RE: DHCP Security Questions

From: Steve Vawter
Date: 05/15/02

From: Steve Vawter <>
To: "'Richard Westlake'" <>, Chris <>
Date: Wed, 15 May 2002 09:33:20 -0700

Well, if it is a new system doing the IP "theft" this may well fix it:

Split your network into 2 VLANs via dynamic VLANs: one for known systems, one
for unknown systems. Set up DHCP (with different ranges) on both VLANs so that
any system set up for DHCP can get an address. Set up the unknown side with
tighter security, since anyone walking in off the street might be on it.
When your IT guys set up a new system they can add it to the known list...

Steve Vawter
Zone Labs, Inc.
1060 Howard Street
San Francisco CA 94103
ph 415-341-8323
fax 415-341-8299
cell 510-409-9184
pager 877-933-0549

-----Original Message-----
From: Richard Westlake []
Sent: Tuesday, May 14, 2002 12:22 PM
To: Chris
Subject: Re: DHCP Security Questions

There is no easy way to stop this. If they can change the IP address on
their system then they can set any address they like.

You could try the following

1) Take away admin access. Not possible with visitors & personal laptops
etc.; can't do this with all OSs, e.g. 95/98.

2) Run something like arpwatch (free) to record MAC/IP addresses. This will
notice new systems on the network and will also report address flip-flops
when two systems try and use the same IP address. We use this and it has
spotted badly configured systems and people borrowing (stealing) IP
addresses. It doesn't prevent the problem, but it makes it easier to find and
fix. Problems of two systems using the same address (IP, DECnet etc.) can
be very hard to debug. For arpwatch try
or a Google search.

3) Split the network into two with a router. One network can have your
static-address servers and other important stuff, the other can have the
DHCP-assigned addresses.
This reduces the damage people can do, but it is still a problem if they
steal the IP address from your or the MD's laptop. You could also add a
network just for visitors.

4) Use SNMP on the switches to report when a port goes live. Then with SNMP
query the address table and compare it with a list of allowed MAC/IP
addresses (DHCP server lease file) and possibly which ports they can use.
If you don't like the system on the port which has just gone live then
block the port or move it to a VLAN where it can't do any harm. Maybe you
can get a network management system to help with this.
This could be a lot of work! If you ever try it please let me know how
you got on.

If you have a lot of people turning up with laptops etc. and they already
have IDs/passwords on your system then you could use something like netreg
(free) to automate the MAC registration. Matt
Campbell at RIT has implemented a similar system which does watch the
switches and move ports for new systems to different VLANs.

Netreg-type packages are useful if you don't want random strangers
wandering into the building, finding an unused port in a quiet corner,
connecting to the network, getting an IP address and having fun with
your servers etc.

All the best and good luck

Richard Westlake

School of Crystallography, Birkbeck College, Malet Street, London WC1E 7HX
Tel: 020-7631-6859
               Truth endures but spelling changes -- Anon.

On Tue, 14 May 2002, Chris wrote:

> Date: Tue, 14 May 2002 09:10:26 -0700
> From: Chris <>
> To:
> Subject: DHCP Security Questions
> I was curious to find out about some issues that I would like to prevent
> if at all possible. I am running a network with a DHCP server handing
> out public IPs to clients. It is also reserving by the MAC for clients
> that have static publics. My concern is someone that has legitimate
> access to the network purposely or accidentally setting their IP to an
> IP that is already taken, logging on to the network and causing
> problems. Obviously this could really be a problem if it is a business
> client and they are running some sort of server and someone logs on with
> that IP. Does anyone know of a way to prevent this? If you need more
> details please ask.
> Thank You,
> Chris Raynor
> Network Security
> Mendo Link, LLC
> "An Ounce Of Prevention Is Worth A Pound Of Cure."
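As an added example (not code posted by Richard, Steve or Chris), the following Python shows the detection side of Richard's items 2 and 4 and the known/unknown split Steve suggests: parse the DHCP server's lease file, merge it with the static reservations, then run a list of observed (IP, MAC, switch port) sightings against it to flag IP conflicts, arpwatch-style flip-flops and unregistered MACs, and list the ports whose systems belong on the unknown VLAN. The lease excerpt follows ISC dhcpd.leases syntax, but every address, MAC, hostname and port name is constructed for illustration. The SNMP query of the switch address table and the port move themselves are left out; they depend on the switch's MIB.

```python
"""Added example for the thread above (not from Richard, Steve or Chris):
correlate ARP/switch sightings with the DHCP lease file and a list of
registered MACs (Richard's items 2 and 4) and sort each MAC into Steve's
known/unknown VLAN split. All data below is constructed for illustration."""

import re
from dataclasses import dataclass, field

# Constructed excerpt in ISC dhcpd.leases syntax. dhcpd appends entries, so a
# later block for the same IP supersedes an earlier one.
SAMPLE_LEASES = """
lease 192.0.2.10 {
  binding state active;
  hardware ethernet 00:00:5e:00:53:01;
  client-hostname "chris-desk";
}
lease 192.0.2.12 {
  binding state free;
  hardware ethernet 00:00:5e:00:53:03;
}
"""

# Fixed-address servers and the "MD's laptop" from item 3 (constructed).
STATIC_HOSTS = {"192.0.2.2": "00:00:5e:00:53:aa"}

# MACs that IT staff have registered, i.e. Steve's "known list" (constructed).
KNOWN_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:aa"}

# Constructed (ip, mac, switch port) sightings, in the order arpwatch or an
# SNMP walk of the switch address table would report them.
SAMPLE_SIGHTINGS = [
    ("192.0.2.10", "00:00:5e:00:53:01", "Fa0/1"),
    ("192.0.2.2",  "00:00:5e:00:53:aa", "Fa0/2"),
    ("192.0.2.2",  "00:00:5e:00:53:99", "Fa0/17"),  # stranger takes the MD's IP
    ("192.0.2.12", "00:00:5e:00:53:03", "Fa0/5"),   # lease freed, still using it
]

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")


def parse_leases(text):
    """Return {ip: mac} for leases whose most recent binding state is active."""
    active = {}
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        state = STATE_RE.search(body)
        if hw is None:
            continue
        if state is not None and state.group(1) == "active":
            active[ip] = hw.group(1).lower()
        else:
            active.pop(ip, None)  # a later free/expired block releases the IP
    return active


def expected_owners(lease_text, static_hosts):
    """Merge active leases with static reservations into one {ip: mac} map."""
    owners = parse_leases(lease_text)
    owners.update({ip: mac.lower() for ip, mac in static_hosts.items()})
    return owners


@dataclass
class Verdict:
    ip: str
    mac: str
    port: str
    vlan: str = "known"  # Steve's known/unknown split
    problems: list = field(default_factory=list)


def check_sightings(sightings, owners, known_macs):
    """Flag IP conflicts, arpwatch-style flip-flops and unregistered MACs.
    Detection only: it finds the culprit and the port, it stops nobody."""
    last_mac_for_ip = {}
    verdicts = []
    for ip, mac, port in sightings:
        mac = mac.lower()
        v = Verdict(ip, mac, port)
        owner = owners.get(ip)
        if owner is None:
            v.problems.append("ip has no active lease or reservation")
        elif owner != mac:
            v.problems.append(f"ip conflict: {ip} belongs to {owner}")
        if ip in last_mac_for_ip and last_mac_for_ip[ip] != mac:
            v.problems.append(f"flip-flop: {ip} moved from {last_mac_for_ip[ip]}")
        last_mac_for_ip[ip] = mac
        if mac not in known_macs:
            v.problems.append("unregistered mac")
            v.vlan = "unknown"
        verdicts.append(v)
    return verdicts


def ports_to_quarantine(verdicts):
    """Ports whose current system should be moved to the unknown VLAN (item 4)."""
    return sorted({v.port for v in verdicts if v.vlan == "unknown"})
```

Running `check_sightings(SAMPLE_SIGHTINGS, expected_owners(SAMPLE_LEASES, STATIC_HOSTS), KNOWN_MACS)` marks the first two sightings as clean, the third as an IP conflict plus flip-flop from an unregistered MAC, and the fourth as an unregistered MAC using an address with no active lease; `ports_to_quarantine` then returns Fa0/17 and Fa0/5. On a real network the sightings would come from arpwatch's log or an SNMP walk of the switch, and the lease file from the DHCP server; the comparison logic stays the same.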
