• TipRing
    English
    186 months ago

    I use option 121 as part of my work, though I am not an expert on DHCP. This attack does make sense to me and it would be hard to work around given the legitimate uses for that option.

      • Max-P
        English
        86 months ago

        Adding routes for other things on the network the clients can reach directly and removing some load from the router. For example, reaching another office location through a tunnel, you can add a route to 10.2.0.0/16 via 10.1.0.4 and the clients will direct the traffic directly at the appropriate gateway.

        Arguably one should design the network such that this is not necessary but it’s useful.

        • Nyfure
          26 months ago

          To be fair, any proper VPN setup that only relies on the routing table like this is flawed to begin with.
          If the VPN program dies or the network interface disappears, the routes are removed as well, allowing traffic to leave the machine without the VPN.
          So it is already a good practice to block traffic where it shouldn’t go (or even better, only allowing it where it should).
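
An added example, not written by anyone in this thread: a decoder for the DHCP option 121 payload (RFC 3442 classless static routes) that shows how the 10.2.0.0/16 via 10.1.0.4 route mentioned above is encoded, plus a check that lists pushed routes falling outside the prefixes a network is expected to hand out. The sample bytes, the `expected` allow-list and the function names are assumptions made up for the illustration.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 entries: prefix length, then only the significant
    destination octets, then a 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                      # destination octets on the wire
        end = i + 1 + n + 4
        if end > len(data):
            raise ValueError("truncated route entry")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        net = ipaddress.ip_network((int.from_bytes(dest, "big"), plen), strict=False)
        gateway = ipaddress.ip_address(data[i + 1 + n:end])
        routes.append((net, gateway))
        i = end
    return routes

def unexpected_routes(routes, expected):
    """Return routes that are neither the default route nor inside one of
    the prefixes the administrator expects DHCP to distribute."""
    nets = [ipaddress.ip_network(e) for e in expected]
    return [(net, gw) for net, gw in routes
            if net.prefixlen != 0 and not any(net.subnet_of(e) for e in nets)]

# Constructed option 121 payload (not captured from a real network):
SAMPLE = bytes([
    16, 10, 2, 10, 1, 0, 4,            # 10.2.0.0/16 via 10.1.0.4 (route from the thread)
    24, 198, 51, 100, 10, 1, 0, 66,    # 198.51.100.0/24 via 10.1.0.66 (outside policy)
    0, 10, 1, 0, 1,                    # 0.0.0.0/0 via 10.1.0.1 (default route)
])

if __name__ == "__main__":
    routes = parse_option_121(SAMPLE)
    for net, gw in routes:
        print(f"{net} via {gw}")
    for net, gw in unexpected_routes(routes, ["10.0.0.0/8"]):
        print(f"REVIEW: {net} via {gw} is outside the expected prefixes")
```

Running the check against the lease a client actually received complements the firewall approach from the last comment: the firewall blocks traffic that leaves by the wrong path, while this shows which pushed route would have sent it there.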