
Re: RESNET-L Digest - 5 Feb 2002 to 6 Feb 2002 (#2002-26)

daemon@ATHENA.MIT.EDU (Gary Flynn)
Thu Feb 7 09:15:49 2002

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <3C628A8F.A5F94C5E@jmu.edu>
Date:         Thu, 7 Feb 2002 09:09:19 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Gary Flynn <flynngn@JMU.EDU>
To: RESNET-L@listserv.nd.edu

> From:    Randall Watanabe <randallw@HAWAII.EDU>
>
> Ran into a strange problem yesterday and I am appealing to this group for
> some help...
>
> Long story short, basically one of the residents on our network appears to
> have had all of our traffic getting routed to him before passing along to
> our "real" router.

There was a long discussion about this on the unisog group just
a couple days ago. It concerned someone setting up a DHCP server,
giving out unofficial addresses and bogus gateway information, and
then acting as a gateway between the "captured" DHCP clients and
the rest of the network.

Another possibility is an ARP spoofing attack where the attacking
computer becomes the official gateway according to ARP poisoned
clients. Typically, you'd see large numbers of ARP broadcast
packets associated with this. Unfortunately, there are GUI tools
that make this type of attack easy and some include functionality
that allows capturing clear-text SSH1 and SSL session traffic.

I'd pick the computer up and do a detailed forensics examination
looking for the tools or configurations used to perform the hijack
and any captured data.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
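The reply above names two ways a resident's machine can end up in the path of everyone's traffic: a rogue DHCP server handing out a bogus gateway, and ARP poisoning of the real gateway address, the latter usually accompanied by a burst of ARP traffic. The following is an added example, not part of the original message or the list archive, showing how a defender could flag both patterns from packet summaries. The records are constructed, and the dictionary field names (`proto`, `op`, `server_mac`, `sender_ip`, and so on), the addresses, and the thresholds are assumptions made for the example rather than anything from the page.

```python
"""Flag rogue DHCP offers and ARP poisoning of the gateway address
from a list of packet summaries. Added example; records are constructed."""
from collections import Counter, defaultdict

# Constructed packet summaries (not real captures). Field names are assumed
# for this example: a legitimate DHCP server/gateway at 10.1.0.1 and a
# second host that both answers DHCP and claims the gateway IP via ARP.
SAMPLE_PACKETS = [
    {"t": 0.0, "proto": "dhcp", "op": "offer", "server_ip": "10.1.0.1",
     "server_mac": "00:11:22:aa:bb:01", "router": "10.1.0.1"},
    {"t": 0.5, "proto": "dhcp", "op": "offer", "server_ip": "10.1.0.250",
     "server_mac": "00:de:ad:be:ef:99", "router": "10.1.0.250"},
    {"t": 1.0, "proto": "arp", "op": "reply", "sender_ip": "10.1.0.1",
     "sender_mac": "00:11:22:aa:bb:01", "target_ip": "10.1.0.37"},
] + [
    # Six ARP replies in two seconds, all claiming the gateway IP for a MAC
    # that is not the real gateway, each aimed at a different client.
    {"t": 2.0 + 0.4 * i, "proto": "arp", "op": "reply", "sender_ip": "10.1.0.1",
     "sender_mac": "00:de:ad:be:ef:99", "target_ip": f"10.1.0.{37 + i}"}
    for i in range(6)
]


def rogue_dhcp_offers(packets, authorized_server_macs):
    """Return DHCP OFFERs sent by a MAC outside the authorized server set."""
    return [
        p for p in packets
        if p["proto"] == "dhcp" and p["op"] == "offer"
        and p["server_mac"] not in authorized_server_macs
    ]


def arp_gateway_claims(packets, gateway_ip):
    """Count ARP replies per sender MAC that assert ownership of gateway_ip."""
    claims = Counter(
        p["sender_mac"] for p in packets
        if p["proto"] == "arp" and p["op"] == "reply"
        and p["sender_ip"] == gateway_ip
    )
    return dict(claims)


def gateway_conflicts(packets, gateway_ip, expected_mac):
    """List MACs other than expected_mac that claimed the gateway IP."""
    claims = arp_gateway_claims(packets, gateway_ip)
    return sorted(mac for mac in claims if mac != expected_mac)


def arp_reply_flood(packets, window_s=10.0, threshold=5):
    """Return {sender_mac: peak_count} for MACs that sent at least `threshold`
    ARP replies inside any `window_s`-second sliding window."""
    times = defaultdict(list)
    for p in packets:
        if p["proto"] == "arp" and p["op"] == "reply":
            times[p["sender_mac"]].append(p["t"])
    flagged = {}
    for mac, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            # Slide the window start forward until it spans <= window_s.
            while ts[end] - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[mac] = peak
    return flagged


if __name__ == "__main__":
    authorized = {"00:11:22:aa:bb:01"}
    for offer in rogue_dhcp_offers(SAMPLE_PACKETS, authorized):
        print(f"rogue DHCP offer from {offer['server_mac']} "
              f"advertising router {offer['router']}")
    for mac in gateway_conflicts(SAMPLE_PACKETS, "10.1.0.1", "00:11:22:aa:bb:01"):
        print(f"gateway 10.1.0.1 also claimed by {mac}")
    for mac, n in arp_reply_flood(SAMPLE_PACKETS).items():
        print(f"{mac} sent {n} ARP replies within 10s")
```

Each detector is independent so it can be run against a feed from a switch span port or a DHCP log; the ARP checks need the real gateway's MAC as a known-good value, and the DHCP check needs the list of servers that are supposed to answer on that segment.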