Vulnerability Development mailing list archives
Re: DHCP and Security
From: sebastion () IRELANDMAIL COM (Jeff Bachtel)
Date: Sat, 5 Feb 2000 12:44:44 -0600
Hmm, at the .edu I work for (which switched to DHCP about a year ago), the DHCP server hands out to new MAC addresses a non-routable IP address (such as 10.0.0.1 or whatever). There's a huge pool of those addresses (probably with near-non-existent lease times), which are absolutely useless; that is, the only thing you can do with such a source IP is connect to the DHCP server (which also acts as a web server) and authenticate yourself (via ph). Once you are authenticated, the DHCP server "knows" your MAC address (actually, it's put into a SQL database) and will, upon your next attempt to grab an address, give you a valid, routable IP.

Most of the stuff is custom, but it shouldn't take a competent coder more than a few weeks to code and test out (assuming you already have some sort of database [LDAP/SQL/etc.] to auth against), and it eliminates the ability to deplete the pool of routable IP addresses.

jeff

On Thu, Feb 03, 2000 at 01:16:08PM -0500, Nitzenberger, Rob, MSgt, AF/XORR wrote:
> Need a policy read, folks: The system I "manage" has 3200 users at various locations throughout the world, managed by a central NOC. Our firewall permissions (protocol and port) are highly restrictive and report any unauthorized actions (ftp, pings, finger, ...). The NOC gets a report from the firewall indicating which IP was the "offender". If the LAN clients are configured with static IPs, it's easy to attribute the offending action to a LAN client, but with DHCP (which is the method of choice for our sys admin types), it has proven difficult to "map" an IP address back to a specific user: lease times expire, inadequate event logging, etc. How can I configure DHCP to balance the need for security with the wishes of the sys admin folks? Any ideas?
>
> Rob Nitzenberger
> thenitz () email com
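The two messages above describe one mechanism from two sides: Jeff's server only ever hands unknown MACs a short-lived non-routable address until a login ties the MAC to a user, and Rob needs to answer "who held this IP at 14:02?" after the lease is long gone. The following toy allocator, written here as an added illustration and not code from either poster or their sites, models both: a quarantine pool and a routable pool, a MAC-to-user table standing in for Jeff's SQL database, and an append-only lease history that is never pruned on expiry, which is what makes the NOC's lookup possible. The network ranges (10.0.0.0/29, TEST-NET 192.0.2.0/29), lease lifetimes, MAC addresses and usernames are all constructed for the example.

```python
"""Toy model of a MAC-gated DHCP allocator with a lease audit trail.

Added example, not from the original thread.  Pools, TTLs, MACs and user
names are constructed values; the 'authenticated' dict stands in for the
SQL table a real portal would write to.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Lease:
    ip: str
    mac: str
    user: Optional[str]   # None while the MAC was still unauthenticated
    start: datetime
    end: datetime


class GatedDhcp:
    """Unknown MACs can only ever draw from the quarantine pool."""

    def __init__(self, quarantine_net: str, routable_net: str,
                 quarantine_ttl: timedelta = timedelta(minutes=2),
                 routable_ttl: timedelta = timedelta(hours=8)):
        hosts = lambda net: [str(h) for h in ipaddress.ip_network(net).hosts()]
        self.pools = {
            "quarantine": (hosts(quarantine_net), quarantine_ttl),
            "routable": (hosts(routable_net), routable_ttl),
        }
        self.authenticated: Dict[str, str] = {}   # mac -> user (the "SQL table")
        self.active: Dict[str, Lease] = {}        # ip -> live lease
        self.history: List[Lease] = []            # every lease ever issued

    def authenticate(self, mac: str, user: str) -> None:
        """Called by the portal after a successful login from a quarantine IP."""
        self.authenticated[mac] = user

    def _expire(self, now: datetime) -> None:
        # Expired leases leave the active table but stay in the history.
        for ip in [ip for ip, l in self.active.items() if l.end <= now]:
            del self.active[ip]

    def request(self, mac: str, now: datetime) -> Optional[str]:
        """DISCOVER/REQUEST from `mac`; returns the offered IP or None."""
        self._expire(now)
        pool = "routable" if mac in self.authenticated else "quarantine"
        addrs, ttl = self.pools[pool]
        # Renewal: a client holding a live lease from the right pool keeps it.
        for lease in self.active.values():
            if lease.mac == mac and lease.ip in addrs:
                lease.end = now + ttl
                return lease.ip
        free = next((ip for ip in addrs if ip not in self.active), None)
        if free is None:
            return None   # this pool is exhausted; the other pool is untouched
        lease = Lease(free, mac, self.authenticated.get(mac), now, now + ttl)
        self.active[free] = lease
        self.history.append(lease)
        return free

    def who_had(self, ip: str, at: datetime) -> Optional[Lease]:
        """The NOC's question: which MAC (and user) held `ip` at time `at`?"""
        for lease in reversed(self.history):
            if lease.ip == ip and lease.start <= at < lease.end:
                return lease
        return None


def demo() -> List[str]:
    """Walk a new client through quarantine, login and a routable lease."""
    t0 = datetime(2000, 2, 5, 12, 0)
    d = GatedDhcp("10.0.0.0/29", "192.0.2.0/29")
    mac = "00:11:22:33:44:55"            # constructed MAC
    out = [d.request(mac, t0)]                                # quarantine IP
    d.authenticate(mac, "jeff")                               # portal login
    out.append(d.request(mac, t0 + timedelta(minutes=3)))     # routable IP
    hit = d.who_had("10.0.0.1", t0 + timedelta(minutes=1))
    out.append(f"{hit.mac} user={hit.user}" if hit else "no record")
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two properties fall out of the structure rather than from extra checks: an unauthenticated flood of fresh MACs can only exhaust the quarantine pool (so a routable-pool depletion attack, the DoS discussed elsewhere in this thread, is blunted), and because `history` records the user at the time of allocation, the quarantine lease for a MAC still reads `user=None` after that MAC later logs in, which is the honest answer to "who was this?" for that window.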