[Snort-sigs] DHCP Attack

Nick Hatch nick at ...2287...
Thu Aug 19 12:31:02 EDT 2004


Where do you have your Snort sensor for this rule? There are quite a few 
tools to find Rogue DHCP servers, but our problem has been finding a 
graceful solution to mitigate the amount of hardware needed to watch 30 
subnets.

(Sorry... this is getting slightly off-topic) Is there some way to 
monitor several subnets from a single sensor? Our Cisco core router is 
programmed to pass all DHCP requests to a central server. Anyone know if 
there is something similar that can be done for all DHCP traffic?

Thanks -- this is one of our largest concerns for our network come fall. 
(Not a memorable date for most Snort users -- but for those of us using 
Snort in an educational environment, it's a huge event to prepare for.)

-Nick

Kenneth G. Arnold wrote:

>We have found the following rule to be very effective in spotting rogue
>DHCP servers on our campus.
>
>#
># DHCP Servers
>#
>alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "DHCP Server On Campus"; sid:1000001;)
>
>Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
>servers in your network.
>
>Kenneth Arnold
>System Administrator
>Christian Brothers University
>
>On Thu, 19 Aug 2004 arif.jatmoko at ...2741... wrote:
>
>
>>Hi list,
>>
>>I have experienced a problem during the last two days with a kind of DHCP attack.
>>There was more than one DHCP server available on the network using private
>>IP addresses (192.168.x.x), while our DHCP server uses a public IP address. Every DHCP
>>client request was served by those rogue DHCP servers. Can we detect this kind of
>>attack?
>>I'm thinking about DNS spoofing, DHCP spoofing and other MITM attack. I
>>knew that there are tools like dhcploc.exe bundled with Win2k Resource Kit
>>or dhcp_probe available at
>>http://www.net.princeton.edu/software/dhcp_probe/.
>>
>>PS. Our DHCP server uses Win2K with Active Directory enabled, while the
>>rogue DHCP servers use Win2K on VMware (other PCs).
>>
>>Thanks,
>>Arif Jatmoko
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs


-- 
ResTek, Residential Technology Services
http://restek.wwu.edu, x2946
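The same allowlist check as Kenneth's rule, applied to parsed DHCP replies, as an added example that is not code from this thread: it inspects BOOTREPLY messages from UDP port 67, reads the server-identifier option (54) instead of trusting only the IP source, records the relay address (giaddr), and works on replies unicast to a client or relay as well as broadcast ones, which the rule's fixed 255.255.255.255 destination would not match. DHCP_SERVERS and the sample packets are constructed for the example.

```python
from ipaddress import ip_address

# Constructed allowlist, the analogue of Snort's $DHCP_SERVERS variable.
DHCP_SERVERS = {"10.1.0.5"}
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message into op, yiaddr, giaddr and its options."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = {"op": payload[0],
              "yiaddr": str(ip_address(payload[16:20])),   # address offered
              "giaddr": str(ip_address(payload[24:28])),   # relay agent, if any
              "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                # 0 = pad, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        fields["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def rogue_server_alert(src_ip: str, sport: int, payload: bytes):
    """Return an alert string for a DHCP reply whose source address or
    server-identifier (option 54) is not an authorised server, else None."""
    if sport != 67:                       # only server-side traffic
        return None
    msg = parse_dhcp(payload)
    if msg["op"] != 2:                    # BOOTREPLY: OFFER, ACK, NAK
        return None
    mtype = msg["options"].get(53, b"\x00")[0]
    sid = msg["options"].get(54)
    server_id = str(ip_address(sid)) if sid else src_ip
    if src_ip in DHCP_SERVERS and server_id in DHCP_SERVERS:
        return None
    return (f"rogue DHCP server {server_id} (src {src_ip}, type {mtype}) "
            f"offered {msg['yiaddr']} giaddr {msg['giaddr']}")

def build_reply(yiaddr: str, giaddr: str, server_id: str, mtype: int = 2) -> bytes:
    """Construct a minimal BOOTREPLY for testing (constructed, not captured)."""
    hdr = bytearray(236)
    hdr[0] = 2                                     # op = BOOTREPLY
    hdr[16:20] = ip_address(yiaddr).packed
    hdr[24:28] = ip_address(giaddr).packed
    opts = bytes([53, 1, mtype, 54, 4]) + ip_address(server_id).packed + b"\xff"
    return bytes(hdr) + MAGIC + opts
```

A sensor placed where relayed traffic converges sees only what the relay forwards, so a rogue server answering on its own subnet is still only visible to a sensor on that subnet.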
