Friday, April 30, 2004

Review of MySQL Tutorial Posted

Amazon.com just posted my five star review of MySQL Tutorial. From the review:

"MySQL is the database used by many commercial and open source security products. Although the user is often 'shielded' from interacting with the database directly, it's important and sometimes crucial to know basic MySQL administration.

MySQL Tutorial is the perfect companion to any security tool which depends on a MySQL database. For example, no one seriously expects to collect large amounts of data with Sguil and Snort unless a MySQL or similar database is working in the background. MySQL Tutorial gives the right details on the right subjects for those running integrated MySQL databases."

This book has a cover price of $29.99. It is refreshing to see a 267 page book priced appropriately, especially since you can get it for less than $20 at buy.com.

Thursday, April 29, 2004

Sguil 0.4.0 Released

Bamm released Sguil 0.4.0 yesterday. The changes are worth reading, but the major addition is the option to replace stream4 keepstats output with John Curry's open source SANCP (Security Analyst Network Connection Profiler) session data. SANCP is much more robust as it can track TCP, UDP, and ICMP, whereas stream4 only watched TCP. In this respect SANCP is like Argus. You can also tell the Sguil components a specified IP address to which they should bind. This facilitates the deployment of Sguil components in FreeBSD jails.

Tuesday, April 27, 2004

Fixing a Problematic Port

While trying to upgrade installed ports on a FreeBSD 4.9 STABLE machine, I encountered a problem with x11-fonts/libXft:

[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
---> Installing the new version via the port
===> Installing for libXft-2.1.6
===> libXft-2.1.6 depends on shared library: fontconfig.1 - found
===> libXft-2.1.6 depends on shared library: X11.6 - found
===> Generating temporary packing list
===> Checking if x11-fonts/libXft already installed
===> An older version of x11-fonts/libXft is already installed (Xft-2.1.2_1)
You may wish to ``make deinstall'' and install this port again
by ``make reinstall'' to upgrade it properly.
If you really wish to overwrite the old port of x11-fonts/libXft
without deleting it first, set the variable "FORCE_PKG_REGISTER"
in your environment or the "make install" command line.
*** Error code 1

Stop in /usr/ports/x11-fonts/libXft.
*** Error code 1

Stop in /usr/ports/x11-fonts/libXft.
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade6761.0 make reinstall
egrep: /var/db/pkg/libXft-2.1.5_1/+CONTENTS: No such file or directory
---> Restoring the old version
** Fix the installation problem and try again.
[Updating the pkgdb in /var/db/pkg ... - 126 packages found (-0 +1) . done]
** Listing the failed packages (*:skipped / !:failed)
! x11-fonts/libXft (libXft-2.1.5_1) (install error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed

I decided to use pkgdb -F to identify and fix problems:

janney:/var/db/pkg# pkgdb -F
---> Checking the package registry database
Duplicated origin: x11-fonts/libXft - Xft-2.1.2_1 libXft-2.1.5_1
Unregister any of them? [no] yes
Unregister Xft-2.1.2_1 keeping the installed files intact? [no] yes
-> libXft-2.1.5_1 is kept.
--> Saving the Xft-2.1.2_1's +CONTENTS file as /var/db/pkg/libXft-2.1.5_1/+CONTENTS.Xft-2.1.2_1
--> Unregistering Xft-2.1.2_1
--> Done.
[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
Stale dependency: firefox-0.8_4 -> Xft-2.1.2_1 (x11-fonts/libXft):
Fixed. (-> libXft-2.1.5_1)

Then I tried upgrading libXft again:

janney:/var/db/pkg# portupgrade -v libXft
---> Session started at: Tue, 27 Apr 2004 14:10:38 -0400
---> Upgrade of x11-fonts/libXft started at: Tue, 27 Apr 2004 14:10:42 -0400
---> Upgrading 'libXft-2.1.5_1' to 'libXft-2.1.6' (x11-fonts/libXft)
---> Build of x11-fonts/libXft started at: Tue, 27 Apr 2004 14:10:42 -0400
---> Building '/usr/ports/x11-fonts/libXft'
===> Cleaning for gettext-0.13.1_1
...edited...
===> Registering installation for libXft-2.1.6
===> Cleaning for gettext-0.13.1_1
===> Cleaning for gmake-3.80_2
===> Cleaning for imake-4.3.0_2
===> Cleaning for pkgconfig-0.15.0_1
===> Cleaning for freetype2-2.1.7_3
===> Cleaning for expat-1.95.7
===> Cleaning for fontconfig-2.2.2,1
===> Cleaning for XFree86-libraries-4.3.0_7
===> Cleaning for libXft-2.1.6
---> Removing the temporary backup files
---> Installation of x11-fonts/libXft ended at: Tue, 27 Apr 2004 14:11:42 -0400 (consumed 00:00:11)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-0 +1) . done]
---> Upgrade of x11-fonts/libXft ended at: Tue, 27 Apr 2004 14:11:44 -0400 (consumed 00:01:02)
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
+ x11-fonts/libXft (libXft-2.1.5_1)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Tue, 27 Apr 2004 14:11:46 -0400 (consumed 00:01:07)

It looks like it worked.

Review of WarDriving Posted

It's been a long time since my last book review, but I've been busy finishing and copyediting my own book. Thankfully the long flights to and from Vancouver for CanSecWest gave me some reading time. I spent part of that time with WarDriving, which I gave three stars. From the review:

"If you want to learn how to wardrive using Kismet or NetStumbler (and variants), WarDriving is for you. The book does a good job debunking certain myths, such as the prevalence of 'warchalking' or the widespread use of 'Pringles can antennas.' I found the practical advice, like disabling the TCP/IP stack on Windows prior to wardriving, especially helpful. The authors constantly advocate a professional mindset towards wardriving and do not suggest unethical use of insecure wireless networks."

Saturday, April 24, 2004

Comments on TCP Reset Worries

I attended Paul Watson's talk at CanSecWest this week on "Slipping in the Window" (.ppt slides, .doc paper). Paul was inspired by last year's Black Hat 2003 Las Vegas talk "BGP Vulnerability Testing" by Matthew Franz & Sean Convery (.pdf original talk). I attended that presentation as well, and found Matt and Sean's conclusion to be accurate: why bother with lower layer attacks when you can own the router? In other words, so many routers are misconfigured, it's not necessary to resort to spoofing or other elaborate games to disrupt global routing.

Paul decided to focus on the likelihood of successful reset attacks against routers speaking BGP. He found that Matt and Sean's estimates for the time needed to guess the right TCP sequence number to reset a TCP connection were overstated. Matt and Sean did not take into account TCP receive windows, meaning a reset with a sequence number within the window would be accepted by the target. This makes it easier to reset a persistent connection, and TCP implementations with large windows are even easier to disrupt.

Matt and Sean posted an updated version of their paper acknowledging Paul's finds (.pdf).

A well-written advisory by the UK's NISCC states "an established connection will abort by sending a RST if it receives a duplicate SYN packet with initial sequence number within the TCP window." This means tearing down established connections can be done with SYN packets, not just RST packets.

Cisco published an advisory titled TCP Vulnerabilities in Multiple IOS-Based Cisco Products explaining the issue and listing fixes. It's important to note that since Cisco IOS 10.2 (very old!), IOS rate-limits RST packets by default. According to Cisco, "in the case of a storm of RST packets, they are effectively limited to one packet per second." This countermeasure effectively renders Paul's reset attack too slow to be workable. However, SYN packets are not rate-limited.

Cisco's rate limiting is not the only way to mitigate this attack. Anti-spoofing measures and not letting arbitrary traffic inject itself between BGP-speaking routers are other countermeasures.

I don't foresee the Internet dying at any time in the near future due to this discovery. Owning the target routers would probably be easier. Remember this is mainly a threat to persistent connections. No one is going to kill your Web browsing sessions with this sort of attack, but they would make your life miserable if you tried to download an .iso via FTP. Of course, how are attackers going to know what sessions to target?

Incidentally, while browsing Cisco's site I learned their IOS Upgrade Planner and Feature Navigator appear to be working again.

Update: Raven Adler spoke to the DC Security Geeks on 27 April about the BGP issue. Her talk was professional and informative. She worked on the same issue several years before Paul Watson's discoveries. She reported being involved in an incident response where an intruder physically attached a rogue laptop to a public peering point switch to disrupt and/or inject routing.

Thursday, April 22, 2004

Lightning Talk is a Go at CanSecWest

I just finished delivering my lightning talk at the CanSecWest conference in beautiful Vancouver, BC. I spoke for five minutes on Sguil. My slightly updated slides are available in .pdf form here.

Sunday, April 18, 2004

How to Renew DHCP IP Address with Cisco Router?

If anyone can help me with this, I would appreciate it.

I can't figure out how to have my Cisco router renew its DHCP lease with my cable ISP. I appear to not be the only person with this problem. I don't have any ACLs which would deny DHCP traffic, either.

This is the portion of my router config where I set up DHCP on the external interface:

interface FastEthernet0/0
ip address dhcp
ip access-group 101 in
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable

Eventually my lease expires and I have to disable DHCP on fa0/0 because I can't reach the Internet:

gill#conf term
Enter configuration commands, one per line. End with CNTL/Z.
gill(config)#int fa0/0
gill(config-if)#no ip address dhcp

Upon issuing these commands my router releases its IP address, as seen with Tcpdump:

17:51:51.097987 68.50.168.243.68 > 172.30.100.36.67: xid:0x2570
C:68.50.168.243 ether 0:c:ce:4e:53:a0 vend-rfc1048
DHCP:RELEASE SID:172.30.100.36 CID:"cisco-000c.ce4e.53a0-Fa0/0"
[len 27] T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.48.47.48.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

When I re-enable DHCP, my box receives a new IP:

gill(config-if)#ip address dhcp
gill(config-if)#^Z
gill#
17w6d: %SYS-5-CONFIG_I: Configured from console by console

Here's what Tcpdump sees. First we have the DHCP server making itself known and advertising what looks like a cable modem config file:

17:53:05.028597 10.71.136.1.67 > 255.255.255.255.68: xid:0x88291bab flags:0x8000
Y:10.71.136.74 S:172.30.100.35 G:10.71.136.1 ether 0:c:41:52:e4:72
file "mbefcmu10v2_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.248.0 DG:10.71.136.1
LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:05.121631 10.71.136.1.67 > 255.255.255.255.68: xid:0x88291bab flags:0x8000
Y:10.71.136.74 S:172.30.100.35 G:10.71.136.1 ether 0:c:41:52:e4:72
file "mbefcmu10v2_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.248.0 DG:10.71.136.1
LT:1209600 TZ:-18000 TS:172.30.100.35

Next my router asks for an IP from its unknown 0.0.0.0 address to the local broadcast 255.255.255.255 address:

17:53:07.180465 0.0.0.0.68 > 255.255.255.255.67: xid:0x1e7e flags:0x8000
ether 0:c:ce:4e:53:a0 vend-rfc1048 DHCP:DISCOVER MSZ:1152
CID:"cisco-000c.ce4e.53a0-Fa0/0"[len 27]
T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.
48.47.48.12.4.103.105.108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

Now it seems the DHCP server tries to ping the proposed address, and then offers an IP:

17:53:07.197072 172.30.100.36 > 68.50.168.243: icmp: echo request (DF)

17:53:07.298545 10.71.136.1.67 > 255.255.255.255.68: xid:0x1e7e flags:0x8000
Y:68.50.168.243 S:172.30.100.35 G:68.50.168.1 ether 0:c:ce:4e:53:a0
file "mdcm245_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.254.0 DN:"manass01.va.comcast.net"
NS:68.48.0.13,68.87.96.15,68.48.0.5,68.87.96.16 DG:68.50.168.1 LT:604800

My box sends out another request. I thought this was a duplicate until I noticed the longer "T99" field.

17:53:07.300195 0.0.0.0.68 > 255.255.255.255.67: xid:0x1e7e flags:0x8000
ether 0:c:ce:4e:53:a0 vend-rfc1048 DHCP:REQUEST MSZ:1152
CID:"cisco-000c.ce4e.53a0-Fa0/0"[len 27]
T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.
48.47.48.54.4.172.30.100.36.50.4.68.50.168.243.51.4.0.9.58.128.12.4.103.105.
108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

17:53:07.317881 10.71.136.1.67 > 255.255.255.255.68: xid:0x1e7e flags:0x8000
Y:68.50.168.243 S:172.30.100.35 G:68.50.168.1 ether 0:c:ce:4e:53:a0
file "mdcm245_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.254.0 DN:"manass01.va.comcast.net"
NS:68.48.0.13,68.87.96.15,68.48.0.5,68.87.96.16 DG:68.50.168.1 LT:604800

17:53:07.319116 arp reply 68.50.168.243 is-at 0:c:ce:4e:53:a0

17:53:07.599113 10.71.136.1.67 > 255.255.255.255.68: xid:0x7b7aa96 flags:0x8000
Y:10.71.137.184 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:ad:20:c4
file "msb4220_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.248.0
DG:10.71.136.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:07.687973 10.71.136.1.67 > 255.255.255.255.68: xid:0x7b7aa96 flags:0x8000
Y:10.71.137.184 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:ad:20:c4
file "msb4220_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.248.0
DG:10.71.136.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:16.265276 arp who-has 68.50.168.1 tell 68.50.168.243

17:53:16.272724 arp reply 68.50.168.1 is-at 0:3:fe:e3:8:70

17:53:16.420161 10.71.136.1.67 > 255.255.255.255.68: xid:0xffffa114 flags:0x8000
Y:10.71.116.208 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:1b:a1:14
file "msb4100_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 VO:128 SM:255.255.254.0
DG:10.71.116.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:16.511679 10.71.136.1.67 > 255.255.255.255.68: xid:0xffffa114 flags:0x8000
Y:10.71.116.208 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:1b:a1:14
file "msb4100_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 VO:128 SM:255.255.254.0
DG:10.71.116.1 LT:1209600 TZ:-18000 TS:172.30.100.35

When everything is squared away I can ping my gateway:

17:53:16.609622 68.50.168.243 > 68.50.168.1: icmp: echo request

17:53:16.616916 68.50.168.1 > 68.50.168.243: icmp: echo reply

I obviously haven't figured out what all of this is, but I wanted to document it for future reference. It appears Cisco has a new command in 12.3 to release and renew DHCP addresses differently.
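
The longer "T99" field in the REQUEST can be read as ordinary DHCP options. The following Python is an added example, not part of the original post: it parses the decimal byte runs from the DISCOVER and REQUEST captures above as RFC 2132 code/length/value options and reports what the REQUEST carries that the DISCOVER does not. It assumes each run begins with the tail of the client identifier string (`sco-000c.ce4e.53a0-Fa0/0`), which is how the bytes read when converted to ASCII; the function and constant names are illustrative.

```python
import ipaddress

# Decimal byte runs copied from the "T99:" fields of the DISCOVER and REQUEST
# captures on this page (wrapped lines rejoined, trailing zero padding dropped).
DISCOVER_T99 = (
    "115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97."
    "48.47.48.12.4.103.105.108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255"
)
REQUEST_T99 = (
    "115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97."
    "48.47.48.54.4.172.30.100.36.50.4.68.50.168.243.51.4.0.9.58.128.12.4."
    "103.105.108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255"
)

# Assumption: each run starts with the tail of the client identifier string,
# i.e. this tcpdump build resumed option parsing inside option 61.
CID_TAIL = b"sco-000c.ce4e.53a0-Fa0/0"

# RFC 2132 option codes that occur in these two packets.
NAMES = {12: "host-name", 50: "requested-ip", 51: "lease-time",
         52: "option-overload", 54: "server-id", 55: "param-request-list"}


def decode_value(code, value):
    """Render an option value in a readable form for the codes listed above."""
    if code in (50, 54):
        return str(ipaddress.IPv4Address(value))
    if code == 51:
        return int.from_bytes(value, "big")      # lease time in seconds
    if code == 12:
        return value.decode("ascii")
    return list(value)                           # keep other options as byte lists


def parse_options(dotted):
    """Parse the code/length/value options that follow the client-ID tail."""
    raw = bytes(int(x) for x in dotted.split("."))
    if not raw.startswith(CID_TAIL):
        raise ValueError("run does not start with the expected client-ID tail")
    raw, i, out = raw[len(CID_TAIL):], 0, {}
    while i < len(raw):
        code = raw[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {code} is truncated")
        length = raw[i + 1]
        name = NAMES.get(code, f"option-{code}")
        out[name] = decode_value(code, raw[i + 2:i + 2 + length])
        i += 2 + length
    return out


def request_only(discover, request):
    """Options present in the REQUEST but absent from the DISCOVER."""
    return {k: v for k, v in request.items() if k not in discover}


if __name__ == "__main__":
    disc, req = parse_options(DISCOVER_T99), parse_options(REQUEST_T99)
    print("DISCOVER:", disc)
    print("REQUEST adds:", request_only(disc, req))
```

The three options the REQUEST adds (server identifier, requested address and lease time) carry the same values Tcpdump prints as SID, Y and LT in the OFFER for this router's MAC address.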