Vulnerability Development mailing list archives

Re: DHCP man in the middle attack


From: "Kurt Seifried" <bt () seifried org>
Date: Sun, 22 Sep 2002 19:06:09 -0600

Nice summary of well known problems, but:

Recommendations
---------------
Deploy switches (not hubs) and ensure that mac spoofing is not allowed on
them.

This helps how? Oh wait, it doesn't really. Unless you MAC lock ports to
hosts, which is an administrative nightmare. Even if you do that an attacker
can still spoof replies/etc/etc. Remember, you have to allow from 0.0.0.0
and whatnot.

Use the DHCP protocol monitor (snort IDS plug-in) to identify possible
rogue servers.

You would need one on every single physical subnet which hosts DHCP clients,
servers or relays (essentially your entire network). You would then need to
make sure MAC address/IP spoofing doesn't take place, this is not only an
administrative headache but would require one snort "installation" per
subnet (could be one box with multiple interfaces, but still, on a largeish
LAN this would be many many systems). Even then this is a very reactive
solution, and does nothing to protect hosts (other than alerting you to a
problem, with spoofing/etc/etc you still have a lot of work).

DHCP is inherently insecure. About the only ways to "secure it" consist of
VPN/Firewall Auth/Client firewall configuration/etc.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
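
The rogue-server monitoring discussed in the message above, as an added example that is not part of the original post and is not the snort plug-in it mentions: a passive check that parses DHCP replies seen by a sensor and flags any OFFER/ACK/NAK whose server identifier is not on that subnet's allowlist. The allowlist, the addresses and the function names are assumptions constructed for illustration; the sensor only sees replies within its own broadcast domain.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only servers send

def parse_options(data):
    """Walk the option TLVs after the magic cookie; returns {code: value}."""
    opts, i = {}, 0
    while i + 1 < len(data) and data[i] != 255:  # 255 = end option
        if data[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                                # truncated value: stop parsing
        opts[data[i]] = value
        i += 2 + length
    return opts

def check_reply(payload, allowed_servers):
    """Return an alert string for a server reply from an unlisted server, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                              # not a BOOTREPLY carrying DHCP options
    opts = parse_options(payload[240:])
    mtype = opts.get(53, b"")
    if len(mtype) != 1 or mtype[0] not in SERVER_MSGS:
        return None
    sid = opts.get(54, b"")                      # server identifier, set by the sender
    server = socket.inet_ntoa(sid) if len(sid) == 4 else "missing"
    if server in allowed_servers:
        return None                              # a forged listed identifier also passes here
    offered = socket.inet_ntoa(payload[16:20])   # yiaddr field of the BOOTP header
    return f"unlisted DHCP server {server} sent {SERVER_MSGS[mtype[0]]} for {offered}"

def build_reply(mtype, server_ip, offered_ip):
    """Constructed sample: minimal BOOTREPLY with options 53 and 54."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), socket.inet_aton(offered_ip), bytes(4), bytes(4),
                      bytes(16), bytes(64), bytes(128))
    opts = bytes([53, 1, mtype, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return hdr + MAGIC + opts

if __name__ == "__main__":
    for srv in ("192.0.2.1", "192.0.2.66"):      # constructed replies; allowlist is assumed
        print(check_reply(build_reply(2, srv, "192.0.2.50"), {"192.0.2.1"}))
```

Because the check trusts a field the sender fills in, it only catches servers that announce themselves honestly, which is the reactive limitation the message describes.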
