Re: pixieboot attack

[David Auclair <d.auclair () utoronto ca>]

It's possible to prevent rogue DHCP servers... The same defences would work against the PXE boot attack.

You can either configure QoS on your switches to drop DHCP responses from end-users, or you can configure DHCP snooping.

-Dave

> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-
> bounces () mail pauldotcom com] On Behalf Of Mike Patterson
> Sent: Monday, January 16, 2012 10:11 AM
> To: pauldotcom () pdc-mail pauldotcom com
> Subject: Re: [Pauldotcom] pixieboot attack
>
> On 12-01-16 4:38 AM, Robin Wood wrote:
> > Has anyone done this? Do organisations use PXE boot on network
> machines?
>
> I've thought about it, mostly from the "how to prevent it" perspective.
> The most feasible answer I came up with is "hope it doesn't happen."
>
> I don't know about other organisations, but some places I've worked use
> it. They tend to enable it only for machine installation, and disable
> it again afterwards. The one group I was with that made heavy use, we
> had a separate VLAN just for this. Enable PXE, change the VLAN, boot /
> reinstall, disable PXE, change the VLAN back.
>
> I don't know what might break if you blocked the bits that PXE needs to
> properly work on non-"reinstall" networks, but that could be a
> mitigation.
>
> Mike
>
> --
> Imagine what medieval peasants would say if you could explain to them
> the stuff that people waste most of their time worrying about these
> days.  - David Morgan-Mar
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com