It's possible to prevent rogue DHCP servers... The same defences would work against the PXE boot attack.

You can either configure QoS on your switches to drop DHCP responses from end-users, or you can configure DHCP snooping.

-Dave

> -----Original Message-----
> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of Mike Patterson
> Sent: Monday, January 16, 2012 10:11 AM
> To: [email protected]
> Subject: Re: [Pauldotcom] pixieboot attack
>
> On 12-01-16 4:38 AM, Robin Wood wrote:
> > Has anyone done this? Do organisations use PXE boot on network machines?
>
> I've thought about it, mostly from the "how to prevent it" perspective. The most feasible answer I came up with is "hope it doesn't happen."
>
> I don't know about other organisations, but some places I've worked use it. They tend to enable it only for machine installation, and disable it again afterwards. The one group I was with that made heavy use of it had a separate VLAN just for this. Enable PXE, change the VLAN, boot / reinstall, disable PXE, change the VLAN back.
>
> I don't know what might break if you blocked the bits that PXE needs to properly work on non-"reinstall" networks, but that could be a mitigation.
>
> Mike
>
> --
> Imagine what medieval peasants would say if you could explain to them the stuff that people waste most of their time worrying about these days. - David Morgan-Mar
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
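Dave's DHCP snooping suggestion, worked through as an added example (not part of the thread or any poster's configuration). It uses Cisco IOS syntax; the VLAN number, interface names and rate limit are placeholder values chosen for illustration, and the uplink is assumed to be the only path toward the legitimate DHCP and PXE servers.

```cisco
! Enable DHCP snooping globally and on the access VLAN (VLAN 10 is a placeholder).
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop option-82 insertion unless the DHCP server is known to accept it.
no ip dhcp snooping information option

! Only the uplink toward the real DHCP/PXE servers is trusted:
! DHCPOFFER/DHCPACK arriving on any other port is discarded.
interface GigabitEthernet1/0/1
 description Uplink to distribution (DHCP and PXE servers live behind this)
 ip dhcp snooping trust

! Access ports stay untrusted (the default). The rate limit caps client
! DHCP traffic so a flooding host errdisables its own port instead of
! exhausting the switch.
interface range GigabitEthernet1/0/2 - 48
 description User access ports
 ip dhcp snooping limit rate 15

! Verification:
!   show ip dhcp snooping          - trusted ports, enabled VLANs, option-82 state
!   show ip dhcp snooping binding  - learned client MAC/IP/port bindings
```

Because PXE clients discover their boot server through the same DHCP exchange (the DHCPOFFER from the server, or a ProxyDHCP reply on the same ports), a rogue PXE/ProxyDHCP server on an untrusted access port is blocked by the same trust boundary. The corollary for Mike's reinstall-VLAN approach is that the legitimate PXE server must sit behind a trusted port, or in a VLAN where snooping is deliberately not enabled, or its offers are dropped as well.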
