Re: protecting DHCP servers

From: Seth Arnold (sarnold@wirex.com)
Date: 05/18/02


Date: Fri, 17 May 2002 18:22:54 -0700
From: Seth Arnold <sarnold@wirex.com>
To: Akop Pogosian <akopps@CSUA.Berkeley.EDU>


On Fri, May 17, 2002 at 02:48:58PM -0700, Akop Pogosian wrote:
> I am wondering what is the correct way to restrict connections to the
> dhcp server to come only from trusted subnets assuming that I don't
> have administrative access to the routers and the server connects
> directly to all trusted subnets. I am trying to use these rules:
>
> iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p tcp --sport 68 --dport 67 -j ACCEPT
> iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p udp --sport 68 --dport 67 -j ACCEPT

> My question is, is it possible for an attacker who comes from outside
> of the trusted subnets to which dhcp server connects directly to spoof
> the IP source address to look like 0.0.0.0 in order to run an exploit
> on dhcpd? If yes, how can I prevent this?

Akop, yes, an attacker can spoof a source 0.0.0.0 in order to attack
your dhcp server, and generally, the only way to prevent this is some
level of sanity checking IPs based on the _interfaces_ the packet came
in through.

e.g., if your dhcp server has two NICs:

eth0 is connected to the untrusted network
eth1 is connected to trusted subnet

you would want as some very early rules to block packets with source
0.0.0.0 from entering on interface eth0. You would block similarly
source 255.255.255.255, sources 10.x.x.x, or 172.16.x.x or 192.168.x.x
from entering on eth0, if the untrusted network would always have valid
routable IPs, or perhaps require IPs in one of those ranges if the
network connected to eth0 has IPs in only that range.

Unfortunately, I don't know the iptables rule language, so I can't give
you rules directly :) but I'm hoping it shouldn't be too hard to figure
out from here.

Cheers :)

-- 
http://www.wirex.com/
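The interface-based sanity checking Seth describes, written out as iptables rules. This is an added example and not part of the original thread or Seth's own rules; it assumes the two-NIC layout from his reply (eth0 untrusted, eth1 trusted), legacy `iptables` command syntax, and that the rules are loaded at the top of an otherwise empty INPUT chain. Unlike the source-address-only rules quoted in the question, the DHCP accept rule matches on the arrival interface, so unicast renewals from clients that already hold a lease (which do not come from 0.0.0.0) keep working, and a spoofed 0.0.0.0 arriving on the untrusted side is dropped before dhcpd ever sees it. DHCP runs over UDP only, so no TCP rule is needed. The function emits the rules as text so they can be reviewed first and applied with `dhcp_rules eth0 eth1 | sh`.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): interface-aware
# anti-spoofing rules for a host running dhcpd.
#   $1 = untrusted interface (assumed eth0)
#   $2 = trusted interface   (assumed eth1)
# The function prints the iptables commands instead of running them, so the
# ruleset can be inspected without root; pipe the output to sh to apply it.

dhcp_rules() {
    untrusted="$1"
    trusted="$2"

    # Early sanity rules: sources that can never legitimately arrive from the
    # untrusted network (unspecified, limited broadcast, RFC 1918 ranges).
    # These must sit before any ACCEPT rule, which is why they come first.
    for src in 0.0.0.0/32 255.255.255.255/32 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A INPUT -i $untrusted -s $src -j DROP"
    done

    # DHCP/BOOTP is UDP, client port 68 to server port 67. Accept it only when
    # it arrives on the trusted interface; no source-address match, so both the
    # initial 0.0.0.0 DISCOVER and later unicast renewals are allowed.
    echo "iptables -A INPUT -i $trusted -p udp --sport 68 --dport 67 -j ACCEPT"

    # Anything else aimed at dhcpd, on any interface, is dropped.
    echo "iptables -A INPUT -p udp --dport 67 -j DROP"
}

# Stand-alone usage: print the ruleset for review (defaults to eth0/eth1).
dhcp_rules "${1:-eth0}" "${2:-eth1}"
```

If the untrusted side is itself numbered from one of the private ranges, Seth's second variant applies instead: drop the private range list except the one that network actually uses, or invert the match so that only sources inside that range are admitted on the untrusted interface.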
