DHCP Security Leak
Simon Hobson
dhcp1 at thehobsons.co.uk
Tue May 1 22:48:48 UTC 2007
guru.bidari at sirvisetti.com wrote:
>In our infrastructure we are using DHCP, with system-defined lease-period
>(24 hours), the IP-address of the pc is refreshed.
>
>We are using one product called as auto print the way it works, we think
>we have a security leak.
>
>After a user scheduled a job and he logged out before the job is finished
>and ftp-ed, it is possible that another user gets that IP-address before
>the output is processed.
>
>This is more of an issue when concurrent request is re-scheduled to run at
>an interval.
>
>So we think that it is a leak that another user on a different pc can get
>the output of that request, because that pc has leased the IP-address now.

I don't think you have a problem.

Firstly, most PCs do not release their leases when you shut them
down, hence it still has the address allocated to it for typically a
minimum of another 12 hours. This in itself is sufficient to ensure
that the address isn't given to another client for a while.

Even after the lease has expired, the DHCP server will not
immediately reallocate the address - unless you REALLY are very short
of addresses in which case you will have other problems. As long as
other addresses are available, then they will be offered (it's a
least recently used algorithm).

Lastly, how does this feedback work? Typically I would expect to see
the client open a TCP connection, send the data and receive any
feedback, close the connection. Once the connection is closed then no
more data will be returned by the print unit. Should another client
take over the IP address, then any open connections will fail because
port numbers and sequence numbers will not match. Of course, for a
client to leave without closing the connection means that it has been
improperly shut down (network cable unplugged, power turned off
without OS shutdown) which means that it will NOT have released its
lease.

So, I don't think you have a problem to solve. If I have
misunderstood your process, then please explain further.
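
The reallocation argument in the reply above, as an added example that is not part of the original message and is not any DHCP server's code: a simplified Python model that assumes least-recently-used selection among free addresses and the 24-hour lease from the question. The class, client names, addresses and timeline are constructed for illustration.

```python
# Simplified model of the lease behaviour described in the reply above.
# Assumption: free addresses are handed out least-recently-used first;
# this is not ISC dhcpd source code, and all names are hypothetical.
LEASE_SECONDS = 24 * 3600  # lease period from the original question


class LeasePool:
    def __init__(self, addresses):
        # address -> (client, expiry, last_used); client None = never leased
        self.leases = {a: (None, 0, -1) for a in addresses}

    def _is_free(self, addr, now):
        client, expiry, _ = self.leases[addr]
        return client is None or expiry <= now

    def request(self, client, now):
        """Return the address given to `client` at time `now`, or None."""
        # A returning client keeps its address while the lease is active.
        for addr, (owner, expiry, _) in self.leases.items():
            if owner == client and expiry > now:
                self.leases[addr] = (client, now + LEASE_SECONDS, now)
                return addr
        free = [a for a in self.leases if self._is_free(a, now)]
        if not free:
            return None
        # Least recently used first: never-leased (-1) beats any expired lease.
        addr = min(free, key=lambda a: self.leases[a][2])
        self.leases[addr] = (client, now + LEASE_SECONDS, now)
        return addr

    def release(self, client, now):
        """Explicit DHCPRELEASE: the address becomes free immediately."""
        for addr, (owner, expiry, last) in self.leases.items():
            if owner == client:
                self.leases[addr] = (owner, now, last)


def scenario():
    """Constructed timeline: pc-a submits a job, then powers off unreleased."""
    hour = 3600
    pool = LeasePool(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    events = [("pc-a", 0), ("pc-b", 2 * hour), ("pc-c", 25 * hour),
              ("pc-d", 27 * hour)]
    return [(c, t // hour, pool.request(c, t)) for c, t in events]
```

In this model pc-a's expired address is passed over at hour 25 while a less recently used one is free, and is only handed to another client at hour 27 once the three-address pool has nothing older to offer.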