On Fri, May 17, 2002 at 02:48:58PM -0700, Akop Pogosian wrote:
> I am wondering what is the correct way to restrict connections to the
> dhcp server to come only from trusted subnets assuming that I don't
> have administrative access to the routers and the server connects
> directly to all trusted subnets. I am trying to use these rules:
>
> iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p tcp --sport 68 --dport 67 -j ACCEPT
> iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p udp --sport 68 --dport 67 -j ACCEPT
>
> My question is, is it possible for an attacker who comes from outside
> of the trusted subnets to which dhcp server connects directly to spoof
> the IP source address to look like 0.0.0.0 in order to run an exploit
> on dhcpd? If yes, how can I prevent this?

Akop,

Yes, an attacker can spoof a source 0.0.0.0 in order to attack your dhcp
server, and generally, the only way to prevent this is some level of
sanity checking IPs based on the _interfaces_ the packet came in through.

e.g., if your dhcp server has two NICs:

    eth0 is connected to the untrusted network
    eth1 is connected to trusted subnet

you would want as some very early rules to block packets with source
0.0.0.0 from entering on interface eth0. You would block similarly source
255.255.255.255, sources 10.x.x.x, or 172..xx.x or 192.168.x.x from
entering on eth0, if the untrusted network would always have valid
routable IPs, or perhaps require IPs in one of those ranges if the
network connected to eth0 has IPs in only that range.

Unfortunately, I don't know the iptables rule language, so I can't give
you rules directly :) but I'm hoping it shouldn't be too hard to figure
out from here.

Cheers :)

--
http://www.wirex.com/
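The interface-based rules the reply describes, written out in iptables as an added example that is not part of the thread. It assumes the two-NIC layout from the reply (eth0 untrusted, eth1 trusted); the interface names and the iptables binary path are placeholders settable through the environment.

```shell
#!/bin/sh
# Added example: interface-based anti-spoofing in front of dhcpd on a host
# with eth0 on the untrusted network and eth1 on the trusted subnet.
# Assumptions: interface names are placeholders; IPT is the iptables binary
# (set IPT=echo to preview the rules instead of applying them).
IPT="${IPT:-iptables}"
UNTRUSTED_IF="${UNTRUSTED_IF:-eth0}"
TRUSTED_IF="${TRUSTED_IF:-eth1}"

antispoof_rules() {
    # Very early in INPUT: drop packets arriving on the untrusted interface
    # whose source can never legitimately appear there. 0.0.0.0/8 covers the
    # source a DHCP client uses before it has a lease; the rest are RFC 1918
    # and other non-routable ranges a routed untrusted network never carries.
    for src in 0.0.0.0/8 255.255.255.255/32 127.0.0.0/8 \
               10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        "$IPT" -A INPUT -i "$UNTRUSTED_IF" -s "$src" -j DROP
    done

    # DHCP is UDP only (client port 68 -> server port 67), so no TCP rule is
    # needed. A client's source is 0.0.0.0 before it has a lease and its
    # leased address when renewing, so match on the interface, not the source.
    "$IPT" -A INPUT -i "$TRUSTED_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # Nothing else reaches the DHCP server port from any interface.
    "$IPT" -A INPUT -p udp --dport 67 -j DROP
}

# Only apply when invoked as "sh script.sh apply"; sourcing just defines the function.
if [ "${1:-}" = "apply" ]; then
    antispoof_rules
fi
```

Run `IPT=echo sh script.sh apply` to print the rules before applying them. Note that ISC dhcpd on Linux reads packets through a packet socket, which taps traffic below the netfilter INPUT hook, so these rules protect the host's IP stack but may not stop a frame reaching dhcpd itself; the same per-interface source checks then also belong in a link-layer filter.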