After a look at the logs on the dhcp3 server, I found that an errant bank of devices was going haywire. Sure, pulling the power cord would've been a quicker fix, but I like puzzles.
Here's what I saw: first, a whole bunch of requests were coming in from a bunch of MACs prefixed with e8:39:35. All these requests were taking DHCP addresses. So I plug the prefix into the OUI lookup here:
http://www.wireshark.org/tools/oui-lookup.html
to figure out what hardware is behind that MAC.
I find out that it is not a virtual machine gone bad; it's an HP device. Great. So then I pull out the bigger brain and decide that I want to craft a DHCP pool that'll ban HP devices and allow everything else. To do this I create rules explicitly allowing and denying classes of devices. Easy?
Below you'll find a list of common MAC identifiers for virtual machines, a dhcp3.conf and some pertinent logs.
MAC identifiers
Company and Products | MAC unique identifier (OUI)
VMware ESX 3/4 Server, Workstation, Player | 00:50:56, 00:0C:29, 00:05:69
MS Hyper-V, Virtual Server, Virtual PC | 00:03:ff
Parallels Desktop, Workstation, Server, Virtuozzo | 00:1c:42
Virtual Iron 4 | 00:0f:4b
RedHat Xen | 00:16:3e
Oracle VM | 00:16:3e
XenSource | 00:16:3e
Novell Xen | 00:16:3e
Sun xVM VirtualBox | 08:00:27
dhcp3.conf
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
option routers 10.10.10.1;
option domain-name-servers 10.10.10.2, 10.10.10.3;
option domain-name "my.company.com";
option netbios-name-servers 10.10.10.2;
# "hardware" is the hardware-type byte (1 = Ethernet) followed by the MAC, so the
# first four bytes are htype + OUI; binary-to-ascii prints them in hex without
# zero padding, hence "1:0:50:56" rather than "01:00:50:56".
class "evil" {
  match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
  log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}
class "vmware-clients" {
  match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:50:56")
    or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:c:29")
    or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:5:69");
  log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}
class "not-evil" {
  match if not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
  log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}
subnet 10.10.10.0 netmask 255.255.255.0 {
  pool {
    range 10.10.10.100 10.10.10.200;
    range 10.10.10.204 10.10.10.220;
    # a client must match an allow line and no deny line to get a lease from this pool
    allow members of "vmware-clients";
    allow members of "not-evil";
    deny members of "evil";
  }
}
Log snippet
Apr 26 16:03:50 dhcpd: Wrote 8 leases to leases file.
Apr 26 16:05:00 dhcpd: DHCPREQUEST for 10.10.10.175 from e8:39:35:1f:8a:6e via eth0: lease 10.10.10.75 unavailable.
Apr 26 16:05:00 dhcpd: DHCPNAK on 10.10.10.175 to e8:39:35:1f:8a:6e via eth0
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: DHCPDISCOVER from 00:50:56:80:1a:75 via eth0
Apr 26 16:05:02 dhcpd: DHCPOFFER on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: DHCPREQUEST for 10.10.10.159 (10.10.10.2) from 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: DHCPACK on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:42 dhcpd: DHCPREQUEST for 10.10.10.162 from e8:39:35:1f:0e:97 via eth0: lease 10.10.10.162 unavailable.
Apr 26 16:05:42 dhcpd: DHCPNAK on 10.10.10.162 to e8:39:35:1f:0e:97 via eth0
Apr 26 16:07:03 dhcpd: 1:34:40:b5
Apr 26 16:07:03 dhcpd: DHCPREQUEST for 10.10.10.172 from 34:40:b5:20:a8:01 via eth0
Apr 26 16:07:03 dhcpd: DHCPACK on 10.10.10.172 to 34:40:b5:20:a8:01 via eth0
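As an added example (my code, not the post's), here is a Python script that reproduces the dhcpd class expression from the config for a given MAC, so you can check which unpadded string a class actually compares against, and tallies dhcpd log entries by OUI so a flood like the HP one stands out; the vendor map is the post's table, the sample lines are taken from the log snippet, and the NAK threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# OUI -> vendor, from the table in the post (a sample, not a full OUI database).
OUI_VENDOR = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "00:03:ff": "MS Hyper-V", "00:1c:42": "Parallels", "00:0f:4b": "Virtual Iron",
    "00:16:3e": "Xen", "08:00:27": "VirtualBox", "e8:39:35": "HP",
}

def dhcpd_class_key(mac, htype=1):
    """Reproduce dhcpd's binary-to-ascii(16, 8, ":", substring(hardware, 0, 4)).
    'hardware' is the hardware-type byte followed by the link-layer address, so
    bytes 0..3 are htype plus the 3-byte OUI. binary-to-ascii prints each byte in
    base 16 with no zero padding, which is why the config compares against
    "1:0:50:56" and "1:0:c:29" rather than "01:00:50:56" or "01:00:0c:29"."""
    octets = [htype] + [int(x, 16) for x in mac.lower().split(":")[:3]]
    return ":".join(format(o, "x") for o in octets)

LOG_RE = re.compile(
    r"dhcpd: (?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def count_by_oui(log_lines):
    """Tally dhcpd message types per OUI so a flood from one vendor stands out."""
    counts = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:  # lines with no message type (e.g. the class log() output) are skipped
            counts[m.group("mac")[:8]][m.group("msg")] += 1
    return counts

def noisy_ouis(counts, nak_threshold=2):
    """OUIs that collected at least nak_threshold DHCPNAKs (assumed threshold)."""
    return sorted((oui, OUI_VENDOR.get(oui, "unknown"))
                  for oui, c in counts.items() if c["DHCPNAK"] >= nak_threshold)

# Constructed sample input: entries from the post's log snippet, one per line.
SAMPLE_LOG = [
    "Apr 26 16:05:00 dhcpd: DHCPREQUEST for 10.10.10.175 from e8:39:35:1f:8a:6e via eth0: lease 10.10.10.75 unavailable.",
    "Apr 26 16:05:00 dhcpd: DHCPNAK on 10.10.10.175 to e8:39:35:1f:8a:6e via eth0",
    "Apr 26 16:05:01 dhcpd: 1:0:50:56",
    "Apr 26 16:05:01 dhcpd: DHCPDISCOVER from 00:50:56:80:1a:75 via eth0",
    "Apr 26 16:05:02 dhcpd: DHCPOFFER on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0",
    "Apr 26 16:05:42 dhcpd: DHCPREQUEST for 10.10.10.162 from e8:39:35:1f:0e:97 via eth0: lease 10.10.10.162 unavailable.",
    "Apr 26 16:05:42 dhcpd: DHCPNAK on 10.10.10.162 to e8:39:35:1f:0e:97 via eth0",
    "Apr 26 16:07:03 dhcpd: DHCPREQUEST for 10.10.10.172 from 34:40:b5:20:a8:01 via eth0",
]
```

Run `noisy_ouis(count_by_oui(SAMPLE_LOG))` against a real dhcpd log to get the offending OUIs, and `dhcpd_class_key()` to confirm the exact string a new class line must match.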