Re: protecting DHCP servers

From: Scott Gifford (sgifford@suspectclass.com)
Date: 05/21/02


To: Brian <focus-linux@tracking.zerobelow.org>
From: Scott Gifford <sgifford@suspectclass.com>
Date: 21 May 2002 14:18:28 -0400

Brian <focus-linux@tracking.zerobelow.org> writes:

> > > I am wondering what is the correct way to restrict connections to the
> > > dhcp server to come only from trusted subnets assuming that I don't
> > > have administrative access to the routers and the server connects
> > > directly to all trusted subnets. I am trying to use these rules:
>
> I generally create a 'sanity' chain on my input ruleset that gets run
> first. It would look something like this:

[...]

> iptables -A sanity -s 0.0.0.0/32 ${BAD}

This will break DHCP.

Akop, filtering Martian packets is standard security practice; you
could ask whoever does maintain your router if they already have them
(specifically against packets with a source or destination address of
0.0.0.0) and if not to add them. This is recommended (and described
well) in the NSA's guidelines for securing a Cisco router (google for
it), and your network admins really should be doing it, whether there
are DHCP servers on it or not.

You could also try filtering by MAC address. Anything from the
Internet will have a MAC address of one of your routers, so if you can
find their MAC addresses (use "/sbin/arp -a") you can make a filter to
drop those packets with iptables. The downside is that if the router
maintainer replaces hardware and the MAC address changes, or adds a
new router, your filters break...

You could also try asking in the mailing list for your DHCP server;
this seems to me like a common problem that somebody with better
knowledge of DHCP than us would have figured out. Also,
comp.protocols.tcp-ip tends to have a lot of gurus who hang out in it
and may have a better solution for you, or a reason why a better
solution isn't necessary.

-----ScottG.
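The two suggestions in the reply above (let genuine DHCP discovery through before the 0.0.0.0/32 sanity drop, and drop DHCP whose source MAC belongs to a router found via "arp -a") written out as an added shell example. This is not code from the original post nor from any DHCP or iptables project; the interface list, router addresses, MAC addresses, the embedded arp output and the script name are all assumptions made for illustration. With DRY_RUN=1 the script only prints the iptables commands, so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original post.  It turns the two
# suggestions in the mail into a small iptables "dhcp-guard" chain:
#   1. accept real DHCP discovery (source 0.0.0.0, udp 68 -> 67) BEFORE
#      the martian drop on 0.0.0.0/32, so the sanity chain stops
#      breaking DHCP;
#   2. drop DHCP (udp/67) whose source MAC is one of the routers, found
#      by looking the router IPs up in "arp -an" output.
# Assumptions (hypothetical): LAN interfaces in LAN_IFS, router IPs in
# ROUTERS; every address and MAC below is made up.  DRY_RUN=1 prints the
# iptables commands instead of running them (no root needed).

LAN_IFS="${LAN_IFS:-eth0}"                  # interfaces facing trusted subnets
ROUTERS="${ROUTERS:-192.0.2.1 192.0.2.2}"   # hypothetical router addresses

# Constructed sample of "/sbin/arp -an" output (net-tools format on Linux),
# used so the script can be exercised without a live ARP table.
SAMPLE_ARP='? (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.0.2.2) at 00:11:22:33:44:66 [ether] on eth0
? (192.0.2.50) at 00:11:22:33:44:77 [ether] on eth0
? (192.0.2.60) at <incomplete> on eth0'

# mac_for_ip IP  <arp-output
# Print the lower-cased MAC for IP; exit 1 if there is no complete entry.
mac_for_ip() {
    awk -v want="($1)" '
        $2 == want && length($4) == 17 && $4 ~ /^[0-9a-fA-F:]*$/ {
            print tolower($4); found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# run CMD...  Execute one command, or just print it under DRY_RUN.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dhcp_rules ARP_OUTPUT
# Build the chain.  Returns 1 and stops if a router has no ARP entry,
# because a missing MAC would silently leave that router unfiltered.
dhcp_rules() {
    arp_output="$1"
    run iptables -N dhcp-guard
    # Unconfigured clients broadcast from 0.0.0.0; this rule must come first.
    for ifc in $LAN_IFS; do
        run iptables -A dhcp-guard -i "$ifc" -s 0.0.0.0/32 -p udp --sport 68 --dport 67 -j ACCEPT
    done
    # Anything else sourced from 0.0.0.0 is a martian (the post's sanity rule).
    run iptables -A dhcp-guard -s 0.0.0.0/32 -j DROP
    # DHCP arriving through a router (relayed or forwarded) carries the router's MAC.
    for r in $ROUTERS; do
        mac=$(printf '%s\n' "$arp_output" | mac_for_ip "$r") || {
            echo "dhcp_rules: no ARP entry for router $r" >&2
            return 1
        }
        run iptables -A dhcp-guard -p udp --dport 67 -m mac --mac-source "$mac" -j DROP
    done
    # Hook the chain in ahead of everything else on INPUT.
    run iptables -I INPUT 1 -j dhcp-guard
}

# Usage (hypothetical script name):
#   DRY_RUN=1 sh dhcp-guard.sh apply    # print the rules
#             sh dhcp-guard.sh apply    # apply them, as root
if [ "${1:-}" = "apply" ]; then
    dhcp_rules "$(/sbin/arp -an)"
fi
```

Two caveats of my own, not from the thread. The MAC rules inherit the weakness Scott points out: a replaced or added router needs the script re-run, so keep the ROUTERS list under change control. And ISC dhcpd on Linux reads DHCP through a packet socket (LPF), which netfilter's INPUT chain does not see, so these rules do not by themselves stop dhcpd from answering; also restrict the interfaces dhcpd is started on, and only declare the trusted subnets in its configuration.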
