>>>>> "Warren" == Warren Kumari <warren@xxxxxxxxxx> writes:

Warren> On Saturday, July 11, 2015, Christian Huitema
Warren> <huitema@xxxxxxxxxxxxx> wrote:

Warren> On Saturday, July 11, 2015 8:50 AM, joel jaeggli wrote
>> ... [5] Section 5:
>>
>> Fake DHCP servers / fake RAs are currently a security concern -
>> this doesn't make them any better or worse.
>>
>> Please cite a reference for this, preferably with operational
>> recommendations on limiting these problems (e.g., ensure that
>> DHCP and RA traffic cannot be injected from outside/beyond the
>> network that is relevant to the portal).

> There is definitely an
> attack vector there. Suppose an attacker can monitor the
> traffic, say on an unencrypted Wi-Fi hot spot. The attacker
> can see a DHCP request or INFORM, and race in a fake
> response with a URL of their own choosing. The mark's
> computer automatically connects there, and downloads some
> zero-day attack. Bingo!

Warren> An attacker with this level of access can already do
Warren> this. They fake a DHCP response with themselves as the
Warren> gateway and insert a 302 into any http connection. Or, more
Warren> likely they simply inject malicious code into some
Warren> connection.

I'm with Christian. The attack he describes--injecting a URI--is less
likely in my mind to be noticed than setting up a gateway. So, I do
consider this a new vector.
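
The raced-response scenario discussed in this thread leaves an observable trace on the segment: one DHCP transaction (xid) answered with more than one portal URI. The following detection sketch is an added example, not part of the thread or of the draft under review; it assumes the portal URI travels in DHCPv4 option 114 (RFC 8910, a code the thread itself does not name), and the helper names and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie after the 236-byte BOOTP header
OPT_SERVER_ID, OPT_CAPPORT = 54, 114  # assumption: captive-portal URI in option 114 (RFC 8910)

def parse_reply(pkt):
    """Return (xid, server_id, portal_uri) from the UDP payload of a DHCP reply."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP reply")
    xid = struct.unpack("!I", pkt[4:8])[0]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    sid, uri = opts.get(OPT_SERVER_ID), opts.get(OPT_CAPPORT)
    server = ".".join(map(str, sid)) if sid and len(sid) == 4 else None
    return xid, server, uri.decode("ascii", "replace") if uri is not None else None

def find_conflicts(packets):
    """Map xid -> replies, for transactions answered with more than one portal URI."""
    seen = defaultdict(set)
    for pkt in packets:
        try:
            xid, server, uri = parse_reply(pkt)
        except ValueError:
            continue                           # ignore non-DHCP or malformed payloads
        seen[xid].add((server, uri))
    return {x: sorted(r, key=str) for x, r in seen.items()
            if len({uri for _, uri in r}) > 1}

def build_reply(xid, server_ip, uri):
    """Constructed sample data: a minimal DHCPACK with server id and portal URI."""
    hdr = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228)
    sid = bytes(int(o) for o in server_ip.split("."))
    return (hdr + MAGIC + bytes([53, 1, 5, OPT_SERVER_ID, 4]) + sid
            + bytes([OPT_CAPPORT, len(uri)]) + uri.encode() + b"\xff")

if __name__ == "__main__":
    sample = [build_reply(0x1234, "192.0.2.1", "https://portal.example/login"),
              build_reply(0x1234, "192.0.2.66", "https://rogue.example/x"),
              build_reply(0x9999, "192.0.2.1", "https://portal.example/login")]
    for xid, replies in find_conflicts(sample).items():
        print(f"xid {xid:#x}: conflicting portal URIs {replies}")
```

Several servers legitimately answering one xid with the same URI are not flagged; only disagreement on the URI is.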