[FS#1132] Default config exposes ipv4 UDP port 68 to the entire Internet

LEDE Bugs lede-bugs at lists.infradead.org
Wed Nov 1 09:31:06 PDT 2017


The following task has a new comment added:

FS#1132 - Default config exposes ipv4 UDP port 68 to the entire Internet
User who did this - Peter Backes (rtc)

----------
@Arjen: Source filtering does work for UDP traffic. It is the ISP's responsibility to block any traffic that spoofs addresses that are under the ISP's control. Even for ISPs that don't do that, source filtering is a huge step forward, since, in addition to sending packets to UDP4 port 68, the attacker has to use the correct source address.

@Jo-Philipp: I am not saying the DHCP server should be pinned, but its network. If the network is not known, /24 can be assumed. If that's not the case, it must be a very special situation in which, for the benefit of security of many others, it is reasonable to demand from users to customize their configuration.

For figuring out whether the XID is correct, the DHCP client already has to receive and process the incoming packet. Blocking the packet from the Internet before it reaches the client also protects against bugs in that code.

----------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1132#comment3743
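The two-stage check discussed in the comment above (drop anything to UDP port 68 whose source is outside the DHCP server's network, assumed /24 when unknown, before the client parses it; only then verify the XID) written out as an added example. This is illustration code, not LEDE's or udhcpc's own implementation; the packets are constructed inline from the BOOTP/DHCP wire format (RFC 2131), and the addresses 192.0.2.0/24 and 198.51.100.7 are documentation ranges chosen for the example.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that follows the 236-byte BOOTP header
BOOTREPLY = 2
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
DHCPACK = 5
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes


def build_dhcp_reply(xid, yiaddr, server_id, msg_type=DHCPACK):
    """Constructed DHCP reply for the example (not a captured packet)."""
    header = struct.pack(
        HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + ipaddress.ip_address(server_id).packed
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp_reply(payload):
    """Parse the fixed header and TLV options; raises ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(HEADER_FMT, payload[:236])
    op, xid, yiaddr = fields[0], fields[4], fields[8]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": str(ipaddress.ip_address(yiaddr)), "options": options}


def server_network(server_ip, prefix=24):
    """Network replies are accepted from: the server's own network, /24 when unknown."""
    return ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)


def accept_reply(src_ip, payload, expected_xid, allowed_net):
    """Return (accepted, reason). The source check runs before any parsing,
    mirroring a firewall rule that drops the packet before the client sees it."""
    if ipaddress.ip_address(src_ip) not in allowed_net:
        return False, "dropped: source outside DHCP server network"
    try:
        msg = parse_dhcp_reply(payload)
    except ValueError as exc:
        return False, f"dropped: malformed ({exc})"
    if msg["op"] != BOOTREPLY:
        return False, "dropped: not a BOOTREPLY"
    if msg["xid"] != expected_xid:
        return False, "dropped: XID mismatch"
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or ipaddress.ip_address(sid) not in allowed_net:
        return False, "dropped: server identifier outside allowed network"
    return True, f"accepted: lease {msg['yiaddr']}"


if __name__ == "__main__":
    net = server_network("192.0.2.1")          # assumed DHCP server, /24 assumed
    xid = 0x12345678                            # XID of the client's outstanding request
    genuine = build_dhcp_reply(xid, "192.0.2.50", "192.0.2.1")
    spoofed = build_dhcp_reply(xid, "192.0.2.50", "192.0.2.1")  # same bytes, wrong source
    guessed = build_dhcp_reply(0xDEADBEEF, "192.0.2.50", "192.0.2.1")
    for src, pkt in [("192.0.2.1", genuine), ("198.51.100.7", spoofed), ("192.0.2.1", guessed)]:
        print(src, accept_reply(src, pkt, xid, net))
```

The ordering is the point: the Internet-sourced packet is rejected by the address check alone, so neither the option parser nor the XID comparison ever runs on it, which is the protection against client-side parsing bugs the comment refers to. An attacker inside the server's /24 still has to guess the XID, which is the remaining defence.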


