Deny DHCP Address by MAC?

Jeff Wieland wieland at purdue.edu
Sat Jul 17 15:14:15 UTC 2010


Glenn, you're right.  Darn my nearly 50-year-old memory anyway :-).

Glenn Satchell wrote:
> The other way is to use a host statement, e.g.:
>
> host "black1" {
>     hardware ethernet 00:12:ba:1d:c1:b7;
>     ignore booting;
> }
>
> I thought the difference between ignore and deny booting was that deny 
> booting logs a message each time the client requests an address. If 
> the client requests frequently this could fill your log file pretty 
> quickly.
>
> Note that the user can still manually configure an IP address, so this
> is not a perfect solution.
>
> regards,
> -glenn
>
> On 07/17/10 06:38, Jeff Wieland wrote:
>> What we usually do is to create a class called something like "black-hole",
>> and then use subclasses to match on it. Something like:
>>
>> class "black-hole" {
>>     match substring (hardware, 1, 6);
>>     # deny booting;
>>     ignore booting;
>> }
>> subclass "black-hole" 00:12:ba:1d:c1:b7;
>> subclass "black-hole" 00:12:df:b6:7b:e7;
>>
>> You can have as many of the "subclass" statements as you need. This uses an
>> "ignore booting" command, which causes dhcpd to do nothing when it sees that
>> MAC address. If you comment out the "ignore booting" and uncomment the
>> "deny booting", it will send a DHCPNAK (IIRC) to the client instead.
>>
>> Tim Evans wrote:
>>> A .EDU with insecure offices, network outlets, and labs is trying to
>>> track down a rogue DHCP client on their network that also happens to
>>> be infected with Conficker.
>>>
>>> They have a completely open DHCP setup (this is the entire dhcpd.conf
>>> file):
>>>
>>> ddns-update-style ad-hoc;
>>> authoritative;
>>> subnet 192.168.9.0 netmask 255.255.255.0 {
>>>     range 192.168.9.125 192.168.9.200;
>>>     option subnet-mask 255.255.255.0;
>>>     option broadcast-address 192.168.9.255;
>>>     option routers 192.168.9.1;
>>>     option domain-name-servers 192.168.9.4;
>>>     option domain-name "xxx.xxx.xxx";
>>> }
>>>
>>> Any connected machine can get an address from the range specified in
>>> the config file. Bouncing this one's lease merely results in it
>>> getting a new one.
>>>
>>> They know the rogue machine's MAC address, of course. Can they deny it
>>> a DHCP address based only on the MAC? How? Thanks.
>>
>>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>


-- 
          Jeff Wieland            |         Purdue University
   Network Systems Administrator  |        ITN&S Data Networks
       Voice: (765)496-8234       |        155 S. Grant Street
        FAX: (765)494-6620        |   West Lafayette, IN 47907-2115
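The class match Jeff posts above works on dhcpd's `hardware` data item, which is the one-byte hardware type followed by the client hardware address (chaddr); that is why the match expression takes offset 1, length 6, which is exactly the Ethernet MAC. The Python below is an added illustration, not code from this thread or from ISC dhcpd: it parses the fixed DHCP header of a constructed BOOTREQUEST, derives that `hardware` item, and applies the posted class/subclass rule to decide whether the server answers. The helper names, the packet bytes and the outcome labels ("drop-silently" for `ignore booting`, "refuse-and-log" for `deny booting`) are assumptions made for the example; they only name the distinction the thread describes.

```python
"""Model of the class "black-hole" / subclass matching from the thread.

Added example, not code from the mailing-list thread or from ISC dhcpd.
It reimplements only the posted match rule:
    match substring (hardware, 1, 6);
where dhcpd's `hardware` data item is the one-byte hardware type (htype)
followed by chaddr[:hlen].  The packet bytes are constructed here; the
outcome labels are this example's names for dhcpd's ignore/deny booting.
"""
import struct

# Fixed BOOTP/DHCP header (RFC 2131 section 2), 44 bytes:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16)
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
HTYPE_ETHERNET = 1
BOOTREQUEST = 1


def parse_subclass_mac(text):
    """Turn a subclass value like '00:12:ba:1d:c1:b7' (optionally with the
    trailing ';') into the 6 raw bytes dhcpd compares against."""
    octets = text.strip().rstrip(";").split(":")
    if len(octets) != 6:
        raise ValueError("not a 6-octet MAC: %r" % text)
    return bytes(int(o, 16) for o in octets)


def hardware_item(packet):
    """dhcpd's `hardware` data item: htype byte followed by chaddr[:hlen]."""
    if len(packet) < _HDR.size:
        raise ValueError("packet shorter than the fixed DHCP header")
    op, htype, hlen, *_rest, chaddr = _HDR.unpack_from(packet)
    if op != BOOTREQUEST:
        raise ValueError("not a client request (op=%d)" % op)
    if not 0 < hlen <= 16:
        raise ValueError("bad hlen %d" % hlen)
    return bytes([htype]) + chaddr[:hlen]


def in_black_hole(packet, blacklist):
    """class "black-hole" { match substring (hardware, 1, 6); }"""
    hw = hardware_item(packet)
    return hw[1:7] in blacklist          # substring(hardware, 1, 6)


def decide(packet, blacklist, mode="ignore"):
    """What the server does for this packet under the posted class body.
    mode is the booting statement in the class: 'ignore' drops the request
    without a reply; 'deny' refuses it (the thread notes this also logs)."""
    if not in_black_hole(packet, blacklist):
        return "respond"
    if mode == "ignore":
        return "drop-silently"
    if mode == "deny":
        return "refuse-and-log"
    raise ValueError("unknown booting mode %r" % mode)


def build_request(mac, xid=0x3903F326):
    """Constructed DHCPDISCOVER fixed header (no options) for the demo."""
    return _HDR.pack(BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, 0, 0x8000,
                     b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                     mac.ljust(16, b"\0"))


# The two subclass values from Jeff's posted configuration.
BLACK_HOLE = {parse_subclass_mac(m)
              for m in ("00:12:ba:1d:c1:b7", "00:12:df:b6:7b:e7")}

if __name__ == "__main__":
    rogue = build_request(parse_subclass_mac("00:12:ba:1d:c1:b7"))
    other = build_request(parse_subclass_mac("00:12:ba:1d:c1:b8"))
    print(decide(rogue, BLACK_HOLE))          # drop-silently
    print(decide(rogue, BLACK_HOLE, "deny"))  # refuse-and-log
    print(decide(other, BLACK_HOLE))          # respond
```

Because the comparison is on raw bytes, the case used in the `subclass` line does not matter, and a client whose hlen is not 6 (a non-Ethernet htype) simply never matches. As Glenn notes, this only governs what the server hands out; a host that configures its own address is unaffected.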