Vulnerability Development mailing list archives
Re: DHCP man in the middle attack
From: "Kurt Seifried" <bt () seifried org>
Date: Sun, 22 Sep 2002 19:06:09 -0600
Nice summary of well known problems, but:

> Recommendations
> ---------------
> Deploy switches (not hubs) and ensure that mac spoofing is not allowed on
> them.

This helps how? Oh wait, it doesn't really. Unless you MAC lock ports to hosts, which is an administrative nightmare. Even if you do that an attacker can still spoof replies/etc/etc. Remember, you have to allow from 0.0.0.0 and whatnot.

> Use the DHCP protocol monitor (snort IDS plug-in) to identify possible
> rogue servers.

You would need one on every single physical subnet which hosts DHCP clients, servers or relays (essentially your entire network). You would then need to make sure MAC address/IP spoofing doesn't take place; this is not only an administrative headache but would require one snort "installation" per subnet (could be one box with multiple interfaces, but still, on a largeish LAN this would be many many systems). Even then this is a very reactive solution, and does nothing to protect hosts (other than alerting you to a problem; with spoofing/etc/etc you still have a lot of work).

DHCP is inherently insecure. About the only ways to "secure it" consist of VPN/Firewall Auth/Client firewall configuration/etc.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
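The rogue-server check that the snort DHCP monitor is meant to do, as an added example that is not part of Kurt's post or of the snort plug-in: parse the BOOTP header and DHCP options (RFC 2131/2132) of a UDP payload and flag any DHCPOFFER/DHCPACK whose server identifier (option 54) is not on an allowlist. `AUTHORIZED_SERVERS` and `build_offer` are assumptions used to construct sample input; a sensor still has to see the traffic on each subnet, as the reply notes.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER, DHCP_ACK = 2, 5

# Hypothetical allowlist of the DHCP servers we operate (constructed value).
AUTHORIZED_SERVERS = {"10.0.0.1"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option area of one DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(payload[i:i + 4]) for i in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]          # client hardware address (hlen bytes)
    opts, i = {}, 240                        # options start right after the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == 0:                        # pad option, no length byte
            i += 1
            continue
        if code == 255:                      # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "giaddr": giaddr,
            "chaddr": chaddr, "options": opts}

def rogue_server(payload: bytes, authorized=AUTHORIZED_SERVERS):
    """Return the server identifier of an OFFER/ACK from an unlisted server, else None."""
    pkt = parse_dhcp(payload)
    msg_type = pkt["options"].get(53)
    if not msg_type or msg_type[0] not in (DHCP_OFFER, DHCP_ACK):
        return None                          # DISCOVER/REQUEST etc. come from clients
    server_id = pkt["options"].get(54)
    if server_id is None or len(server_id) != 4:
        return "<missing option 54>"         # malformed server reply, worth a look too
    sid = str(IPv4Address(server_id))
    return None if sid in authorized else sid

def build_offer(server_ip: str, offered_ip: str, client_mac: bytes, xid=0x1234) -> bytes:
    """Construct a minimal DHCPOFFER as sample input (constructed, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                 # op=BOOTREPLY
    hdr += b"\x00" * 4 + IPv4Address(offered_ip).packed                   # ciaddr, yiaddr
    hdr += IPv4Address(server_ip).packed + b"\x00" * 4                    # siaddr, giaddr
    hdr += client_mac.ljust(16, b"\x00") + b"\x00" * 192                  # chaddr, sname, file
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```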