Security Incidents mailing list archives
Re: A question of intent / DHCP poison attack?
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 6 Feb 2001 23:24:04 -0700
On Tue, 6 Feb 2001, Conor Crowley wrote:
> After speaking with her manager, we decided there was probably no malicious intent.
Doesn't look great to be changing your mind later. (You mentioned stepping on toes; politics are obviously an issue there, as at most places.)
> After mulling this over for a day, I just can't get over the host name.
Pretty weak evidence. She might be a fan of 80's hair-metal bands.
> I've never heard of a "DHCP poison" attack, although I have read about the theory.
Some DHCP attacks do exist. There have been overflows in dhcpd. There have been problems with DHCP clients. DHCP servers hand out DNS servers, router IP addresses, WINS servers, and other interesting addresses that could be fruitful to lie about for an attacker.
> start a forensic investigation based solely on evidence that could have been
Probably all the evidence you need to decide would be in the dhcp packets. If you're worried about it, turn it back on for a sec, and get a dhcp lease while sniffing out the packets. Take a look at the packet trace, or send it to the list. If there are any games going on, they will show up there.

Although, I have to say... if her idea of a subtle attack is leaving a malicious DHCP server going that breaks that subnet, while she goes off on vacation... then you've got some pretty dumb inside attackers. (Not that they don't exist... but she'd really be asking for it..)

Ryan
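An added example, not part of the original message: one way to review the captured DHCP reply suggested above is to pull out the addresses it hands to clients (server identifier, router, DNS, WINS) and compare them with what the site expects. The sample packet is constructed from documentation addresses, and the `EXPECTED` values are assumptions standing in for the site's real settings.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
ADDR_OPTS = {3: "router", 6: "dns", 44: "wins", 54: "server_id"}  # address options

def parse_dhcp(payload):
    """Extract the address-bearing fields from a DHCP reply (UDP payload bytes)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"msg_type": None, "yiaddr": socket.inet_ntoa(payload[16:20])}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length, value = payload[i + 1], payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and length == 1:
            info["msg_type"] = value[0]             # 2 = OFFER, 5 = ACK
        elif code in ADDR_OPTS and length % 4 == 0:
            info[ADDR_OPTS[code]] = [socket.inet_ntoa(value[j:j + 4])
                                     for j in range(0, length, 4)]
        i += 2 + length
    return info

def audit(info, expected):
    """Return (field, address) pairs that are not in the expected sets."""
    return [(field, addr) for field, allowed in expected.items()
            for addr in info.get(field, []) if addr not in allowed]

def sample_offer():
    """Constructed DHCPOFFER from 192.0.2.99 (sample data, not a real capture)."""
    ip = socket.inet_aton
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      ip("0.0.0.0"), ip("192.0.2.50"), ip("192.0.2.99"),
                      ip("0.0.0.0"), b"\x00\x11\x22\x33\x44\x55", b"", b"")
    opts = (bytes([53, 1, 2]) + bytes([54, 4]) + ip("192.0.2.99")
            + bytes([3, 4]) + ip("192.0.2.99") + bytes([44, 4]) + ip("192.0.2.99")
            + bytes([6, 8]) + ip("192.0.2.99") + ip("192.0.2.53") + b"\xff")
    return hdr + MAGIC + opts

EXPECTED = {"server_id": {"192.0.2.1"}, "router": {"192.0.2.1"},
            "dns": {"192.0.2.53"}, "wins": {"192.0.2.10"}}  # assumed site values

if __name__ == "__main__":
    for field, addr in audit(parse_dhcp(sample_offer()), EXPECTED):
        print(f"unexpected {field}: {addr}")
```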