[Talk] A denial of service attack?

Greg 'groggy' Lehey Greg.Lehey at auug.org.au
Fri Jun 14 17:00:05 EST 2002

On Friday, 14 June 2002 at 15:46:04 +1000, David Purdue wrote:
> We are seeing something strange here, and if it is not a DOS
> attack or virus of some kind, it is a grand idea for one.
> Here is what we see:
> - a system is sending out DHCP requests using a bogus Ethernet
> MAC address.
> - as soon as it gets a lease on an address, it increments the MAC
> address and tries again - this ensures it does not get the same
> MAC address reallocated.
> The effect is that the DHCP server is running out of addresses
> to give - so as people turn on their desktops they can not connect
> to the network, and as leases expire connected desktops are
> effectively getting thrown off the network!
> Does anyone know of anything (either because of bug or malicious
> intent) that behaves in this way?

I've never heard of this one before, but I'd have difficulty believing
that it's a bug.  This should also be good for confusing the hell out
of switches.  Can't you trace where it's coming from?

See complete headers for address and phone numbers

More information about the Talk mailing list