Hardening DHCP

Started by verfluchten, May 11, 2025, 11:48:58 PM

Is my understanding of https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol correct that the 'from' IPv4 address of the initial discovery and the first DHCP request from a DHCP client are always 0.0.0.0 and always from port 68/udp?

Next, I want to allow DHCP only from select MAC addresses, and they will include visitor devices. How can I discover MAC addresses to be manually allowed if they are not printed on the device or supplied by the visitor? Only by looking at the log for DHCPREQUEST ... from ... when the device is plugged in?

Yes, DHCP uses broadcast. Restricting clients by MAC has limited value since you cannot control the address that the client uses. For instance, an attacker can sniff packets on the network and assume the MAC and IP of a client that is allowed to connect.

Do your hardening on layer 2 by implementing VLAN separation on managed switches and multi-SSID WiFi access points.

Not really looking for design suggestions ATM, only for the answers to the original questions.

Capture the DHCP traffic on the firewall while bringing the device on the network.
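To illustrate both points raised in this thread (what the initial client messages look like on the wire, and how to pull the client MAC out of a capture or out of the DHCP server log), here is an added example that is not from any poster or from the OPNsense project. It parses the UDP payload of a BOOTP/DHCP message using the fixed RFC 2131 layout, reports the hardware address from `chaddr` and the message type from option 53, checks whether the IP/UDP envelope is the one a client with no lease must use (source 0.0.0.0, source port 68, destination port 67, `ciaddr` zero), and extracts MACs from DHCPDISCOVER/DHCPREQUEST lines in the server log. The sample packet and log lines are constructed here; the MAC addresses and hostnames are made up, and the log line format is modelled on ISC dhcpd's. Two caveats a practitioner should keep in mind: a client renewing an existing lease sends DHCPREQUEST unicast from its leased address, so the 0.0.0.0 rule only covers the initial exchange, and the MAC reported is whatever the client put in the frame, so, as noted above, it identifies a device only as far as you trust the device.

```python
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # option field starts with this cookie (RFC 2131)
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into the fields we care about."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    # Fixed header: op, htype, hlen, hops, xid, secs, flags (12 bytes)
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = payload[12:16]                  # client's current IP, zero before a lease
    chaddr = payload[28:28 + min(hlen, 16)]  # client hardware address (16-byte field)
    options = {}
    i = 240
    while i < len(payload):                  # TLV options after the magic cookie
        code = payload[i]
        if code == 0:                        # pad
            i += 1
            continue
        if code == 255:                      # end
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b"\x00")[0]
    return {
        "op": op,                            # 1 = BOOTREQUEST (client -> server)
        "xid": xid,
        "ciaddr": ".".join(str(b) for b in ciaddr),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MSG_TYPES.get(mtype, f"unknown({mtype})"),
        "hostname": options.get(12, b"").decode("ascii", "replace") or None,
    }


def is_initial_client_message(src_ip: str, src_port: int, dst_port: int, msg: dict) -> bool:
    """True when the envelope and body match a client that does not yet hold a lease."""
    return (src_ip == "0.0.0.0" and src_port == 68 and dst_port == 67
            and msg["op"] == 1 and msg["ciaddr"] == "0.0.0.0"
            and msg["message_type"] in ("DHCPDISCOVER", "DHCPREQUEST"))


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER payload for demonstration; the MAC is made up."""
    mac = bytes.fromhex("0a1b2c3d4e5f")
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # broadcast flag set
    hdr += b"\x00" * 16                      # ciaddr, yiaddr, siaddr, giaddr all zero
    hdr += mac + b"\x00" * 10                # chaddr padded to 16 bytes
    hdr += b"\x00" * 64 + b"\x00" * 128      # sname, file
    host = b"visitor-laptop"
    opts = (DHCP_MAGIC + bytes([53, 1, 1])   # option 53: DHCPDISCOVER
            + bytes([12, len(host)]) + host  # option 12: hostname
            + bytes([255]))
    return hdr + opts


# Constructed log lines in the style of ISC dhcpd; hosts and MACs are made up.
SAMPLE_LOG = """\
May 11 23:48:58 fw dhcpd[1234]: DHCPDISCOVER from 0a:1b:2c:3d:4e:5f via igb1
May 11 23:48:58 fw dhcpd[1234]: DHCPOFFER on 192.168.1.50 to 0a:1b:2c:3d:4e:5f (visitor-laptop) via igb1
May 11 23:48:59 fw dhcpd[1234]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 0a:1b:2c:3d:4e:5f (visitor-laptop) via igb1
May 11 23:48:59 fw dhcpd[1234]: DHCPACK on 192.168.1.50 to 0a:1b:2c:3d:4e:5f (visitor-laptop) via igb1
May 11 23:50:10 fw dhcpd[1234]: DHCPREQUEST for 192.168.1.21 from 00:de:ad:be:ef:01 (printer) via igb1
"""

LOG_RE = re.compile(r"DHCP(?:DISCOVER|REQUEST)\b.*?\bfrom ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def macs_from_dhcpd_log(text: str) -> list:
    """Unique client MACs seen in DISCOVER/REQUEST lines, sorted."""
    return sorted({m.group(1).lower() for m in map(LOG_RE.search, text.splitlines()) if m})


if __name__ == "__main__":
    msg = parse_dhcp(build_sample_discover())
    print(msg)
    print("initial client message:", is_initial_client_message("0.0.0.0", 68, 67, msg))
    print("MACs from log:", macs_from_dhcpd_log(SAMPLE_LOG))
```

In practice the payload would come from a packet capture taken on the firewall's LAN interface while the device is plugged in, as the last reply suggests; the log path gives the same MAC without a capture, provided the server logs the initial exchange.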