[lug] securing DHCP

D. Stimits stimits at idcomm.com
Tue Aug 13 17:05:16 MDT 2002


Brian Jarrett wrote:
> On Tue, 13 Aug 2002 16:05:34 -0600 "D. Stimits" <stimits at idcomm.com> wrote:
> 
> 
>>It looks like DHCP, as used by AT&T cable modems, might need both ports
>>67 and 68, UDP and TCP, available. I am on the local network, and seeing
>>(prior to completed cable modem install, the modem is there, but not
>>all parts of it have been activated by AT&T yet) DHCP broadcasts from
>>source 0.0.0.0:68 to 255.255.255.255:67. This might just be a stupid
>>windows-ism from the win2k machine that is sitting on the net, or it
>>might be from the AT&T cable modem. Regardless of source, does anyone
>>know if the AT&T cable or DSL modems allow blocking of all sources
>>except perhaps one DHCP server address? Or am I going to have to leave
>>it open in the firewall for source 0.0.0.0 and destination
>>255.255.255.255? I had thought this would be something like a
>>nameserver, where I could add a known DHCP server address, and not leave
>>it open to 0.0.0.0 broadcasts. Then again, 0.0.0.0 is probably not
>>routable, and it probably can be guaranteed to come from the cable modem
>>service. Does anyone have any general advice on ports and firewalling
>>under DHCP, when there will be different windows and different linux
>>machines on the net?
>>
> 
> I'm not quite sure I understand the question, but I can tell you with a great
> degree of certainty that the packet you describe is coming from a machine
> wanting a DHCP address.  If you look at the MAC address of the source you
> should be able to pinpoint where the packet is coming from.  DHCP clients
> always send a packet out to 255.255.255.255 when negotiating an IP address
> with the DHCP server.  Once the Discover, Offer, Reply and Acknowledge packets
> are transferred over the net, the client has its IP address.  
> 
> Are you concerned about clients on AT&T's network trying to get an IP from your
> local DHCP server?  I don't have any knowledge of their cable modems, but DHCP
> usually doesn't get from one subnet to another without a ProxyDHCP server. 
> Hope this helps in some way.

Yes, this is useful. It tells me why I am seeing the broadcasts. I now 
wonder if the machine doing the reply will also be on a 0.0.0.0 
broadcast, or if it will show itself with a specific IP...therefore if 
it does show a specific IP, and can close the proper port down on input 
chain for all IP addresses other than the DHCP server I trust (if the 
DHCP server replies from 0.0.0.0, then I can still close the port to 
other than 0.0.0.0). I am guessing I cannot close it down any more than 
to allow 0.0.0.0 source/255.255.255.255 destination, and deny others. In 
essence, I simply want all port scans from non-AT&T machines to never 
see my DHCP ports as open.

D. Stimits, stimits AT idcomm.com
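Added example, not from either poster: a small Python script that does the two things discussed in this thread. It parses a constructed DHCP DISCOVER (the packet a client broadcasts from 0.0.0.0:68 to 255.255.255.255:67) so the chaddr field gives the MAC of the host asking for an address, as Brian suggests, and it encodes an input-chain policy for the DHCP ports in the spirit of the follow-up question. The packet layout and port numbers are from RFC 2131, which is where the assumption that server replies carry the server's own source address with source port 67 and destination port 68 comes from; the trusted-server address and the MAC are made-up sample values.

```python
import struct
from dataclasses import dataclass, field

# RFC 2131: 236-byte fixed BOOTP header, then the magic cookie, then TLV options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT, CLIENT_PORT = 67, 68
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpMessage:
    op: int                 # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int                # transaction id shared by one Discover/Offer/Request/Ack exchange
    client_mac: str         # chaddr: identifies the host that sent the request
    yiaddr: str             # "your" address, filled in by the server in Offer/Ack
    message_type: str       # option 53, decoded via MESSAGE_TYPES
    options: dict = field(default_factory=dict)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message (fixed header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = payload[16:20]
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    return DhcpMessage(op, xid, ":".join(f"{b:02x}" for b in chaddr), _ip(yiaddr), mtype, options)


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample: the DISCOVER a client broadcasts from 0.0.0.0:68 to 255.255.255.255:67."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op=1, Ethernet, hlen=6, broadcast flag
    header += b"\x00" * 16                                       # ciaddr, yiaddr, siaddr, giaddr all zero
    header += mac.ljust(16, b"\x00")                             # chaddr padded to 16 bytes
    header += b"\x00" * (64 + 128)                               # sname and file, unused here
    options = bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"  # type=DISCOVER, param request list, end
    return header + MAGIC_COOKIE + options


def allow_inbound(src_ip: str, src_port: int, dst_port: int,
                  trusted_server: str, running_server: bool = False) -> bool:
    """Input-chain policy for UDP on the DHCP ports; assumes this host only runs a client unless told otherwise."""
    # Server replies (Offer/Ack) come from the server's own address, source port 67, to port 68,
    # whether unicast or broadcast to 255.255.255.255: accept only the one server we trust.
    if dst_port == CLIENT_PORT and src_port == SERVER_PORT and src_ip == trusted_server:
        return True
    # Client Discover/Request broadcasts from 0.0.0.0:68 only matter if this host is itself a server.
    if dst_port == SERVER_PORT and src_port == CLIENT_PORT and running_server:
        return True
    return False


if __name__ == "__main__":
    sample = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x3903F326)   # constructed MAC and xid
    print(parse_dhcp(sample))
    print(allow_inbound("10.0.0.1", 67, 68, trusted_server="10.0.0.1"))  # trusted server reply
    print(allow_inbound("10.0.0.9", 67, 68, trusted_server="10.0.0.1"))  # anyone else on port 67
```

Two notes on using this with a real input chain. First, because the reply carries the server's address rather than 0.0.0.0, a client-only host needs no rule that admits a 0.0.0.0 source; the 0.0.0.0:68 broadcasts seen on the wire are what other hosts send, and only a DHCP server has any reason to accept them. Second, ISC dhclient on Linux reads the initial exchange through a packet socket, so netfilter INPUT rules do not gate what the client itself sees; the rules still decide what a port scan of 67/68 gets back, which is the stated goal.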
