
Re: [SAGE] Tool: grab all dhcp leases, ala DOS?



Hi,

The organization this was involved with had a rogue DHCP server running on 
a machine that also introduced a network loop with a NAT. We were asked to 
assist the network group in tracking and/or eliminating the problem. This 
happens to us from time to time, however we have no access whatsoever to 
the organization's switching infrastructure and cannot directly modify, 
or even inspect, the infrastructure configuration. We can only make 
suggestions. We can however directly interact with end user machines over 
the network, with the blessings of the network group to the end that it 
will help make the problems go away.

Although there is the ability to implement layer 2 filtering on the 
organization's switches, perhaps the interfaces to the equipment don't 
provide the granularity to do so on a per-MAC basis, the members of the 
network group that were involved either didn't realize it could be done, 
the members of the network group that were present during this issue don't 
have access to the interfaces necessary, or perhaps those particular 
individuals simply lack the technical skill to implement such 
modifications. (I don't know the answer to that question--it wasn't done 
in any case.)
Furthermore I have reason to believe based on some of the comments that 
were made to me during the course of this episode, that the layer 2 filter 
is misconfigured such that it does not function as expected. According to 
what they told me, due to policy, this device should not have been 
able to communicate on the network at all. Pointing out this contradiction 
(the device was not registered, the device was handing out DHCP addresses 
left and right) was pointless at the time, since it was clearly able to 
talk on the network in this capacity. Finally, a recommendation to simply 
unplug the various branches of the network to isolate the branch that the 
system was on fell on deaf ears until other members of the network group 
showed up to assist, and came up with that idea on their own.

The network loop, although destructive, was not introducing nearly the 
same problems to users as the rogue DHCP server. It was sending out 
leases which caused end user machines to change subnets and redirect 
their traffic away from the organization gateway through the rogue 
system.

So one first action that we could do to reduce the impact of the situation 
would be to slurp up all of the available "bad" leases that we could get 
since we could determine what subnet the rogue DHCP server wanted 
everyone to communicate on. This is not a subnet that the organization 
uses under normal circumstances so it was quite easy to differentiate the 
bad leases from the legitimate leases even though a fair number of both 
were passing through the loop.
That would at least keep the DHCP server at bay (and end users would still be 
functional) while the network group came up with a plan of action for 
dealing with that loop.

This is why I was thinking about a tool like this. It's not a replacement 
for a good network admin. I just can't think of too many other ways we 
(who can't even look at the switch configs) could actively deal with this 
kind of a problem without resorting to such techniques. Although, I'm 
interested in other techniques I might be able to employ without needing 
access to the switching infrastructure.
If you think that employing a tool like this in these circumstances is a 
poor course of action, I'm interested in alternatives. I couldn't 
think of too many other ways that I could actively assist within the role 
that I had/have.

Of course, however, with a tool like this in hand, there is that coffee 
bar/Wireless Internet cafe that gave me that bad Mocha Latte a couple 
weeks back, maybe I'll go pay 'em a visit...

Thanks,
Rich.


On Fri, 24 Aug 2007, Allan West wrote:

> sage@richfox.org wrote:
>> Hi,
>> 
>> A while ago I heard about a tool, perhaps proprietary, that would allow a 
>> single system to obtain many, many, leases from a DHCP server. Does anyone 
>> know of any open source tools that might provide this functionality 
>> (preferably with the ability to accept or reject IP leases based on the IP 
>> subnet)? I googled and googled but I couldn't separate the noise from the 
>> signal in the results...
>> 
>> Thanks,
>> Rich.
>
> I'd be curious to know why you want to DOS one or more subnets.
>
> It wouldn't work on any of my subnets, since machines have to be registered 
> to get an address from our DHCP server. Most DHCP servers will ping the IP 
> before handing out an address to a requester, so you'd have to impersonate 
> multiple MAC addresses and hold all of the received IPs in use with virtual 
> interfaces. It seems like an interesting technical challenge, but I'm not 
> seeing an obvious use for it.
>

--
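
The message above separates "bad" from legitimate leases by the subnet being offered. The following is an added example, not code from the thread or its participants, that does that classification passively on captured DHCP reply payloads. The site subnet, the server address and the sample packets are constructed assumptions using documentation address ranges.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"                        # RFC 2131 cookie at offset 236
LEGIT_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # assumed site subnet
LEGIT_SERVERS = {ipaddress.ip_address("192.0.2.1")}     # assumed site DHCP server

def parse_dhcp_reply(payload):
    """Return the fields of a BOOTP/DHCP reply payload, or None if it is not one."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None
    info = {"yiaddr": ipaddress.IPv4Address(payload[16:20]),
            "mac": payload[28:34].hex(":"), "msg_type": None, "server_id": None, "router": None}
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                         # truncated option: stop parsing
            break
        if code == 53 and length == 1:                  # DHCP message type (2 = OFFER)
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:                # server identifier
            info["server_id"] = ipaddress.IPv4Address(value)
        elif code == 3 and length >= 4:                 # first router (default gateway)
            info["router"] = ipaddress.IPv4Address(value[:4])
        i += 2 + length
    return info

def rogue_reasons(info):
    """List the ways a parsed reply differs from the site's known DHCP setup."""
    reasons = []
    if info["server_id"] not in LEGIT_SERVERS:
        reasons.append("unknown server identifier")
    for field in ("yiaddr", "router"):
        addr = info[field]
        if addr is not None and not any(addr in net for net in LEGIT_NETS):
            reasons.append(f"{field} outside site subnets")
    return reasons

def sample_offer(yiaddr, server, router):
    """Constructed DHCPOFFER payload used as sample input (not captured traffic)."""
    y, s, r = (ipaddress.IPv4Address(a).packed for a in (yiaddr, server, router))
    head = bytes([2, 1, 6, 0]) + bytes(12) + y + bytes(8)
    head += bytes.fromhex("020000000001") + bytes(10) + bytes(192) + DHCP_MAGIC
    return head + bytes([53, 1, 2, 54, 4]) + s + bytes([3, 4]) + r + b"\xff"
```

A reply with a non-empty reason list carries the server identifier to hand to the network group for tracing on the switches.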