Honeypots mailing list archives

Honeynet in a dhcp network?


From: "Compton, Rich" <RCompton () chartercom com>
Date: Thu, 3 Apr 2003 16:52:51 -0600

When a new dhcp client comes online, the device will perform a broadcast arp
for the dhcp server.  Will arpd identify this arp and then take the source
MAC into account?  If so, then it looks like we just have to block traffic
from the dhcp server to get this to work.
Now, the dhcp server will attempt to ping the address that it is going to
offer (to make sure that it is valid).  To find the MAC of this IP it will
perform an arp.  If arpd is modified to ignore arp from this source MAC (the
dhcp server) then we have taken care of this.  Ok, so the ping will fail b/c
it won't be able to find the MAC to send the ping to.  Now the dhcp server
will send out the offer to the dhcp client.  The client will do an arp
request to make sure that no one has that IP.  Arpd has sniffed source MAC
from the original broadcast arp (maybe??) sent by the dhcp client so it
knows not to respond.  Now the honeypot has dynamically shrunk by one IP
based on DHCP traffic.

Thoughts?

-Rich Compton

-----Original Message-----
From: Wim Mees [mailto:Wim.Mees () vision rma ac be]
Sent: Tuesday, April 01, 2003 1:43 AM
To: Lance Spitzner
Cc: honeypots () securityfocus com
Subject: Re: results of the first honeyd challenge (dynamic honeynet?)

A better solution would be to write a patch for arpd so that you can give
arpd a dhcp scope as a parameter and that it
1. at startup leases 75% of the number of addresses in this scope from the
dhcp server
2. monitors the number of leases provided by the dhcp server from this scope
to "real" clients and starts (re)leasing addresses when the percentage drops
below 70% or rises above 80%.

In this way you cooperate with the address space manager and avoid
conflicts.

Wim
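
The ARP decision sequence described in the first message above, as an added C example that is not part of the original posts and is not arpd's own code. The `arp_state` structure, the function names, the single /24 scope indexed by last octet, and dropping a client from the pending list after its one address check are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXP 32                       /* hypothetical cap on pending clients */

typedef struct {
    uint8_t server[6];                /* DHCP server MAC: its ARPs are ignored */
    uint8_t pending[MAXP][6];         /* clients seen broadcasting, no lease yet */
    int     npending;
    uint8_t ceded[256];               /* last octet -> 1 if given up to a real host */
} arp_state;

static int find_pending(const arp_state *s, const uint8_t *mac) {
    for (int i = 0; i < s->npending; i++)
        if (memcmp(s->pending[i], mac, 6) == 0) return i;
    return -1;
}

/* Record the source MAC of a new client's initial broadcast. */
void learn_client(arp_state *s, const uint8_t *mac) {
    if (memcmp(mac, s->server, 6) && find_pending(s, mac) < 0 && s->npending < MAXP)
        memcpy(s->pending[s->npending++], mac, 6);
}

/* Return 1 if the honeypot should answer an ARP request for x.x.x.<target>. */
int should_claim(arp_state *s, const uint8_t *src, uint8_t target) {
    if (memcmp(src, s->server, 6) == 0)
        return 0;                     /* server's pre-offer check must fail */
    int i = find_pending(s, src);
    if (i >= 0) {                     /* client checking its offered address */
        s->ceded[target] = 1;         /* honeypot shrinks by one IP */
        memmove(s->pending[i], s->pending[--s->npending], 6);  /* one-shot */
        return 0;
    }
    return !s->ceded[target];         /* other requests for unceded IPs are claimed */
}

int main(void) {                      /* constructed MACs and addresses */
    arp_state s = { .server = {0x02,0,0,0,0,0x01} };
    uint8_t client[6] = {0x02,0,0,0,0,0x10}, other[6] = {0x02,0,0,0,0,0x20};
    learn_client(&s, client);
    printf("server -> .50: %d\n", should_claim(&s, s.server, 50));
    printf("client -> .50: %d\n", should_claim(&s, client, 50));
    printf("other  -> .50: %d\n", should_claim(&s, other, 50));
    printf("client -> .51: %d\n", should_claim(&s, client, 51));
    return 0;
}
```

The scheme trusts source MAC addresses, which are unauthenticated on the wire, so the server and pending-client entries are only as reliable as the local segment.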


