Concern Around Hackers Using DHCP Pool
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
School? No. Small local coffee shop? Maybe. (This was one of the local businesses that I supported)
A small local coffee shop had 8K IPs in their DHCP scope? Seriously? It's an off campus student network in a coffee shop?
I'm not following this.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
And taking up 8K IP addresses had no effect but to cause a momentary inconvenience that only took a minute to fix?
Not after I fixed the issue.
And yes, 8k was a lot. This one was a student network, so he could have been anywhere on campus doing it.
The off campus places he was doing it to were small shops and yes he could have been caught. Fortunately for him, he was not.
A school is not comparable to a small medical office. Clearly this isn't applicable to the case at hand.
School? No. Small local coffee shop? Maybe. (This was one of the local businesses that I supported)
A small local coffee shop had 8K IPs in their DHCP scope? Seriously? It's an off campus student network in a coffee shop?
I'm not following this.
I had two clients I am speaking of.
-
A school with 8k IPs on that subnet (where I was able to mitigate what the student was doing) -- as you said, no longer relevant to the discussion.
-
A coffee shop with ~250 IPs on their subnet where I was not able to mitigate what the student was doing (simple Wifi router, lol), and got phone calls a couple of times a week for a while where I reminded them to reboot the AP.
-
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
Even if they did, just shut the guest network off then. Essentially one click of the mouse and it's done. I still don't see the point of a whole separate VLAN because if someone does it there you will still have to do the same thing.
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
I had two clients I am speaking of.
-
A school with 8k IPs on that subnet (where I was able to mitigate what the student was doing) -- as you said, no longer relevant to the discussion.
-
A coffee shop with ~250 IPs on their subnet where I was not able to mitigate what the student was doing (simple Wifi router, lol), and got phone calls a couple of times a week for a while where I reminded them to reboot the AP.
I see. But I'd still say that random people at a coffee shop are not similar to guests in a medical office. It's not socially related. Someone "wanting to mess with some wifi" would target a coffee shop where the wifi is a big deal and part of the business. The guest wifi in a medical office is just a bonus for people, no one is getting medical attention just to sit and use the wifi while waiting.
I'm going to go with "still not applicable", but it is closer at least. But have some empathy for the people in the situation here - absolutely no one is ever (and maybe has never in the history of the Internet) bothered to attack a small medical office in this way.
-
-
@stacksofplates said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
Even if they did, just shit the guest network off then. Essentially one click of the mouse and it's done. I still don't see the point of a whole separate VLAN because if someone does it there you will still have to do the same thing.
Yeah, separating them still leaves both networks open for attack. If someone attacks the guest network, you have to deal with that the same. And if something goes wrong or an internal user attacks the main network, that's still got the problem. I don't see any real risk mitigation, just time being spent to make things more complex.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@stacksofplates said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
Everyone truly believes that customers of a doctor's office will sit in the office, and knowing that they are doing something that will hurt no one and have no useful effect, take the time to try to tie up IP addresses? I'm lost, what motivation do you think people have for this? Why would someone do this? How many of you have seen people do this in the real world?
Even if they did, just shit the guest network off then. Essentially one click of the mouse and it's done. I still don't see the point of a whole separate VLAN because if someone does it there you will still have to do the same thing.
Yeah, separating them still leaves both networks open for attack. If someone attacks the guest network, you have to deal with that the same. And if something goes wrong or an internal user attacks the main network, that's still got the problem. I don't see any real risk mitigation, just time being spent to make things more complex.
Interesting typo I made there
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
I think where @Dashrender is going is that if you use the Unifi guest service and it's using your production DHCP and DNS servers, and then those devices get hacked, they can take down your production DNS/DHCP servers. If they are on their own VLAN and using their own DHCP/DNS servers, you are mitigating some of that threat.
This exactly - and just to clarify a tiny bit - the bits getting hacked are the IOT/guest network devices, not DHCP/DNS.
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
It's been proven to happen, yes. This is exactly what hit that university.
-
@travisdh1 said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
I think where @Dashrender is going is that if you use the Unifi guest service and it's using your production DHCP and DNS servers, and then those devices get hacked, they can take down your production DNS/DHCP servers. If they are on their own VLAN and using their own DHCP/DNS servers, you are mitigating some of that threat.
This exactly - and just to clarify a tiny bit - the bits getting hacked are the IOT/guest network devices, not DHCP/DNS.
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
It's been proven to happen, yes. This is exactly what hit that university.
You're making my point. Clearly there is no threat, at all, to a medical office.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@travisdh1 said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
I think where @Dashrender is going is that if you use the Unifi guest service and it's using your production DHCP and DNS servers, and then those devices get hacked, they can take down your production DNS/DHCP servers. If they are on their own VLAN and using their own DHCP/DNS servers, you are mitigating some of that threat.
This exactly - and just to clarify a tiny bit - the bits getting hacked are the IOT/guest network devices, not DHCP/DNS.
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
It's been proven to happen, yes. This is exactly what hit that university.
You're making my point. Clearly there is no threat, at all, to a medical office.
Unless they use insecure IOT thingies.
-
The only valid reasoning here is for the licensing of the DHCP and DNS. Nothing else is ever a concern for this in the scenario stated.
Obviously a different setup will have a different level of concern and risk.
