First, I think you need to determine that this is an actual attack before you start blocking anything. It could be someone who didn't know better enabling a DHCP server without even knowing what it did. I would recommend going to the person who did it and asking them why they are enabling a DHCP server. Even if it is malicious, a friendly visit can sometimes do wonders to curtail future activity.
Second, there is probably something you can tweak to keep your DHCP server from going down if it detects another DHCP server. I don't think you want your server so easily DoSed.

Finally, if you really want to block traffic at the MAC layer, you can do it with access-lists on the router, but that won't stop someone from playing havoc on their own subnet.
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm#xtocid1116615

If you want to run a secure operation you should assign MAC addresses to ports on your switch and require users to go through a registration process to obtain access to a port. Also make them sign an AUP stating they are responsible for any and all activity from their MAC address. You can research securing ports on your switches by doing a search on "port security" at Cisco's site. More useful info on Cisco security is here:
http://www.cisco.com/warp/public/707/index.shtml

You can find sample AUPs and other good policy templates here:
http://www.sans.org/newlook/resources/policies/policies.htm

One final point: if you don't have a security policy in place, no amount of work will keep malicious activity from occurring. Malicious activity inside your network is principally a "people" problem and it is highly unlikely you'll be able to solve those problems just with technology.
HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of jackie xu
Sent: Wednesday, May 29, 2002 5:03 AM
To: [EMAIL PROTECTED]
Subject: how to filter a MAC packet at 6509 or 4006 and WIN2000 server [7:45347]

Hi, everybody here:

My DHCP server was attacked by a hacker, and the DHCP server would go down with the following message (Win2000 Server platform):

"meet another server with the DHCP/BINL service, and the DHCP/BINL service is closing"

I found that the attacking PC was a campus user, and I got its MAC address from the ARP table at the router, so I want to filter the PC by its MAC address, not its IP address, but I don't know how to realize it. Can anyone tell me? Thanks in advance!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45361&t=45361
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
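The following is an added example; it is not code from Kent's reply or from jackie xu's post. It puts Kent's first point into practice in Python: confirm that a second DHCP server really is answering on the segment, and which one, before any port gets shut off. It parses raw DHCP payloads, keeps only DHCPOFFER messages, reads the server identifier (option 54) and reports every offer whose server is not in an allow-list of your own DHCP servers, together with the source MAC of the frame, which is the same value the original poster pulled from the router's ARP table. The authorized server address, the MAC addresses and the packets themselves are all constructed for this example (the packet builder exists only to create that sample input); in use, the payloads would come from a capture of the DHCP traffic (UDP ports 67/68) on the campus segment, and the MAC from each frame's Ethernet header.

```python
import struct
from ipaddress import IPv4Address

# DHCP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
DHCPDISCOVER, DHCPOFFER = 1, 2
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes precede the magic cookie


def build_dhcp_packet(msg_type: int, server_ip: str, yiaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTP/DHCP payload. Used here only to construct sample
    input for the example; real input is the UDP payload captured off the wire."""
    header = struct.pack(
        BOOTP_HEADER,
        2 if msg_type == DHCPOFFER else 1,   # op: 2 = BOOTREPLY, 1 = BOOTREQUEST
        1, 6, 0, xid, 0, 0,                  # htype Ethernet, hlen 6, hops, xid, secs, flags
        b"\x00" * 4,                         # ciaddr
        IPv4Address(yiaddr).packed,          # yiaddr: the address being offered
        IPv4Address(server_ip).packed,       # siaddr
        b"\x00" * 4,                         # giaddr
        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128,  # chaddr, sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if msg_type == DHCPOFFER:
        # Option 54 is how the server names itself; it is what a client keys on.
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} for a DHCP payload. Raises ValueError if the
    payload carries no DHCP magic cookie or an option runs past the end of the
    packet (truncated capture or malformed packet), so callers never index
    past the buffer."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option value truncated")
        options[code] = value
        i += 2 + length
    raise ValueError("missing END option")


def find_rogue_offers(frames, authorized_servers):
    """frames: (source MAC from the Ethernet header, DHCP payload) pairs.
    Returns (MAC, server identifier) for every DHCPOFFER that did not come from
    an authorized server. Non-OFFER and malformed packets are skipped."""
    rogue = []
    for src_mac, payload in frames:
        try:
            options = parse_dhcp_options(payload)
        except ValueError:
            continue
        if options.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
            continue
        server_id = options.get(OPT_SERVER_ID)
        if server_id is None or len(server_id) != 4:
            continue
        server_ip = str(IPv4Address(server_id))
        if server_ip not in authorized_servers:
            rogue.append((src_mac, server_ip))
    return rogue


# Constructed sample data (hypothetical addresses): the legitimate server, a
# second server answering on the same segment, a client DISCOVER, and a
# truncated copy of the second server's offer.
AUTHORIZED_DHCP_SERVERS = {"10.1.0.10"}
SAMPLE_FRAMES = [
    ("00:0c:29:aa:bb:01", build_dhcp_packet(DHCPOFFER, "10.1.0.10", "10.1.0.50")),
    ("00:e0:4c:12:34:56", build_dhcp_packet(DHCPOFFER, "10.1.0.200", "10.1.0.51")),
    ("00:50:56:de:ad:00", build_dhcp_packet(DHCPDISCOVER, "0.0.0.0", "0.0.0.0")),
    ("00:e0:4c:12:34:56", build_dhcp_packet(DHCPOFFER, "10.1.0.200", "10.1.0.52")[:245]),
]

if __name__ == "__main__":
    for mac, server in find_rogue_offers(SAMPLE_FRAMES, AUTHORIZED_DHCP_SERVERS):
        print(f"unauthorized DHCPOFFER from {mac} claiming server identifier {server}")
```

Run against the sample frames it reports only the second host, by MAC and by the server identifier it is advertising. Matching on the allow-list of server identifiers, rather than on the source IP, matters because the identifier is what clients act on; and skipping truncated packets rather than indexing into them keeps the detector itself from crashing on the first odd frame. Once the MAC is confirmed this way, the port-security approach Kent describes is the place to enforce it.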