Friday, April 27, 2012

dhcp3 combatting evil

After lunch yesterday I received a support request from a fellow running several VMs: they weren't getting IP addresses from the DHCP server. That's weird. I've done nothing to my network and the ESX server looks just fine. There goes an afternoon...

After a look at the logs on the dhcp3 server, I found that an errant bank of devices was going haywire. Sure, pulling the power cord would've been a quicker fix, but I like puzzles.

Here's what I saw: first, a whole bunch of requests were coming in from MACs prefixed with e8:39:35, and all of them were eating up DHCP addresses. So I plugged that prefix into the OUI lookup here:
http://www.wireshark.org/tools/oui-lookup.html

to figure out what hardware is behind that MAC.

I find out that it is not a virtual machine gone bad. HP device. Great. So then I pull out the bigger brain and decide to craft a DHCP pool that bans HP devices and allows everything else. To do this I create classes that explicitly allow and deny groups of devices. Easy?

Below you'll find a list of common MAC identifiers for virtual machines, a dhcp3.conf and some pertinent logs.

MAC identifiers
Company and Products                                 MAC unique identifier
VMware ESX 3/4 Server, Workstation, Player           00:50:56, 00:0C:29, 00:05:69
MS Hyper-V, Virtual Server, Virtual PC               00:03:ff
Parallels Desktop, Workstation, Server, Virtuozzo    00:1c:42
Virtual Iron 4                                       00:0f:4b
RedHat Xen                                           00:16:3e
Oracle VM                                            00:16:3e
XenSource                                            00:16:3e
Novell Xen                                           00:16:3e
Sun xVM VirtualBox                                   08:00:27

dhcp3.conf
ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

authoritative;
log-facility local7;

option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
option routers 10.10.10.1;
option domain-name-servers 10.10.10.2, 10.10.10.3;
option domain-name "my.company.com";
option netbios-name-servers 10.10.10.2;

# substring(hardware, 0, 4) is the hardware type byte (1 = Ethernet) followed by
# the first three octets of the MAC; binary-to-ascii prints them as unpadded hex,
# so the HP prefix e8:39:35 compares as "1:e8:39:35" and 00:50:56 as "1:0:50:56".
class "evil" {
        match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

class "vmware-clients" {
        match if (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:50:56")
        or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:c:29")
        or (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:0:5:69");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

class "not-evil" {
        match if not (binary-to-ascii (16,8,":",substring(hardware, 0, 4)) = "1:e8:39:35");
        log (info, (binary-to-ascii (16,8,":",substring(hardware, 0, 4))));
}

subnet 10.10.10.0 netmask 255.255.255.0 {
        pool {
                # the upper end of the first range was mistyped as 10.10.10.10.200
                range 10.10.10.100 10.10.10.200;
                range 10.10.10.204 10.10.10.220;
                allow members of "vmware-clients";
                allow members of "not-evil";
                deny members of "evil";
        }
}

Log snippet
Apr 26 16:03:50 dhcpd: Wrote 8 leases to leases file.
Apr 26 16:05:00 dhcpd: DHCPREQUEST for 10.10.10.175 from e8:39:35:1f:8a:6e via eth0: lease 10.10.10.75 unavailable.
Apr 26 16:05:00 dhcpd: DHCPNAK on 10.10.10.175 to e8:39:35:1f:8a:6e via eth0
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: 1:0:50:56
Apr 26 16:05:01 dhcpd: DHCPDISCOVER from 00:50:56:80:1a:75 via eth0
Apr 26 16:05:02 dhcpd: DHCPOFFER on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: 1:0:50:56
Apr 26 16:05:06 dhcpd: DHCPREQUEST for 10.10.10.159 (10.10.10.2) from 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:06 dhcpd: DHCPACK on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:42 dhcpd: DHCPREQUEST for 10.10.10.162 from e8:39:35:1f:0e:97 via eth0: lease 10.10.10.162 unavailable.
Apr 26 16:05:42 dhcpd: DHCPNAK on 10.10.10.162 to e8:39:35:1f:0e:97 via eth0
Apr 26 16:07:03 dhcpd: 1:34:40:b5
Apr 26 16:07:03 dhcpd: DHCPREQUEST for 10.10.10.172 from 34:40:b5:20:a8:01 via eth0
Apr 26 16:07:03 dhcpd: DHCPACK on 10.10.10.172 to 34:40:b5:20:a8:01 via eth0
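To check that the strings in the class matches above really are what dhcpd compares against (the type byte and the unpadded hex are the easy things to get wrong), and to tally a log like the snippet above by OUI so the misbehaving bank stands out, here is an added Python example; it is not part of the original post, and the OUI sets and the sample log lines are constructed from the post's own table and snippet.

```python
import re
from collections import Counter
# Prefixes from the table above plus the "evil" HP prefix (lookup constructed for this example).
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69"}
EVIL_OUIS = {"e8:39:35"}

def dhcpd_hw_string(mac):
    """What binary-to-ascii(16, 8, ":", substring(hardware, 0, 4)) yields in dhcpd: the
    1-byte hardware type (1 = Ethernet) plus three MAC octets, hex without zero padding."""
    octets = [int(o, 16) for o in mac.split(":")]
    return ":".join(format(b, "x") for b in [1] + octets[:3])

def classify(mac):
    """Mirror the class logic of the config: evil, vmware-clients or not-evil."""
    oui = mac.lower()[:8]
    if oui in EVIL_OUIS:
        return "evil"
    if oui in VMWARE_OUIS:
        return "vmware-clients"
    return "not-evil"

# Message type, then the first MAC on the line (IPs use dots, so they never match).
LOG_RE = re.compile(r"dhcpd: (DHCP[A-Z]+) .*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b")

def tally_by_oui(lines):
    """Count dhcpd message types per client OUI; a bank of NAK'd clients stands out."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            msg, mac = m.groups()
            counts[(mac[:8], msg)] += 1
    return counts

def noisiest_nak_oui(counts):
    """OUI collecting the most DHCPNAKs, or None if nobody was NAK'd."""
    naks = Counter({oui: n for (oui, msg), n in counts.items() if msg == "DHCPNAK"})
    return naks.most_common(1)[0][0] if naks else None

# Constructed sample modelled on the post's log snippet.
SAMPLE_LOG = """\
Apr 26 16:05:00 dhcpd: DHCPREQUEST for 10.10.10.175 from e8:39:35:1f:8a:6e via eth0: lease 10.10.10.175 unavailable.
Apr 26 16:05:00 dhcpd: DHCPNAK on 10.10.10.175 to e8:39:35:1f:8a:6e via eth0
Apr 26 16:05:01 dhcpd: DHCPDISCOVER from 00:50:56:80:1a:75 via eth0
Apr 26 16:05:02 dhcpd: DHCPOFFER on 10.10.10.159 to 00:50:56:80:1a:75 (vmware-client01) via eth0
Apr 26 16:05:42 dhcpd: DHCPNAK on 10.10.10.162 to e8:39:35:1f:0e:97 via eth0
Apr 26 16:07:03 dhcpd: DHCPACK on 10.10.10.172 to 34:40:b5:20:a8:01 via eth0
""".splitlines()
```

Feed the real log through `tally_by_oui` and `noisiest_nak_oui` to confirm which prefix to put in the "evil" class before editing the config, and run `dhcpd_hw_string` on one address from that prefix to get the exact match string.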
