[Snort-sigs] DHCP Attack

Frank Knobbe frank at ...1978...
Thu Aug 19 21:04:23 EDT 2004

On Thu, 2004-08-19 at 14:30, Nick Hatch wrote:
> Where do you have your Snort sensor for this rule? There are quite a few 
> tools to find Rogue DHCP servers, but our problem has been finding a 
> graceful solution to mitigate the amount of hardware needed to watch 30 
> subnets.

How about setting up a script on a box whose segment is monitored by
Snort. That script can fire a dummy "whos-my-dhcp-server-daddy"
broadcast query packet to port 67 and see what machines
respond (server:67 to client:68... iirc). That way you don't need to
monitor each collision domain, only your broadcast domains.

In essence, you're baiting the rogue DHCP server with fake DHCP queries


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040819/edb4fef0/attachment.sig>

More information about the Snort-sigs mailing list