Security Incidents mailing list archives

A question of intent / DHCP poison attack?


From: Conor Crowley <ccrowley () CONORCROWLEY COM>
Date: Tue, 6 Feb 2001 20:51:34 -0800

I would like to solicit advice on the following:

Yesterday I was asked to assist in troubleshooting an odd intermittent
network problem. After some investigation I discovered a rogue DHCP server.
The port was immediately locked out and all was well on the ether again.
While I was sniffing for this, even before I confirmed the host in question
was acting as a DHCP server, the host name immediately caught my eye. It was
called "poison"...

We then physically traced the host to a remote corner of this campus. The
system owner, a contractor, is apparently on vacation, but I can quite
clearly see on the screen that someone had been playing with dhcpd. The girl
is a technical trainer and her manager says she was working on developing a
new sys-admin course. Obviously she should not have put a DHCP server on a
production network, but given what she was working on, it could have been a
"legitimate" (even if embarrassing) mistake.

After speaking with her manager, we decided there was probably no malicious
intent. After mulling this over for a day, I just can't get over the host
name. I've never heard of a "DHCP poison" attack, although I have read about
the theory. The word "poison" is however often used together with ARP and
DNS to describe similar kinds of attacks. Since DHCP specifies not only the
IP address but also the IP router and name servers, it would therefore
facilitate the same kind of man-in-the-middle attacks, except that it is
better suited to the intranet.

If I wait until after I interview her, I risk losing evidence... but if I
start a forensic investigation based solely on evidence that could have been
a legitimate mistake, I risk stepping on a lot of toes and potentially
wasting a lot of time - if that's what it turns out to be.

I suppose my question is simply this: Has anyone seen this kind of insider
attack?

(Any other advice would be much appreciated too!!)

..Conor
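The post describes finding the rogue server by sniffing and notes that a DHCP offer hands out the router and name servers as well as the address, which is exactly what makes a rogue server useful for interception. The following is an added example, not code from the original post or from the list: it parses DHCP messages from raw UDP payloads, extracts the server identifier (option 54), router (option 3) and DNS (option 6) options, and flags any DHCPOFFER that did not come from an allowlisted server. The server addresses, the allowlist and the two captured offers are constructed for the example; the `build_offer` helper only assembles test input so the block runs offline.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2

# Constructed allowlist: the DHCP server(s) that are supposed to exist on this
# segment. Any offer from another source is treated as rogue.
AUTHORIZED_SERVERS = {"10.0.0.1"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header and the DHCP option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))          # address being offered
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (router and DNS options are lists)."""
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_offer(payload: bytes, src_ip: str) -> Optional[dict]:
    """Return a summary of a DHCPOFFER, marking whether its source is authorized."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None                                    # only offers matter here
    server_id = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else src_ip
    return {
        "server": server_id,
        "source_ip": src_ip,
        # both the claimed server identifier and the actual packet source must be known
        "authorized": server_id in AUTHORIZED_SERVERS and src_ip in AUTHORIZED_SERVERS,
        "offered_ip": msg["yiaddr"],
        "routers": ip_list(opts.get(OPT_ROUTER, b"")),
        "dns": ip_list(opts.get(OPT_DNS, b"")),
    }


def find_rogue_offers(captured) -> list:
    """Run check_offer over (source_ip, payload) pairs and keep the unauthorized ones."""
    alerts = []
    for src_ip, payload in captured:
        result = check_offer(payload, src_ip)
        if result is not None and not result["authorized"]:
            alerts.append(result)
    return alerts


def build_offer(xid: int, yiaddr: str, server: str, router: str, dns: str) -> bytes:
    """Assemble a minimal DHCPOFFER as constructed test input (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, ethernet, 6-byte hw addr
    hdr += bytes(4)                                        # ciaddr
    hdr += IPv4Address(yiaddr).packed                      # yiaddr
    hdr += IPv4Address(server).packed                      # siaddr
    hdr += bytes(4)                                        # giaddr
    hdr += bytes(16) + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4]) + IPv4Address(dns).packed
    opts += bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


# Constructed sample: one offer from the real server, one from an unknown host
# that also names itself as router and DNS server for the client.
CAPTURED_OFFERS = [
    ("10.0.0.1", build_offer(0x1234, "10.0.0.50", "10.0.0.1", "10.0.0.1", "10.0.0.2")),
    ("10.0.0.99", build_offer(0x1234, "10.0.0.51", "10.0.0.99", "10.0.0.99", "10.0.0.99")),
]

if __name__ == "__main__":
    for alert in find_rogue_offers(CAPTURED_OFFERS):
        print("rogue DHCP offer from", alert["server"],
              "router", alert["routers"], "dns", alert["dns"])
```

The check compares both the server identifier option and the packet's real source address against the allowlist, since a rogue server can put any value in option 54. In a live setting the `(source_ip, payload)` pairs would come from a capture of UDP port 68 traffic; the routers and DNS fields in each alert are what tell you whether the rogue server was merely handing out addresses or steering clients' default route and name resolution.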

