Rogue DHCP Server Viruses
David W. Hankins
David_Hankins at isc.org
Wed Jan 28 18:25:26 UTC 2009
On Wed, Jan 28, 2009 at 09:52:45AM -0500, Denis Laventure wrote:
> We had this problem here too. Use Wireshark on the same subnet to find the
> IP of the workstation that's sending those wrong ACKs. We had 2 of those
> infected machines on our network. I don't remember if we found the virus, but
> I think we just formatted the PC.
I don't think this is the OP's issue; he's got fixed-addresses
overlapping his dynamic ranges. But I still want to amplify this a bit
because it seems to be a growing trend...
A rogue DHCP-server virus like this doesn't even need to succeed in
hijacking the client's lease. A Windows box will DHCPINFORM later while
running, and will use the domain name servers list provided there.
This is a double-whammy:
1) The rogue server installs itself as the recursive nameserver for
your other clients. It is now the man in any man-in-the-middle
attacks (HTTP-injected viruses, banking, porn adverts, any of it).
2) The rogue server can (it is not known if it does) also supply the
WPAD option, or install itself as the client's default router and
either way work to suppress the client from receiving security
patches, thus increasing the duration of infections.
DHCP services must be secured to thwart this threat. Anything less
is a stopgap. Right now that means Ethernet-level packet filtering,
to suppress DHCP 'server' answers from 'client' ports.
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.
"If you don't do it right the first time, you'll just have to do it again."
-- Jack T. Hankins
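Editor's note: the following is an added example, not part of the post above and not code from ISC or its DHCP server. It shows the hunt Denis describes (spotting OFFER/ACK replies from a server you did not deploy) as a small parser over raw DHCP messages, and reports the options David warns about: the DNS server list (option 6), the default router (option 3) and the de facto WPAD option (252). The authorized-server list, the sample messages and all addresses are constructed for the example; in a live capture you would feed it the UDP payloads from port 67/68 traffic.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER, DHCP_ACK = 2, 5          # option 53 values that only a server sends
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 3, 6, 53, 54, 252


def build_dhcp(msg_type, server_id, yiaddr="0.0.0.0", dns=(), router=None, wpad=None):
    """Assemble a minimal BOOTP/DHCP message. Constructed test data, not a capture."""
    op = 2 if msg_type in (DHCP_OFFER, DHCP_ACK) else 1   # BOOTREPLY vs BOOTREQUEST
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if op == 2:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    if dns:
        opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    if router:
        opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    if wpad:
        opts += bytes([OPT_WPAD, len(wpad)]) + wpad.encode()
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_options(data):
    """Walk the TLV option area after the 236-byte fixed header; return {code: raw}."""
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 255:                  # End option
            break
        if code == 0:                    # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):           # truncated option header
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw):
    """Split a run of 4-byte addresses (options 3 and 6) into dotted quads."""
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)]


def inspect_reply(data, authorized):
    """Return a finding for an OFFER/ACK whose server is not in `authorized`, else None."""
    opts = parse_options(data)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if msg_type not in (DHCP_OFFER, DHCP_ACK):
        return None                      # client-originated message, not a spoofing candidate
    server = socket.inet_ntoa(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
    if server in authorized:
        return None
    return {
        "type": MSG_NAMES[msg_type],
        "server": server,
        "dns": ip_list(opts.get(OPT_DNS, b"")),
        "router": ip_list(opts.get(OPT_ROUTER, b"")),
        "wpad": opts[OPT_WPAD].decode(errors="replace") if OPT_WPAD in opts else None,
    }


def audit(packets, authorized):
    """Run inspect_reply over a batch of raw DHCP payloads; keep only the findings."""
    return [f for f in (inspect_reply(p, authorized) for p in packets) if f]


# Constructed sample traffic: one legitimate server (10.0.0.1) and one rogue (10.0.0.66).
AUTHORIZED = {"10.0.0.1"}
SAMPLE_PACKETS = [
    build_dhcp(1, "0.0.0.0"),                                        # client DISCOVER
    build_dhcp(DHCP_OFFER, "10.0.0.1", yiaddr="10.0.0.50",
               dns=("10.0.0.2",), router="10.0.0.1"),               # real server
    build_dhcp(DHCP_ACK, "10.0.0.66", dns=("10.0.0.66",),
               wpad="http://10.0.0.66/wpad.dat"),                    # rogue answering an INFORM
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS, AUTHORIZED):
        print("rogue %(type)s from %(server)s: dns=%(dns)s router=%(router)s wpad=%(wpad)s" % finding)
```

Two caveats on using this for real. Option 54 is written by whoever sent the packet, so a detector should key on the UDP source address and the switch port the frame arrived on as well; that port-level view is exactly what the "server answers from client ports" filtering in the post enforces at the switch, and this script is only the hunting tool you reach for until that is in place.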