[Snort-sigs] DHCP Attack
frank at ...1978...
Thu Aug 19 21:04:23 EDT 2004
On Thu, 2004-08-19 at 14:30, Nick Hatch wrote:
> Where do you have your Snort sensor for this rule? There are quite a few
> tools to find Rogue DHCP servers, but our problem has been finding a
> graceful solution to mitigate the amount of hardware needed to watch 30

How about setting up a script on a box whose segment is monitored by
Snort? That script can fire a dummy "whos-my-dhcp-server-daddy"
broadcast query packet to 255.255.255.255 port 67 and see what machines
respond (server:67 to client:68... iirc). That way you don't need to
monitor each collision domain, only your broadcast domains.
In essence, you're baiting the rogue DHCP server with fake DHCP queries
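
The baiting approach described in the message above, sketched as an added example that is not part of the original post: one DHCPDISCOVER broadcast per broadcast domain, then every DHCPOFFER that comes back is checked against an allowlist. The function names, the `authorized` allowlist and the sample reply builder are assumptions made for illustration.

```python
import os, socket, struct
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie
HDR = "!BBBBIHH16s16s192s"    # fixed 236-byte BOOTP header

def build_discover(mac, xid):  # BOOTREQUEST, broadcast flag set, option 53 = DISCOVER
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, b"", mac, b"")
    return hdr + MAGIC + b"\x35\x01\x01\xff"

def sample_offer(xid, server_ip):  # constructed reply, used only for offline testing
    hdr = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0x8000, b"", b"", b"")
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + socket.inet_aton(server_ip) + b"\xff"

def parse_reply(pkt):  # -> (xid, message type, server id) or None if unusable
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None
    return struct.unpack("!I", pkt[4:8])[0], opts[53][0], socket.inet_ntoa(opts[54])

def rogue_servers(replies, xid, authorized):  # replies: [(payload, (src_ip, port))]
    rogues = set()
    for payload, (src_ip, _port) in replies:
        parsed = parse_reply(payload)
        if parsed and parsed[0] == xid and parsed[1] == 2:   # 2 = DHCPOFFER to our probe
            # flag the packet source too, in case option 54 names a legitimate server
            rogues |= {src_ip, parsed[2]} - set(authorized)
    return sorted(rogues)

def probe(mac, authorized, timeout=3.0):  # live probe; binding UDP/68 needs root
    xid, replies = struct.unpack("!I", os.urandom(4))[0], []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        try:
            while True:
                replies.append(s.recvfrom(1500))
        except socket.timeout:
            pass
    return rogue_servers(replies, xid, authorized)
```

`probe()` takes the 6-byte MAC of the probing interface and returns the unexpected responders; a DHCP client already holding UDP/68 on the same box can prevent the bind.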