THREAT MONITOR

How to defend against rogue DHCP server malware


Sherri Davidoff
07.02.2009




Recently there have been reports of "rogue DHCP server" malware -- trojans that automatically install their own DHCP servers on your network and compete with your legitimate server. Using rogue DHCP servers, attackers can intercept and redirect traffic from any device that uses the Dynamic Host Configuration Protocol (DHCP) -- workstations, printers, laptops, copiers and more.

The Dynamic Host Configuration Protocol was developed in the early 1990s to ease network maintenance and setup, and it has always had fundamental security vulnerabilities. Fortunately, there are time-tested solutions you can use to detect and defend against rogue DHCP server malware.

When a DHCP-enabled client (for example, a laptop) connects to the network, it sends out a broadcast message searching for a DHCP server. The local DHCP server responds with a proposed IP address assignment for the laptop, along with other local configuration information such as the DNS server IP address and the gateway IP address. Once the negotiation is complete, the laptop can configure itself and talk to other hosts on the IP network.

Thanks to DHCP, a mobile device can go from a wireless hotspot to a home network to a corporate network, all without ever having to manually change its IP address settings. Large enterprises can deploy and redeploy hundreds or thousands of servers without ever manually changing individual network configuration settings.

DHCP security concerns
DHCP, however, has had known security issues since it was invented. The original DHCP specification, dating back to 1993, has a section called "Security Considerations," which reads:

"...DHCP in its current form is quite insecure. Unauthorized DHCP servers may be easily set up. Such servers can then send false and potentially disruptive information to clients such as incorrect or duplicate IP addresses, incorrect routing information (including spoof routers, etc.), incorrect domain nameserver addresses (such as spoof nameservers), and so on."

In some ways, it's amazing that we've gone 16 years without widespread DHCP problems. Since 2001, if not earlier, there have been well-known automated tools for conducting DHCP man-in-the-middle attacks. One major weakness exploited by network sniffer tools like Ettercap, as well as by today's malware, is that standard DHCP gives a client no way to verify that a responding DHCP server is legitimate. (In 2001, the IETF released a specification for authenticated DHCP, but vendors and administrators have still not widely implemented it.)

As a result, your laptop trusts all DHCP server responses and assumes they are equally valid. "Rogue" DHCP servers, running on infected workstations, can respond to your broadcast DHCP request with bogus configuration data. If the rogue server's messages arrive first, your laptop may accept the poisoned configuration information.

Emergence of rogue DHCP server malware
In December 2008, the "Trojan.Flush.M" malware was discovered. This Trojan automatically sets up a rogue DHCP server with the goal of distributing a malicious DNS server address to unsuspecting clients. For example, when your laptop attempts to renew its DHCP lease, a Trojan.Flush.M rogue DHCP server might quickly respond with a poisoned DHCP response that includes the attacker's DNS server IP address. If your laptop accepts this information, then any time you type a new URL into your Web browser, your laptop will query the attacker's DNS server for the IP address that corresponds to that domain name. You could type in "http://bankofamerica.com," and the attacker might respond with the address of a Bank of America-branded phishing site, causing your browser to load a malicious webpage.

Rogue DHCP servers can also be used for intercepting and eavesdropping on communications. An infected workstation could send your laptop a fake gateway IP address, redirecting all of the laptop's outgoing traffic to an attacker's computer. The attacker could then examine that traffic for valuable data, forward the traffic on to the real gateway, or just block it and implement a denial-of-service attack.

This might sound complicated, but with 16 years of development, DHCP attack tools are fairly mature. Using Ettercap, anyone can point-and-click their way to conducting a DHCP man-in-the-middle attack. Furthermore, a single infected workstation can compromise an entire subnet's traffic without any user realizing it.

How to thwart rogue DHCP server malware attacks
Fortunately, over the years effective defense tools have emerged. Multiple network switch vendors offer built-in "DHCP snooping" capabilities, which block untrusted DHCP server traffic at the switch. "DHCP snooping" equipment also tracks MAC addresses, IP address assignments and corresponding ports, ensuring only legitimate combinations are allowed to communicate.

You can scan your network for rogue DHCP servers using tools such as DHCP Sentry, Roadkil.net's DHCP Find, Dhcploc.exe or dhcp_probe. Some DHCP server-scanning tools have built-in email and IM alerting capabilities, so they can alert system administrators as soon as a potential rogue DHCP server is detected. Network intrusion detection systems can also be configured to alert on potential rogue DHCP server traffic.

Appropriate network segmentation will help keep rogue DHCP servers contained. That way, even if the malware infects a single segment and spoofs DHCP, the damage will be limited. Finally, it's a good idea to monitor your internal network for evidence of client misconfiguration, such as unexpected DNS traffic to suspicious addresses. As we've seen with Trojan.Flush.M, incorrect DNS settings can be symptomatic of a rogue DHCP server.
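The following Python is an added example, not code from the original article or from any of the scanning tools it names. It implements the check behind the DHCP exchange and the detection advice above: parse a DHCPOFFER (RFC 2131 fixed header, magic cookie, then option TLVs) and flag any offer whose server identifier, DNS servers or gateway differ from the known-good values an administrator would configure. The packet builder, the IP addresses and the known-good values are constructed assumptions so the check can run offline.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPOFFER = 2

def dhcp_options(packet):
    """Return the option map of a BOOTP/DHCP message (236-byte header, cookie, then TLVs)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option: a single byte with no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw):  # decode an option value holding one or more packed IPv4 addresses
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_offer(packet, authorized_servers, expected_dns, expected_gateway):
    """Findings for one DHCPOFFER; an empty list means it matches the known-good configuration."""
    opts = dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                   # only offers are judged here; other message types pass through
    findings = []
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in authorized_servers:
        findings.append(f"server identifier {server} is not an authorized DHCP server")
    dns = ip_list(opts.get(OPT_DNS, b""))
    if any(d not in expected_dns for d in dns):
        findings.append(f"offered DNS servers {dns} differ from the expected set")
    routers = ip_list(opts.get(OPT_ROUTER, b""))
    if routers and routers[0] != expected_gateway:
        findings.append(f"offered gateway {routers[0]} is not {expected_gateway}")
    return findings

def build_offer(server, gateway, dns):
    """Constructed sample DHCPOFFER (not a real capture) so the checker can be exercised offline."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    header = struct.pack("!4BIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"", pack("10.0.0.50"), pack(server), b"", b"", b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4]) + pack(server)
               + bytes([OPT_ROUTER, 4]) + pack(gateway) + bytes([OPT_DNS, 4 * len(dns)])
               + b"".join(pack(d) for d in dns) + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options
```

Feeding the same check the offers seen on a monitoring port (or the leases a client actually took) turns the "unexpected DNS settings" symptom described above into an alert rather than an after-the-fact discovery.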

Rogue DHCP server malware is a new twist on an old concept. The good news is that effective threat mitigation strategies exist; the bad news is that many organizations haven't bothered to deploy them yet. Segment your network carefully, configure DHCP snooping if your infrastructure supports it, monitor your internal network traffic, and respond promptly to suspicious activity. As always, the best strategy is defense in depth.

About the author: Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.
