Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems. Once activated, the trojan sets up a rogue DHCP, or dynamic host configuration protocol, server …
DHCP is inherently insecure
I have always avoided DHCP and always recommended against it's use, it was just a matter of time for malware to exploit the inherent insecurity of the DHCP protocol.
I guess DHCP will need to be converted to use cryptographic keys too, like DNSSEC.
You could just run a script to set the DNS server addresses to the correct ones on every PC.
Having a system find DNS addresses from another system is just asking for trouble, especially on a network where not everyone knows/cares about security.
More effective countermeasures
Since DHCP is not authenticated and is an attractive attack vector, all networks should have countermeasures providing defense in depth against unauthorized DHCP servers..
The open-source program dhcp_probe can be used to monitor a network for unauthorized DHCP servers.
Enterprise-grade switches like Cisco's allow you to lock down ports so DHCP is only allowed from authorized ports.
Am I missing something?
So is there something preventing your router/firewall from blocking traffic to port 53 except to your known and trusted DNS servers? Just specify the IPs manually in the settings and for the love of Mike, don't ever let a third party (application or machine) tell your firewall what is and isn't safe.
I did the research on this 4 / 5 years ago http://www.networkpenetration.com/dhcp_flaws.html ... shitty that I had to take the site down though due to dumb uk laws forbidding the release of dos tools but you can probably find a copy of the paper on the net somewhere... I won't mention about the flaws with pxe and wake up packets but you can probably guess
Home and other small networks
This main area of risk with the Trojan will be the home and other small networks that don't have a dedicated network administrator looking after them. As well, residential and public Internet services are likely to be at risk because of their reliance on DHCP and DNS.
Improvements that I would like to see to thwart the Trojan include routers that check for other DHCP servers on the LAN subnet competing with their DHCP server and "watchdog" procedures being integrated in to small-network and residential / public Internet DHCP / DNS setups.
It is also worth remembering that a small network's DHCP server is the Internet gateway device, typically the router. This would mean that computers and other devices should be able to be set to red-flag DHCP activity unless it comes from the gateway device.
Precautions for networks with simple switches
This is why enterprise switches have DHCP enforcement features.
But even a small network can block DNS traffic to and from all hosts but their DNS forwarders on each subnet interface. That will unmask most rogue DNS forwarders in short order (they tend to try recursive DNS direct to the network rather than use the forwarder given by DHCP, presumably this will change as attacks become more sophisticated).
A small network can also have a router ACL on each subnet which logs packets on the DHCP port from non-approved DHCP servers. Since the first phase of DHCP relies upon a broadcast the router will see some of the rogue's traffic. This won't stop the rogue DHCP server, but it will make the network administrators immediately aware of the rogue server's presence and MAC address.
This exploit will not work on our networks because we have DHCP snooping turned on and only an authorised server can pass out dhcp packets.
If your organisation has this capability (will do if it's all CISCO), enable this as part of your standard configuration on all switches.
Ahh. But *HOME* networks are administratorless!
@Glen Turner: Absolutely. But home networks are built by the 12 year old child who goes to the computer shop, buys the you-beaut wireless ADSL router thing and plugs it in (unless it is a home network for an El Reg reader!). Sadly, we need to engineer for the lowest denominator...
I know my router has very limited control. .. I'd lay quids on the table most are similar.
Regrettably the archetypal home user is the most likely to be bitten by this.
Re Yawn ...... and IT Chasms/.Orgasms
"Network Penetration is Temporarily Unavailable
We may or may not be back folks :/ " ..... http://www.networkpenetration.com/dhcp_flaws.html
Ste [Posted Tuesday 17th March 2009 02:18 GMT] ,
Network Penetration is Always Available because IT is so Lucrative and Rewarding and whenever Vulnerabilities are Discovered, Shared with Guests/Hosts and Ignored by the Same, will Personal Corporate Enrichment at Third Party Hosted Expense easily escape any Malicious Prosecution with the Wilful Entrapment and Grooming Defence Line of Attack.
