
Re: Requests on the firewall



On Mon, 23 Dec 2013, Mauricio S. T. Neto wrote:
> Correct me if I'm wrong, but in the log below the DHCP server is
> sending a broadcast to port 68, and the one sending the broadcast is the
> client station with a DHCPDISCOVER message. The server

Take a look at the final paragraphs of section 4.1 of RFC2131:

   A client that cannot receive unicast IP datagrams until its protocol
   software has been configured with an IP address SHOULD set the
   BROADCAST bit in the 'flags' field to 1 in any DHCPDISCOVER or
   DHCPREQUEST messages that client sends.  The BROADCAST bit will
   provide a hint to the DHCP server and BOOTP relay agent to broadcast
   any messages to the client on the client's subnet.  A client that can
   receive unicast IP datagrams before its protocol software has been
   configured SHOULD clear the BROADCAST bit to 0.  The BOOTP
   clarifications document discusses the ramifications of the use of the
   BROADCAST bit [21].

   A server or relay agent sending or relaying a DHCP message directly
   to a DHCP client (i.e., not to a relay agent specified in the
   'giaddr' field) SHOULD examine the BROADCAST bit in the 'flags'
   field.  If this bit is set to 1, the DHCP message SHOULD be sent as
   an IP broadcast using an IP broadcast address (preferably 0xffffffff)
   as the IP destination address and the link-layer broadcast address as
   the link-layer destination address.  If the BROADCAST bit is cleared
   to 0, the message SHOULD be sent as an IP unicast to the IP address
   specified in the 'yiaddr' field and the link-layer address specified
   in the 'chaddr' field.  If unicasting is not possible, the message
   MAY be sent as an IP broadcast using an IP broadcast address
   (preferably 0xffffffff) as the IP destination address and the link-
   layer broadcast address as the link-layer destination address.

We don't have enough information to assume it's an attack; it could be a
half-baked server/relay implementation (one that always sends to broadcast),
or a complete implementation interacting with a half-baked client (one that
only receives broadcast until the DHCPACK).

A DHCP attack you normally detect by the source MAC being different from the
expected MAC, or by the content of the autoconfiguration messages (containing
routes, DNS or WINS different from what is expected).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
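
Added example, not part of this thread or of any project named in it: a small Python decoder for the BOOTP/DHCP header and option list that reads the BROADCAST bit from the 'flags' field quoted from RFC 2131 above and applies the two detection checks from the reply (source MAC versus the expected server MAC, and router/DNS/WINS options versus the values the LAN should hand out). The packet, MAC addresses and IP addresses are constructed sample data.

```python
import struct

MAGIC = b'\x63\x82\x53\x63'   # DHCP magic cookie that starts the options field (RFC 2131)
BROADCAST = 0x8000            # BROADCAST bit of the 'flags' field quoted above
OPT_ROUTER, OPT_DNS, OPT_WINS, OPT_MSG_TYPE, OPT_END = 3, 6, 44, 53, 255  # RFC 2132 codes

def ipstr(b): return '.'.join(str(x) for x in b)
def ip_list(raw): return [ipstr(raw[i:i + 4]) for i in range(0, len(raw), 4)]

def parse_dhcp(payload):
    """Decode the first 44 bytes of the fixed BOOTP header and the option list of one DHCP UDP payload."""
    f = struct.unpack('!BBBBIHH4s4s4s4s16s', payload[:44])
    if payload[236:240] != MAGIC:
        raise ValueError('missing DHCP magic cookie')
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0: i += 1; continue      # pad option: single byte, no length
        code, ln = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return {'op': f[0], 'xid': f[4], 'broadcast': bool(f[6] & BROADCAST),
            'yiaddr': ipstr(f[8]), 'chaddr': f[11][:f[2]].hex(':'), 'options': opts}

def check_server_msg(src_mac, payload, expected):
    """Apply the two checks from the mail: source MAC vs the real server, and
    router/DNS/WINS options vs what this LAN is supposed to hand out."""
    msg, findings = parse_dhcp(payload), []
    if src_mac.lower() != expected['server_mac'].lower():
        findings.append(f"source MAC {src_mac} != expected {expected['server_mac']}")
    for code, name in ((OPT_ROUTER, 'router'), (OPT_DNS, 'dns'), (OPT_WINS, 'wins')):
        got = ip_list(msg['options'][code]) if code in msg['options'] else None
        if got is not None and set(got) != set(expected[name]):
            findings.append(f"{name} {got} != expected {expected[name]}")
    return msg, findings

def build_offer(flags, yiaddr, chaddr, router, dns):
    """Constructed DHCPOFFER for the demo (sample data, not a captured packet)."""
    hdr = struct.pack('!BBBBIHH4s4s4s4s16s', 2, 1, 6, 0, 0x3903F326, 0, flags,
                      b'\0' * 4, bytes(yiaddr), b'\0' * 4, b'\0' * 4, chaddr + b'\0' * 10)
    opts = (bytes([OPT_MSG_TYPE, 1, 2, OPT_ROUTER, 4]) + bytes(router)
            + bytes([OPT_DNS, 4]) + bytes(dns) + bytes([OPT_END]))
    return hdr + b'\0' * 192 + MAGIC + opts      # 192 zero bytes = empty sname + file

# Constructed expectations for the demo LAN (documentation addresses, made-up MACs)
EXPECTED = {'server_mac': '00:11:22:33:44:55', 'router': ['192.0.2.1'], 'dns': ['192.0.2.53'], 'wins': []}

def demo():
    # An offer from an unexpected MAC, BROADCAST bit set, handing out a different router and DNS
    pkt = build_offer(BROADCAST, [192, 0, 2, 10], b'\xaa\xbb\xcc\xdd\xee\xff', [192, 0, 2, 254], [198, 51, 100, 1])
    return check_server_msg('00:11:22:33:44:56', pkt, EXPECTED)
```

A message with the BROADCAST bit set and no findings matches the RFC behaviour the reply describes (a client that needs broadcast until DHCPACK), not an attack.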