[Talk] A denial of service attack?

Greg 'groggy' Lehey Greg.Lehey at auug.org.au
Fri Jun 14 17:00:05 EST 2002


On Friday, 14 June 2002 at 15:46:04 +1000, David Purdue wrote:
> We are seeing something strange here, and if it is not a DOS
> attack or virus of some kind, it is a grand idea for one.
>
> Here is what we see:
>
> - a system is sending out DHCP requests using a bogus Ethernet
> MAC address.
>
> - as soon as it gets a lease on an address, it increments the MAC
> address and tries again - this ensures it does not get the same
> MAC address reallocated.
>
> The effect is that the DHCP server is running out of addresses
> to give - so as people turn on their desktops they can not connect
> to the network, and as leases expire connected desktops are
> effectively getting thrown off the network!
>
> Does anyone know of anything (either because of bug or malicious
> intent) that behaves in this way?

I've never heard of this one before, but I'd have difficulty believing
that it's a bug.  This should also be good for confusing the hell out
of switches.  Can't you trace where it's coming from?

Greg
--
See complete headers for address and phone numbers



More information about the Talk mailing list