Force DHCP server to assign new IP to client

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Oct 15 08:43:02 UTC 2014


Jeffrey Zheng <jeffreyzheng at live.com> wrote:

> Basically the research is trying to find a way to randomly change clients' IP addresses so that any IP-based attack or reconnaissance might be thwarted, that is why I am looking into the DHCP server to see if I can use it to achieve the goal.

There are two different goals there, although there is some overlap.

1) Attack
Not to put too fine a point on it, you're wasting your time. Unless you have a vast quantity of IP addresses then moving doesn't really help - it's a bit like (to use Gregory's analogy) moving to another house in the same street, someone wanting to steal your car will easily be able to see it's on the drive two houses down from where it was yesterday!
Also, at work I have the luxury of managing a /24 of public IP space - from the logs it's clear that people don't attack a single IP - when I get an email from fail2ban on one (say) email server, I'll typically see the same alert for the same attacking address from all the others at the same time.

2) Reconnaissance
I very much doubt that changing IP address will do much to help. Various online outfits (Google being the most well known, but not the most aggressive) are very adept at tracking people across dynamic IPs from their ISPs and across different IPs from moving around between networks. As IPv6 starts to pick up momentum, I'm sure they've been "honing their skills" given that everyone using IPv6 is going to be on a network with a minimum of 2^64 addresses on it - and if using privacy addressing, devices will be switching around between a large number of those addresses.

TL;DR version
I think it's a lot of effort for minimal gains. From the security and privacy POV, there are other avenues to explore which would give better returns.


