Multiple FAKE Mac addresses, One Computer Using up all DHCP Leases

We use a Windows 2003 Server to provide DHCP addresses for a guest wireless
network. At times, an unknown laptop will reserve tons of address leases
using a bunch of unique mac addresses. Either this is a virus or an
intentional attack. What type of attack is this referred to as? Is there
anyway to stop it via Server 2003 or any other method for that matter?

Your help is appreciated.

 

I think you can classify that as a denial of service attack, since it eats
up your IP addresses and prevents the server from servicing legitimate
users. I'm not a security expert so others might know more/have differing
opinions.

Not sure how to defend against this on an unauthenticated guest network.
Some things that might help mitigate, though not prevent, an attack:

Use a Class A address range on the DHCP server so there's an "endless"
supply of IP addresses. You might want to test this before deploying it
though as it could backfire somehow.

Shorten lease times to five minutes or less. This will increase normal
traffic to and from the DHCP server (renewals will occur at 2.5 minutes),
but at least the addresses will be freed up more quickly after the attacker
leaves.

Break the guest network out into two or more networks with different IP
address ranges. This way fewer users will be impacted if another attack
occurs and wireless service will be functioning properly over some of the
guest area, if not all.

Just some ideas. Ideally you could implement some form of authentication
for guests, which would eliminate the problem and/or help you identify who
is attacking the network.

HTH

FA

 

I'll call it the "Big Mac Attack", it should be meaningful to those in the
US over 30 years old.

It woulds be a huge undertaking to make it happen. If to lessen the work
you were to start with the existing IP Scheme and try to expand it then
Private RFC ranges beginning with 192 or 172 can't have the mask bit rolled
back that far without stepping on Public IP# on the Internet. Besides all
that this thing would use them all up no matter how many there were.

I don't think I like that one.

That is a very good idea. Guests should never be allowed onto the regular
LAN segment anyway,..it is just common sense. I would make the IP Segment
very small, like maybe a segment of 8 addresses which would service 6 hosts
after the ID and Broadcast Address are discounted. I wouldn't expect more
than 6 guest at a time, but if more were needed maybe a 16 address segment
(14 hosts).

To find the evil laptop on a wireless network:
--------------------------------------------------
1. There is no easy way. You simply have to find all the "guest" Humans one
at a time and examine their laptop.

2. The guest network was on it's own small segment as suggested,...power off
the Access Point and follow the screems and howls. Examine their machines.



To find the evil laptop on a "wired" network:
--------------------------------------------------
1. Choose one of the offending MAC addresses that is "recent". You may have
to attempt it with more than one

2. Most good switches have a way to view their ARP Table which is where the
Switch stored the MAC Address-to-Port relationships. Locate that MAC
Address and take note what Switch port it is associated with.

3. If that Switch port is connected to another switch, then repeat the
process on that other Switch.

4. You may have to repeat that a couples times going from switch to switch
but eventualy the Switch port will be connected to a particular wall jack
that is connected to a particular PC.

5. After the proper "user beating", dig into the laptop and find out what is
going on with it,..assumming the "user beating" didn't produce any
confessions.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------