Network security and fun with routing

I've been reviewing the use of DHCP as an attack vector -and what I found is the usual thing: most of the attacks follow highly traditional paths with a ten year history of increasingly clever solutions to increasingly clever variations on the same themes. Great, except that it seems to me there's an easy and virtual foolproof way of using DCHP with NAT to blow holes in just about anybody's network "security."

My understanding of networking technologies is pretty limited and I'm not about to do the following experiment in real life - so tell, me please, why it's not simple to combine DHCP with a man in the middle attack to create a nearly undetectable tap into a bank or other multi-site, multi-customer, organization.

The idea is simple: a lot of network services suppliers are forcing DHCP down customer throats - even using DHCP to serve addresses sold the customer as static by making the customer premises device boot DHCP from the provider's servers.

So connect your own device outside the customer premise and have it wait however long it takes for that thing to reboot - then load it from your machine while accepting the offer from the service provider's machine. Now you can see and control every packet coming and going from that customer.

So over time you learn which sites the customer connects to, where any cryptology "tunnels" lead, and which "secure" sites are regularly accessed. Once you know what they are, you can echo them - doing a classic man in the middle act: terminate both ends to show each side a secure communications channel while cheerfully copying whatever you want as packets journey from decryption to re-encryption.

And, of course, what makes this "exciting" for certain kinds of uses is that the whole thing can be implemented using commercial, off the shelf, technology. Specifically, you would network one or more home DHCP/NAT routers for each target while processing the data streams diverted using Crossbow and the hardware cryptology on a single CMT machine hidden away somewhere safe.

The set-up would, I think, make it easy to fool all the usual line tracing and debugging tools - meaning that you'll only be caught if someone stumbles on the device or notices that packet transfers take perhaps half a second too long and succeeds in getting someone in authority to listen to an obviously paranoid overeaction to something that isn't really unusual.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All