[Snort-sigs] DHCP Attack
Kenneth G. Arnold
bkarnold at ...1280...
Wed Aug 18 19:30:02 EDT 2004
We have found the following rule to be very effective in spotting rogue
DHCP servers on our campus.
# DHCP Servers
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "DHCP Server On
Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
servers in your network.
Christian Brothers University
On Thu, 19 Aug 2004 arif.jatmoko at ...2741... wrote:
> Hi list,
> I have experienced a problem during the last two days with a kind of DHCP attack.
> There was more than one DHCP server available on the network using private
> IP addresses (192.168.x.x), while our DHCP uses a public IP address. Every DHCP
> client request was served by those rogue DHCP servers. Can we detect this kind of
> attack?
> I'm thinking about DNS spoofing, DHCP spoofing and other MITM attacks. I
> knew that there are tools like dhcploc.exe bundled with the Win2k Resource Kit
> or dhcp_probe available at
> PS. Our DHCP server is using Win2K with Active Directory enabled, while a
> rogue DHCP server is using Win2K on VMware (other PCs).
> Arif Jatmoko
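An added example, not part of the original posts and not Snort code: the same allowlist idea as the rule above, applied in Python to the DHCP payload itself, so a server reply is flagged when either the UDP source address or the server identifier (option 54) is not a listed server. ALLOWED_SERVERS, the addresses, and the function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"               # RFC 2131 marker that starts the options field
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values that only a server sends
ALLOWED_SERVERS = {"203.0.113.10"}               # assumption: plays the role of $DHCP_SERVERS

def parse_dhcp_options(payload):
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                  # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                  # truncated option value
        opts[code] = value
        i += 2 + length
    return opts

def check_reply(src_ip, payload, allowed=ALLOWED_SERVERS):
    """Return an alert string for a server reply from an unlisted host, else None."""
    opts = parse_dhcp_options(payload)
    if opts is None or payload[0] != 2:  # op 2 = BOOTREPLY
        return None
    mtype = opts.get(53)
    if not mtype or mtype[0] not in SERVER_TYPES:
        return None
    sid = opts.get(54)
    claimed = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else src_ip
    if src_ip in allowed and claimed in allowed:
        return None
    return f"rogue DHCP {SERVER_TYPES[mtype[0]]} from {src_ip} (server id {claimed})"

def build_reply(mtype, server_ip):
    """Constructed sample: minimal BOOTREPLY carrying only options 53 and 54."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)  # op, htype, hlen, hops, rest zeroed
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"

print(check_reply("192.168.1.1", build_reply(2, "192.168.1.1")))
```

The rule quoted above matches only replies sent to 255.255.255.255; the payload check applies equally to replies a sensor sees unicast.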