Lately I wrote an article covering one use of MACkerer2. The described scenario is basically this:
- You have a subnet or otherwise limited number of IP addresses for one scope
- A virtually unlimited number of machines is supposed to share the limited number of IP addresses (of course never simultaneously)
- The MS DHCP server has no solution for this, neither on Windows 2000 nor Windows 2003 Server. However, I heard this will somehow be handled by Longhorn
This is obviously a problem, but MACkerer2 comes in handy and solves it. However, this is obviously not the only use for it. While you could use it only for logging on one hand, you can of course handle a case where you have more than enough IP addresses, but do not want to create reservations for each and every machine. And seriously, the configuration file of MACkerer2 lets you change the MAC, while this is a read-only text field in the management console for the DHCP server if you have created a reservation. So yes, MACkerer2 can be used as a means of limiting access to your DHCP server in any applicable case. The hardware addresses can of course be spoofed, but there are two problems with this approach for a potential attacker:
- He needs to find out a functioning MAC from a set of 2^48 addresses (sniffing could be used),
- … but more importantly this will cause (recognizable) malfunction of other network parts
Does this mean MACkerer2 is prone to a DoS attack in this respect? No! This attack is applicable in any scenario, even without MACkerer2 being installed. Furthermore this is no OS-specific or software issue, so Microsoft’s DHCP server cannot be blamed either.
If you want MACkerer2 to safeguard your DHCP scopes, just install it and restart the DHCP server. It will load the MACkerer2 DLL and MACkerer2 will start waiting for requests and block them if it is configured to. The configuration has been topic of the last article mentioned before, so I will not cover this here. However, there are some things to note:
- MACkerer2 will re-read the configuration if you just pause and resume the DHCP server service! No need to stop and start, which can take a notable amount of time in some environments. Pause and resume is quick.
- Stop and start will of course cause MACkerer2 to re-read the configuration as well.
- MACkerer2 will not save you from MAC (hardware address) spoofing.
- MACkerer2 does not currently distinguish between scopes you defined in the MMC! There will be some kind of grouping with the next major release of MACkerer2, though. So you can group a bunch of MACs together and assign a certain configuration scheme to them.
Well, that’s it for now. Post any questions here or contact me as usual via email, ICQ or whatever else is given on my contact form.