Solved

DHCP Server Attack

Posted on 2008-01-30
Last Modified: 2010-04-21
This morning users started to get IP Address conflicts on the network.  I immediately thought I had a rogue DHCP server on the network, but I did not.  In the DHCP manager I kept seeing "Bad Address" for many IP Addresses.  Well, I imported today's log file into Excel and figured out that 2 MAC addresses on my network were being assigned all of the addresses, therefore causing the issue.  I found the two offending computers, they were Apple MACS.

Anyone ever see this happen or know of some Apple virus that is supposed to hit today? It is basically a denial of service attack if you think about it, but from the inside.

Any help/answers would be appreciated.
Question by:bvexpert
13 Comments
 
LVL 53

Expert Comment

by:strung
ID: 20777989
As far as I know, there are NO Mac viruses.
0
 
LVL 53

Expert Comment

by:strung
ID: 20778023
On the Macs, go into the System Preferences (under the Apple Menu) and go to the Sharing Preferences Pane. Make sure Internet Sharing is unchecked. If this is checked, the Mac may act as a DHCP server.
0
 
LVL 1

Author Comment

by:bvexpert
ID: 20778073
Let me rephrase....The MACS would not stop leasing unleased addresses from the Windows DHCP server and each address they "leased" came up as bad address.
0
 
LVL 53

Expert Comment

by:strung
ID: 20778185
Don't know why that is happening. Did you consider giving the Macs static IP addresses on the same subnet as your DHCP server but out of the range of the server?
0
 
LVL 53

Expert Comment

by:strung
ID: 20778225
P.S. What software version are the Macs running? Check by dragging down the Apple menu to "About this Mac".
0
 
LVL 53

Expert Comment

by:strung
ID: 20778262
Is the OS software on the Macs completely up to date?

See for instance:

http://secunia.com/advisories/10295/
0
 
LVL 7

Expert Comment

by:stuknhawaii
ID: 20778343
I have had this happen with a Cisco Aironet 1100 series, and it also caused all computers to believe there was an IP conflict with each and every one of them. It was really weird. Updated the IOS to fix the problem. Not same as here (MAC's) but thought it was interesting !!!!
0
 
LVL 1

Author Comment

by:bvexpert
ID: 20779696
I definitely do not think it is the same thing that is referenced at secunia.  I am going to have the MAC users trigger an update and then let them back on.  

Who knows.
0
 
LVL 1

Expert Comment

by:smudgal
ID: 20785159
This is a common DHCP DOS (Denial of Service) attack. I keep changing my MAC address and DHCP will keep assigning me new IP addresses (can be done via script/batch file).

DHCP assigns IPs based on the MAC; if a request comes from the same MAC for renewal of an IP, DHCP will assign that machine the same IP address it already had.

HTH
0
 
LVL 1

Author Comment

by:bvexpert
ID: 20785976
I already know that it is a DHCP Denial of Service issue. My question is how did it get on my MACS and how do I get it off and how do I identify what it is. There are NO known viruses for MAC OS X.
0
 
LVL 53

Expert Comment

by:strung
ID: 20786115
I am not convinced it is a DOS. It may be a bug in the Mac implementation of DHCP, or an error in your DHCP server that PC's can tolerate but Macs can't. I will see if I can research this. In the meantime, here is one link:

http://lists.sans.org/pipermail/unisog/2007-January/027056.html
0
 
LVL 53

Accepted Solution

by:
strung earned 2000 total points
ID: 20786157
0
 
LVL 1

Author Closing Comment

by:bvexpert
ID: 31623450
I have to tell you, that was awesome. The story on Annoyances.org from Aug. 2006 was dead on.  We did actually have a TZ180 on our network in the same exact fashion as that guy. Very cool. Thanks!!!!
0
