DHCP Server Attack

This morning users started to get IP Address conflicts on the network.  I immediately thought I had a rogue DHCP server on the network, but I did not.  In the DHCP manager I kept seeing "Bad Address" for many IP Addresses.  Well, I imported today's log file into Excel and figured out that 2 MAC addresses on my network were being assigned all of the addresses, therefore causing the issue.  I found the two offending computers; they were Apple MACS.

Anyone ever see this happen or know of some Apple virus that is supposed to hit today? It is basically a denial of service attack if you think about it, but from the inside.

Any help/answers would be appreciated.
LVL 1
bvexpertAsked:
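
The log analysis the question describes doing in Excel, as an added example that is not part of the original post: a Python script that counts distinct new leases per MAC address and how many of those addresses were later flagged as conflicts. The column layout and event IDs are assumed from the Windows DHCP Server audit log format, and the sample lines and the `max_leases` threshold are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample. Column layout assumed from the Windows DHCP Server audit
# log: ID,Date,Time,Description,IP Address,Host Name,MAC Address
# Assumed event IDs: 10 = new lease, 11 = renewal, 13 = address found in use.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,06/15/07,08:01:02,Assign,192.168.1.20,PC-ACCT1,00AA00000001
11,06/15/07,08:02:40,Renew,192.168.1.21,PC-ACCT2,00AA00000002
10,06/15/07,08:03:10,Assign,192.168.1.50,mac-a,00BB00000001
13,06/15/07,08:03:12,Conflict,192.168.1.50,BAD_ADDRESS,
10,06/15/07,08:03:15,Assign,192.168.1.51,mac-a,00BB00000001
13,06/15/07,08:03:17,Conflict,192.168.1.51,BAD_ADDRESS,
10,06/15/07,08:03:20,Assign,192.168.1.52,mac-a,00BB00000001
10,06/15/07,08:03:25,Assign,192.168.1.60,mac-b,00BB00000002
13,06/15/07,08:03:27,Conflict,192.168.1.60,BAD_ADDRESS,
10,06/15/07,08:03:30,Assign,192.168.1.61,mac-b,00BB00000002
10,06/15/07,08:03:35,Assign,192.168.1.62,mac-b,00BB00000002
"""

ASSIGN, CONFLICT = "10", "13"

def summarize(log_text):
    """Return ({mac: set of newly leased IPs}, set of IPs marked as conflicts)."""
    ips_by_mac, conflicts = defaultdict(set), set()
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # skip the log preamble, the header row and short lines
        event, ip, mac = row[0].strip(), row[4].strip(), row[6].strip().upper()
        if event == ASSIGN and mac:
            ips_by_mac[mac].add(ip)
        elif event == CONFLICT:  # conflict rows carry no MAC, so match by IP
            conflicts.add(ip)
    return ips_by_mac, conflicts

def suspects(log_text, max_leases=2):
    """MACs holding more than max_leases distinct new leases, busiest first."""
    ips_by_mac, conflicts = summarize(log_text)
    rows = [(mac, len(ips), len(ips & conflicts))
            for mac, ips in ips_by_mac.items() if len(ips) > max_leases]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for mac, leased, bad in suspects(SAMPLE_LOG):
        print(f"{mac}: {leased} new leases, {bad} later marked as conflicts")
```

A single client normally takes one new lease and then renews it, so a MAC with many distinct new leases in one day's log is the one to trace to a switch port.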
strungCommented:
As far as I know, there are NO Mac viruses.
0
strungCommented:
On the Macs, go into the System Preferences (under the Apple Menu) and go to the Sharing Preferences Pane. Make sure Internet Sharing is unchecked. If this is checked, the Mac may act as a DHCP server.
0
bvexpertAuthor Commented:
Let me rephrase....The MACS would not stop leasing unleased addresses from the Windows DHCP server and each address they "leased" came up as bad address.
0
strungCommented:
Don't know why that is happening. Did you consider giving the Mac static IP addresses on the same subnet as your DHCP server but out of the range of the server?
0
strungCommented:
P.S. What software version are the Macs running? Check by dragging down the Apple menu to "About this Mac".
0
strungCommented:
Is the OS software on the Macs completely up to date?

See for instance:

http://secunia.com/advisories/10295/
0
stuknhawaiiCommented:
I have had this happen with a Cisco Aironet 1100 series, and it also caused all computers to believe there was an IP conflict with each and every one of them. It was really weird. Updated the IOS to fix the problem. Not the same as here (MAC's) but thought it was interesting!!!!
0
bvexpertAuthor Commented:
I definitely do not think it is the same thing that is referenced at secunia.  I am going to have the MAC users trigger an update and then let them back on.  

Who knows.
0
smudgalCommented:
This is a common DHCP DOS (Denial of Service) attack. I keep changing my MAC address and DHCP will keep assigning me new IP addresses (can be done via script/batch file).

DHCP assigns IPs based on the MAC; if a request comes from the same MAC for renewal of an IP, DHCP will assign that machine the same IP address it already had.

HTH
0
bvexpertAuthor Commented:
I already know that it is a DHCP Denial of Service issue. My question is how did it get on my MACS, how do I get it off, and how do I identify what it is. There are NO known viruses for MAC OS X.
0
strungCommented:
I am not convinced it is a DOS. It may be a bug in the Mac implementation of DHCP, or an error in your DHCP server that PC's can tolerate but Macs can't. I will see if I can research this. In the meantime, here is one link:

http://lists.sans.org/pipermail/unisog/2007-January/027056.html
0
bvexpertAuthor Commented:
I have to tell you, that was awesome. The story on Annoyances.org from Aug. 2006 was dead on.  We did actually have a TZ180 on our network in the same exact fashion as that guy. Very cool. Thanks!!!!
0