[Rack] [Noisebridge-discuss] network down this afternoon, an interesting guide for people who want to help when the network goes down

Jonathan Lassoff jof at thejof.com
Tue Jun 5 17:01:13 PDT 2012


On Tue, Jun 5, 2012 at 3:38 PM, Nick Owens <mischief at offblast.org> wrote:
> Can't we whitelist the real dhcp server on udp port 68, and drop packets on
> the lan whose source port is 68 and not on the whitelist?

This kind of filtering is exactly what DHCP snooping was made for.

It takes this idea a step further and selectively filters UDP
destination_port = 68 or destination_port = 67 traffic and follows the
state of a DHCP DISCOVER, OFFER, REQUEST, ACK protocol flow.

It filters any OFFERs, or ACKs from ports that are not marked as "trusted".
An administrator then marks any ports on the switch that could
possibly follow a path back to a DHCP server, so that traffic along
that path is allowed to be forwarded to clients.

With the information garnered from that exchange, some switches also
go a step further and dynamically inspect ARP requests / responses to
block any ARP spoofing requests.
The one downside to this is that any statically-addressed things also
need to get added to the switch or need to obtain/bind their IPs with
static DHCP leases on the server.


I think we ought to take the first step and do some DHCP snooping /
filtering, to prevent any rogue servers showing up.

Cheers,
jof
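To make the DISCOVER/OFFER/REQUEST/ACK state tracking, the trusted-port rule and the ARP inspection described above concrete, here is a small simulation of a snooping switch. This is an added example, not code from the original post or from any switch vendor; the port names, MAC addresses, IPs and the `Frame` model are constructed for illustration. It also shows the caveat raised above: a statically addressed host has no lease, so its ARP traffic is dropped until an administrator adds a static binding.

```python
"""Simulated DHCP snooping plus dynamic ARP inspection on a switch.

Constructed example: port names, MACs and addresses are made up and do not
describe any real network.
"""
from dataclasses import dataclass


@dataclass
class Frame:
    in_port: str         # switch port the frame arrived on
    src_mac: str         # Ethernet source address
    proto: str           # "dhcp" or "arp"
    op: str              # DHCP: DISCOVER/OFFER/REQUEST/ACK; ARP: REQUEST/REPLY
    chaddr: str = ""     # DHCP client hardware address field
    yiaddr: str = ""     # DHCP "your IP" field (set in OFFER/ACK)
    sender_ip: str = ""  # ARP sender protocol address


SERVER_MSGS = {"OFFER", "ACK"}         # only valid from a server (UDP dst 68)
CLIENT_MSGS = {"DISCOVER", "REQUEST"}  # only valid from a client (UDP dst 67)


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> (last client op, port it came from)
        self.bindings = {}   # mac -> (ip, port), learned from ACKs or static
        self.log = []

    def add_static_binding(self, mac, ip, port):
        # Statically addressed hosts never complete a DHCP exchange, so an
        # admin has to enter them by hand (the downside noted in the thread).
        self.bindings[mac] = (ip, port)

    def handle(self, frame):
        verdict = self._dhcp(frame) if frame.proto == "dhcp" else self._arp(frame)
        self.log.append(f"{verdict.upper():7} {frame.proto} {frame.op} "
                        f"from {frame.src_mac} on {frame.in_port}")
        return verdict

    def _dhcp(self, f):
        if f.op in SERVER_MSGS:
            if f.in_port not in self.trusted:
                return "drop"            # server message on an access port: rogue
            state = self.pending.get(f.chaddr)
            if state is None:
                return "drop"            # no DISCOVER/REQUEST seen: unsolicited
            if f.op == "ACK" and state[0] == "REQUEST":
                self.bindings[f.chaddr] = (f.yiaddr, state[1])  # lease -> binding
                del self.pending[f.chaddr]
            return "forward"
        if f.op in CLIENT_MSGS:
            if f.in_port not in self.trusted and f.src_mac != f.chaddr:
                return "drop"            # chaddr must match the L2 source on access ports
            self.pending[f.chaddr] = (f.op, f.in_port)
            return "forward"
        return "drop"

    def _arp(self, f):
        if f.in_port in self.trusted:
            return "forward"
        bound = self.bindings.get(f.src_mac)
        if bound != (f.sender_ip, f.in_port):
            return "drop"                # sender claims an IP it was never leased here
        return "forward"


def run_scenario():
    """Walk one client through DHCP next to a rogue server and a static host."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    client, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    server, printer = "00:50:56:00:00:01", "00:aa:bb:cc:dd:ee"
    r = {}
    r["discover"] = sw.handle(Frame("port5", client, "dhcp", "DISCOVER", chaddr=client))
    r["good_offer"] = sw.handle(Frame("uplink", server, "dhcp", "OFFER", chaddr=client, yiaddr="10.0.0.20"))
    r["rogue_offer"] = sw.handle(Frame("port6", rogue, "dhcp", "OFFER", chaddr=client, yiaddr="10.0.0.99"))
    r["request"] = sw.handle(Frame("port5", client, "dhcp", "REQUEST", chaddr=client))
    r["good_ack"] = sw.handle(Frame("uplink", server, "dhcp", "ACK", chaddr=client, yiaddr="10.0.0.20"))
    r["rogue_ack"] = sw.handle(Frame("port6", rogue, "dhcp", "ACK", chaddr=client, yiaddr="10.0.0.99"))
    r["client_arp"] = sw.handle(Frame("port5", client, "arp", "REPLY", sender_ip="10.0.0.20"))
    r["spoofed_arp"] = sw.handle(Frame("port6", rogue, "arp", "REPLY", sender_ip="10.0.0.1"))
    # A static host has no lease, so its ARP is dropped until a binding is added.
    r["static_before"] = sw.handle(Frame("port7", printer, "arp", "REQUEST", sender_ip="10.0.0.5"))
    sw.add_static_binding(printer, "10.0.0.5", "port7")
    r["static_after"] = sw.handle(Frame("port7", printer, "arp", "REQUEST", sender_ip="10.0.0.5"))
    r["bindings"] = dict(sw.bindings)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:14} {value}")
```

The only thing that marks a port as a legitimate source of OFFER/ACK is the administrator's trusted set, which is why every port on the path back to the real server has to be trusted; an OFFER or ACK arriving anywhere else is dropped before any client sees it, and the binding table built from the ACKs is what the ARP check consults.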
>
> On Tue, Jun 5, 2012 at 3:27 PM, John Adams <jna at retina.net> wrote:
>>
>> One thing that we do is to put a blanket ACL across untrusted networks.
>>
>> Block UDP 0.0.0.0/0 port 67 and port 68 from your LANs and from any source
>> that shouldn't be offering DHCP.
>>
>> -john
>>
>> On Tue, Jun 5, 2012 at 1:40 PM, Jonathan Lassoff <jof at thejof.com> wrote:
>>>
>>> On Tue, Jun 5, 2012 at 12:44 PM, Ben Kochie <ben at nerp.net> wrote:
>>> > We could easily separate some of the services off of the one NAT box.
>>> >
>>> > I've thought about setting up a synced virtual router on stallion using
>>> > failoverd and vyatta's NAT state sync.
>>> >
>>> > It would also possibly make sense to put the local DHCP/DNS services on a
>>> > separate instance from the NAT handling.  We can easily do this with some
>>> > virtual machines on stallion.  Or we could move some of these services to
>>> > minotaur.
>>>
>>> I think there is some value to keeping all of the network functions on
>>> something that is mounted to the "Wall-O-Tubes". This way, there is a
>>> clear distinction as to what hardware is the bare-minimum necessary to
>>> keep basic services working.
>>>
>>> Perhaps we could:
>>>  - add another soekris or atom board
>>>  - Wire up some 2.4 Ghz APs to the W.O.T. (there is/was a 5 ghz one)
>>>  - Setup all downstream distribution through that Juniper EX, setup
>>> DHCP-based port security protections