Security Incidents mailing list archives
A question of intent / DHCP poison attack?
From: Conor Crowley <ccrowley () CONORCROWLEY COM>
Date: Tue, 6 Feb 2001 20:51:34 -0800
I would like to solicit advice on the following: Yesterday I was asked to assist in troubleshooting an odd intermittent network problem. After some investigation I discovered a rogue DHCP server. The port was immediately locked out and all was well on the ether again.

While I was sniffing for this, even before I confirmed the host in question was acting as a DHCP server, the host name immediately caught my eye. It was called "poison"... We then physically traced the host to a remote corner of this campus. The system owner, a contractor, is apparently on vacation, but I can quite clearly see on the screen that someone had been playing with dhcpd. The girl is a technical trainer and her manager says she was working on developing a new sys-admin course. Obviously she should not have put a DHCP server on a production network, but given what she was working on, it could have been a "legitimate" (even if embarrassing) mistake. After speaking with her manager, we decided there was probably no malicious intent.

After mulling this over for a day, I just can't get over the host name. I've never heard of a "DHCP poison" attack, although I have read about the theory. The word "poison" is, however, often used together with ARP and DNS to describe similar kinds of attacks. Since DHCP can specify not only the IP address but also the IP router and name servers, it would facilitate the same kind of man-in-the-middle attacks, except that it is better suited for the intranet.

If I wait until after I interview her, I risk losing evidence... but if I start a forensic investigation based solely on evidence that could have been a legitimate mistake, I risk stepping on a lot of toes and potentially wasting a lot of time, if that's what it turns out to be.

I suppose my question is simply this: Has anyone seen this kind of insider attack? (Any other advice would be much appreciated too!)

..Conor
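The poster's observation is that a DHCP answer carries the default router (option 3) and name servers (option 6) along with the address, so a rogue server can redirect a client's traffic the way ARP or DNS poisoning would. The practical check on the wire is therefore: parse every server-to-client DHCP message and flag any whose server identifier (option 54) is not one of the known servers, or whose router/DNS options point somewhere unexpected. The following is an added example, not code from the original post or from any named tool: a minimal DHCP parser plus that check, run over packets constructed inline. The trusted server 10.0.0.1, the DNS server 10.0.0.53 and the "rogue" at 10.0.5.77 are assumed values for the demo, not data from the incident described.

```python
"""Parse raw DHCP messages and flag offers from an unexpected server.

Added example (not from the original post). The packet bytes below are
constructed inline; the trusted server, router and DNS addresses are
assumptions for the demo, not real network data.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_ROUTER, OPT_DNS = 0, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ips(raw):
    """Decode a run of 4-byte IPv4 addresses (router/DNS/server-id option values)."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def build_dhcp(msg_type, yiaddr, server_id, router, dns, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a server-to-client DHCP message (op=BOOTREPLY) as sample input."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_dhcp(payload):
    """Return the fields a rogue-server check needs from one raw DHCP message.

    Only the fixed BOOTP header and the options field are parsed; option
    overload into the sname/file fields (option 52) is not handled here.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, _giaddr, chaddr) = struct.unpack("!BBBBIHH4s4s4s4s16s", payload[:44])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "chaddr": chaddr[:hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
        "server_id": (_ips(options.get(OPT_SERVER_ID, b"")) or [None])[0],
        "router": _ips(options.get(OPT_ROUTER, b"")),
        "dns": _ips(options.get(OPT_DNS, b"")),
    }


def audit_offer(payload, trusted_servers, expected_router, expected_dns):
    """Flag a DHCP OFFER/ACK whose server, router or DNS does not match the known network."""
    msg = parse_dhcp(payload)
    findings = []
    if msg["type"] not in ("OFFER", "ACK"):
        return findings                       # only server answers can poison a client
    if msg["server_id"] not in trusted_servers:
        findings.append("untrusted server identifier %s" % msg["server_id"])
    if msg["router"] and msg["router"][0] != expected_router:
        findings.append("router option is %s, expected %s" % (msg["router"][0], expected_router))
    bad_dns = [d for d in msg["dns"] if d not in expected_dns]
    if bad_dns:
        findings.append("dns option contains unexpected server(s) %s" % ", ".join(bad_dns))
    return findings


if __name__ == "__main__":
    # Assumed network for the demo: one legitimate DHCP server that is also the router.
    trusted, router, dns = {"10.0.0.1"}, "10.0.0.1", {"10.0.0.53"}
    good = build_dhcp(2, "10.0.0.42", "10.0.0.1", "10.0.0.1", ["10.0.0.53"])
    rogue = build_dhcp(2, "10.0.0.42", "10.0.5.77", "10.0.5.77", ["10.0.5.77"])
    for name, pkt in (("legitimate", good), ("rogue", rogue)):
        print(name, parse_dhcp(pkt)["type"], audit_offer(pkt, trusted, router, dns) or "ok")
```

In practice the payloads would come from a capture filter such as UDP source port 67, and the alert on the rogue packet would carry its source MAC and the switch port it was learned on; a poisoned client shows the rogue's address as both gateway and resolver, which is exactly the man-in-the-middle position the post describes.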