protecting DHCP servers

From: Akop Pogosian (akopps@CSUA.Berkeley.EDU)
Date: 05/17/02


Date: Fri, 17 May 2002 14:48:58 -0700
From: Akop Pogosian <akopps@CSUA.Berkeley.EDU>
To: focus-linux@securityfocus.com

I am wondering what is the correct way to restrict connections to the
dhcp server to come only from trusted subnets assuming that I don't
have administrative access to the routers and the server connects
directly to all trusted subnets. I am trying to use these rules:

iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p udp --sport 68 --dport 67 -j ACCEPT

(later on, everything else is denied)

I have used 0.0.0.0 because it looks like this is the IP address that
the dhcp clients use before they have gotten a valid IP address. The
dhcp server needs to respond to requests that come only from the
subnets that it connects to directly. My question is, is it possible
for an attacker who comes from outside of the trusted subnets to which
dhcp server connects directly to spoof the IP source address to look
like 0.0.0.0 in order to run an exploit on dhcpd? If yes, how can I
prevent this?

-akop
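
Added example, not part of the original post: one way to tie the 0.0.0.0 rule to the interfaces the server is directly attached to, so a packet claiming source 0.0.0.0 is accepted only when it arrives on a trusted interface and is addressed to the limited broadcast, which routers do not forward. The interface names, subnets and the DHCP_IN chain name are constructed placeholders; the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Dry-run generator: prints iptables commands, changes nothing by itself.
# Usage: dhcp_rules IFACE:SUBNET/LEN [IFACE:SUBNET/LEN ...]
dhcp_rules() {
    [ "$#" -gt 0 ] || { echo "usage: dhcp_rules IFACE:SUBNET/LEN ..." >&2; return 1; }

    # Validate every argument first so a typo never yields a partial rule set.
    for pair in "$@"; do
        case $pair in
            ?*:?*/?*) ;;
            *) echo "bad argument: $pair (want IFACE:SUBNET/LEN)" >&2; return 1 ;;
        esac
    done

    # Dedicated chain (hypothetical name) for client-to-server DHCP traffic.
    echo "iptables -N DHCP_IN"
    for pair in "$@"; do
        ifc=${pair%%:*}   # text before the first colon
        net=${pair#*:}    # text after the first colon
        # Clients without a lease: source 0.0.0.0, limited broadcast destination,
        # and only when received on a directly attached trusted interface.
        echo "iptables -A DHCP_IN -i $ifc -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT"
        # Renewals and rebinds: the client already holds an on-link address.
        echo "iptables -A DHCP_IN -i $ifc -s $net -j ACCEPT"
    done
    # Anything else claiming to be DHCP client traffic is dropped here,
    # including 0.0.0.0 sources seen on any other interface.
    echo "iptables -A DHCP_IN -j DROP"
    # Hook the chain in last, once it is fully populated.
    echo "iptables -A INPUT -p udp --sport 68 --dport 67 -j DHCP_IN"
}

# Constructed sample: two trusted segments on eth1 and eth2.
dhcp_rules eth1:192.168.10.0/24 eth2:192.168.20.0/24
```

ISC dhcpd on Linux is typically built to read DHCP packets through a packet socket, which receives frames before netfilter's INPUT chain, so confirm with a test client that the rules actually take effect for the server build in use.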


