Message-ID: <DEDFD939A181F94AAF3D965C58B7AADC01FCE44E@001fntcex01.fnb.fnni.com>
Date: Wed Jul 20 21:35:15 2005
From: mmadison at fnni.com (Madison, Marc)
Subject: Snatching IP on LAN, how to DoS/block such machines?
Physical security..... ;)
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Niklas
Sent: Wednesday, July 20, 2005 2:25 PM
To: FD-mailing
Subject: [Full-disclosure] Snatching IP on LAN, how to DoS/block such machines?
Consider the following scenario:

You are running a decent network (say a couple of C-nets) with a non-anonymous DHCP. It is not possible to have smart switches to each endpoint. In the last stage the clients are connected to dumb switches.

Everything is fine until a user shuts down a (DHCP:ed) computer and uses its IP on the private portable that the user just connected to the same outlet, or on an outlet on the same subnet (user hardcodes the IP and may be located... anywhere this subnet is available).

This is noticed pretty quickly since such a computer is bound to show up in internal systems (inventory can't log on, software can't be deployed, viruses are reported from this IP, snort finds interesting traffic, etc. etc.).

The network admin then blocks the user's MAC at router level. The user can have an IP (hardcoded), but won't be able to do external traffic at all beyond the default gateway; this is pretty useless to the hijacking user.

The user then modifies his MAC to match a valid PC's MAC. The user is instantly DHCP:ed/allowed at router level. The user still ends up in logs, but since the user has a firewall enabled, the admin can do nothing on the net against the local machine (at least not automatically) aside from starting to block valid MACs.

How do you "shut down" such hijackers? Blocking the MAC at router level is not an option since the real machine might be turned on later (unblocking, as well as blocking, involves the net admin; those changes don't happen in real time, probably a week's time :)).

The intrusion itself is sooner or later detected by systems automatically, in most cases almost instantly since we are talking about P2P users. There is a possibility to script stuff on the subnet when this happens, but how to proceed?

I'm thinking something like TFN in the good old days (for a short period of time, until the hijacker gives up), or a smart ARP-poisoning. In other words, how do I DoS "my own" clients? I don't mind bringing a switch to its knees since this type of incident always occurs after office hours. I have full control of all of the clients on the subnet except the hijackers', but no access to the router.

Any suggestions are most welcome -- if your answer considers the above "It is not possible to have smart switches to each endpoint" :)
/n
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
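As an added example that is not part of this thread, a small audit that cross-checks the non-anonymous DHCP lease table against passively observed ARP replies. It flags the first stage Niklas describes (a leased IP answered by a foreign MAC), a hardcoded IP outside the lease table, and the address conflict that shows up when the real machine is turned on again; the lease table, ARP observations and alert names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data, not real leases or a real capture.
DHCP_LEASES = {                       # ip -> mac handed out by the DHCP server
    "10.0.1.20": "00:11:22:33:44:20",
    "10.0.1.21": "00:11:22:33:44:21",
}

# Constructed (timestamp, ip, mac) tuples as a passive sniffer would see
# them in ARP replies on the subnet.
ARP_OBSERVATIONS = [
    (100,  "10.0.1.20", "00:11:22:33:44:20"),  # legitimate host, later shut down
    (2000, "10.0.1.20", "aa:bb:cc:dd:ee:ff"),  # hijacker reuses the leased IP
    (2100, "10.0.1.20", "00:11:22:33:44:20"),  # real machine comes back: conflict
    (2500, "10.0.1.99", "aa:bb:cc:dd:ee:ff"),  # hardcoded IP never leased
    (2600, "10.0.1.21", "00:11:22:33:44:21"),  # cloned valid MAC: invisible here,
]                                              # exactly the gap the post describes

def audit(leases, observations, window=600):
    """Return ordered, de-duplicated (kind, ip, mac, detail) alerts.

    kind is one of "lease-mismatch" (detail = leased MAC), "unleased-ip"
    (detail = None) or "ip-conflict" (detail = the other MAC seen claiming
    the same IP within `window` seconds). Alert names are this example's own.
    """
    alerts = []
    last_seen = defaultdict(dict)  # ip -> {mac: last timestamp}

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for ts, ip, mac in sorted(observations):
        leased = leases.get(ip)
        if leased is None:
            add(("unleased-ip", ip, mac, None))
        elif mac != leased:
            add(("lease-mismatch", ip, mac, leased))
        # Two different MACs answering for one IP close together is the
        # symptom of the original host returning while the IP is in use.
        for other, seen_at in last_seen[ip].items():
            if other != mac and ts - seen_at <= window:
                add(("ip-conflict", ip, mac, other))
        last_seen[ip][mac] = ts
    return alerts

if __name__ == "__main__":
    for alert in audit(DHCP_LEASES, ARP_OBSERVATIONS):
        print(alert)
```

The last observation produces nothing on purpose: once the hijacker clones a valid MAC, lease data alone cannot distinguish it from the real machine, which is why the original post ends up asking about other measures.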