On Wed, Oct 27, 2004 at 04:29:34PM +1000, Howard Lowndes wrote:
> If you are running a DHCP server on a network and have a block of IP
> addresses which you make available, how can you stop a (reasonably)
> knowledgeable luser from explicitly grabbing an address from that block
> by explicitly configuring their box with that address, thus preventing
> that IP address from being recorded in the leases, and hence you not
> immediately knowing that that box has been attached to the network.
Remove the network card from their computer, or if it's onboard, fill the RJ-45 connector with epoxy. Especially effective for lapdogs.

Practically speaking, there is no way to stop them if they have physical access to the network and/or administrative access to the machine, unless you have an intelligent switch which is capable of being told "only let DHCP traffic through by default", then getting the DHCP server to change the ACL on the port for the requestor MAC address after successful DHCP lease assignment. Yes, those sorts of switches are expensive. You can buy a lot of Araldite for that.

The problem is that your average dumb switch doesn't do any sort of restriction at the LAN level, and that's as high as you need to get to cause problems with conflicting IP addresses.

Useful tools for tracking down and killing this type of luser are things like arpwatch, which notify you if they see a MAC address they haven't seen before, and I presume you could extend the tool (or someone's probably already done it) to be able to cross-check leases with what they see, and notify you in the event of a mismatch. That still leaves you with the job of manually tracking them down and beating their computer to a pulp, but at least the tricky part of the job (diagnosing the problem) can be automated.

I'm thankful I don't administer that sort of environment any more...

- Matt
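The lease cross-check Matt presumes could be built, as an added example that is not part of the original thread and not code from arpwatch or ISC dhcpd: it parses the real dhcpd.leases and arpwatch arp.dat file formats, but the lease blocks, arp.dat lines and the pool bounds (192.168.1.50 to 192.168.1.99) below are constructed sample data. Any address from the dynamic block that arpwatch has seen on the wire without a matching active lease, or with a different MAC from the one that holds the lease, is reported; addresses outside the block are ignored because static assignments are expected there.

```python
"""Cross-check arpwatch's arp.dat against ISC dhcpd.leases to find hosts that
have configured a pool address by hand instead of taking a lease.
Added example: the file formats are real, the sample data is constructed."""
import ipaddress
import re

# Constructed sample of an ISC dhcpd.leases file. dhcpd appends a new block
# for every change, so .51 has a later block marking its lease as free.
SAMPLE_LEASES = """\
# The format of this lease file is documented in the dhcpd.leases(5) manual page.

lease 192.168.1.50 {
  starts 3 2004/10/27 06:29:34;
  ends 3 2004/10/27 18:29:34;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice";
}
lease 192.168.1.51 {
  starts 3 2004/10/27 05:00:00;
  ends 3 2004/10/27 17:00:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 192.168.1.51 {
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 192.168.1.53 {
  binding state active;
  hardware ethernet 00:00:00:00:00:01;
}
"""

# Constructed sample of arpwatch's arp.dat: <mac>\t<ip>\t<unix time>[\t<hostname>].
# arpwatch drops leading zeros from MAC octets, so they must be normalised.
SAMPLE_ARPDAT = """\
0:11:22:33:44:55\t192.168.1.50\t1098858574\talice
0:aa:bb:cc:dd:ee\t192.168.1.51\t1098860000
de:ad:be:ef:0:1\t192.168.1.52\t1098861000
0:0:0:0:0:2\t192.168.1.53\t1098862000
0:e0:4c:1:2:3\t192.168.1.1\t1098850000\tgateway
"""

POOL_FIRST, POOL_LAST = "192.168.1.50", "192.168.1.99"   # assumed dynamic block

LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.DOTALL | re.MULTILINE)


def normalize_mac(mac):
    """Lowercase and zero-pad each octet so arpwatch and dhcpd spellings compare equal."""
    return ":".join(part.lower().zfill(2) for part in mac.strip().split(":"))


def parse_leases(text):
    """Return {ip: mac} for active leases; a later block for the same IP overrides
    an earlier one, and a block without 'binding state' (older dhcpd) counts as active."""
    leases = {}
    for ip, body in LEASE_BLOCK.findall(text):
        state = re.search(r"binding state\s+(\w+);", body)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        if state and state.group(1) != "active":
            leases.pop(ip, None)          # released or expired: forget it
            continue
        if mac:
            leases[ip] = normalize_mac(mac.group(1))
    return leases


def parse_arpdat(text):
    """Return {ip: mac} for every station arpwatch has recorded."""
    seen = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) < 2:
            continue
        seen[fields[1]] = normalize_mac(fields[0])
    return seen


def find_mismatches(leases_text, arpdat_text, pool_first, pool_last):
    """Return [(ip, mac_seen, reason)] for pool addresses in use without a matching lease."""
    lo, hi = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    leases = parse_leases(leases_text)
    seen = parse_arpdat(arpdat_text)
    findings = []
    for ip in sorted(seen, key=ipaddress.IPv4Address):
        if not lo <= ipaddress.IPv4Address(ip) <= hi:
            continue                       # outside the dynamic block
        mac, leased = seen[ip], leases.get(ip)
        if leased is None:
            findings.append((ip, mac, "no active lease for this pool address"))
        elif leased != mac:
            findings.append((ip, mac, f"lease belongs to {leased}"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_mismatches(SAMPLE_LEASES, SAMPLE_ARPDAT, POOL_FIRST, POOL_LAST):
        print(f"{ip:<16} {mac:<18} {reason}")
```

Run it against the real files (typically /var/lib/dhcp/dhcpd.leases and /var/lib/arpwatch/arp.dat, paths vary by distribution) from cron and mail the output; a non-empty report is the "notify you in the event of a mismatch" step, and the MAC in the report is what you then go looking for on the switch.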
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