"shitty that I had to take the site down though due to dumb uk laws forbidding the release of dos tools " ...... Invariably always dumb laws are to protect criminally dumb people and the uk has more than its fair share of such lawmakers. AIMasterminds though would always Transparently BetaTest them for Flaws which could/should/may/will be criminally flouted and thus would need be guarded against, with any Necessary and Future Security Costs not being seen as a Debit Liability but rather as a Credit Asset, with its Offer Price being Directly Proportional to the Perceived Loss Value of being Fully Exposed to the Risk Discovered/Vulnerability which can be Exploited.
And what you pay for is what you get in such Pay Peanuts get Monkeys Stakes. Only the Very Best of the Very Best suffices for Great Game Big Picture Operations ....... but do IT right and IT is Win Win with Everyone a Winner and Considerably Richer on every Plane/Level/Field and No Losers....... so the Huge Expense of such Systems doesn't even come into the Reckoning at All as All Spend is just Adding to the Guaranteed Pot Riches.
Re: Am I missing something?
The compromise affects a LAN segment; computers which will be communicating via network switches which are most likely dumb devices that can do no filtering. Sure, you could configure a firewall on each machine to only communicate with known safe DNS servers, but you're still left with a chicken-and-egg situation which is what DHCP was intended to correct in the first place.
As for blocking the rogue DNS server from accessing the internet, there is absolutely nothing preventing that from making queries to your legitimate DNS servers. Indeed, I'd be surprised if this malware didn't do exactly that, for exactly the reasons people have specified here. All it has to do then is pass on false information to its own clients.
If this version of the malware doesn't communicate with legitimate DNS servers (ie, the ones its own compromised host was originally configured to use, or ones gleaned from legitimate DHCP traffic) you can be assured the next one will.
There isn't a practical network level solution to this, as pretty much everyone, everywhere will be using DHCP on small networks... the fact that limited numbers of networks will have superior (but hugely inconvenient) security will be quite irrelevant compared to the pool of potential victims.
Block DNS at the Gateway...Only an authorised DNS address can be used.
Problem Solved. For now...
Problem will still exist if the Malware skims a few Address and refers the rest to the deault DNS IP for the network...
Some great posts....
"I have always avoided DHCP and always recommended against it's use, it was just a matter of time for malware to exploit the inherent insecurity of the DHCP protocol."
That's right we will set up 5000 machines over 23 countries manually....and every time they move office, change a nic, change a DC etc etc, oh did I mention the 3000 IP phones as well?
"You could just run a script to set the DNS server addresses to the correct ones on every PC."
Yup and how do they get this. First they power up, request a IP address from a DHCP server...Oooops fail.
First, I like to hard code the DNS (woth OpenDNS as my primary 2) & IP address. I do it at home, but the boss doesn't like it at work.
Second. At work, if I'm not mistake, in Windows Server 2003, you have to authorize a DHCP server to be on the network.
an interesting conumndrum
@ 2 thoughts
yes, you do indeed have to authorise a dhcp server in 2003, but from experience, this doesn't prevent a rogue dhcp server getting in. It just prevents the DHCP server from communicating with Active Directory and the internal DNS (That's how DNS updates its dynamic FQDN list).
We had a rather dumb art teacher in the school I used to work at, and periodically, he would hard reset his mac WAPs, thus re-enabling the built-in DHCP server.
Aside from requiring a damn good slap for throwing money away on Mac WAPs, (I can pay 3 times the going rate for half the features? Where's my wallet?!?!) realistically, rogue DHCP detection is the only practical solution, but quite a job if you have multiple sites.
I'm currently setting up SCCM 2007, which can make extensive use of WOL, and Intels AMT tech for Out Of Bounds management. Basically, it can power on a machine, and gain BIOS level control.
It requires a PKI SSL certificate installing amongst other things due to the security implications, so I'll be interested to see what other traffic security benefits can be gleaned
...there was some service that provide free, open DNS resolution that you could point all your personal machines to, even when traveling.
Oh wait, there is.
Protect the PCs Better
I'm not much of a network wonk anymore. I'm into endpoint security issues these days. So, in addition to the network remedies suggested above (oh and I would like to see digitally signed DNS), we need to do a better job of protecting PCs, which are far too vulnerable with their typical defenses. I seem to rant a lot about this on www.securitynowblog.com If interested, a couple of posts:
We cannot trust the software that runs on our PCs: http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal
And this one about signature-based defense limitations:
In smaller organizations, PCs are disturbingly vulnerable.