Vulnerability Development mailing list archives

Re: swbell DSL bug ?


From: Scott.Miller () VANDENBERG AF MIL (Miller Scott Contr 30CS/FTI)
Date: Mon, 8 May 2000 10:11:42 -0700


It's not even necessary to change MAC addresses to get more DHCP leases.
The DHCP protocol provides a client identifier field to identify each lease,
and most DHCP client implementations use the MAC address as the identifier,
but there's nothing that says you have to.  I wrote a short test program
that contacts our Microsoft DHCP server and requests leases with arbitrary
client identifiers, and the server happily hands out all the addresses you
want.  It also serves as an effective denial of service if you fill up the
entire address pool.  The specification even allows you to make the requests
over an already configured interface, saving you the trouble of constructing
broadcast datagrams and listening for replies in promiscuous mode.  The
Network TeleSystems DHCP server used by my DSL provider, however, doesn't
seem to respond to such requests.

If you're running Solaris, obtaining more DHCP addresses is trivial - on my
Solaris 7 box at home, 'ifconfig le0:1 dhcp' creates a new subinterface and
obtains a DHCP lease for it.  Haven't checked to see what it uses for a
client identifier, though.

Bottom line, it's a feature, not a bug.  As far as accounting, the lease is
still recorded in the DHCP logs.  The only real security issue here is in
your ISP not restricting this if they generally charge for multiple
addresses.

Here's a potentially more interesting issue:  my ISP (which shall remain
nameless) uses a Redback Systems SMS1000 customer aggregation router, which
restricts traffic to each subscriber by watching as DHCP leases are granted
and maintaining a table of active addresses per interface.  Unfortunately, I
don't have one of these boxes at home to play with, but I'd be really
interested in seeing how immune the SMS1000 is to spoofing - i.e., is it
possible to send a DHCP discover from the customer side, and at the same
time forge a response from the outside and trick the SMS1000 into adding the
address to its security table?  And is the mechanism really stateful,
requiring the full DHCP negotiation, or does it just watch for a DHCPACK?

Scott

-----Original Message-----
From: Ryan Sweat [mailto:batrox () SWBELL NET]
Sent: Sunday, May 07, 2000 12:24 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: swbell DSL bug ?

     Southwestern Bell is a big provider of DSL access in some parts of the
US.  DHCP provides an IP address and the lease expires in about 72 hours.
They claim the IP cannot be changed, however when playing around last night,
I found if you install another ethernet card, and switch the cable to the
new card, it happily gives you another IP address.  The DHCP server must
rely on MAC address when providing a lease for an IP.  This could pose many
problems.  How can accounting be kept when a user can change his IP whenever
he likes?  I have more testing to do, but I do not see why you couldn't
install a few NIC cards and get an IP address for each one, which swbell would
like to charge you much more money for.  I am looking into a way to change
the MAC address in windows. I know it can be done in linux through ifconfig.
Maybe someone has experience in this ??

batrox () swbell net <mailto:batrox () swbell net>
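To make the client-identifier point above concrete from the server-log side, here is an added example (not Scott's test program, and not the SMS1000's mechanism): a minimal RFC 2131/2132 parser that pulls the hardware address (chaddr) and the client identifier (option 61) out of a raw DHCP message, and a check that flags any hardware address that has asked for leases under several different identifiers. `build_discover` exists only to construct sample input offline; the MAC and identifier values are made up.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options magic cookie at offset 236

def parse_dhcp(pkt: bytes):
    """Return (chaddr, {option_tag: value}) from a raw BOOTP/DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]                      # hardware address length (6 for Ethernet)
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 0:                   # pad option, single byte
            i += 1
            continue
        if tag == 255:                 # end option
            break
        length = pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return chaddr, opts

def lease_identity(pkt: bytes):
    """What the server keys the lease on: option 61 if sent, else htype 1 + chaddr."""
    chaddr, opts = parse_dhcp(pkt)
    return chaddr, opts.get(61, b"\x01" + chaddr)

def flag_multi_identity(pkts, threshold: int = 2):
    """Map each chaddr to the set of client identifiers it used; return those at/over threshold."""
    seen = defaultdict(set)
    for p in pkts:
        chaddr, cid = lease_identity(p)
        seen[chaddr].add(cid)
    return {mac: ids for mac, ids in seen.items() if len(ids) >= threshold}

def build_discover(chaddr: bytes, client_id: bytes = b"") -> bytes:
    """Constructed test input only: a minimal DHCPDISCOVER with optional option 61."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(chaddr), 0, 0x1234, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + MAGIC_COOKIE
    opts = b"\x35\x01\x01"             # option 53 = DHCPDISCOVER
    if client_id:
        opts += b"\x3d" + bytes([len(client_id)]) + client_id   # option 61
    return hdr + opts + b"\xff"
```

Run over captured DISCOVER/REQUEST messages (or a server's lease log, if it records option 61), a single MAC appearing with three or more identifiers is the pattern Scott describes, and a legitimate Solaris subinterface would show up the same way.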
