Security Incidents mailing list archives

Re: A question of intent / DHCP poison attack?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 7 Feb 2001 01:57:45 -0500

On Tue, 06 Feb 2001 20:51:34 PST, Conor Crowley <ccrowley () CONORCROWLEY COM>  said:
> After speaking with her manager, we decided there was probably no malicious
> intent. After mulling this over for a day, I just can't get over the host
> name. I've never heard of a "DHCP poison" attack, although I have read about

Well.. let's see.. You identified the host name as "poison"
before you actually found the machine.  This means that it
is probably listed under that name in your DNS.. Soo..

1) Your DNS got hacked and the person put in their vanity
hostname.  Not too likely, even most skriptz k1dd13s are
smarter than that.

2) You forgot to set 'recursion no' in your authoritative
DNS servers (and/or didn't restrict queries, and/or use
the same server for authoritative requests and recursion),
and a skriptz kiddy DNS-cache poisoned the hostname
into there.

3) Somebody authorized put it in there.  Perhaps the office
was the campus Poison Control center, or the owner of the
machine liked 80's hair bands. ;)

4) It wasn't in the DNS, it was in your WINS server.  If
so, you have my condolences. ;)

> I suppose my question is simply this: Has anyone seen this kind of insider
> attack?

First time I saw this attack was on a SunOS 3.2 system
in 1985 or so.  Seen it used a few times since.

On the other hand, our campus has at least one bozo a
month that starts one up accidentally, usually a Windows
or Linux box.

I'd regard it as a simple kloo-failure unless you have
*direct* evidence there was malicious intent.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

