Multiple FAKE Mac addresses, One Computer Using up all DHCP Leases

Discussion in 'Windows Networking' started by MatthewN, Oct 2, 2007.

  1. MatthewN

    MatthewN Guest

    We use a Windows 2003 Server to provide DHCP addresses for a guest wireless
    network. At times, an unknown laptop will reserve tons of address leases
    using a bunch of unique mac addresses. Either this is a virus or an
    intentional attack. What type of attack is this referred to as? Is there
    any way to stop it via Server 2003 or any other method for that matter?

    Your help is appreciated.
     
    MatthewN, Oct 2, 2007
    #1

  2. MatthewN

    FenderAxe Guest

    I think you can classify that as a denial of service attack, since it eats
    up your IP addresses and prevents the server from servicing legitimate
    users. I'm not a security expert so others might know more/have differing
    opinions.

    Not sure how to defend against this on an unauthenticated guest network.
    Some things that might help mitigate, though not prevent, an attack:

    Use a Class A address range on the DHCP server so there's an "endless"
    supply of IP addresses. You might want to test this before deploying it
    though as it could backfire somehow.

    Shorten lease times to five minutes or less. This will increase normal
    traffic to and from the DHCP server (renewals will occur at 2.5 minutes),
    but at least the addresses will be freed up more quickly after the attacker
    leaves.

    Break the guest network out into two or more networks with different IP
    address ranges. This way fewer users will be impacted if another attack
    occurs and wireless service will be functioning properly over some of the
    guest area, if not all.

    Just some ideas. Ideally you could implement some form of authentication
    for guests, which would eliminate the problem and/or help you identify who
    is attacking the network.

    HTH

    FA
     
    FenderAxe, Oct 3, 2007
    #2
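To show what the lease exhaustion described above looks like from the server side, here is an added example (not part of the original posts) that scans a Windows DHCP audit log for bursts of new leases handed to many different MAC addresses. The log rows are constructed, the thresholds are assumptions to tune, and the same-hostname check is only a heuristic because a flooding client may not send a consistent host name.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

NEW_LEASE = "10"  # audit-log event ID: a new IP address was leased to a client

# Constructed sample (not from the thread). Columns follow the Server 2003 layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = "\n".join(
    ["10,10/02/07,09:00:01,Assign,192.168.50.10,visitor-pc,0013CE5A11F0",
     "11,10/02/07,09:05:00,Renew,192.168.50.10,visitor-pc,0013CE5A11F0",
     "10,10/02/07,09:14:30,Assign,192.168.50.11,sales-lt,001B63A4C2D9"]
    # Eight new leases in eight seconds, each with a different MAC.
    + [f"10,10/02/07,09:20:{s:02d},Assign,192.168.50.{20 + s},LAPTOP7,02A1B2C3D4{s:02X}"
       for s in range(8)])

def new_leases(log_text):
    """Yield (timestamp, hostname, mac) for every new-lease row; skip the rest."""
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0].strip() != NEW_LEASE:
            continue  # header text, renewals, releases, malformed lines
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        yield ts, row[5].strip().lower(), row[6].strip().upper()

def lease_bursts(log_text, window=timedelta(seconds=60), max_new_macs=5):
    """Return (timestamp, distinct_macs) whenever more than max_new_macs
    different MACs were granted a new lease inside the sliding window."""
    recent, alerts = deque(), []
    for ts, _host, mac in new_leases(log_text):
        recent.append((ts, mac))
        while ts - recent[0][0] > window:
            recent.popleft()
        distinct = len({m for _, m in recent})
        if distinct > max_new_macs:
            alerts.append((ts, distinct))
    return alerts

def hosts_with_many_macs(log_text, max_macs=2):
    """Hostnames that obtained leases under more than max_macs MAC addresses."""
    seen = defaultdict(set)
    for _ts, host, mac in new_leases(log_text):
        if host:
            seen[host].add(mac)
    return {h: sorted(m) for h, m in seen.items() if len(m) > max_macs}

if __name__ == "__main__":
    print(lease_bursts(SAMPLE_LOG))
    print(hosts_with_many_macs(SAMPLE_LOG))
```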

  3. I'll call it the "Big Mac Attack", it should be meaningful to those in the
    US over 30 years old.

    It would be a huge undertaking to make it happen. If to lessen the work
    you were to start with the existing IP Scheme and try to expand it then
    Private RFC ranges beginning with 192 or 172 can't have the mask bit rolled
    back that far without stepping on Public IP# on the Internet. Besides all
    that this thing would use them all up no matter how many there were.

    I don't think I like that one.

    That is a very good idea. Guests should never be allowed onto the regular
    LAN segment anyway,..it is just common sense. I would make the IP Segment
    very small, like maybe a segment of 8 addresses which would service 6 hosts
    after the ID and Broadcast Address are discounted. I wouldn't expect more
    than 6 guests at a time, but if more were needed maybe a 16 address segment
    (14 hosts).

    To find the evil laptop on a wireless network:
    --------------------------------------------------
    1. There is no easy way. You simply have to find all the "guest" Humans one
    at a time and examine their laptop.

    2. The guest network was on its own small segment as suggested,...power off
    the Access Point and follow the screams and howls. Examine their machines.



    To find the evil laptop on a "wired" network:
    --------------------------------------------------
    1. Choose one of the offending MAC addresses that is "recent". You may have
    to attempt it with more than one.

    2. Most good switches have a way to view their ARP Table which is where the
    Switch stored the MAC Address-to-Port relationships. Locate that MAC
    Address and take note what Switch port it is associated with.

    3. If that Switch port is connected to another switch, then repeat the
    process on that other Switch.

    4. You may have to repeat that a couple of times going from switch to switch
    but eventually the Switch port will be connected to a particular wall jack
    that is connected to a particular PC.

    5. After the proper "user beating", dig into the laptop and find out what is
    going on with it,..assuming the "user beating" didn't produce any
    confessions.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Oct 3, 2007
    #3
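The switch-to-switch lookup in the wired procedure above, as an added example that is not part of the original post: it follows one MAC address through each switch's MAC-to-port table until it reaches an edge port, and reports when an entry has aged out so a more recent MAC can be tried. The switch names, port names, table rows and uplink map are all constructed for illustration.

```python
import re

# Constructed MAC-to-port table dumps (VLAN, MAC, type, port), one per switch.
MAC_TABLES = {
    "core-sw": """\
   1    0013.ce5a.11f0    DYNAMIC     Gi0/1
   1    02a1.b2c3.d405    DYNAMIC     Gi0/2
   1    02a1.b2c3.d401    DYNAMIC     Gi0/2
""",
    "floor2-sw": """\
   1    02a1.b2c3.d405    DYNAMIC     Fa0/24
   1    02a1.b2c3.d401    DYNAMIC     Fa0/24
""",
    "lobby-sw": """\
   1    02a1.b2c3.d405    DYNAMIC     Fa0/7
""",
}

# Hypothetical cabling record: (switch, port) -> the switch attached to that port.
UPLINKS = {("core-sw", "Gi0/2"): "floor2-sw", ("floor2-sw", "Fa0/24"): "lobby-sw"}

def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def port_for(switch, mac):
    """Port on which `switch` learned `mac`, or None if it has no entry."""
    for line in MAC_TABLES[switch].splitlines():
        fields = line.split()
        if len(fields) == 4 and norm(fields[1]) == norm(mac):
            return fields[3]
    return None

def trace(mac, start):
    """Follow `mac` from `start` toward the edge.
    Returns (hops, reached_edge); reached_edge is False when an entry has
    aged out or the cabling record loops back on itself."""
    hops, switch, visited = [], start, set()
    while switch is not None and switch not in visited:
        visited.add(switch)
        port = port_for(switch, mac)
        if port is None:
            return hops, False  # aged out: retry with a more recent MAC
        hops.append((switch, port))
        switch = UPLINKS.get((switch, port))  # None means an edge port
    return hops, switch is None

if __name__ == "__main__":
    print(trace("02-A1-B2-C3-D4-05", "core-sw"))
```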
