Concern Around Hackers Using DHCP Pool
-
This is a case of SMBs getting worked up over a real, but totally trivial, concern that just doesn't matter. And spending effort trying to mitigate something totally pointless, when there is so much important stuff that could be done. Is it a threat? Yeah, sure. Does it matter if someone does this to you? No, not in the least. Not in your business, not in a normal business.
Who would do this? It makes no sense.
-
@scottalanmiller said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
@scottalanmiller said in Unifi switch - tagged traffic issues:
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
Conceptually, it wouldn't take much for a whole bunch of devices to request enough DHCP leases that it would prevent legit devices from obtaining a lease. If your guest wifi DHCP server is separate from your production subnet, you mitigate that threat.
That's a pretty sad thing to have to worry about. This can't be a legitimate concern. That would do nothing. A denial of service that no one would even notice.
Actually, there is real potential for someone to notice in my current setup. I only have around 200 IPs in my current pool. Plus I have about 15 people who come in and out of the office legitimately. So if some hacker comes in and steals all of my open IPs, there won't be any left when any of those traveling folks return. And because the idea is to share this range with the public who is changing near hourly, my leases would need to be very short so I don't run out - of course the short leases are helpful in this situation, but nothing stops someone from sitting on my network for a while continuously hogging IPs just to be a jerk.
-
@Dashrender said in Unifi switch - tagged traffic issues:
@scottalanmiller said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
@scottalanmiller said in Unifi switch - tagged traffic issues:
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
Conceptually, it wouldn't take much for a whole bunch of devices to request enough DHCP leases that it would prevent legit devices from obtaining a lease. If your guest wifi DHCP server is separate from your production subnet, you mitigate that threat.
That's a pretty sad thing to have to worry about. This can't be a legitimate concern. That would do nothing. A denial of service that no one would even notice.
Actually, there is real potential for someone to notice in my current setup. I only have around 200 IPs in my current pool. Plus I have about 15 people who come in and out of the office legitimately. So if some hacker comes in and steals all of my open IPs, there won't be any left when any of those traveling folks return. And because the idea is to share this range with the public who is changing near hourly, my leases would need to be very short so I don't run out - of course the short leases are helpful in this situation, but nothing stops someone from sitting on my network for a while continuously hogging IPs just to be a jerk.
This is exactly what I mean. That makes zero sense. And don't call someone taking your IPs a hacker, but that highlights how silly this is. Taking your IPs does effectively nothing to you. It can only be done by someone sitting in your office, it gains them nothing, puts you at no risk and all it does is inconvenience you by needing to release the leases. Whoop-tee-do. Threat level: zero.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
Unifi's guest still uses all the production network services.
What's the concern there?
Licensing could be an issue if you are running Windows DHCP/DNS.
-
@scottalanmiller said:
Threat level: zero.
Incoming Phone Call From Agitated Employee Level: 15
If some device (IOT device, malicious employee, etc) is sitting on his network grabbing every IP address they can, that eventually becomes a Denial of Service attack. While "only" an inconvenience to him and the employee(s) / devices that have to wait on a valid IP address, it still leads to phone calls and agitated users.
If the only cost is my time, I'll choose mitigation every time. Although I agree with your assessment that if you're using a known insecure IOT device on your network, get it off!
-
@brianlittlejohn said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
Unifi's guest still uses all the production network services.
What's the concern there?
Licensing could be an issue if you are running Windows DHCP/DNS.
That was covered in the other thread and makes sense. But doesn't address the "hacking" concern.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@brianlittlejohn said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
Unifi's guest still uses all the production network services.
What's the concern there?
Licensing could be an issue if you are running Windows DHCP/DNS.
That was covered in the other thread and makes sense. But doesn't address the "hacking" concern.
Didn't see the other thread.
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said:
Threat level: zero.
Incoming Phone Call From Agitated Employee Level: 15
It's a small office. And no one would EVER do this. The threat level is totally non-existent.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said:
Threat level: zero.
Incoming Phone Call From Agitated Employee Level: 15
It's a small office. And no one would EVER do this. The threat level is totally non-existent.
So nobody would EVER call if they came into the office and their computer couldn't get on the network?
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
If the only cost is my time, I'll choose mitigation every time. Although I agree with your assessment that if you're using a known insecure IOT device on your network, get it off!
So you'd like to waste your time mitigating a threat that is a million to one would ever happen and has effectively no penalty even if it does happen?
This is the "shoot yourself in the face today to avoid a headache tomorrow" problem. More effort to prevent something than if the thing actually happened - and a thing that has no real world chance of happening.
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said:
Threat level: zero.
Incoming Phone Call From Agitated Employee Level: 15
It's a small office. And no one would EVER do this. The threat level is totally non-existent.
So nobody would EVER call if they came into the office and their computer couldn't get on the network?
No one would EVER attack a network in this way. It's ridiculous to discuss as an attack vector in a small office.
-
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
Sad, but true. I had someone doing this on a network with 8k IP addresses. I also have reason to believe they were causing problems at some of my (formerly) local customers as well (but no proof on their networks).
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
Sad, but true. I had someone doing this on a network with 8k IP addresses. I also have reason to believe they were causing problems at some of my (formerly) local customers as well (but no proof on their networks).
And that person was a customer sitting in the office of a small business where everyone involved could see him and could have him arrested? 8K DHCP on a single lease scope seems like a lot.
-
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
School? No. Small local coffee shop? Maybe. (This was one of the local businesses that I supported)
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
School? No. Small local coffee shop? Maybe. (This was one of the local businesses that I supported)
A small local coffee shop had 8K IPs in their DHCP scope? Seriously? It's an off campus student network in a coffee shop?
I'm not following this.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
School? No. Small local coffee shop? Maybe. (This was one of the local businesses that I supported)
A small local coffee shop had 8K IPs in their DHCP scope? Seriously? It's an off campus student network in a coffee shop?
I'm not following this.
I had two clients I am speaking of.
-
A school with 8k IPs on that subnet (where I was able to mitigate what the student was doing) -- as you said, no longer relevant to the discussion.
-
A coffee shop with ~250 IPs on their subnet where I was not able to mitigate what the student was doing (simple Wifi router, lol), and got phone calls a couple of times a week for a while where I reminded them to reboot the AP.
-
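Added example, not part of any post in this thread: for the small-pool case discussed above (around 200 to 250 addresses), a defender-side check that reads DHCP server log lines and reports when never-before-seen MAC addresses take a large share of the pool in a short window, plus which clients were then refused a lease. The message text follows ISC dhcpd's log wording; the `<ISO time> dhcpd:` prefix, the thresholds, and all sample lines are assumptions constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Message text follows ISC dhcpd; the "<ISO time> dhcpd:" prefix is an assumption.
ACK = re.compile(r"^(\S+) dhcpd: DHCPACK on \S+ to ([0-9a-f:]{17})")
NOFREE = re.compile(r"^(\S+) dhcpd: DHCPDISCOVER from ([0-9a-f:]{17}) .*no free leases$")

def analyze(lines, pool_size, window=timedelta(minutes=5), burst_fraction=0.25):
    """Return (time the burst threshold was first crossed or None, MACs refused a lease)."""
    seen, recent = set(), deque()   # recent: first-ACK times of new MACs inside the window
    burst_at, denied = None, set()
    for line in lines:
        if m := ACK.match(line):
            ts, mac = datetime.fromisoformat(m[1]), m[2]
            if mac in seen:
                continue            # a renewal does not consume another address
            seen.add(mac)
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if burst_at is None and len(recent) >= burst_fraction * pool_size:
                burst_at = ts
        elif m := NOFREE.match(line):
            denied.add(m[2])
    return burst_at, denied

def sample_log():
    """Constructed log: 3 staff clients, 1 renewal, 197 new MACs in 197 s, 1 refusal."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    ack = "{} dhcpd: DHCPACK on 10.0.0.{} to {} via eth0".format
    log = [ack((t0 + timedelta(minutes=20 * i)).isoformat(), 10 + i,
               f"02:00:00:00:00:{i:02x}") for i in range(3)]
    log.append(ack((t0 + timedelta(minutes=50)).isoformat(), 10, "02:00:00:00:00:00"))
    t1 = t0 + timedelta(hours=1)
    log += [ack((t1 + timedelta(seconds=i)).isoformat(), 50 + i,
                f"02:aa:00:00:00:{i:02x}") for i in range(197)]
    log.append(f"{(t1 + timedelta(minutes=4)).isoformat()} dhcpd: DHCPDISCOVER from "
               "02:00:00:00:00:99 via eth0: network 10.0.0.0/24: no free leases")
    return log

if __name__ == "__main__":
    burst_at, denied = analyze(sample_log(), pool_size=200)
    print("burst threshold crossed at:", burst_at)
    print("clients refused a lease:", sorted(denied))
```

Counting only first-time MACs keeps ordinary renewals under short lease times from triggering the alert.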