Vulnerability Development mailing list archives

Re: DHCP and Security


From: techs () OBFUSCATION ORG (Erik Fichtner)
Date: Fri, 4 Feb 2000 00:51:57 -0500


On Thu, Feb 03, 2000 at 01:16:08PM -0500, Nitzenberger, Rob, MSgt, AF/XORR wrote:
but with DHCP (which is the method of choice for our sys admin types), it
has proven difficult to "map" an IP address back to a specific user... lease
times expire, inadequate event logging..etc.

 How can I configure DHCP to balance the need for security with the wishes
of the sys admin folks?  Any Ideas?

While it's an administrative hassle, one can configure DHCP such that it
only hands out an address to a known MAC address.   You can then keep
track of MAC addresses of systems in a known central location (make 'em
sign some paperwork or something before their system will work).  From
there, it's a no-brainer to scavenge the dhcpd.leases file to retrieve the
corresponding IP lease that matches up to a MAC address. [2]   Of course,
you mention that leases expire and get renewed. Yeah, they do.  Several
silly thoughts come to mind here.. The simplest of which is to simply
modify the dhcp server so that it has an audit log of the ip and mac
address as it assigns them.   Or, if your IP space permits it (3200 users
is a lot, though) you could static IP them and basically turn it into a
gory bootp replacement.   At this point, I might experiment with allowing
a small set of IPs (2 or 3) per MAC address on a shared-subnet, so you can
minimize IP collision.  Just a completely out-of-my-posterior idea and I
don't know that it'll work.

I'd probably just go with hacking a couple lines of code into the ISC DHCP
server to create an audit log. (syslog() when you get into the routine
that would be writing a new lease out to the dhcpd.leases file. cake.)

[1] I'm working under the assumption that you have a small number of them and
you're using helper-addresses on your routers to shovel the requests from
subnet to subnet.   you could also mass distribute the dhcpd.conf file to
your dhcp servers..

[2] We currently have some badly written scripts that do this in addition
to banging their way through a big pile of switches and routers chasing the
MAC address down to an ultimate switch port number so we can identify the
user in space.  Kinda neat.

--
Erik Fichtner; Warrior SysAdmin (emf|techs)                       34.9908%
http://www.obfuscation.org/~techs      N 38 53.055'  W 77 21.860'  764 ft.
       "What's the most effective Windows NT remote management tool?"
          "A car."  --  Stephen Northcutt
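As an added illustration of the lease-scavenging idea in the post above (not code from the post, the list, or the ISC distribution): a small Python parser for the ISC dhcpd.leases format that answers "which MAC held this address at this UTC time", honouring the fact that dhcpd appends records, so a later record for the same address supersedes an earlier one. The lease file below is constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases excerpt in ISC format (times are UTC); not real data.
SAMPLE_LEASES = """\
lease 10.1.2.20 {
  starts 4 2000/02/03 18:16:08;
  ends 4 2000/02/04 06:16:08;
  hardware ethernet 00:a0:c9:12:34:56;
}
lease 10.1.2.21 {
  starts 4 2000/02/03 19:00:00;
  ends 4 2000/02/04 07:00:00;
  hardware ethernet 00:a0:c9:ab:cd:ef;
}
lease 10.1.2.21 {
  starts 5 2000/02/04 05:00:00;
  ends 5 2000/02/04 17:00:00;
  hardware ethernet 00:a0:c9:00:00:01;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_RE = re.compile(r"^\s*(starts|ends)\s+\d\s+(\S+ \S+);", re.M)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")

def parse_time(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Return lease records in file order; dhcpd appends, so later records supersede."""
    records = []
    for ip, body in LEASE_RE.findall(text):
        times = dict(TIME_RE.findall(body))
        hw = HW_RE.search(body)
        if "starts" not in times or "ends" not in times or hw is None:
            continue  # skip records without a usable time range or MAC
        records.append({"ip": ip, "mac": hw.group(1).lower(),
                        "starts": parse_time(times["starts"]),
                        "ends": parse_time(times["ends"])})
    return records

def who_had_ip(records, ip, when):
    """MAC holding `ip` at UTC datetime `when`, or None; last matching record wins."""
    owner = None
    for r in records:
        if r["ip"] == ip and r["starts"] <= when <= r["ends"]:
            owner = r["mac"]
    return owner
```

Point it at a copy of the real dhcpd.leases (and at rotated copies, since the server rewrites the file periodically) and the "last record wins" rule is what makes an address that was released early and reassigned resolve to the right host.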


