Impact
A Dynamic Host Configuration Protocol (DHCP) starvation attack is a Denial of Service (DoS) attack that exhausts all available IP addresses on a drone’s DHCP server by generating a large number of packets and disguising them as legitimate connections after an attacker is able to access the drone’s internal network.
If this vulnerability is exploited, all devices that attempt to connect to the drone’s internal network after the attacker's device is connected are denied access to the internal network. In other words, a drone owner won’t be able to connect to the drone network after the attack. Through this vulnerability, the attacker can forcibly deny the owner access to the drone’s services.
Summary
This vulnerability is caused by the DHCP provided by Wi-Fi–based commercial drones. Since DHCP does not provide mutual authentication, if an attacker sends a large number of packets that manipulate the DISCOVER packet trying to connect to the drone’s DHCP server, the DHCP server runs out of available IP addresses by mistaking malformed packets for legitimate requests.
By exploiting this vulnerability, an attacker can send a large number of manipulated DHCP connection packets to the drone’s DHCP server, and the drone’s DHCP server would then allocate assignable IP addresses to fake devices. As a result, the IP address pool that can be assigned by the drone’s DHCP server will be exhausted, and even if a legitimate device requests a connection to the drone’s DHCP server, the device would not be assigned an IP address. Hence, the drone denies connections from legitimate devices, and the services provided by the drone are similarly denied.
This vulnerability must be preceded by an attacker connecting to the drone network, using attacks such as Wi-Fi password cracking.
Analysis
A DHCP starvation attack targets the DHCP server that exhausts all IP addresses that can be assigned from the server by manipulating the DISCOVER message. DHCP in Wi-Fi–based drones allocates IP addresses based on MAC addresses. However, DHCP does not provide a mutual authentication process to determine whether the connecting MAC address is the legitimate MAC address of the device. Therefore, if an attacker sends a large number of DHCP DISCOVER packets containing fake MAC addresses to the drone, the drone exhausts all available IP addresses by mistaking the manipulated packets as legitimate requests. Consequently, the drone does not have an IP address to assign to a device attempting a legitimate connection after this attack. The following figure shows the DHCP connection process.

Fig 1. DHCP connection process
A DHCP connection process begins with the client sending a DHCP DISCOVER packet to a drone’s DHCP server to request an assignable IP address. The DHCP server delivers the assignable IP address to the client in an OFFER packet, and the client sends a REQUEST packet, including the content that the corresponding address will be used for, to the DHCP server to use the IP address suggested by the DHCP server. Finally, the DHCP server allocates the IP address to the client by delivering the ACK packet based on the REQUEST packet received from the client.
In this process, if a malicious attacker penetrates the drone’s internal network using attack techniques such as password cracking and continuously sends manipulated DISCOVER packets to the drone, the drone continuously sends corresponding OFFER packets. Accordingly, if a malicious attacker uses an attack technology such as password cracking to break into the drone's internal network and continuously delivers the manipulated DISCOVER packet to the drone, the drone continuously transmits the corresponding OFFER packet. A vulnerability thereby exhausts all allocated IP addresses in the drone.
Based on the conceptual analysis results of this vulnerability, we used DHCPig to demonstrate how this vulnerability can be exploited. DHCPig is an open-source tool that manipulates and attacks DHCP connection packets using Scapy, the Python-based library. We used this tool to analyze the DHCP connection process for the Parrot Bebop 2 drone, which relied on Wi-Fi. We tried a DHCP starvation attack using the DHCPig tool, as shown in the following figure.

Fig 2. Example of DHCP starvation attack results using DHCPig tool
The above figure displays a DHCP starvation attack result using the DHCPig tool. Importantly, here we must verify whether this tool has successfully attempted the DHCP starvation attack, by analysing packets. Therefore, we analyse those packets which correspond to the DHCP connection process using Wireshark. An example of the analysis results of the DHCP connection process is shown in the following figure.

Fig 3. Example of DHCP connection process analysis results using Wireshark
As shown in the above figure, as a part of analysing the packets corresponding to the DHCP connection process using Wireshark, we analyse the DISCOVER packet (which is the beginning of the DHCP connection process) and the ACK packet (which is the end of the connection process), which are sent and received in sequence. Moreover, the OFFER packet with the drone’s IP address is received, where the DHCP Server Identifier field indicates the IP address of the DHCP server. Based on these analysis results, the experimental results of the attempted DHCP starvation attack are shown in the following figure.

Fig 4. Experimental results of DHCP starvation attack (Left: before attack; Right: after attack)
As shown in the above figure, before the DHCP starvation attack, a user device and a drone are successfully connected, with a video output being transferred from the drone thereafter. However, after the DHCP starvation attack, the connection to the drone is denied even if the user device attempts such a connection. In order to intuitively outline these attack results, the IP address of the internal network of the terminal connected to the drone is shown in the following figure, based on the Wi-Fi information of the drone.

