[Snort-sigs] DHCP Attack

Kenneth G. Arnold bkarnold at ...1280...
Thu Aug 19 12:52:08 EDT 2004


We have our sensor in the same vlan as our dhcp server. Our Cisco core 
router is also programmed to pass all DHCP requests to a central 
server.  The snort port is set to "see" all the traffic in that vlan.  We 
are able to "see" traffic from the various vlans (we have many vlans also) 
as it either passes to a different vlan or to the internet.  We can't "see" 
traffic that stays within a vlan, unless it is the vlan in which snort is 
located.  The easy part is snort "seeing" the packets.  The hard part is 
trying to figure out where the rogue dhcp server is actually located.
Ken

At 02:30 PM 8/19/2004, Nick Hatch wrote:
>Where do you have your Snort sensor for this rule? There are quite a few 
>tools to find Rogue DHCP servers, but our problem has been finding a 
>graceful solution to mitigate the amount of hardware needed to watch 30 
>subnets.
>
>(Sorry... this is getting slightly off-topic) Is there some way to monitor 
>several subnets from a single sensor? Our Cisco core router is programmed 
>to pass all DHCP requests to a central server. Anyone know if there is 
>something similar that can be done for all DHCP traffic?
>
>Thanks -- this is one of our largest concerns for our network come fall. (Not 
>a memorable date for most Snort users -- but for those of us using Snort 
>in an educational environment, it's a huge event to prepare for.)
>
>-Nick
>
>Kenneth G. Arnold wrote:
>
>>We have found the following rule to be very effective in spotting rogue
>>DHCP servers on our campus.
>>
>>#
>># DHCP Servers
>>#
>>alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg:"DHCP Server On Campus"; sid:1000001;)
>>
>>Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
>>servers in your network.
>>
>>Kenneth Arnold
>>System Administrator
>>Christian Brothers University
>>
>>On Thu, 19 Aug 2004 arif.jatmoko at ...2741... wrote:
>>
>>
>>
>>>Hi list,
>>>
>>>I have experienced a problem during the last two days with a kind of DHCP attack.
>>>There was more than one DHCP server available on the network using private
>>>IP addresses (192.168.x.x), while our DHCP server uses a public IP address. Every DHCP
>>>client request was served by those rogue DHCP servers. Can we detect this kind of
>>>attack?
>>>I'm thinking about DNS spoofing, DHCP spoofing and other MITM attack. I
>>>knew that there are tools like dhcploc.exe bundled with Win2k Resource Kit
>>>or dhcp_probe available at
>>>http://www.net.princeton.edu/software/dhcp_probe/.
>>>
>>>PS. Our DHCP server is running Win2K with Active Directory enabled, while the
>>>rogue DHCP servers are running Win2K on VMware (other PCs).
>>>
>>>Thanks,
>>>Arif Jatmoko
>>>
>>>
>>>
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigs at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>
>>
>>
>>
>
>
>--
>ResTek, Residential Technology Services
>http://restek.wwu.edu, x2946


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
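
The rule quoted in this thread fires on any UDP packet from source port 67 that is not from an address in $DHCP_SERVERS and is sent to 255.255.255.255. The script below is an added example, not code from any of the posters or from the Snort project; it applies the same test to raw Ethernet frames in Python, and it generalizes the rule in one respect: a DHCP server is allowed to unicast its OFFER or ACK to the client when the client did not set the broadcast flag, so a rule keyed only on the 255.255.255.255 destination can miss some rogue replies, and this script flags unicast replies too. It also records the sender's MAC address and the DHCP server identifier (option 54), because, as Ken says, the hard part is locating the rogue, and the source MAC is what you look up in the switch MAC address table to find the port. The authorized server list, the MAC and IP addresses and all frames are constructed for the example.

```python
"""Rogue DHCP reply detection modelled on the Snort rule in this thread (added example)."""
import struct
import ipaddress

# Constructed stand-in for Snort's $DHCP_SERVERS variable: the authorized servers.
DHCP_SERVERS = {"10.0.0.5"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_options(data: bytes) -> dict:
    """Decode DHCP TLV options up to the END (255) marker."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                       # PAD option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_frame(frame: bytes):
    """Ethernet II -> IPv4 -> UDP -> BOOTP/DHCP. Returns None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 17:      # protocol 17 = UDP
        return None
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    payload = ip[ihl + 8:ihl + ulen]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts = parse_options(payload[240:])
    mt = opts.get(53)
    return {
        "src_mac": mac_str(frame[6:12]),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport,
        "op": payload[0],                      # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "chaddr": mac_str(payload[28:34]),
        "msg_type": MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN",
        "server_id": str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None,
    }


def classify(frame: bytes, authorized=DHCP_SERVERS):
    """Alert dict for a DHCP server reply from an unauthorized IP, else None."""
    pkt = parse_frame(frame)
    if pkt is None or pkt["sport"] != 67 or pkt["op"] != 2:
        return None                            # not a DHCP server reply
    if pkt["src_ip"] in authorized:
        return None
    return {
        "msg": "DHCP Server On Campus",
        "type": pkt["msg_type"],
        "server_ip": pkt["src_ip"],
        "server_id": pkt["server_id"],
        "server_mac": pkt["src_mac"],           # look this up in the switch MAC table
        "offered_ip": pkt["yiaddr"],
        "client_mac": pkt["chaddr"],
        "broadcast": pkt["dst_ip"] == "255.255.255.255",  # the only case the rule sees
    }


def build_dhcp_reply(src_mac, src_ip, dst_ip, yiaddr, client_mac, msg_type, server_id):
    """Build a constructed Ethernet/IPv4/UDP DHCP server reply (test input only)."""
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server_id).packed + b"\xff"
    flags = 0x8000 if dst_ip == "255.255.255.255" else 0
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, flags)  # op,htype,hlen,hops,xid,secs,flags
    bootp += b"\x00" * 4                                  # ciaddr
    bootp += ipaddress.IPv4Address(yiaddr).packed         # yiaddr
    bootp += ipaddress.IPv4Address(server_id).packed      # siaddr
    bootp += b"\x00" * 4                                  # giaddr
    bootp += client_mac + b"\x00" * 10                    # chaddr, 16 bytes
    bootp += b"\x00" * 192                                # sname + file
    bootp += DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp   # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + udp
    eth_dst = b"\xff" * 6 if dst_ip == "255.255.255.255" else client_mac
    return eth_dst + src_mac + b"\x08\x00" + ip


def sample_frames():
    """Constructed traffic: an authorized server, a rogue (broadcast and unicast), and ARP."""
    good_srv = bytes.fromhex("001122334455")
    rogue_srv = bytes.fromhex("00505612ab34")   # constructed; 00:50:56 is a VMware OUI
    client = bytes.fromhex("0019d1aabbcc")
    return {
        "authorized_offer": build_dhcp_reply(good_srv, "10.0.0.5", "255.255.255.255",
                                             "10.0.0.77", client, 2, "10.0.0.5"),
        "rogue_offer_bcast": build_dhcp_reply(rogue_srv, "192.168.1.1", "255.255.255.255",
                                              "192.168.1.50", client, 2, "192.168.1.1"),
        "rogue_ack_unicast": build_dhcp_reply(rogue_srv, "192.168.1.1", "192.168.1.50",
                                              "192.168.1.50", client, 5, "192.168.1.1"),
        "arp": b"\xff" * 6 + client + b"\x08\x06" + b"\x00" * 28,
    }


def scan(frames):
    """Run classify over a mapping of name -> frame; return the alerts keyed by name."""
    return {name: a for name, frame in frames.items() if (a := classify(frame)) is not None}


if __name__ == "__main__":
    for name, alert in scan(sample_frames()).items():
        print(name, alert)
```

The "broadcast" field in each alert tells you whether the quoted Snort rule would also have fired on that frame; the unicast ACK in the sample set is the case it would not see. Like the rule, this only works where the sensor is in the rogue's VLAN: a relay agent forwards client requests to the central server, not the rogue's replies, so a single sensor behind the relay does not solve the multi-subnet problem raised in the thread.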