not, the user details are recorded there as well. This provides redundancy of operation in case of any operational failure.
Now, when the user moves to a different location on the same organization's network, which may be in a different city, and tries to log in to the system, the system will once again prompt for the user details. The query is once again passed to the different levels of DHCP servers, starting at the local level, then the sub-network level and finally the topmost network level, for resolution and updating of records.
The flow chart for the proposed model is as shown in fig. 2.
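The lookup procedure just described (local database first, then the sub-network level, then the main server, with a record found higher up copied back down and the access logged) can be simulated in a few dozen lines. The following Python is an added example, not the authors' implementation: the record fields, the hashing of the password, identity number and fingerprint template, and the reduction of the biometric match to an exact template comparison are assumptions made for illustration, and every user value in it is constructed.

```python
"""Added example (not the authors' implementation): a simulation of the three-level
lookup in the proposed model.  A local DHCP server database is consulted first, then
its sub-network level server, then the organization's main server; a record found
higher up is copied back down and the access is logged.  Field names, the hashing of
the password, identity number and fingerprint template, and the exact-match biometric
comparison are assumptions; every user value below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def digest(value):
    """Store secrets and templates hashed rather than in clear (assumption)."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Record:
    user: str
    ip: str                 # the dedicated private IP the user keeps everywhere
    mac: str                # last device seen; may change, the IP does not
    password_hash: str
    uid_hash: str           # hash of the AADHAR / SSN number
    biometric_hash: str     # hash of the fingerprint template
    access_log: list = field(default_factory=list)


class Registry:
    """One DHCP-server-level database.  `parent` is the next level up (None for main)."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.records = name, parent, {}

    def register(self, rec):
        """New registrations are stored locally and copied up to every higher level."""
        self.records[rec.user] = rec
        if self.parent is not None:
            self.parent.register(rec)

    def lookup(self, user, path):
        """Resolve a user, appending each level consulted to `path`; cache hits from above."""
        path.append(self.name)
        if user in self.records:
            return self.records[user]
        if self.parent is None:
            return None
        rec = self.parent.lookup(user, path)
        if rec is not None:
            self.records[user] = rec      # recorded here for further use
        return rec


def authenticate(registry, user, password, uid, fingerprint, mac, when):
    """Return (ip, path) when all identifiers match the record, else (None, path)."""
    path = []
    rec = registry.lookup(user, path)
    if rec is None:
        return None, path
    ok = (hmac.compare_digest(rec.password_hash, digest(password))
          and hmac.compare_digest(rec.uid_hash, digest(uid))
          and hmac.compare_digest(rec.biometric_hash, digest(fingerprint)))
    if not ok:
        return None, path
    rec.mac = mac
    rec.access_log.append((when, registry.name, mac))
    return rec.ip, path


def demo():
    """Register at one site, then log in from another site, then with a wrong fingerprint."""
    main = Registry("main")
    sub_a, sub_b = Registry("sub-A", main), Registry("sub-B", main)
    local_a1, local_b1 = Registry("local-A1", sub_a), Registry("local-B1", sub_b)
    local_a1.register(Record("alice", "10.20.0.57", "00:11:22:33:44:aa",
                             digest("correct horse"), digest("1234-5678-9012"),
                             digest("fp-template-alice")))
    creds = ("alice", "correct horse", "1234-5678-9012")
    first = authenticate(local_a1, *creds, "fp-template-alice", "00:11:22:33:44:aa", "2014-05-01T09:00")
    roamed = authenticate(local_b1, *creds, "fp-template-alice", "aa:bb:cc:dd:ee:ff", "2014-05-03T10:00")
    wrong = authenticate(local_b1, *creds, "fp-template-mallory", "aa:bb:cc:dd:ee:ff", "2014-05-03T10:05")
    return first, roamed, wrong


if __name__ == "__main__":
    for label, (ip, path) in zip(("first login", "roamed", "wrong fingerprint"), demo()):
        print(f"{label}: ip={ip} resolved via {' -> '.join(path)}")
```

The roamed login resolves through local-B1, sub-B and main and still receives 10.20.0.57 even though the device MAC has changed; because the record is cached on the way back down, the third attempt is answered (and refused) at local-B1 alone. In a deployment the local databases would be separate servers replicating over an authenticated channel rather than shared objects in one process.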

1. Roaming benefits for the IP address service provider - When a person travels to a different location he may use the services of a different ISP. The local ISP can derive financial benefits from assigning the specific IP address to the client by introducing roaming charges, which could be shared amongst the various agencies involved in the process.

2. Identity verification - Each person can only get one IP address, so he must provide his national identity number at the time of a new IP address request. In the case of a large organization special requests can be made; such organizations can be provided with a pool of dedicated IP addresses for their employees.


Other Ways To Protect Against DHCP Spoofing
Some of the commonly suggested best practices in this area are:
1. For complete security, do not use DHCP and configure each TCP/IP host manually, so as to avoid someone exploiting the protocol. Many big enterprises use dedicated network administrators to do this.
2. For a DHCP attack the hijacker needs to gain access to the network. If he is not able to get into the network then he cannot do anything. Once inside, the attacker will send DHCP offer packets to hijack the client PC and then convert his own system into a rogue DHCP server which captures the data and traffic. So if the DHCP protocol is enabled on the network then adequate precautions must be taken. The IP information is refreshed at short intervals, and each refresh can be captured by the hijacker.
3. Configure DHCP with proper admin control. It is possible in DHCP to configure a separate administrator group. This group has the rights to make changes and to authorize users for DHCP settings. This is essential for large networks. Managing tight account registration settings is essential.
4. A proper audit is also necessary to check authorized and unauthorized access to the network.

The proposed scheme will work in both intranet and internet environments. It will provide mobility to the user and at the same time enhance the security features and facilitate an improved management and monitoring mechanism for private IP allotment in a large organization. Under the said implementation the user is always allocated the same private IP address as he moves across the geographical boundaries of the organization, across the country or even different countries, and enjoys several benefits such as less server downtime, obtaining SSL certificates based upon a fixed IP address, and maintaining upload and download sessions.
By securing and controlling the allotment of private IPs, we try to avoid scenarios where an already allocated private IP on a network is used and exploited by an unauthorized user / hacker for carrying out different network based attacks based upon DHCP spoofing. The proposed mechanism is focused upon the allotment and monitoring of private IPs, based upon the biometric characteristics of an individual user in combination with guaranteed unique identification based upon a government identification mechanism such as AADHAR in the Indian context.

[1] R. Droms (October 1993). RFC 1541 - Dynamic Host Configuration Protocol. Network Working Group.
[2] Michael Patrick (January 2001). RFC 3046 - DHCP Relay Agent Information Option. Network Working Group.
[3] Ling-Feng Chiang, Jiang-Whai Dai. A New Method to Detect Abnormal IP Address on DHCP. Journal of Networks, Vol. 4, No. 6, August 2009.
[4] Ralph Droms (March 1997). RFC 2131 - Dynamic Host Configuration Protocol. Network Working Group.
[5] R. Droms. Automated Configuration of TCP/IP with DHCP. IEEE Internet Computing, Vol. 3, No. 4, pp. 45-53, July 1999.
[6] S. Thomson, Bellcore, T. Narten (December 1998). RFC 2462 - IPv6 Stateless Address Autoconfiguration. Network Working Group.
[7] Jenq-Haur Wang and Tzao-Lin Lee. Enhanced Intranet Management in a DHCP-enabled Environment. In Proc. 26th Annual International Computer Software and Applications Conference.
[8] R. Droms, W. Arbaugh (June 2001). RFC 3118 - Authentication for DHCP Messages. Network Working Group.
[9] Brijesh Kadri Mohandas and Ramiro Liscano. IP Address Configuration in VANET using Centralized DHCP. In Proc. 33rd IEEE Conference on Local Computer Networks (LCN 2008), October 2008, doi: 10.1109/LCN.2008.4664252.
[10] R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney (July 2003). RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6). Network Working Group.
[11] B. Patel, B. Aboba, S. Kelly, V. Gupta (January 2003). RFC 3456 - Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode. Network Working Group.
[12] H. Schulzrinne (November 2006). RFC 4776 - Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information. Network Working Group.
[13] S. Cheshire, B. Aboba, E. Guttman (May 2005). RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group.
[14] Jacques Demerjian and Ahmed Serhrouchni. E-DHCP: Extended Dynamic Host Configuration Protocol. Département INFRES, École Nationale Supérieure des Télécommunications, 46 Rue Barrault, 75013 Paris, France.
[15] Tomasz Mrugalski, Krzysztof Nowicki and Krzysztof Wnuk. Next generation automatic IP configuration deployment issues. Gdansk University of Technology, Gdansk, Poland & Intel Corp.
[16] Zhiyang Su (School of Electronics Engineering and Computer Science, Peking University, Beijing, China), Hao Ma, Xiaojun Zhang and Bei Zhang (Computer Center, Peking University, Beijing, China). Secure DHCPv6 that uses RSA Authentication integrated with Self-Certified Address.
[17] Asjad Amin, Haseeb Ahmed, Abubakar Rafique, Muhammad Junaid Nawaz, Muhammad Salahudin and Zulfiqar Ahmed. Designing a Hierarchical DHCP servers model to automatically provide dedicated IP address anywhere in the world with mobility. Department of Telecommunication and Electronic Engineering, The Islamia University of Bahawalpur.

Alok Pandey is Senior Systems Manager and a faculty member at B.I.T. (Mesra), Jaipur Campus. His qualifications include B.E. (EEE) and MBA, and he holds the MCSE, RHCE, CCNA and IBM Certified E-commerce certifications and a Diploma in Cyber Law. He has 17 years of industrial working experience and 9 years of teaching experience in Data Communication and Computer Networks, Information Security, E-Commerce, Systems Management, ERP etc. He is also a member of CSI, IAENG and ISOC. His research interests include Computer Networks and Network Security.

Dr. Jatinderkumar R. Saini holds a Ph.D. from Veer Narmad South Gujarat University, Surat, Gujarat, India. He secured first rank in all three years of MCA in college and was awarded gold medals for this. He is also a recipient of a silver medal for B.Sc. (Computer Science). He is an IBM Certified Database Associate (DB2) as well as an IBM Certified Associate Developer (RAD). He has presented several papers at international and national conferences supported by agencies such as IEEE, AICTE, IETE, ISTE, INNS etc. One of his papers has also won a Best Paper Award. He is the chairman of many academic committees and a member of numerous national and international professional bodies, scientific research academies and organizations.