Vulnerability Development mailing list archives
Re: swbell DSL bug ?
From: Scott.Miller () VANDENBERG AF MIL (Miller Scott Contr 30CS/FTI)
Date: Mon, 8 May 2000 10:11:42 -0700
It's not even necessary to change MAC addresses to get more DHCP leases. The DHCP protocol provides a client identifier field to identify each lease, and most DHCP client implementations use the MAC address as the identifier, but there's nothing that says you have to. I wrote a short test program that contacts our Microsoft DHCP server and requests leases with arbitrary client identifiers, and the server happily hands out all the addresses you want. It also serves as an effective denial of service if you fill up the entire address pool. The specification even allows you to make the requests over an already configured interface, saving you the trouble of constructing broadcast datagrams and listening for replies in promiscuous mode. The Network TeleSystems DHCP server used by my DSL provider, however, doesn't seem to respond to such requests.

If you're running Solaris, obtaining more DHCP addresses is trivial - on my Solaris 7 box at home, 'ifconfig le0:1 dhcp' creates a new subinterface and obtains a DHCP lease for it. Haven't checked to see what it uses for a client identifier, though.

Bottom line, it's a feature, not a bug. As far as accounting, the lease is still recorded in the DHCP logs. The only real security issue here is in your ISP not restricting this if they generally charge for multiple addresses.

Here's a potentially more interesting issue: my ISP (which shall remain nameless) uses a Redback Systems SMS1000 customer aggregation router, which restricts traffic to each subscriber by watching as DHCP leases are granted and maintaining a table of active addresses per interface. Unfortunately, I don't have one of these boxes at home to play with, but I'd be really interested in seeing how immune the SMS1000 is to spoofing - i.e., is it possible to send a DHCP discover from the customer side, and at the same time forge a response from the outside and trick the SMS1000 into adding the address to its security table? And is the mechanism really stateful, requiring the full DHCP negotiation, or does it just watch for a DHCPACK?

Scott

-----Original Message-----
From: Ryan Sweat [mailto:batrox () SWBELL NET]
Sent: Sunday, May 07, 2000 12:24 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: swbell DSL bug ?

Southwestern Bell is a big provider of DSL access in some parts of the US. DHCP provides an IP address and the lease expires in about 72 hours. They claim the IP cannot be changed, however when playing around last night, I found if you install another ethernet card, and switch the cable to the new card, it happily gives you another IP address. The DHCP server must rely on MAC address when providing a lease for an IP. This could pose many problems. How can accounting be kept when a user can change his IP whenever he likes? I have more testing to do, but I do not see why you couldn't install a few NIC cards and get an IP address for each one, which swbell would like to charge you much more money for. I am looking into a way to change the MAC address in Windows. I know it can be done in Linux through ifconfig. Maybe someone has experience in this?

batrox () swbell net
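
A defender-side check for the behaviour discussed in this message, added here as an example and not code from either poster: it reads the hardware address (chaddr) and the client identifier (option 61) out of raw DHCP messages and flags a hardware address that appears under several lease identities. The function names, the limit and the sample messages are constructed for the illustration; keying on chaddr is also an assumption, and an access device would more reliably key on the subscriber port.

```python
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field
PAD, END, CLIENT_ID = 0, 255, 61  # option codes; 61 is the client identifier

def parse_ids(msg: bytes):
    """Return (chaddr, client_id) from a raw DHCP message; client_id is None if absent."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = msg[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr, client_id, i = msg[28:28 + hlen], None, 240
    while i < len(msg) and msg[i] != END:
        if msg[i] == PAD:  # single-byte padding option, no length field
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        code, length = msg[i], msg[i + 1]
        if code == CLIENT_ID:
            client_id = msg[i + 2:i + 2 + length]
        i += 2 + length
    return chaddr, client_id

def flag_multi_identity(messages, limit=1):
    """Return {chaddr hex: count} for hardware addresses seen with more than
    `limit` distinct lease identities (option 61, or chaddr when it is absent)."""
    seen = defaultdict(set)
    for msg in messages:
        chaddr, client_id = parse_ids(msg)
        seen[chaddr].add(client_id if client_id is not None else chaddr)
    return {mac.hex(): len(ids) for mac, ids in seen.items() if len(ids) > limit}

def constructed_msg(mac: bytes, client_id=None) -> bytes:
    """Build a minimal client message for the samples below (constructed, not captured)."""
    header = bytes([1, 1, len(mac), 0]) + bytes(24) + mac.ljust(16, b"\0") + bytes(192)
    options = b"\x35\x01\x01"  # option 53, message type DHCPDISCOVER
    if client_id is not None:
        options += bytes([CLIENT_ID, len(client_id)]) + client_id
    return header + MAGIC + options + b"\xff"

MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLES = [
    constructed_msg(MAC_A, b"\x01" + MAC_A),  # usual case: identifier is type byte + MAC
    constructed_msg(MAC_A, b"\x00host-2"),    # same hardware address, second identifier
    constructed_msg(MAC_A, b"\x00host-3"),    # same hardware address, third identifier
    constructed_msg(MAC_B),                   # no option 61: chaddr is the identity
]
```

Calling `flag_multi_identity(SAMPLES)` reports only the first hardware address, with a count of three identities.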