Security Basics mailing list archives

Re: Re: Re: RE: Down with DHCP!!!!


From: me () yahoo com
Date: 26 Feb 2006 14:56:06 -0000

Read RFC 2131 for some insight into this protocol.

"A host should not act as a DHCP server unless explicitly configured to do so by a system administrator."

"7. Security Considerations

[SNIP] Therefore, DHCP in its current form is quite insecure.

Unauthorized DHCP servers may be easily set up. Such servers can then send false and potentially disruptive information 
to clients such as incorrect or duplicate IP addresses, incorrect routing information (including spoof routers, etc.), 
incorrect domain nameserver addresses (such as spoof nameservers), and so on. Clearly, once this seed information is in 
place, an attacker can further compromise affected systems.

Malicious DHCP clients could masquerade as legitimate clients and retrieve information intended for those legitimate 
clients. Where dynamic allocation of resources is used, a malicious client could claim all resources for itself, 
thereby denying resources to legitimate clients."


You decide, but your response didn't address any real issues.  Spend an afternoon with perl devising attacks against 
DHCP from both the rogue client and malicious server perspectives and decide if it has any place on a network you 
_TRULY_ wish to secure.  

DHCP is fine for places where you don't care about security or already have truly secured physical access - otherwise 
you are providing an attacker with an on/off switch to your network.  

DHCP is a security disaster looking for a place to happen.  The protocol designers knew it and anyone with an inkling 
of security knowledge realizes it.  If you have managed switches to the desktop, or have the infrastructure to fully 
deploy 802.1x to *ALL* of the devices on your network, more power to you; but anyone in any environment with those 
resources doesn't _need_ DHCP.  

48 bits of entropy is harder to manage than 32.    

My $.02 (given I've spent a bit of time researching the subject)...

-AC
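
The RFC 2131 text quoted in this message names unauthorized servers that hand out spoofed routers and nameservers. As an added example (not part of the original post), the Python below parses a captured DHCP message and flags any OFFER or ACK whose server identifier (option 54) is not on a site allowlist, reporting the router and DNS values it tried to hand out. The allowlist, the function names and the 192.0.2.x addresses are assumptions, and the sample messages are constructed.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options field
OFFER, ACK = 2, 5             # option 53 (message type) values sent by servers

def parse_options(payload):
    """Return {option_code: raw_value} from a DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def ips(raw):
    """Decode a packed list of IPv4 addresses (options 3, 6 and 54)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

def check_reply(payload, allowed_servers):
    """Return a finding for an OFFER/ACK whose server identifier is not allowlisted."""
    opts = parse_options(payload)
    mtype = opts.get(53) or b"\x00"
    if payload[0] != 2 or mtype[0] not in (OFFER, ACK):   # op 2 = BOOTREPLY
        return None
    server = (ips(opts.get(54, b"")) or [None])[0]        # missing id is also flagged
    if server in allowed_servers:
        return None
    return {"server": server, "router": ips(opts.get(3, b"")), "dns": ips(opts.get(6, b""))}

def build_reply(server, router, dns, mtype=OFFER, op=2):
    """Constructed sample message; addresses are from the 192.0.2.0/24 documentation range."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), socket.inet_aton("192.0.2.50"), bytes(4), bytes(4),
                      b"\xaa" * 6, b"", b"")
    opts = bytes([53, 1, mtype]) + b"".join(
        bytes([code, 4]) + socket.inet_aton(ip)
        for code, ip in ((54, server), (3, router), (6, dns)))
    return hdr + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    for s in ("192.0.2.1", "192.0.2.66"):   # allowlisted server, then an unknown one
        print(check_reply(build_reply(s, s, s), {"192.0.2.1"}))
```

Fed from a capture of UDP port 68 traffic on each access segment, a non-empty finding identifies the unexpected server and the gateway and resolver it advertised.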
