Re: Requisições no firewall
On Mon, 23 Dec 2013, Mauricio S. T. Neto wrote:
> Me corrija se eu estiver errado, mas no log abaixo o servidor DHCP
> esta enviando broadcast para a porta 68 e quem envia o broadcast é a
> estação cliente com uma mensagem do tipo DHCDISCOVER. O servidor
Dá uma olhada nos parágrafos finais da seção 4.1 do RFC2131:
A client that cannot receive unicast IP datagrams until its protocol
software has been configured with an IP address SHOULD set the
BROADCAST bit in the 'flags' field to 1 in any DHCPDISCOVER or
DHCPREQUEST messages that client sends. The BROADCAST bit will
provide a hint to the DHCP server and BOOTP relay agent to broadcast
any messages to the client on the client's subnet. A client that can
receive unicast IP datagrams before its protocol software has been
configured SHOULD clear the BROADCAST bit to 0. The BOOTP
clarifications document discusses the ramifications of the use of the
BROADCAST bit [21].
A server or relay agent sending or relaying a DHCP message directly
to a DHCP client (i.e., not to a relay agent specified in the
'giaddr' field) SHOULD examine the BROADCAST bit in the 'flags'
field. If this bit is set to 1, the DHCP message SHOULD be sent as
an IP broadcast using an IP broadcast address (preferably 0xffffffff)
as the IP destination address and the link-layer broadcast address as
the link-layer destination address. If the BROADCAST bit is cleared
to 0, the message SHOULD be sent as an IP unicast to the IP address
specified in the 'yiaddr' field and the link-layer address specified
in the 'chaddr' field. If unicasting is not possible, the message
MAY be sent as an IP broadcast using an IP broadcast address
(preferably 0xffffffff) as the IP destination address and the link-
layer broadcast address as the link-layer destination address.
Não temos informação suficiente para supor que é ataque, pode ser uma
implementação de server/relay meia boca (que sempre envia para broadcast),
ou uma implementação completa interagindo com cliente meia boca (que só
recebe broadcast até o DHCPACK).
Ataque DHCP normalmente você detecta pelo MAC origem diferente do MAC
esperado, ou pelo conteúdo das mensagens de autoconfiguração (contendo
rotas, DNS ou WINS diferentes do esperado).
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: