Security Incidents mailing list archives
Re: A question of intent / DHCP poison attack?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 7 Feb 2001 01:57:45 -0500
On Tue, 06 Feb 2001 20:51:34 PST, Conor Crowley <ccrowley () CONORCROWLEY COM> said:
> After speaking with her manager, we decided there was probably no malicious intent. After mulling this over for a day, I just can't get over the host name. I've never heard of a "DHCP poison" attack, although I have read about

Well.. let's see.. You identified the host name as "poison" before you actually found the machine. This means that it is probably listed under that name in your DNS.. Soo..

1) Your DNS got hacked and the person put in their vanity hostname. Not too likely, even most skriptz k1dd13s are smarter than that.
2) You forgot to set 'recursion no' in your authoritative DNS servers (and/or didn't restrict queries, and/or use the same server for authoritative requests and recursion), and a skriptz kiddy DNS-cache poisoned the hostname into there.
3) Somebody authorized put it in there. Perhaps the office was the campus Poison Control center, or the owner of the machine liked 80's hair bands. ;)
4) It wasn't in the DNS, it was in your WINS server. If so, you have my condolences. ;)

> I suppose my question is simply this: Has anyone seen this kind of insider attack?

First time I saw this attack was on a SunOS 3.2 system in 1985 or so. Seen it used a few times since. On the other hand, our campus has at least one bozo a month that starts one up accidentally, usually a Windows or Linux box. I'd regard it as a simple kloo-failure unless you have *direct* evidence there was malicious intent.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech