Vulnerability Development mailing list archives
Re: DHCP and Security
From: techs () OBFUSCATION ORG (Erik Fichtner)
Date: Fri, 4 Feb 2000 00:51:57 -0500
On Thu, Feb 03, 2000 at 01:16:08PM -0500, Nitzenberger, Rob, MSgt, AF/XORR wrote:
> but with DHCP (which is the method of choice for our sys admin types), it has proven difficult to "map" an IP address back to a specific user... lease times expire, inadequate event logging... etc. How can I configure DHCP to balance the need for security with the wishes of the sys admin folks? Any ideas?
While it's an administrative hassle, one can configure DHCP such that it only hands out an address to a known MAC address. You can then keep track of MAC addresses of systems in a known central location (make 'em sign some paperwork or something before their system will work). From there, it's a no-brainer to scavenge the dhcpd.leases file to retrieve the corresponding IP lease that matches up to a MAC address. [2]

Of course, you mention that leases expire and get renewed. Yeah, they do. Several silly thoughts come to mind here, the simplest of which is to simply modify the DHCP server so that it has an audit log of the IP and MAC address as it assigns them. Or, if your IP space permits it (3200 users is a lot, though) you could static IP them and basically turn it into a gory bootp replacement. At this point, I might experiment with allowing a small set of IPs (2 or 3) per MAC address on a shared subnet, so you can minimize IP collision. Just a completely out-of-my-posterior idea and I don't know that it'll work.

I'd probably just go with hacking a couple lines of code into the ISC DHCP server to create an audit log. (syslog() when you get into the routine that would be writing a new lease out to the dhcpd.leases file. Cake.)

[1] I'm working under the assumption that you have a small number of them and you're using helper-addresses on your routers to shovel the requests from subnet to subnet. You could also mass distribute the dhcpd.conf file to your DHCP servers.

[2] We currently have some badly written scripts that do this in addition to banging their way through a big pile of switches and routers chasing the MAC address down to an ultimate switch port number so we can identify the user in space. Kinda neat.

--
Erik Fichtner; Warrior SysAdmin (emf|techs) 34.9908%
http://www.obfuscation.org/~techs
N 38 53.055' W 77 21.860' 764 ft.
"What's the most effective Windows NT remote management tool?" "A car." -- Stephen Northcutt
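As an added example (not part of Erik's message or the ISC DHCP code), a small Python parser over a constructed dhcpd.leases excerpt that answers the attribution question raised in the thread: which MAC held a given IP at a given time, taking expiry and renewal into account, and which IPs a known MAC has held. It assumes the classic ISC lease-file layout (`lease IP { starts ...; ends ...; hardware ethernet ...; }`) with UTC timestamps.

```python
import re
from datetime import datetime

# Constructed sample dhcpd.leases content (not a real capture). dhcpd appends a new declaration
# on every grant or renewal, so one IP appears many times; the timestamps decide who held it when.
SAMPLE_LEASES = """\
lease 10.1.2.50 {
  starts 4 2000/02/03 13:00:00;
  ends 4 2000/02/03 15:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
lease 10.1.2.50 {
  starts 4 2000/02/03 16:00:00;
  ends 4 2000/02/03 18:00:00;
  hardware ethernet 00:60:08:44:55:66;
}
lease 10.1.2.51 {
  starts 4 2000/02/03 17:00:00;
  ends 4 2000/02/03 19:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(starts|ends|hardware ethernet)\s+(.+?);", re.M)
TIME_FMT = "%Y/%m/%d %H:%M:%S"  # dhcpd writes lease times in UTC

def _when(s):
    return datetime.strptime(" ".join(s.split()[-2:]), TIME_FMT)  # drop the leading weekday number

def parse_leases(text):
    """Return (ip, mac, starts, ends) tuples in file order, skipping entries that carry no MAC."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        f = dict(FIELD_RE.findall(body))
        if "hardware ethernet" not in f:
            continue  # abandoned or free entries have no client hardware address
        leases.append((ip, f["hardware ethernet"].lower(), _when(f["starts"]), _when(f["ends"])))
    return leases

def mac_for_ip_at(leases, ip, when):
    """MAC that held `ip` at `when` ('YYYY/MM/DD HH:MM:SS'); later entries win, as in dhcpd itself."""
    t, match = _when(when), None
    for lip, mac, starts, ends in leases:
        if lip == ip and starts <= t < ends:
            match = mac
    return match

def ips_for_mac(leases, mac):  # every IP ever leased to a known MAC, for the MAC -> user -> IP chase
    return sorted({lip for lip, m, _, _ in leases if m == mac.lower()})
```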