[3701] in bugtraq
Re: BOOTP/DHCP security
daemon@ATHENA.MIT.EDU (itudps)
Wed Nov 27 20:04:02 1996
Date: Thu, 28 Nov 1996 06:08:30 +1030
Reply-To: itudps <itudps@ntx.city.unisa.edu.au>
From: itudps <itudps@ntx.city.unisa.edu.au>
X-To: Jonathan Larmour <JLarmour@origin-at.co.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <1.5.4.16.19961127192714.64278994@gatekeeper>
> >> > Examples of bogus information might include:
> >> >
> >> > o a new gateway that bounces everything to the real gateway but also keeps
> >> > a copy of certain information, this would often be undetected in a typical
> >> > large and busy commercial or educational network.
> >>
> >> [of course, you can do this with a packet sniffer just as easily].
> >
> >Not necessarily! The big point is that these requests are usually
> >broadcast and forwarded by the routers, so that you have a window of
> [snip 8< ]
>
> I thought the big point is that once this has done, all packets are sent to
> you for you to read, or more interestingly rewrite at whim. No need for
> sniffing, which may cause difficulties if not on the same subnet anyway, and
> wouldn't allow rewriting.
Someone might eventually notice the strange traffic pattern generated by a
fake gateway. But a dns or wins server would be very hard to spot and you
could use this to distribute requests to a lot of different (also hacked)
places on or outside the network, thus avoiding an obvious change in
network load.
This is a rather unnerving prospect.
--
Dan Shearer email: Dan.Shearer@UniSA.edu.au
Information Technology Unit Phone: +61 8 302 3479
University of South Australia Fax : +61 8 302 3385
