After having experienced a rather malicious attack on our corporate network by someone running a rogue DHCP server, I'm wondering if there's any way to prevent this from happening again? The perpetrator basically managed to renumber most of an entire subnet (into an entirely different IP block) of our network, causing a major denial of service. I've read the RFCs and checked all the network reference books I can find, and none of them indicate any way to prevent this from happening again. Am I missing something here, or is it time to start writing RFCs? Thanks in advance.
In a cable modem environment, we make use of packet filtering to prevent any cable modem user from responding to DHCP requests. Customer cable modems can act as clients for such requests, but not as servers. In other environments, we essentially use the same tactic; we partition the network so that valid servers are on controlled segments, and only allow DHCP servers on those segments. Right now, it seems we have the tools to authenticate and authorize DHCP with current RFCs. I would be very interested in hearing about potential attacks we have missed.

regards, fletcher
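The filtering approach described in the reply above can also be run as a detection check: the following is an added example, not code from either poster, that parses a DHCP payload (RFC 2131 header, RFC 2132 options) and flags server replies (OFFER/ACK/NAK) whose source address or server identifier (option 54) is not on an allowlist of authorized servers. The server list, MAC and addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

AUTHORIZED_SERVERS = {"192.0.2.1"}      # constructed allowlist of legitimate DHCP servers
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {2, 5, 6}                  # message types only a server should send
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(IPv4Address(payload[16:20]))          # address being handed to the client
    chaddr = payload[28:28 + hlen].hex(":")            # client hardware address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                                   # pad option, no length byte
            i += 1
            continue
        if code == 255:                                 # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}

def rogue_server_alert(src_ip: str, payload: bytes):
    """Return an alert string for a server reply from an unauthorized source, else None."""
    pkt = parse_dhcp(payload)
    mtype = pkt["options"].get(53, b"\x00")[0]
    if mtype not in SERVER_MSGS:                        # client messages are never flagged
        return None
    server_id = pkt["options"].get(54)
    server_ip = str(IPv4Address(server_id)) if server_id else src_ip
    if src_ip in AUTHORIZED_SERVERS and server_ip in AUTHORIZED_SERVERS:
        return None
    return (f"rogue DHCP {MSG_TYPES.get(mtype, mtype)} from {src_ip} (server-id {server_ip}) "
            f"offering {pkt['yiaddr']} to {pkt['chaddr']} xid=0x{pkt['xid']:08x}")

def build_dhcp(server_ip: str, yiaddr: str, xid: int, mac: bytes, mtype: int = 2) -> bytes:
    """Construct a minimal DHCP payload for testing (sample data, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2 if mtype in SERVER_MSGS else 1, 1, 6, 0, xid, 0, 0)
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed + IPv4Address(server_ip).packed + b"\x00" * 4
    hdr += mac + b"\x00" * 10 + b"\x00" * 192          # chaddr padding, sname, file
    opts = bytes([53, 1, mtype, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

In practice the check would be fed from a capture on the client segment; a hit on it is exactly the renumbering scenario the original question describes.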