(I felt this message had enough operational relevance to post on this list. If
anyone feels otherwise, please let me know.)
After having experienced a rather malicious attack on our corporate network by
someone running a rogue DHCP server, I'm wondering if there's any way to
prevent this from happening again? The perpetrator basically managed to
renumber most of an entire subnet (into an entirely different IP block) of our
network, causing a major denial of service. I've read the RFCs and checked
all the network reference books I can find, and none of them indicate any way
to prevent this from happening again. Am I missing something here, or is it
time to start writing RFCs? Thanks in advance.
Nicholas Bastin wrote:
> (I felt this message had enough operational relevance to post on this list. If
> anyone feels otherwise, please let me know.)
> After having experienced a rather malicious attack on our corporate network by
> someone running a rogue DHCP server, I'm wondering if there's any way to
> prevent this from happening again?
You don't specify whether this was a corporate network or a production
(e.g. cable) network. The short answer (especially if a corporate
network): get him fired, or worse (i.e. take some sort of legal
action). If a public network, such as a cable modem system, that'd be
fairly nasty...
> The perpetrator basically managed to
> renumber most of an entire subnet (into an entirely different IP block) of our
> network, causing a major denial of service. I've read the RFCs and checked
> all the network reference books I can find, and none of them indicate any way
> to prevent this from happening again. Am I missing something here, or is it
> time to start writing RFCs? Thanks in advance.
Well, the problem that comes up is how does the workstation figure out
who to trust? The DHCP client basically knows nothing about the IP
addressing of the network (which is why it's asking a DHCP server). It's
not desirable to have it know anything, because that'd limit the ability
to have your DHCP client be portable. The best thing about DHCP is the
ability to plug into any LAN anywhere that supports DHCP, and be able to
operate.
There may well be some ways to authenticate a legitimate DHCP server
from an illegitimate one, but discussion of that is probably off-topic
for NANOG. I'd be happy to discuss the matter further off this list, or
on an appropriate list, however, and would like to hear more details of
the situation in your case.
Dan
> After having experienced a rather malicious attack on our corporate network by
> someone running a rogue DHCP server, I'm wondering if there's any way to
> prevent this from happening again?
Ask your Ethernet switch/bridge or cable modem vendor for a method of
disabling non-ARP broadcasts from being received by client machines. You
can then trust your switches to direct such requests only to anything you
let receive broadcasts, which should only be trusted servers.
Cisco's IRB bridging has "subscriber-policy" which roughly approximates this
that I use for our DSL customers. I believe their higher-end switches can
take layer-2 access-lists, which could be made to work similarly.
Any protocol that relies on trusting the first server to reply to a
broadcast is similarly vulnerable. I'm not sure there's a way to secure the
protocol itself if the client has zero knowledge of the network it's on when
it starts up, which is the point of DHCP.
Note that disabling broadcasts may adversely affect some already-broken
protocols, such as WINS or SMB. This might only prevent shares off of
"client" machines from showing up in others' Network Neighborhood, but I
can't say that I've tested it.
Aaron Hopkins
aaron@cyberverse.com
Chief Technical Officer, Cyberverse Inc.
Our cable modems have the option of directional port filtering. When we
realized what a problem rogues could be, we very quickly filtered off
traffic from the customer PC with destination port 68.
Andrea.
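Aaron's broadcast rule and Andrea's destination-port-68 filter, modelled together as an added Python example (not code from this thread or from any vendor's equipment). The port names, addresses and the server-identifier allow-list are constructed assumptions, and the allow-list check goes one step beyond the thread by also rejecting OFFER/ACK messages that name a server identifier not on the list.

```python
import struct
from ipaddress import IPv4Address

# Constructed demo topology: port names and addresses are assumptions, not the thread's equipment.
TRUSTED_PORTS = {"uplink"}            # ports where the legitimate DHCP server may sit
ALL_PORTS = {"uplink", "cust1", "cust2"}
TRUSTED_SERVERS = {"192.0.2.1"}       # constructed allow-list of DHCP server identifiers
ETHERTYPE_ARP, DHCP_CLIENT_PORT = 0x0806, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of DHCP options after the 236-byte BOOTP header

def flood_targets(ingress_port, ethertype):
    # Aaron's rule: ARP still floods everywhere; other broadcasts (a DHCPDISCOVER among them)
    # go only to trusted ports, so a rogue server on a client port never sees the request.
    targets = ALL_PORTS if ethertype == ETHERTYPE_ARP else TRUSTED_PORTS
    return targets - {ingress_port}

def build_offer(server_ip, yiaddr, xid=0x1234ABCD):
    # Constructed minimal DHCPOFFER: BOOTP header (op=2), cookie, options 53/54, end marker.
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0, b"",
                      IPv4Address(yiaddr).packed, IPv4Address(server_ip).packed, b"", b"", b"", b"")
    opts = b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server_ip).packed + b"\xff"  # 53=OFFER, 54=server id
    return hdr + MAGIC_COOKIE + opts

def parse_dhcp(payload):
    # Return (message_type, server_identifier), or None when the payload is not DHCP at all.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    msg_type, server_id, i = None, None, 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                 # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value, i = payload[i + 2:i + 2 + length], i + 2 + length
        if code == 53:
            msg_type = value[0]
        elif code == 54:
            server_id = str(IPv4Address(value))
    return msg_type, server_id

def filter_server_to_client(ingress_port, udp_dst_port, payload):
    # Andrea's rule: server->client DHCP (UDP dst 68) entering on a customer port is dropped;
    # on a trusted port, OFFER/ACK naming an unlisted server identifier is dropped as well.
    if udp_dst_port != DHCP_CLIENT_PORT:
        return "forward"
    if ingress_port not in TRUSTED_PORTS:
        return "drop:untrusted-port"
    parsed = parse_dhcp(payload)
    if parsed and parsed[0] in (2, 5) and parsed[1] not in TRUSTED_SERVERS:
        return "drop:unknown-server"
    return "forward"
```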
WINS and SMB file sharing are not broadcast based. The name location
mechanism in Windows networking is broadcast based, if you don't use WINS.
WINS eliminates that need.
Eric
> After having experienced a rather malicious attack on our corporate
> network by