bvexpert

DHCP Server Attack

This morning users started to get IP address conflicts on the network. I immediately thought I had a rogue DHCP server on the network, but I did not. In the DHCP manager I kept seeing "Bad Address" for many IP addresses. Well, I imported today's log file into Excel and figured out that 2 MAC addresses on my network were being assigned all of the addresses, therefore causing the issue. I found the two offending computers; they were Apple Macs.

Anyone ever see this happen or know of some Apple virus that is supposed to hit today? It is basically a denial of service attack if you think about it, but from the inside.

Any help/answers would be appreciated.
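The log analysis described in the question (finding which MAC addresses were taking the pool), as an added example that is not part of the original thread: it counts distinct addresses newly leased per MAC and how many of those were later flagged as in use. The column layout and the meaning of event IDs 10 and 13 are assumptions about the Windows DHCP Server audit log; the sample lines are constructed.

```python
import csv
from collections import defaultdict

EVENT_NEW_LEASE = "10"  # assumed: a new IP address was leased to a client
EVENT_CONFLICT = "13"   # assumed: an IP address was found to be in use

# Constructed sample, not data from the thread.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/07,08:01:12,Assign,10.0.0.50,PC-ACCT1,020000000001
11,01/15/07,08:02:40,Renew,10.0.0.50,PC-ACCT1,020000000001
10,01/15/07,08:03:01,Assign,10.0.0.101,CLIENT-A,0200000000A1
13,01/15/07,08:03:02,Conflict,10.0.0.101,BAD_ADDRESS,
10,01/15/07,08:03:03,Assign,10.0.0.102,CLIENT-B,0200000000B2
13,01/15/07,08:03:04,Conflict,10.0.0.102,BAD_ADDRESS,
10,01/15/07,08:03:05,Assign,10.0.0.103,CLIENT-A,0200000000A1
13,01/15/07,08:03:06,Conflict,10.0.0.103,BAD_ADDRESS,
10,01/15/07,08:03:07,Assign,10.0.0.104,CLIENT-B,0200000000B2
10,01/15/07,08:03:08,Assign,10.0.0.105,CLIENT-A,0200000000A1
13,01/15/07,08:03:09,Conflict,10.0.0.105,BAD_ADDRESS,
10,01/15/07,08:03:10,Assign,10.0.0.106,CLIENT-B,0200000000B2
13,01/15/07,08:03:11,Conflict,10.0.0.106,BAD_ADDRESS,
"""


def lease_hogs(log_text, max_ips=2):
    """Return {mac: (distinct_ips_leased, ips_also_flagged_in_use)} for every
    MAC that took more than max_ips distinct addresses in the log."""
    lines = log_text.splitlines()
    # Skip any free-text preamble before the column header row.
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,"))
    leased = defaultdict(set)  # MAC -> addresses handed out as new leases
    conflicts = set()          # addresses the server marked as in use
    for row in csv.DictReader(lines[start:]):
        event = (row["ID"] or "").strip()
        ip = (row["IP Address"] or "").strip()
        mac = (row["MAC Address"] or "").strip().upper()
        if event == EVENT_NEW_LEASE and mac:
            leased[mac].add(ip)
        elif event == EVENT_CONFLICT:
            conflicts.add(ip)
    return {mac: (len(ips), len(ips & conflicts))
            for mac, ips in leased.items() if len(ips) > max_ips}


if __name__ == "__main__":
    for mac, (taken, bad) in sorted(lease_hogs(SAMPLE_LOG).items()):
        print(f"{mac}: {taken} addresses leased, {bad} flagged in use")
```

On a real day's log, set `max_ips` to what a roaming laptop could plausibly take in one day so that only the outliers remain.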
strung

As far as I know, there are NO Mac viruses.
On the Macs, go into the System Preferences (under the Apple Menu) and go to the Sharing Preferences Pane. Make sure Internet Sharing is unchecked. If this is checked, the Mac may act as a DHCP server.
bvexpert

ASKER

Let me rephrase... The Macs would not stop leasing unleased addresses from the Windows DHCP server, and each address they "leased" came up as bad address.
Don't know why that is happening. Did you consider giving the Macs static IP addresses on the same subnet as your DHCP server but out of the range of the server?
P.S. What software version are the Macs running? Check by dragging down the Apple menu to "About this Mac".
Is the OS software on the Macs completely up to date?

See for instance:

http://secunia.com/advisories/10295/
I have had this happen with a Cisco Aironet 1100 series, and it also caused all computers to believe there was an IP conflict with each and every one of them. It was really weird. Updated the IOS to fix the problem. Not the same as here (Macs), but thought it was interesting!!!!
I definitely do not think it is the same thing that is referenced at secunia. I am going to have the Mac users trigger an update and then let them back on.

Who knows.
smudgal

This is a common DHCP DOS (Denial of Service) attack. I keep changing my MAC address and DHCP will keep assigning me new IP addresses (can be done via script/batch file).

DHCP assigns IPs based on the MAC; if a request comes from the same MAC for renewal of an IP, DHCP will assign that machine the same IP address it already had.

HTH
I already know that it is a DHCP Denial of Service issue. My question is how did it get on my Macs, how do I get it off, and how do I identify what it is. There are NO known viruses for Mac OS X.
I am not convinced it is a DOS. It may be a bug in the Mac implementation of DHCP, or an error in your DHCP server that PCs can tolerate but Macs can't. I will see if I can research this. In the meantime, here is one link:

http://lists.sans.org/pipermail/unisog/2007-January/027056.html
ASKER CERTIFIED SOLUTION
strung
I have to tell you, that was awesome. The story on Annoyances.org from Aug. 2006 was dead on.  We did actually have a TZ180 on our network in the same exact fashion as that guy. Very cool. Thanks!!!!