I have always avoided DHCP and always recommended against it's use, it was just a matter of time for malware to exploit the inherent insecurity of the DHCP protocol.

I guess DHCP will need to be converted to use cryptographic keys too, like DNSSEC.

You could just run a script to set the DNS server addresses to the correct ones on every PC.

Having a system find DNS addresses from another system is just asking for trouble, especially on a network where not everyone knows/cares about security.

Since DHCP is not authenticated and is an attractive attack vector, all networks should have countermeasures providing defense in depth against unauthorized DHCP servers..

The open-source program dhcp_probe can be used to monitor a network for unauthorized DHCP servers.

Enterprise-grade switches like Cisco's allow you to lock down ports so DHCP is only allowed from authorized ports.

So is there something preventing your router/firewall from blocking traffic to port 53 except to your known and trusted DNS servers? Just specify the IPs manually in the settings and for the love of Mike, don't ever let a third party (application or machine) tell your firewall what is and isn't safe.

I did the research on this 4 / 5 years ago http://www.networkpenetration.com/dhcp_flaws.html ... shitty that I had to take the site down though due to dumb uk laws forbidding the release of dos tools but you can probably find a copy of the paper on the net somewhere... I won't mention about the flaws with pxe and wake up packets but you can probably guess

This exploit will not work on our networks because we have DHCP snooping turned on and only an authorised server can pass out dhcp packets.

If your organisation has this capability (will do if it's all CISCO), enable this as part of your standard configuration on all switches.

"Network Penetration is Temporarily Unavailable

We may or may not be back folks :/ " ..... http://www.networkpenetration.com/dhcp_flaws.html

Ste [Posted Tuesday 17th March 2009 02:18 GMT] ,

Network Penetration is Always Available because IT is so Lucrative and Rewarding and whenever Vulnerabilities are Discovered, Shared with Guests/Hosts and Ignored by the Same, will Personal Corporate Enrichment at Third Party Hosted Expense easily escape any Malicious Prosecution with the Wilful Entrapment and Grooming Defence Line of Attack.

"shitty that I had to take the site down though due to dumb uk laws forbidding the release of dos tools " ...... Invariably always dumb laws are to protect criminally dumb people and the uk has more than its fair share of such lawmakers. AIMasterminds though would always Transparently BetaTest them for Flaws which could/should/may/will be criminally flouted and thus would need be guarded against, with any Necessary and Future Security Costs not being seen as a Debit Liability but rather as a Credit Asset, with its Offer Price being Directly Proportional to the Perceived Loss Value of being Fully Exposed to the Risk Discovered/Vulnerability which can be Exploited.

And what you pay for is what you get in such Pay Peanuts get Monkeys Stakes. Only the Very Best of the Very Best suffices for Great Game Big Picture Operations ....... but do IT right and IT is Win Win with Everyone a Winner and Considerably Richer on every Plane/Level/Field and No Losers....... so the Huge Expense of such Systems doesn't even come into the Reckoning at All as All Spend is just Adding to the Guaranteed Pot Riches.

Yes.

The compromise affects a LAN segment; computers which will be communicating via network switches which are most likely dumb devices that can do no filtering. Sure, you could configure a firewall on each machine to only communicate with known safe DNS servers, but you're still left with a chicken-and-egg situation which is what DHCP was intended to correct in the first place.

As for blocking the rogue DNS server from accessing the internet, there is absolutely nothing preventing that from making queries to your legitimate DNS servers. Indeed, I'd be surprised if this malware didn't do exactly that, for exactly the reasons people have specified here. All it has to do then is pass on false information to its own clients.

If this version of the malware doesn't communicate with legitimate DNS servers (ie, the ones its own compromised host was originally configured to use, or ones gleaned from legitimate DHCP traffic) you can be assured the next one will.

There isn't a practical network level solution to this, as pretty much everyone, everywhere will be using DHCP on small networks... the fact that limited numbers of networks will have superior (but hugely inconvenient) security will be quite irrelevant compared to the pool of potential victims.

Block DNS at the Gateway...Only an authorised DNS address can be used.

Problem Solved. For now...

Problem will still exist if the Malware skims a few Address and refers the rest to the deault DNS IP for the network...

"I have always avoided DHCP and always recommended against it's use, it was just a matter of time for malware to exploit the inherent insecurity of the DHCP protocol."

That's right we will set up 5000 machines over 23 countries manually....and every time they move office, change a nic, change a DC etc etc, oh did I mention the 3000 IP phones as well?

"You could just run a script to set the DNS server addresses to the correct ones on every PC."

Yup and how do they get this. First they power up, request a IP address from a DHCP server...Oooops fail.

First, I like to hard code the DNS (woth OpenDNS as my primary 2) & IP address. I do it at home, but the boss doesn't like it at work.

Second. At work, if I'm not mistake, in Windows Server 2003, you have to authorize a DHCP server to be on the network.

@ 2 thoughts

yes, you do indeed have to authorise a dhcp server in 2003, but from experience, this doesn't prevent a rogue dhcp server getting in. It just prevents the DHCP server from communicating with Active Directory and the internal DNS (That's how DNS updates its dynamic FQDN list).

We had a rather dumb art teacher in the school I used to work at, and periodically, he would hard reset his mac WAPs, thus re-enabling the built-in DHCP server.

Aside from requiring a damn good slap for throwing money away on Mac WAPs, (I can pay 3 times the going rate for half the features? Where's my wallet?!?!) realistically, rogue DHCP detection is the only practical solution, but quite a job if you have multiple sites.

I'm currently setting up SCCM 2007, which can make extensive use of WOL, and Intels AMT tech for Out Of Bounds management. Basically, it can power on a machine, and gain BIOS level control.

It requires a PKI SSL certificate installing amongst other things due to the security implications, so I'll be interested to see what other traffic security benefits can be gleaned