enquiry on validation of dhcp offered address

ching lsching17 at gmail.com
Tue Apr 24 12:00:58 UTC 2012


On Tuesday, April 24, 2012 02:16 PM, dhcp-users-request at lists.isc.org 
wrote:
>> I will look for other way to prevent routing intranet traffic to outside.
>>
>>> Hang on ... you never said anything about that before !
>>>
>>> If all you are interested in is preventing routing certain traffic
>>> outside of your network then just apply a few firewall rules to block
>>> it. That too is nothing to do with DHCP.
>>>
>> This partially solves the problem, as dropping internal traffic can result
>> in a denial of service attack.
> You could add firewall rules to block outbound traffic on your WAN
> interface to addresses that match your internal network. This is called
> anti-spoofing, and is (or used to be) common practice when setting up a
> firewall. So, if someone outside your LAN pretends to have an internal
> IP you ignore that. That's not denial of service, since it's only going
> to block invalid IP destinations.
>

If the internal server's IP is 192.168.2.2/255.255.255.0 and the invalid WAN 
address is 192.168.2.1/255.255.255.128:

If the firewall is not blocking, then a faked server may be waiting at the 
WAN interface, ready to receive confidential information.
If the firewall is blocking, then the real server may have downtime (all 
192.168.2.2 traffic is routed to the WAN interface and then dropped), 
resulting in a denial of service.



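The two outcomes the poster describes (leak to the WAN without anti-spoofing, drop with it) and the real cause (a WAN address whose connected /25 is a more specific route than the LAN /24) can be reproduced with a small forwarding model. This is an added example, not code from the thread or from ISC DHCP: the router model, the client address 10.0.0.5, the outside address 203.0.113.9 and the interface names "lan"/"wan" are constructed for illustration, and the nftables rendering is the common anti-spoofing rule shape, not something tested here.

```python
"""Model of the thread's routing / anti-spoofing scenario (added example)."""
import ipaddress
from dataclasses import dataclass

LAN, WAN = "lan", "wan"   # assumed interface names


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class Router:
    routes: list        # list[Route]
    internal: list      # prefixes that must never appear on the WAN side
    antispoof: bool = False

    def lookup(self, dst):
        """Longest-prefix match, as a real kernel FIB does."""
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen).iface

    def is_internal(self, addr):
        return any(addr in p for p in self.internal)

    def forward(self, in_iface, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # ingress anti-spoofing: a packet arriving from the WAN must not
        # claim an internal source address
        if self.antispoof and in_iface == WAN and self.is_internal(src):
            return ("drop", "ingress-antispoof")
        out = self.lookup(dst)
        if out is None:
            return ("drop", "no-route")
        # egress anti-spoofing: never send traffic for internal prefixes
        # out of the WAN interface, whatever the routing table says
        if self.antispoof and out == WAN and self.is_internal(dst):
            return ("drop", "egress-antispoof")
        return ("forward", out)


INTERNAL = [ipaddress.ip_network("10.0.0.0/24"),
            ipaddress.ip_network("192.168.2.0/24")]


def build_router(antispoof, bad_wan_address=True):
    routes = [
        Route(ipaddress.ip_network("10.0.0.0/24"), LAN),      # constructed client subnet
        Route(ipaddress.ip_network("192.168.2.0/24"), LAN),   # server 192.168.2.2/24 from the post
        Route(ipaddress.ip_network("0.0.0.0/0"), WAN),
    ]
    if bad_wan_address:
        # WAN configured as 192.168.2.1/255.255.255.128: its connected /25 is
        # more specific than the LAN /24, so 192.168.2.2 now routes to the WAN
        routes.append(Route(ipaddress.ip_network("192.168.2.0/25"), WAN))
    return Router(routes, INTERNAL, antispoof)


def scenario():
    client, server, outside = "10.0.0.5", "192.168.2.2", "203.0.113.9"
    no_filter = build_router(antispoof=False)
    filtered = build_router(antispoof=True)
    fixed = build_router(antispoof=True, bad_wan_address=False)
    return {
        "leak":       no_filter.forward(LAN, client, server),  # reaches a fake server on the WAN
        "dos":        filtered.forward(LAN, client, server),   # the downtime the poster fears
        "spoof_in":   filtered.forward(WAN, server, client),   # outsider posing as the server
        "normal_out": filtered.forward(LAN, client, outside),  # ordinary Internet traffic still flows
        "fixed":      fixed.forward(LAN, client, server),      # correct WAN address: server reachable
    }


def nft_rules(internal, wan=WAN):
    """Equivalent nftables forward-chain rules (assumed syntax, not run here)."""
    prefixes = ", ".join(str(p) for p in internal)
    return (
        "table inet antispoof {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f'    iifname "{wan}" ip saddr {{ {prefixes} }} drop\n'
        f'    oifname "{wan}" ip daddr {{ {prefixes} }} drop\n'
        "  }\n"
        "}"
    )


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:10s} -> {result}")
    print(nft_rules(INTERNAL))
```

The model makes the two points of the exchange concrete: the anti-spoofing rules only ever drop packets that the overlapping WAN address has already misrouted, so the "denial of service" is the symptom of the bad WAN prefix, and the `fixed` case shows that correcting that address (not the DHCP server) restores the path to 192.168.2.2 while the rules stay in place.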