-
@dafyre said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@travisdh1 said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Unifi switch - tagged traffic issues:
@Mike-Davis said in Unifi switch - tagged traffic issues:
I think where @Dashrender is going is that if you use the Unifi guest service and it's using your production DHCP and DNS servers, and then those devices get hacked, they can take down your production DNS/DHCP servers. If they are on their own VLAN and using their own DHCP/DNS servers, you are mitigating some of that threat.
This exactly - and just to clarify a tiny bit - the bits getting hacked are the IOT/guest network devices, not DHCP/DNS.
You think that your guests in the office are attacking your DNS and DHCP services? And you feel that your DNS and DHCP are that fragile to be a concern to that degree?
It's been proven to happen, yes. This is exactly what hit that university.
You're making my point. Clearly there is no threat, at all, to a medical office.
Unless they use insecure IOT thingies.
Which, if on the guest network is a serious concern, and which if not, is a different concern. IoT needs to be secured regardless of this and is a separate issue.
-
@JaredBusch said in Concern Around Hackers Using DHCP Pool:
The only valid reasoning here is for the licensing of the DHCP and DNS. Nothing else is ever a concern for this in the scenario stated.
Obviously a different setup will have a different level of concern and risk.
Exactly. If we were discussing non-Windows services here, there'd be no risk at all to worry about. It makes sense to not use them as Windows licensing is a problem here, but only because it is Windows, not because of people using your DNS.
-
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
If the only cost is my time, I'll choose mitigation every time. Although I agree with your assessment that if you're using a known insecure IOT device on your network, get it off!
So you'd like to waste your time mitigating a threat that is a million to one would ever happen and has effectively no penalty even if it does happen?
This is the "shoot yourself in the face today to avoid a headache tomorrow" problem. More effort to prevent something than if the thing actually happened - and a thing that has no real world chance of happening.
Actually, that's completely false. This has happened to me. We lease space in another doctor's office. They ran out of IPs. Their own IT person didn't figure this out... I had to go out there and show them that my devices weren't getting an IP. He looked - oh yeah.. OK I'll fix it.
And whatever his fix was, it didn't fix it, because it happened again the following week.
-
@Dashrender said in Concern Around Hackers Using DHCP Pool:
@scottalanmiller said in Concern Around Hackers Using DHCP Pool:
@dafyre said in Concern Around Hackers Using DHCP Pool:
If the only cost is my time, I'll choose mitigation every time. Although I agree with your assessment that if you're using a known insecure IOT device on your network, get it off!
So you'd like to waste your time mitigating a threat that is a million to one would ever happen and has effectively no penalty even if it does happen?
This is the "shoot yourself in the face today to avoid a headache tomorrow" problem. More effort to prevent something than if the thing actually happened - and a thing that has no real world chance of happening.
Actually, that's completely false. This has happened to me. We lease space in another doctor's office. They ran out of IPs. Their own IT person didn't figure this out... I had to go out there and show them that my devices weren't getting an IP. He looked - oh yeah.. OK I'll fix it.
And whatever his fix was, it didn't fix it, because it happened again the following week.
And it was an attack? Or just shared DHCP space with someone who didn't know what he was doing? I never said you'd never run out of addresses. I said that the attack you are preparing to defend against will never happen. Your example is very different.
-
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
-
@Dashrender said in Concern Around Hackers Using DHCP Pool:
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
Takes seconds? You are having nothing but issues because of wanting a VLAN.
-
@JaredBusch said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Concern Around Hackers Using DHCP Pool:
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
Takes seconds? You are having nothing but issues because of wanting a VLAN.
Thanks - it's true I have a current issue, that's related to VLANs - but this guest network is not one of them. That was installed and working in only seconds longer than it would have taken if I didn't have a VLAN. My current issues are around a legacy network.
-
@Dashrender said in Concern Around Hackers Using DHCP Pool:
@JaredBusch said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Concern Around Hackers Using DHCP Pool:
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
Takes seconds? You are having nothing but issues because of wanting a VLAN.
Thanks - it's true I have a current issue, that's related to VLANs - but this guest network is not one of them. That was installed and working in only seconds longer than it would have taken if I didn't have a VLAN. My current issues are around a legacy network.
https://mangolassi.it/topic/12645/unifi-switch-tagged-traffic-issues
Wasn't this thread started because you couldn't get it to work?
-
@Dashrender said in Concern Around Hackers Using DHCP Pool:
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
If it only took seconds, took nothing to maintain, added no complexity to the network and was just as easy to hand over to someone else, then I'd agree.
-
@stacksofplates said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Concern Around Hackers Using DHCP Pool:
@JaredBusch said in Concern Around Hackers Using DHCP Pool:
@Dashrender said in Concern Around Hackers Using DHCP Pool:
I will grant you that the attack is extremely unlikely either against DNS or DHCP, but considering it takes seconds to set up, I don't see the harm in it either. Coupled with the already stated fact of the Windows licensing makes it a requirement in my case since I don't want to set up completely separate APs for guest access.
Takes seconds? You are having nothing but issues because of wanting a VLAN.
Thanks - it's true I have a current issue, that's related to VLANs - but this guest network is not one of them. That was installed and working in only seconds longer than it would have taken if I didn't have a VLAN. My current issues are around a legacy network.
https://mangolassi.it/topic/12645/unifi-switch-tagged-traffic-issues
Wasn't this thread started because you couldn't get it to work?
No, that thread - where I am still having problems - is because I can't get my phones to work on their designated VLAN - has nothing to do with Guest access.