[Snort-sigs] DHCP Attack

arif.jatmoko at ...2741...
Wed Aug 18 21:15:01 EDT 2004



Thanks a bunch!!
I never thought this simple rule would work so well.

Thanks again.
Arif Jatmoko

From: "Kenneth G. Arnold" <bkarnold at ...1280...>
Date: 08/19/2004 09:29
To: arif.jatmoko at ...2741...
cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] DHCP Attack

We have found the following rule to be very effective in spotting rogue
DHCP servers on our campus.

#
# DHCP Servers
#
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "DHCP Server On Campus"; sid:1000001;)

Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
servers in your network.

Kenneth Arnold
System Administrator
Christian Brothers University

On Thu, 19 Aug 2004 arif.jatmoko at ...2741... wrote:

> Hi list,
>
> I have experienced a problem during the last two days with a kind of DHCP
> attack. There was more than one DHCP server available on the network using
> private IP addresses (192.168.x.x), while our DHCP uses a public IP address.
> Every DHCP client request was served by those rogue DHCP servers. Can we
> detect this kind of attack?
> I'm thinking about DNS spoofing, DHCP spoofing and other MITM attacks.
> I knew that there are tools like dhcploc.exe bundled with the Win2k Resource
> Kit or dhcp_probe available at
> http://www.net.princeton.edu/software/dhcp_probe/.
>
> PS. Our DHCP server uses Win2K with Active Directory enabled, while the
> rogue DHCP servers use Win2K on VMWare (other PCs).
>
> Thanks,
> Arif Jatmoko

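Added example, not part of the original thread: the rule above only matches replies sent to 255.255.255.255, so this Python sketch applies the same allowlist check to any BOOTREPLY from port 67 and also compares the server identifier (option 54) carried inside the packet. The allowlisted address 203.0.113.10, the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: stands in for the $DHCP_SERVERS variable used by the rule above.
DHCP_SERVERS = {ipaddress.ip_address("203.0.113.10")}
MAGIC_COOKIE = bytes([99, 130, 83, 99])          # RFC 2131 options marker
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values sent by servers

def parse_options(data):
    """Walk the DHCP option TLVs and return {code: value}; stops on truncation."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:      # 255 = end option
        if data[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            break
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def check_reply(src_ip, src_port, payload):
    """Return an alert string for a DHCP server reply from an unlisted server, else None."""
    if src_port != 67 or len(payload) < 240:
        return None
    if payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:   # op 2 = BOOTREPLY
        return None
    opts = parse_options(payload[240:])
    kind = SERVER_MSGS.get(opts[53][0]) if opts.get(53) else None
    if kind is None:
        return None
    claimed = [ipaddress.ip_address(src_ip)]
    if len(opts.get(54, b"")) == 4:              # option 54 = server identifier
        claimed.append(ipaddress.ip_address(opts[54]))
    rogue = [str(ip) for ip in claimed if ip not in DHCP_SERVERS]
    if not rogue:
        return None
    offered = ipaddress.ip_address(payload[16:20])            # yiaddr field
    return f"DHCP Server On Campus: {kind} from {rogue[0]} offering {offered}"

def build_reply(msg_type, yiaddr, server_id):
    """Constructed sample packet: minimal BOOTREPLY with options 53 and 54."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6             # op, htype Ethernet, hlen
    hdr[16:20] = ipaddress.ip_address(yiaddr).packed
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.ip_address(server_id).packed + b"\xff"
    return bytes(hdr) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    print(check_reply("192.168.1.1", 67, build_reply(2, "192.168.1.50", "192.168.1.1")))
```

Feed it the source address, source port and UDP payload of captured packets; a reply whose source is allowlisted but whose option 54 names another server is also reported.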