Deny DHCP Address by MAC?

Glenn Satchell glenn.satchell at uniq.com.au
Sat Jul 17 11:24:36 UTC 2010 

The other way is to use a host statement, eg:

host "black1" {
     hardware ethernet 00:12:ba:1d:c1:b7;
     ignore booting;
}

I thought the difference between ignore and deny booting was that deny 
booting logs a message each time the client requests an address. If the 
client requests frequently this could fill your log file pretty quickly.

Note that the user can still manually configure an Ip address, so this 
is not a perfect solution.

regards,
-glenn

On 07/17/10 06:38, Jeff Wieland wrote:
> What we usually do is to create a class called something like "black-hole",
> and then use subclasses to match on it. Something like:
>
> class "black-hole" {
> match substring (hardware, 1, 6);
> # deny booting;
> ignore booting;
> }
> subclass "black-hole" 00:12:ba:1d:c1:b7;
> subclass "black-hole" 00:12:df:b6:7b:e7;
>
> You can have as many of the "subclass" statements as you need. This uses an
> ignore booting command, which causes dhcpd to do nothing when it see that
> MAC address. If you comment out the "ignore booting" and uncomment the
> "deny booting", it will send an DHCPNAK (IIRC) to the client instead.
>
> Tim Evans wrote:
>> A .EDU with insecure offices, network outlets, and labs, is trying to
>> track down a rogue DHCP client on their network that also happens to
>> be infected with conficker.
>>
>> They have a completely open DHCP setup (this is the entire dhcpd.conf
>> file):
>>
>> ddns-update-style ad-hoc;
>> authoritative;
>> subnet 192.168.9.0 netmask 255.255.255.0 {
>> range 192.168.9.125 192.168.9.200;
>> option subnet-mask 255.255.255.0;
>> option broadcast-address 192.168.9.255;
>> option routers 192.168.9.1;
>> option domain-name-servers 192.168.9.4;
>> option domain-name "xxx.xxx.xxx";
>> }
>>
>> Any connected machine can get an address from the range specified in
>> the config file. Bouncing this one's lease merely results in it
>> getting a new one.
>>
>> They know the rogue machine's MAC address, of course. Can they deny it
>> a DHCP address based only on the MAC? How? Thanks.
>
>

More information about the dhcp-users mailing list