[Novalug] Question

Scott Musman musman@aug-sys.com
Sun Mar 1 18:26:17 EST 2009


Malware such as worms can use the "sequential" nature of DHCP address
assignments during their targeting phase to help locate new victim
machines.  One way to level the field, actually, is to allocate a larger
space (i.e. /16 rather than /8) and have your DHCP server assign addresses
randomly within it.

It's kinda a stupid trick, but it means that for malware, finding a new
machine essentially becomes a random guessing operation, which both
makes it harder and also allows certain sensors such as black-hole
sensors, tarpits, honeypots and the like to be more effective.

Just a thought,

	- Scott

On Sun, 2009-03-01 at 17:27 -0500, Maxwell Spangler wrote:
> On Sun, 2009-03-01 at 11:29 -0500, Dan Arico wrote:
> > Something struck me a little while ago so let me ask:
> > 
> > Is there any reason I can't mix DHCP and fixed addresses on the same network 
> > providing all the addresses are on the same subnet and the DHCP server limits 
> > the addresses it provides to something outside the range of the fixed 
> > addresses?
> 
> As long as you don't let two devices try to use the same ip address, the
> devices and network won't care whether they received their assignments
> via dhcp or static configuration files.
> 
> I'm an orderly person so when I set up networks for the first time I like
> to enforce schemes on them like this:
> 
> 192.168.1.1 gateway router
> 192.168.1.2 - 9 other routers
> 192.168.1.10 - 19 servers
> 192.168.1.20 - 29 printers
> 192.168.1.30 - 39 network based devices such as point of sale touchscreens
> 192.168.1.50 - 99 pre-assigned devices to be served by dhcp
> 192.168.1.100 - 200 open, dynamic devices to be served by dhcp
> 
> I might tell the DHCP server to recognize my laptop's ethernet cable and
> always assign it .50, and its wireless address and always assign it .51.
> Elsewhere I can add an additional layer of security to some things by
> only allowing access to some data or functions if the requested
> connection is my wired laptop.  This should never be the only kind of
> security for access, but more layers makes it less likely someone will
> make the required efforts to do something you want to prevent.
> 
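A small simulation of Scott's point, added here as an example (it is not code from the thread): a worm that walks addresses sequentially from its own lease finds a neighbour immediately when the DHCP server fills the pool from the bottom, but under random allocation most of its probes land in unused space where a darknet sensor or tarpit can see them. The pool sizes (a /24 and a /16 with 50 leases each) and the sequential-walk model are assumptions of the example.

```python
import random
import statistics

# Constructed model (added example, not from the thread): a DHCP pool is a range of
# pool_size host offsets; n_hosts of them hold leases.

def allocate(pool_size, n_hosts, randomize, rng):
    """Offsets a DHCP server hands out. A sequential server fills the pool from the
    bottom; a randomising server picks leases uniformly across the whole pool."""
    if randomize:
        return set(rng.sample(range(pool_size), n_hosts))
    return set(range(n_hosts))

def empties_before_next_host(live, pool_size, start):
    """Unallocated addresses a sequential walk from `start` (exclusive, wrapping)
    crosses before reaching another live host. Each one is a probe that lands in
    unused space, i.e. traffic a darknet sensor or tarpit there would observe."""
    count = 0
    addr = (start + 1) % pool_size
    while addr != start:
        if addr in live:
            return count
        count += 1
        addr = (addr + 1) % pool_size
    return count  # start was the only live host

def gap_profile(live, pool_size):
    """Per-host gaps for every live host. Returns (median gap, share of hosts whose
    next sequential address is also live, i.e. found with a single probe)."""
    gaps = [empties_before_next_host(live, pool_size, h) for h in live]
    adjacent = sum(1 for g in gaps if g == 0) / len(gaps)
    return statistics.median(gaps), adjacent

def compare(pool_size, n_hosts, seed=1):
    """Sequential versus randomised allocation for the same pool and host count."""
    rng = random.Random(seed)
    return {
        "sequential": gap_profile(allocate(pool_size, n_hosts, False, rng), pool_size),
        "random": gap_profile(allocate(pool_size, n_hosts, True, rng), pool_size),
    }

if __name__ == "__main__":
    for size in (256, 65536):  # a /24 pool and a /16 pool, 50 leases each
        for mode, (median_gap, adjacent) in compare(size, 50).items():
            print(f"pool={size:5d} {mode:10s} median empty probes={median_gap:7.1f} "
                  f"hosts found on first probe={adjacent:.0%}")
```

The median gap is the number of probes into unused space a sensor placed there would see before the next real host is reached; the "first probe" share is what sequential allocation hands the worm for free.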