enquiry on validation of dhcp offered address

ching lsching17 at gmail.com
Tue Apr 24 23:49:44 UTC 2012


On Tuesday, April 24, 2012 09:50 PM, dhcp-users-request at lists.isc.org wrote:
> On 04/24/12 22:00, ching wrote:
>> > On Tuesday, April 24, 2012 02:16 PM, dhcp-users-request at lists.isc.org
>> > wrote:
>>>> >>> I will look for other way to prevent routing intranet traffic to
>>>> >>> outside.
>>>> >>>
>>>>> >>>> Hang on ... you never said anything about that before !
>>>>> >>>>
>>>>> >>>> If all you are interested in is preventing routing certain traffic
>>>>> >>>> outside of your network then just apply a few firewall rules to block
>>>>> >>>> it. That too is nothing to do with DHCP.
>>>>> >>>>
>>>> >>> This partially solves the problem, as dropping internal traffic can result
>>>> >>> in a denial of service attack.
>>> >> You could add firewall rules to block outbound traffic on your WAN
>>> >> interface to addresses that match your internal network. This is called
>>> >> anti-spoofing, and is (or used to be) common practise when setting up a
>>> >> firewall. So, if someone outside your LAN pretends to have an internal
>>> >> IP you ignore that. That's not denial of service, since it's only going
>>> >> to block invalid IP destinations.
>>> >>
>> >
>> > If the internal server's IP is 192.168.2.2/255.255.255.0 and the invalid WAN
>> > address is 192.168.2.1/255.255.255.128:
>> >
>> > If the firewall is not blocking, then a fake server may be waiting at the
>> > WAN interface, ready to receive confidential information.
>> > If the firewall is blocking, then the real server may have downtime (all
>> > 192.168.2.2 traffic is routed to the WAN interface and then dropped),
>> > resulting in a denial of service.
>> >
> So the traffic would be blocked to the fake external server. That's what 
> you want isn't it?
>
> If your WAN interface is re-configured with 192.168.2.1 then unless the 
> whole ISP network routing changes then no traffic will be able to get 
> out to the Internet anyway.
>
> You could also add outbound firewall rules blocking NFS, Microsoft SMB 
> ports and the like, which should never need to go outside your network.
>
> But this is straying far from the topic of the DHCP list I think.
>
> regards,
> -glenn

My goal is to protect intranet traffic. Neither information leakage nor service interruption is expected.
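The overlap scenario argued over above, worked through as an added example (not part of the original post, and not ISC DHCP client code). The addresses are the ones from the thread, treated here as a constructed scenario: LAN 192.168.2.0/24 with a server at 192.168.2.2, and a WAN offer of 192.168.2.1/255.255.255.128. The script shows three things: why the more specific /25 pulls the server's traffic onto the WAN interface (longest-prefix match), what the anti-spoofing egress rule does with that traffic (drop, hence the downtime), and the check that avoids both outcomes: reject the offer before it is applied if its prefix overlaps internal space. Function names, the interface labels "lan"/"wan" and the INTERNAL_NETWORKS list are assumptions of this example.

```python
import ipaddress

# Constructed scenario, following the thread: the LAN is 192.168.2.0/24 with an
# internal server at 192.168.2.2, and the WAN interface is offered the
# conflicting address 192.168.2.1 with netmask 255.255.255.128.
INTERNAL_NETWORKS = ("192.168.2.0/24",)
LAN_SERVER = "192.168.2.2"


def offer_overlaps_internal(offered_ip, netmask, internal=INTERNAL_NETWORKS):
    """Validate a DHCP offer before applying it: return the internal prefix the
    offered WAN prefix overlaps (as a string), or None if the offer is clean."""
    wan_net = ipaddress.ip_interface(f"{offered_ip}/{netmask}").network
    for cidr in internal:
        if wan_net.overlaps(ipaddress.ip_network(cidr)):
            return cidr
    return None


def select_route(dst, routes):
    """Longest-prefix match over (cidr, interface) pairs, as a router does."""
    best_net, best_iface = None, "default"
    addr = ipaddress.ip_address(dst)
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def egress_verdict(dst, iface, internal=INTERNAL_NETWORKS):
    """The anti-spoofing egress rule from the thread: drop anything leaving on
    the WAN interface whose destination lies in internal address space."""
    addr = ipaddress.ip_address(dst)
    if iface == "wan" and any(addr in ipaddress.ip_network(c) for c in internal):
        return "drop"
    return "accept"


def outcome(offered_ip, netmask, antispoof):
    """Where traffic for the LAN server ends up once the offer is applied:
    'lan' (normal), 'leaked to wan' (no filter) or 'dropped' (filter present)."""
    wan_net = str(ipaddress.ip_interface(f"{offered_ip}/{netmask}").network)
    routes = [(c, "lan") for c in INTERNAL_NETWORKS] + [(wan_net, "wan")]
    iface = select_route(LAN_SERVER, routes)
    if iface != "wan":
        return "lan"
    if antispoof and egress_verdict(LAN_SERVER, iface) == "drop":
        return "dropped"
    return "leaked to wan"


if __name__ == "__main__":
    offered, mask = "192.168.2.1", "255.255.255.128"
    # The validation step: an overlapping offer is rejected before it is applied.
    print("overlap:", offer_overlaps_internal(offered, mask))        # 192.168.2.0/24
    # What happens if it is applied anyway, with and without the egress rule.
    print("no filter:", outcome(offered, mask, antispoof=False))     # leaked to wan
    print("with filter:", outcome(offered, mask, antispoof=True))    # dropped
    print("clean offer:", outcome("203.0.113.7", "255.255.255.0", True))  # lan
```

The two bad outcomes are exactly the pair described in the message: without the rule the server's traffic is delivered out of the WAN interface, with the rule it is dropped. Only refusing the overlapping offer (for example in a DHCP client hook that runs `offer_overlaps_internal` before the address is configured) keeps the /24 route intact so neither happens.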

