Giving things an IP address is dangerous (to them)

January 25, 2022

We run a DHCP server for those of our internal 'sandbox' networks that are interested in assigning IPs that way (some people prefer static allocation). Most of those networks only give static IPs to already known machines, without an 'open' pool of IP addresses for unknown ones. One entirely predictable result of this (when combined with our variegated user population) is a certain number of unknown machines on various of these networks that are forever plaintively broadcasting to ask for an IP address, often pretty frequently. One annoying effect of this is a lot of clutter in our DHCP server logs.

Every so often when I look at the logs and see the clutter, I once again have the clever idea of just adding some dummy DHCP entries for the more prolific of these machines. It would be easy enough to hand out completely unroutable IP addresses to these machines, ones that aren't even on the network's subnet and that the firewall would block anyway. Since there aren't all that many of these machines, we could theoretically even give each of them their own little /28 or so with nothing else on it. This would at least get them to shut up and de-clutter our DHCP logs so that we have a better chance of seeing useful information and genuine issues.

Then I think a bit more and toss this clever idea out the window (again).

The problem with this clever idea is that giving random things an IP address is dangerous, and not just to other things on your network. Once something has an IP address, other things with an IP address can find it and talk to it. It doesn't necessarily matter that those other machines are nominally on a different network; that can be worked around in various ways, possibly even accidentally (consider the various forms of broadcast, multicast, and so on). By putting these machines on off-subnet IP addresses, we would also make them stand out like a sore thumb to anything looking for anomalies. Once they had an IP address, it's very likely that these machines would send out various sorts of traffic that would make them visible, and even if they did nothing else they would periodically renew their DHCP leases, exposing themselves through that traffic alone.

What makes this more dangerous is that these are likely to be neglected devices, ones that no one even thinks have an IP (or are supposed to have one). People tend to notice when their actual servers need an IP and don't have one; they may not even know that their network switches, the IPMIs of their servers, and other miscellany are all asking to get on the network too. Many of these devices probably have default logins and passwords, alarming security holes, or both, and some of them create security vulnerabilities in other machines (most obviously the IPMIs of servers, which sit below the server's own OS). These are some of the last things that we should be casually putting on the network with an IP address so that random people can talk to them.
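Rather than silencing these devices with dummy leases, the useful thing to do with the log clutter is turn it into an inventory of unknown devices to go and find. The following is an added example, not code from the original post or from any DHCP server: it summarises refused DHCPDISCOVER requests per MAC address from syslog-style lines written in the format ISC dhcpd uses ("no free leases"), and attaches a coarse device-class hint from the MAC's OUI. The sample log lines, MAC addresses, and the OUI-to-device table are all constructed for the example; a real deployment would consult the IEEE OUI registry rather than the placeholder prefixes used here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, written in the style of ISC dhcpd syslog output.
# The lines, hostnames and MACs are made up for this example.
SAMPLE_LOG = """\
Jan 25 10:00:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:00:00:01 via eth1: network 10.10.1.0/24: no free leases
Jan 25 10:00:31 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:00:00:01 via eth1: network 10.10.1.0/24: no free leases
Jan 25 10:01:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:00:00:01 via eth1: network 10.10.1.0/24: no free leases
Jan 25 10:01:07 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:cc:dd:00:00:02 via eth2: network 10.10.2.0/24: no free leases
Jan 25 10:01:09 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.10.1.50 from 00:11:22:33:44:55 via eth1
Jan 25 10:01:09 dhcp1 dhcpd[1234]: DHCPACK on 10.10.1.50 to 00:11:22:33:44:55 via eth1
Jan 25 10:02:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:aa:bb:00:00:01 via eth1: network 10.10.1.0/24: no free leases
"""

# Matches a DHCPDISCOVER the server refused because the MAC has no host
# entry and the network has no dynamic pool to fall back on.
DISCOVER_RE = re.compile(
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"via (?P<iface>\S+): network (?P<net>\S+): no free leases",
    re.IGNORECASE,
)

# Placeholder OUI (first three octets) -> device-class hints. These prefixes
# are invented for the example and are not real vendor assignments.
OUI_HINTS = {
    "00:aa:bb": "server BMC/IPMI (assumed)",
    "00:cc:dd": "managed switch (assumed)",
}


def device_hint(mac):
    """Return a coarse device-class guess from the MAC's OUI, or 'unknown'."""
    return OUI_HINTS.get(mac[:8], "unknown")


def unknown_requesters(log_text, min_count=1):
    """Summarise refused DHCPDISCOVERs per MAC address.

    Returns a list of dicts, noisiest MAC first, for every MAC refused at
    least min_count times. Nothing here hands out an address: the output is
    a to-do list of devices to physically locate, not a set of dummy host
    entries to add to the DHCP configuration.
    """
    counts = Counter()
    seen_on = defaultdict(set)
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        counts[mac] += 1
        seen_on[mac].add((m["iface"], m["net"]))

    report = []
    for mac, n in counts.most_common():
        if n < min_count:
            break  # most_common() is sorted descending, so we are done
        report.append({
            "mac": mac,
            "requests": n,
            "seen_on": sorted(seen_on[mac]),
            "hint": device_hint(mac),
        })
    return report


if __name__ == "__main__":
    for entry in unknown_requesters(SAMPLE_LOG):
        where = ", ".join(f"{iface} ({net})" for iface, net in entry["seen_on"])
        print(f"{entry['mac']}  {entry['requests']:3d}x  {where}  {entry['hint']}")
```

Raising min_count filters the report down to the prolific devices the post talks about; the interface and subnet a device was seen on narrow down which switch closet or rack to check, and a BMC-class hint is a signal to treat the device as a sensitive one rather than harmless clutter.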

Last modified: Tue Jan 25 21:37:30 2022