Bugtraq mailing list archives
Re: BOOTP/DHCP security
From: benedikt () devnull ruhr de (Benedikt Stockebrand)
Date: Wed, 27 Nov 1996 21:37:58 +0100
[ Concerning rogue BOOTP/DHCP servers ] I assume you've got the resources to have a machine spend some cycles on checking for these attacks. (1) Make this machine check for bogus MACs in its ARP cache mapped to the servers IP address. This forces the attacker to use a network card with a configurable MAC and usually stops attacks from machines belonging to the network (unless you've got this kind of card installed). (2) Make it run its interface in promiscuous mode and check all bootp/dhcp/tftp/rarp requests. If there are lots of multiple replies to the same request this is a strong indication that an attack takes place. This scanner could probably be implemented most easily by hacking up tcpdump or similar, but using an unmodified tcpdump (with appropriate options) and a separate filter program should already do the trick on a moderately loaded network. Ben -- Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address im- plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
Current thread:
- Re: BOOTP/DHCP security itudps (Nov 27)
- <Possible follow-ups>
- Re: BOOTP/DHCP security itudps (Nov 27)
- Re: BOOTP/DHCP security Benedikt Stockebrand (Nov 27)
- Re: BOOTP/DHCP security itudps (Nov 27)
- CIAC Bulletin H-08: lpr Buffer Overrun Vulnerability David Crawford (Nov 27)
- Re: BOOTP/DHCP security Valdis.Kletnieks () vt edu (Nov 28)
- Irix: more suid fun/exploits Yuri Volobuev (Nov 28)
- Re: BOOTP/DHCP security Alan Cox (Nov 28)