[MLB-WIRELESS] another stupid q, about dhcp
Adrian Close
adrian at close.wattle.id.au
Wed Apr 3 20:59:04 EST 2002
On Wed, 3 Apr 2002, rick wrote:
> so then it is possible to stop people "hacking" into networks
In a word, no. Especially not if you mean that as a generic statement!
All you can do is take measures to make it more difficult.
In the case of configuring a DHCP server to only give out leases to
specifically known MAC addresses, you can get around this by:
1. Assigning yourself an address and using the network anyway (DHCP is not
designed as a security tool). Maybe this could be defeated by having the
gateway/router only accept traffic from known MAC addresses, but there's
nothing to stop you...
2. Sniffing the network for a valid MAC address, setting your own MAC
address to the same value and requesting a DHCP lease.
I spent a fair bit of time trying to come up with some kind of trivial but
reasonably strong means of authenticating known clients using existing
features in DHCP in creative ways, but haven't found anything good yet. I
suspect this is mostly because anything you might use as a "token" to
prove the client is a known one as far as the server is concerned, can be
sniffed and reused by a third party (Microsoft, take note).
What is needed if you really want to do this is some cryptographically
good challenge-response thing. IPSEC strikes me as nicely standardised
way of achieving this. Unfortunately IPSEC configuration can be downright
tricky and more importantly, support is not ubiquitous. It is getting
there, but currently as soon as you venture out of open source land you
have to pay extra, which most people will be disinclined to do (unless, of
course, you make it a pre-requisite for connection to your public access
node, at which point people who want to use your node will become quite
interested!).
Of course, from DoS kind of "hacking" perspective, NOTHING will save you
from Tony's 2.4GHz noise generator. ;)
Adrian Close email: adrian at close.wattle.id.au
1 Old Gippsland Rd. web: http://www.close.wattle.id.au/~adrian
Lilydale, VIC, 3140, Australia mobile: +61 412 385 201
Echelon teaser: MD5 RX-7 SSL Kiwi TRD DEADBEEF Bubba
To unsubscribe: send mail to majordomo at wireless.org.au
with "unsubscribe melbwireless" in the body of the message
More information about the Melbwireless
mailing list