Honeypots mailing list archives
Honeynet in a dhcp network?
From: "Compton, Rich" <RCompton () chartercom com>
Date: Thu, 3 Apr 2003 16:52:51 -0600
When a new dhcp client comes online, the device will perform a broadcast arp for the dhcp server. Will arpd identify this arp and then take the source MAC into account? If so, then it looks like we just have to block traffic from the dhcp server to get this to work.

Now, the dhcp server will attempt to ping the address that it is going to offer (to make sure that it is valid). To find the MAC of this IP it will perform an arp. If arpd is modified to ignore arp from this source MAC (the dhcp server) then we have taken care of this. Ok, so the ping will fail b/c it won't be able to find the MAC to send the ping to.

Now the dhcp server will send out the offer to the dhcp client. The client will do an arp request to make sure that no one has that IP. Arpd has sniffed the source MAC from the original broadcast arp (maybe??) sent by the dhcp client so it knows not to respond. Now the honeypot has dynamically shrunk by one IP based on DHCP traffic.

Thoughts?

-Rich Compton

-----Original Message-----
From: Wim Mees [mailto:Wim.Mees () vision rma ac be]
Sent: Tuesday, April 01, 2003 1:43 AM
To: Lance Spitzner
Cc: honeypots () securityfocus com
Subject: Re: results of the first honeyd challenge (dynamic honeynet?)

A better solution would be to write a patch for arpd so that you can give arpd a dhcp scope as a parameter and that it

1. at startup leases 75% of the number of addresses in this scope from the dhcp server
2. monitors the number of leases provided by the dhcp server from this scope to "real" clients and starts (re)leasing addresses when the percentage drops below 70% or rises above 80%.

In this way you cooperate with the address space manager and avoid conflicts.

Wim
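The "honeynet that shrinks as DHCP hands out leases" idea from the message above, written out as an added example (not code from this thread, nor from honeyd's arpd): a Python model of an arpd-style responder that ignores ARP requests sent from the DHCP server's own MAC (its pre-offer ping check) and learns which addresses are taken by parsing sniffed DHCPACK and DHCPRELEASE messages, rather than the client's ARP probe. The packet builder, the addresses and the MACs are all constructed for illustration; a real deployment would feed the responder payloads captured from UDP ports 67/68.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236 of the BOOTP payload
DHCPACK, DHCPRELEASE = 5, 7         # option 53 message-type values

def parse_dhcp(payload: bytes):
    """Return (message_type, yiaddr, ciaddr, chaddr) from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    ciaddr, yiaddr = (str(ipaddress.IPv4Address(payload[o:o + 4])) for o in (12, 16))
    chaddr = payload[28:28 + payload[2]].hex(":")   # hlen (byte 2) selects the MAC bytes
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, yiaddr, ciaddr, chaddr

class DhcpAwareResponder:
    def __init__(self, honeynet: str, dhcp_server_mac: str):
        self.net = ipaddress.ip_network(honeynet)   # address space arpd may claim
        self.dhcp_server_mac = dhcp_server_mac      # assumed known to the operator
        self.leased = {}   # ip -> client MAC, learned from sniffed DHCPACKs

    def observe_dhcp(self, payload: bytes) -> None:
        msg_type, yiaddr, ciaddr, chaddr = parse_dhcp(payload)
        if msg_type == DHCPACK and yiaddr != "0.0.0.0":
            self.leased[yiaddr] = chaddr        # server committed this lease
        elif msg_type == DHCPRELEASE:
            self.leased.pop(ciaddr, None)       # client gave the address back

    def should_answer_arp(self, target_ip: str, sender_mac: str) -> bool:
        """Claim target_ip only if it is unleased honeynet space and the ARP is not the server's check."""
        if sender_mac == self.dhcp_server_mac:
            return False
        return ipaddress.ip_address(target_ip) in self.net and target_ip not in self.leased

def build_dhcp(msg_type: int, yiaddr: str, ciaddr: str, chaddr: str) -> bytes:
    """Construct a minimal DHCP payload (sample data for testing, not a capture)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += ipaddress.IPv4Address(ciaddr).packed + ipaddress.IPv4Address(yiaddr).packed
    hdr += b"\x00" * 8 + mac.ljust(16, b"\x00") + b"\x00" * 192   # siaddr, giaddr, chaddr, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
```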