Bugtraq mailing list archives

Re: BOOTP/DHCP security

From: benedikt () devnull ruhr de (Benedikt Stockebrand)
Date: Wed, 27 Nov 1996 21:37:58 +0100


[ Concerning rogue BOOTP/DHCP servers ]

I assume you've got the resources to have a machine spend some cycles
on checking for these attacks.

(1) Make this machine check for bogus MACs in its ARP cache mapped to
the servers IP address.  This forces the attacker to use a network
card with a configurable MAC and usually stops attacks from machines
belonging to the network (unless you've got this kind of card
installed).

(2) Make it run its interface in promiscuous mode and check all
bootp/dhcp/tftp/rarp requests.  If there are lots of multiple replies
to the same request this is a strong indication that an attack takes
place.  This scanner could probably be implemented most easily by
hacking up tcpdump or similar, but using an unmodified tcpdump (with
appropriate options) and a separate filter program should already do
the trick on a moderately loaded network.


    Ben

--
Ben(edikt)? Stockebrand    Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes.  Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.

Current thread:

Re: BOOTP/DHCP security itudps (Nov 27)
- <Possible follow-ups>
- Re: BOOTP/DHCP security itudps (Nov 27)
- Re: BOOTP/DHCP security Benedikt Stockebrand (Nov 27)
  - Re: BOOTP/DHCP security itudps (Nov 27)
  - CIAC Bulletin H-08: lpr Buffer Overrun Vulnerability David Crawford (Nov 27)
  - Re: BOOTP/DHCP security Valdis.Kletnieks () vt edu (Nov 28)
  - Irix: more suid fun/exploits Yuri Volobuev (Nov 28)
  - Re: BOOTP/DHCP security Alan Cox (Nov 28)