Fig 5. Internal network IP address of the device connected to the drone (Left: before attack; Right: after attack)
As shown in above figure, before the DHCP starvation attack, the internal network IP address of the device connected to the drone is 192.168.42.98. This means that the IP address bandwidth of the drone is successfully allocated. However, when a user device attempts to connect to the drone’s internal network after a DHCP starvation attack, a warning message – “Couldn’t get IP address” – is displayed. Thereafter, even if the user device attempts a legitimate connection, the connection to the drone’s internal network is rejected.
Through this experiment, we demonstrate the successful results of the DHCP starvation attack on the Parrot Bebop 2 drone.
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Wontae Jung/south korea/dnjsxo4354@mokpo.ac.kr
Junkwon Lee/south korea/kwonl57@mokpo.ac.kr
Jiin Jeong/south korea/ddd0444@cu.ac.kr
Impact
A Dynamic Host Configuration Protocol (DHCP) starvation attack is a Denial of Service (DoS) attack that exhausts all available IP addresses on a drone’s DHCP server by generating a large number of packets and disguising them as legitimate connections after an attacker is able to access the drone’s internal network.
If this vulnerability is exploited, all devices that attempt to connect to the drone’s internal network after the attacker's device is connected are denied access to the internal network. In other words, a drone owner won’t be able to connect to the drone network after the attack. Through this vulnerability, the attacker can forcibly deny the owner access to the drone’s services.
Summary
This vulnerability is caused by the DHCP provided by Wi-Fi–based commercial drones. Since DHCP does not provide mutual authentication, if an attacker sends a large number of packets that manipulate the DISCOVER packet trying to connect to the drone’s DHCP server, the DHCP server runs out of available IP addresses by mistaking malformed packets for legitimate requests.
By exploiting this vulnerability, an attacker can send a large number of manipulated DHCP connection packets to the drone’s DHCP server, and the drone’s DHCP server would then allocate assignable IP addresses to fake devices. As a result, the IP address pool that can be assigned by the drone’s DHCP server will be exhausted, and even if a legitimate device requests a connection to the drone’s DHCP server, the device would not be assigned an IP address. Hence, the drone denies connections from legitimate devices, and the services provided by the drone are similarly denied.
This vulnerability must be preceded by an attacker connecting to the drone network, using attacks such as Wi-Fi password cracking.
Analysis
A DHCP starvation attack targets the DHCP server that exhausts all IP addresses that can be assigned from the server by manipulating the DISCOVER message. DHCP in Wi-Fi–based drones allocates IP addresses based on MAC addresses. However, DHCP does not provide a mutual authentication process to determine whether the connecting MAC address is the legitimate MAC address of the device. Therefore, if an attacker sends a large number of DHCP DISCOVER packets containing fake MAC addresses to the drone, the drone exhausts all available IP addresses by mistaking the manipulated packets as legitimate requests. Consequently, the drone does not have an IP address to assign to a device attempting a legitimate connection after this attack. The following figure shows the DHCP connection process.
Fig 1. DHCP connection process
A DHCP connection process begins with the client sending a DHCP DISCOVER packet to a drone’s DHCP server to request an assignable IP address. The DHCP server delivers the assignable IP address to the client in an OFFER packet, and the client sends a REQUEST packet, including the content that the corresponding address will be used for, to the DHCP server to use the IP address suggested by the DHCP server. Finally, the DHCP server allocates the IP address to the client by delivering the ACK packet based on the REQUEST packet received from the client.
In this process, if a malicious attacker penetrates the drone’s internal network using attack techniques such as password cracking and continuously sends manipulated DISCOVER packets to the drone, the drone continuously sends corresponding OFFER packets. Accordingly, if a malicious attacker uses an attack technology such as password cracking to break into the drone's internal network and continuously delivers the manipulated DISCOVER packet to the drone, the drone continuously transmits the corresponding OFFER packet. A vulnerability thereby exhausts all allocated IP addresses in the drone.
Based on the conceptual analysis results of this vulnerability, we used DHCPig to demonstrate how this vulnerability can be exploited. DHCPig is an open-source tool that manipulates and attacks DHCP connection packets using Scapy, the Python-based library. We used this tool to analyze the DHCP connection process for the Parrot Bebop 2 drone, which relied on Wi-Fi. We tried a DHCP starvation attack using the DHCPig tool, as shown in the following figure.
Fig 2. Example of DHCP starvation attack results using DHCPig tool
The above figure displays a DHCP starvation attack result using the DHCPig tool. Importantly, here we must verify whether this tool has successfully attempted the DHCP starvation attack, by analysing packets. Therefore, we analyse those packets which correspond to the DHCP connection process using Wireshark. An example of the analysis results of the DHCP connection process is shown in the following figure.
Fig 3. Example of DHCP connection process analysis results using Wireshark
As shown in the above figure, as a part of analysing the packets corresponding to the DHCP connection process using Wireshark, we analyse the DISCOVER packet (which is the beginning of the DHCP connection process) and the ACK packet (which is the end of the connection process), which are sent and received in sequence. Moreover, the OFFER packet with the drone’s IP address is received, where the DHCP Server Identifier field indicates the IP address of the DHCP server. Based on these analysis results, the experimental results of the attempted DHCP starvation attack are shown in the following figure.
Fig 4. Experimental results of DHCP starvation attack (Left: before attack; Right: after attack)
As shown in the above figure, before the DHCP starvation attack, a user device and a drone are successfully connected, with a video output being transferred from the drone thereafter. However, after the DHCP starvation attack, the connection to the drone is denied even if the user device attempts such a connection. In order to intuitively outline these attack results, the IP address of the internal network of the terminal connected to the drone is shown in the following figure, based on the Wi-Fi information of the drone.
Fig 5. Internal network IP address of the device connected to the drone (Left: before attack; Right: after attack)
As shown in above figure, before the DHCP starvation attack, the internal network IP address of the device connected to the drone is 192.168.42.98. This means that the IP address bandwidth of the drone is successfully allocated. However, when a user device attempts to connect to the drone’s internal network after a DHCP starvation attack, a warning message – “Couldn’t get IP address” – is displayed. Thereafter, even if the user device attempts a legitimate connection, the connection to the drone’s internal network is rejected.
Through this experiment, we demonstrate the successful results of the DHCP starvation attack on the Parrot Bebop 2 drone.
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Wontae Jung/south korea/dnjsxo4354@mokpo.ac.kr
Junkwon Lee/south korea/kwonl57@mokpo.ac.kr
Jiin Jeong/south korea/ddd0444@cu.ac.kr