Firewall Wizards mailing list archives
Re: Bogus DHCP server in the network....
From: "2" <mcoleman () uniontown com>
Date: Mon, 4 Oct 1999 20:29:42 -0400
This sounds strikingly familiar... You may not want to jump right away at thinking this problem is caused intentionally, because this sounds like a situation that I was involved in recently. My day job involves installation and maintenance of various Firewall Appliances in the Pittsburgh area, part of which is covered by Adelphia. I have some experience with the Cable Modems and the DSL modems with Firewalls. The most common firewall I have been installing in recent months has been the Watchguard Firebox II.

When installed in a cablemodem environment using the Watchguard "drop in" configuration (all IP addresses are the same on all interfaces, and the Firebox appears to be 'invisible' to all of the equipment and users on the customer's network), the firebox took it upon itself to start serving ALL requests for addresses on the cablemodem, and we all know that placing a sniffer on a cablemodem reveals that all broadcasts are visible to all members of that segment. (The cable modem is layer 2 only.) In any case, I "accidentally" took out the ENTIRE segment by installing this Firewall. This was invisible to me, as my customer's network continued to run fine. I only became aware of the problem when the cable company took down our cablemodem remotely quite some time later in an attempt to find out if we were the culprit, and of course we were. I was unaware that the Firewall was going to do this task, and that was combined with the fact that this was my first cablemodem install (I know better now, and DSL around my area proves to have the same shortcomings).

Also, you mentioned that you had a clue that it might be Linux based with NAT (which is really IP Masquerading, only ONE address on the public side); the Watchguard product runs on a Linux kernel, and has IP Masquerading as a typical installation option.
Also, the Watchguard Firebox will usually show no services running during a port scan because it has what I like to call a "penalty box" where if you scan the network, the Firebox detects this and places that address in a list that blocks all activity to/from that address for a specified period of time (usually 1 hour I believe). This gives the illusion that there are no public services when scanned, when there might actually be several.

If you have the MAC address, I believe you can track which cablemodem is causing the problem, and from there contact that customer and see what hardware they have frontending the cablemodem. If you need more details on this just toss me an email or call me. If you are in the Pittsburgh area, maybe I can even help you out. I got to know a few techies at Adelphia recently. :)

-Mark Coleman
-Tripwire Network Solutions
mcoleman () uniontown com
724-437-5940 x7485

----- Original Message -----
From: TUDOR PANAITESCU <tpanaitescu () usa net>
To: <firewall-wizards () nfr net>
Sent: Sunday, October 03, 1999 7:38 AM
Subject: Bogus DHCP server in the network....
Hello fellow wizards,

Here's the picture. I am a client of Adelphia PowerLink CableTV. They use DHCP for giving IP addresses. In the last weeks a bogus DHCP server showed up in the network giving addresses in 192.168.244.128/25. The guy is using aliasing on his Ethernet interface: he has an address acquired from the ISP in the ISP's range and he configured his interface with 192.168.244.129 too. I have his MAC. He gives DNS services. The system the hacker uses is totally protected, no ports are "visible" to allow one to try to do something to his system (can SYN flood be a solution?). Some time ago the hacker provided forwarding also, but now he's not forwarding anymore, annoying lots of people in the net as they don't have access to the INTERNET. I believe it is a UNIX box, most likely LINUX with NAT.

Now here comes the question: is there anything we can do to block this guy? Any answer will be greatly appreciated. I will summarize also for archiving purposes.

TIA & best regards,
Tudor