enquiry on validation of dhcp offered addres
lsching17 at gmail.com
Tue Apr 24 12:00:58 UTC 2012
On Tuesday, April 24, 2012 02:16 PM, dhcp-users-request at lists.isc.org
>> I will look for other way to prevent routing intranet traffic to outside.
>>> Hang on ... you never said anything about that before !
>>> If all you are interested in is preventing routing certain traffic
>>> outside of your network then just apply a few firewall rules to block
>>> it. That too is nothing to do with DHCP.
>> This partially solve the problem as dropping internal traffic can result
>> in a denial of service attack.
> You could add firewall rules to block outbound traffic on your WAN
> interface to addresses that match your internal network. This is called
> anti-spoofing, and is (or used to be) common practise when setting up a
> firewall. So, if someone outside your LAN pretends to have an internal
> IP you ignore that. That's not denial of service, since it's only going
> to block invalid IP destinations.
if internal server's ip is 192.168.2.2/255.255.255.0 and the invalid wan
if firewall is not blocking, then a faked server may be waiting at the
WAN interface, ready to receive confidential information.
if firewall is blocking, then the real server may have a downtime (all
192.168.2.2 traffic are routed to WAN interface and then dropped),
resulting in a denial of service.
More information about the dhcp-users