Security Incidents mailing list archives

Re: A question of intent / DHCP poison attack?


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 6 Feb 2001 23:24:04 -0700

On Tue, 6 Feb 2001, Conor Crowley wrote:

> After speaking with her manager, we decided there was probably no malicious
> intent.

Doesn't look great to be changing your mind later.  (You mentioned
stepping on toes; politics are obviously an issue there, as at most
places.)

> After mulling this over for a day, I just can't get over the host
> name.

Pretty weak evidence.  She might be a fan of 80's hair-metal bands.

> I've never heard of a "DHCP poison" attack, although I have read about
> the theory.

Some DHCP attacks do exist.  There have been overflows in dhcpd.  There
have been problems with DHCP clients.  DHCP servers hand out DNS servers,
router IP addresses, WINS servers, and other interesting addresses that
could be fruitful to lie about for an attacker.

> start a forensic investigation based solely on evidence that could have been

Probably all the evidence you need to decide would be in the dhcp packets.
If you're worried about it, turn it back on for a sec, and get a dhcp
lease while sniffing out the packets.  Take a look at the packet trace, or
send it to the list.  If there are any games going on, they will show up
there.

Although, I have to say... if her idea of a subtle attack is leaving a
malicious DHCP server going that breaks that subnet, while she goes off on
vacation... then you've got some pretty dumb inside attackers.  (Not that
they don't exist... but she'd really be asking for it..)

                                                        Ryan
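
An added example, not part of the original post: one way to review a captured lease reply is to decode the DHCP options that carry the server identifier, router, DNS and WINS addresses and compare them with what the subnet is supposed to hand out. The sample packet, every address in it, and the `EXPECTED` list are constructed for illustration; the input is assumed to be the UDP payload of the reply, already extracted from the capture.

```python
import ipaddress

MAGIC = bytes([0x63, 0x82, 0x53, 0x63])  # DHCP magic cookie (RFC 2131)
ADDR_OPTS = {3: "router", 6: "dns", 44: "wins", 54: "server_id"}  # RFC 2132 codes


def parse_dhcp_reply(payload):
    """Pull the addresses a server is handing out from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"yiaddr": str(ipaddress.IPv4Address(payload[16:20]))}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        code = payload[i]
        if code == 0:                                # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info["msg_type"] = value[0]              # 2 = OFFER, 5 = ACK
        elif code in ADDR_OPTS and length % 4 == 0:
            info[ADDR_OPTS[code]] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                                     for j in range(0, length, 4)]
        i += 2 + length
    return info


def audit(info, expected):
    """Return (field, address) pairs that are not on the expected list."""
    return [(field, addr) for field, allowed in expected.items()
            for addr in info.get(field, []) if addr not in allowed]


def _opt(code, *addrs):
    """Build one address-list option for the constructed sample."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return bytes([code, len(data)]) + data


# Constructed sample: a DHCPOFFER naming an unexpected host as server, router and DNS.
SAMPLE = (bytes([2, 1, 6, 0]) + bytes(12) + ipaddress.IPv4Address("10.0.5.77").packed
          + bytes(216) + MAGIC + bytes([53, 1, 2]) + _opt(54, "10.0.5.200")
          + _opt(3, "10.0.5.200") + _opt(6, "10.0.5.200", "10.0.0.53")
          + _opt(44, "10.0.0.44") + bytes([255]))
# Assumed known-good values for the subnet (hypothetical).
EXPECTED = {"server_id": {"10.0.0.2"}, "router": {"10.0.5.1"},
            "dns": {"10.0.0.53"}, "wins": {"10.0.0.44"}}

if __name__ == "__main__":
    print(audit(parse_dhcp_reply(SAMPLE), EXPECTED))
```
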

