monitoring-plugins-2.2p8: check_dhcp broadcast requests not working

monitoring-plugins-2.2p8: check_dhcp broadcast requests not working

Marcos Madeira | Secure Networks
Hello ports@,

I am unable to get broadcast DHCP requests to be generated on OpenBSD
6.6 and 6.7 using the packaged versions of monitoring-plugins, which are
monitoring-plugins-2.2p8 and monitoring-plugins-2.2p9, respectively.

I have tested the package on a few different environments and it boils
down to this:

- unicast DHCP is working fine with something like: -i vio1 -v -t 3 -m
"52:54:00:f3:e9:cb" -r 10.10.0.10 -s 10.10.0.2 -u

- if the server runs something like
'/usr/local/libexec/nagios/check_dhcp -i vio1', which should be a
broadcast request:

  - packets will always exit through the first physical ethernet
interface (e.g. vio0)

  - no reply received

- if the server runs something like
'/usr/local/libexec/nagios/check_dhcp -i vio0'

  - if the interface has no address, a packet will not be sent at all.
No local unicast address needed with IPv4 broadcast DHCP client

  - if the interface has an address, no DHCP replies are ever received

Unicast-based DHCP monitoring works fine, but this type of monitoring
does not meet the criteria for rogue DHCP server detection.

Can anyone confirm/deny this before I get an opportunity to look at the
code?


Thanks,

--
Marcos Madeira
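Added example, not part of the thread and not code from the monitoring-plugins project: a minimal DHCP client in Python that builds a DHCPDISCOVER with the broadcast flag set, parses DHCPOFFER replies, and flags any offer whose server identifier (option 54) is not on an allow list, which is the rogue-server check the post wants broadcast monitoring for. The MAC and addresses are constructed sample values reusing the ones in the post. The network probe needs root for UDP port 68, and a plain UDP socket lets the kernel choose the outgoing interface for 255.255.255.255 rather than binding it to a chosen interface; the offline functions (packet building, parsing, classification) run as-is.

```python
"""DHCPDISCOVER broadcast + DHCPOFFER parsing with a rogue-server allow list.

Example code written for this thread; not the monitoring-plugins check_dhcp
implementation. Assumes RFC 2131 message layout (236-byte BOOTP header,
magic cookie, TLV options).
"""
import random
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
SAMPLE_MAC = bytes.fromhex("525400f3e9cb")  # 52:54:00:f3:e9:cb from the post (constructed)


def build_discover(mac, xid, broadcast=True):
    """DHCPDISCOVER. The B flag (0x8000) asks the server to reply to
    255.255.255.255, so no local unicast address is required."""
    assert len(mac) == 6
    flags = 0x8000 if broadcast else 0
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, flags,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = DHCP_MAGIC
    opts += bytes([53, 1, 1])               # message type: DISCOVER
    opts += bytes([61, 7, 1]) + mac         # client identifier (htype + MAC)
    opts += bytes([55, 3, 1, 3, 54])        # request subnet, router, server id
    opts += b"\xff"                         # END
    return hdr + opts


def parse_options(payload):
    """Return {code: value}; skips PAD (0), stops at END (255), rejects truncation."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(payload, xid):
    """Summarise a DHCPOFFER matching our transaction id, else None."""
    if len(payload) < 236:
        return None
    op, _, _, _, rxid = struct.unpack("!BBBBI", payload[:8])
    if op != 2 or rxid != xid:               # BOOTREPLY for our xid only
        return None
    opts = parse_options(payload)
    if opts.get(53) != b"\x02":               # message type: OFFER
        return None
    return {
        "server": socket.inet_ntoa(opts[54]) if 54 in opts else None,
        "offered": socket.inet_ntoa(payload[16:20]),  # yiaddr
        "router": socket.inet_ntoa(opts[3]) if 3 in opts else None,
    }


def classify_offers(offers, expected_servers):
    """Anything answering that is not an expected server id is a rogue candidate."""
    expected = set(expected_servers)
    return {"expected": [o for o in offers if o["server"] in expected],
            "rogue": [o for o in offers if o["server"] not in expected]}


def sample_offer(xid, mac=SAMPLE_MAC, server=b"\x0a\x0a\x00\x02", yiaddr=b"\x0a\x0a\x00\x64"):
    """Constructed DHCPOFFER (default: server 10.10.0.2 offers 10.10.0.100) for offline use."""
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, yiaddr, server, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = (DHCP_MAGIC + bytes([53, 1, 2]) + bytes([54, 4]) + server
            + bytes([1, 4]) + b"\xff\xff\xff\x00" + bytes([3, 4]) + b"\x0a\x0a\x00\x01" + b"\xff")
    return hdr + opts


def probe(mac=SAMPLE_MAC, expected_servers=("10.10.0.2",), timeout=3.0):
    """Broadcast a DISCOVER and collect OFFERs for `timeout` seconds (needs root)."""
    xid = random.getrandbits(32)
    offers = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        try:
            while True:
                data, _ = s.recvfrom(1500)
                offer = parse_offer(data, xid)
                if offer:
                    offers.append(offer)
        except socket.timeout:
            pass
    return classify_offers(offers, expected_servers)


if __name__ == "__main__":
    print(probe())
```

Keep the receive loop running for the full timeout rather than stopping at the first reply: a rogue server is by definition the one you did not expect, and it may answer after the legitimate one. Any local dhclient or dhcpd on the same interface can also consume the replies before this socket sees them.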

Re: monitoring-plugins-2.2p8: check_dhcp broadcast requests not working

Stuart Henderson
On 2020-07-22, Marcos Madeira | Secure Networks <[hidden email]> wrote:

> Hello ports@,
>
> I am unable to get broadcast DHCP requests to be generated on OpenBSD
> 6.6 and 6.7 using the packaged versions of monitoring-plugins, which are
> monitoring-plugins-2.2p8 and monitoring-plugins-2.2p9, respectively.
>
> I have tested the package on a few different environments and it boils
> down to this:
>
> - unicast DHCP is working fine with something like: -i vio1 -v -t 3 -m
> "52:54:00:f3:e9:cb" -r 10.10.0.10 -s 10.10.0.2 -u
>
> - if the server runs something like
> '/usr/local/libexec/nagios/check_dhcp -i vio1', which should be a
> broadcast request:
>
>   - packets will always exit through the first physical ethernet
> interface (e.g. vio0)
>
>   - no reply received
>
> - if the server runs something like
> '/usr/local/libexec/nagios/check_dhcp -i vio0'
>
>   - if the interface has no address, a packet will not be sent at all.
> No local unicast address needed with IPv4 broadcast DHCP client
>
>   - if the interface has an address, no DHCP replies are ever received
>
> Unicast-based DHCP monitoring works fine, but this type of monitoring
> does not meet the criteria for rogue DHCP server detection.
>
> Can anyone confirm/deny this before I get an opportunity to look at the
> code?

I don't know about the check_dhcp issue, but I have one comment: make
sure you don't have dhcpd/dhclient running at the same time on the same
interface. They hijack DHCP packets using bpf's "fildrop" mechanism and
don't send them to other applications.