Firewall Wizards mailing list archives

Re: Bogus DHCP server in the network....


From: "2" <mcoleman () uniontown com>
Date: Mon, 4 Oct 1999 20:29:42 -0400

This sounds strikingly familiar...

You may not want to jump right away at thinking this problem is caused
intentionally, because this sounds like a situation that I was involved in
recently.  My day job involves installation and maintenance of various
Firewall Appliances in the Pittsburgh area, part of which is covered by
Adelphia.  I have some experience with the Cable Modems and the DSL modems
with Firewalls.  The most common firewall I have been installing in recent
months has been the Watchguard Firebox II.  When installed in a cablemodem
environment using the Watchguard "drop in" configuration (all IP addresses
are the same on all interfaces, and the Firebox appears to be 'invisible' to
all of the equipment and users on the customer's network), the firebox took
it upon itself to start serving ALL requests for addresses on the
cablemodem, and we all know that placing a sniffer on a cablemodem reveals
that all broadcasts are visible to all members of that segment.  (The cable
modem is layer 2 only).  In any case, I "accidentally" took out the ENTIRE
segment by installing this Firewall.  This was invisible to me, as my
customer's network continued to run fine.  I only became aware of the
problem when the cable company took down our cablemodem remotely quite some
time later in an attempt to find out if we were the culprit, and of course
we were.  I was unaware that the Firewall was going to do this task, and
that was combined with the fact that this was my first cablemodem install (I
know better now, and DSL around my area proves to have the same
shortcomings).  Also, you mentioned that you had a clue that it might be
Linux based with NAT (which is really IP Masquerading, only ONE address on
the public side), the Watchguard product runs on a Linux kernel, and has IP
Masquerading as a typical installation option.  Also, the Watchguard Firebox
will usually show no services running during a port scan because it has what
I like to call a "penalty box" where if you scan the network, the Firebox
detects this and places that address in a list that blocks all activity
to/from that address for a specified period of time (usually 1 hour I
believe).  This gives the illusion that there are no public services when
scanned, when there might actually be several.

If you have the MAC address, I believe you can track which cablemodem is
causing the problem, and from there contact that customer and see what
hardware they have frontending the cablemodem.

If you need more details on this just toss me an email or call me.  If you
are in the Pittsburgh area, maybe I can even help you out.  I got to know a
few techies at Adelphia recently.  :)

-Mark Coleman
-Tripwire Network Solutions
mcoleman () uniontown com
724-437-5940 x7485

----- Original Message -----
From: TUDOR PANAITESCU <tpanaitescu () usa net>
To: <firewall-wizards () nfr net>
Sent: Sunday, October 03, 1999 7:38 AM
Subject: Bogus DHCP server in the network....


Hello fellow wizards,

Here's the picture. I am a client of Adelphia PowerLink CableTV. They use
DHCP for giving IP addresses. In the last weeks a bogus DHCP server showed
up into the network giving addresses in 192.168.244.128/25. The guy is
using aliasing on his Ethernet interface, he has an address acquired from
the ISP in the ISP's range and he configured his interface with
192.168.244.129 too. I have his MAC. He gives DNS services. The system the
hacker uses is totally protected, no ports are "visible" to allow to try to
do something to his system (can syn flood be a solution?). Some time ago
the hacker provided forwarding also but now he's not forwarding anymore,
annoying lots of people in the net as they don't have access to the
INTERNET. I believe it is a UNIX box, most likely LINUX with NAT. Now here
comes the question: is anything there we can do to block this guy?

Any answer will be greatly appreciated. I will summarize also for archiving
purposes.

TIA & best regards,
Tudor

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
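The thread boils down to a detection problem: on a shared layer-2 segment, every client sees every DHCPOFFER, so the operator (or an affected customer) can tell a rogue server from the ISP's by looking at two fields in each OFFER, the server identifier (option 54) and the offered address (yiaddr). The following is an added example, not code from either message or from Adelphia or WatchGuard. It parses raw DHCP payloads (the UDP data after the IP/UDP headers) and flags OFFERs whose server is not on an authorized list or whose offered address falls outside the expected pool. The authorized server 203.0.113.1 and pool 203.0.113.0/24 are placeholders from the RFC 5737 documentation range standing in for the ISP's real values; 192.168.244.128/25 and 192.168.244.129 are the values named in the thread; the sample packets are constructed, not captured.

```python
"""Rogue DHCPOFFER detector (added example). Parses BOOTP/DHCP payloads and
flags offers from unauthorized servers or for addresses outside the expected
pool. Authorized server and pool below are placeholders, not the ISP's."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the option area
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
BOOTREPLY, MSG_OFFER = 2, 2

# Placeholder values (RFC 5737 documentation range) standing in for the ISP's
# real DHCP server and address pool; replace with the operator's actual values.
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("203.0.113.1")}
EXPECTED_POOL = ipaddress.IPv4Network("203.0.113.0/24")


@dataclass
class DhcpOffer:
    xid: int
    client_mac: str
    yiaddr: ipaddress.IPv4Address
    server_id: ipaddress.IPv4Address | None
    dns: tuple


def parse_options(data: bytes) -> dict:
    """Walk the TLV option area: skip PAD (0), stop at END (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(payload: bytes) -> DhcpOffer | None:
    """Return a DhcpOffer for a DHCPOFFER; None for any other DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if op != BOOTREPLY:                    # client-originated messages cannot be offers
        return None
    yiaddr = ipaddress.IPv4Address(payload[16:20])   # ciaddr is 12..16, yiaddr 16..20
    chaddr = payload[28:28 + hlen]                   # client hardware address
    opts = parse_options(payload[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return None
    server_id = ipaddress.IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    raw_dns = opts.get(OPT_DNS, b"")
    dns = tuple(ipaddress.IPv4Address(raw_dns[i:i + 4]) for i in range(0, len(raw_dns) // 4 * 4, 4))
    return DhcpOffer(xid, ":".join(f"{b:02x}" for b in chaddr), yiaddr, server_id, dns)


def classify_offer(offer: DhcpOffer, authorized: set, pool: ipaddress.IPv4Network) -> list[str]:
    """Reasons the OFFER looks rogue; an empty list means it matches the ISP's service."""
    reasons = []
    if offer.server_id is None or offer.server_id not in authorized:
        reasons.append(f"server identifier {offer.server_id} is not an authorized DHCP server")
    if offer.yiaddr not in pool:
        reasons.append(f"offered address {offer.yiaddr} lies outside the expected pool {pool}")
    return reasons


def scan(payloads, authorized=AUTHORIZED_SERVERS, pool=EXPECTED_POOL) -> list:
    """Return (offer, reasons) for every OFFER in the capture that fails a check."""
    flagged = []
    for payload in payloads:
        offer = parse_offer(payload)
        if offer is not None:
            reasons = classify_offer(offer, authorized, pool)
            if reasons:
                flagged.append((offer, reasons))
    return flagged


def build_offer(xid: int, client_mac: str, yiaddr: str, server_id: str, dns=()) -> bytes:
    """Constructed sample input (not a capture): assemble a minimal DHCPOFFER payload."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, len(mac), 0, xid, 0, 0)   # op..flags, 12 bytes
    hdr += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\0" * 8  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\0") + b"\0" * 192                            # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    if dns:
        opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


# Constructed capture: one legitimate offer and one matching the rogue server in the thread.
SAMPLE_OFFERS = [
    build_offer(0x1001, "00:a0:c9:11:22:33", "203.0.113.34", "203.0.113.1", ("203.0.113.2",)),
    build_offer(0x1002, "00:a0:c9:44:55:66", "192.168.244.130", "192.168.244.129", ("192.168.244.129",)),
]

if __name__ == "__main__":
    for offer, reasons in scan(SAMPLE_OFFERS):
        print(f"xid={offer.xid:#x} client={offer.client_mac} server={offer.server_id} yiaddr={offer.yiaddr}")
        for reason in reasons:
            print("   -", reason)
```

Fed real traffic (the payload of each UDP port 68 datagram from a sniffer on the segment), the same checks give the operator the server identifier and the source MAC of the offending host, which is the lead Mark suggests following back to the cablemodem.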
