Blog | G5 Cyber Security

DHCP Bootp: Security Risks & Fixes

TL;DR

Bootp (Bootstrap Protocol) is an older protocol often enabled by default alongside DHCP (Dynamic Host Configuration Protocol). It’s less secure than DHCP and can allow rogue devices to get IP addresses, potentially compromising your network. Disable Bootp if you don’t need it – most modern networks don’t.

Understanding the Risk

DHCP is the standard way for devices to automatically get an IP address, subnet mask, gateway, and DNS server information on a network. Bootp predates DHCP and has weaker security features. Here’s why it’s a risk:

How to Check if Bootp is Enabled

  1. Router/Firewall Interface: The most common way is through your router or firewall’s web interface. Look for DHCP settings, and check if there’s an option related to Bootp.
  2. Command Line (Linux): If you have command-line access to a DHCP server running on Linux (e.g., using dnsmasq), you can check the configuration file. For example:
    sudo grep -i bootp /etc/dnsmasq.conf

    If you see lines enabling Bootp, it’s active.

  3. Command Line (Windows Server): Open PowerShell as an administrator and use the following command to check which client types the scope serves:
    Get-DhcpServerv4Scope -ScopeId <scope_id> | Select-Object ScopeId, Name, Type

    Replace <scope_id> with your DHCP scope ID. If Type is Bootp or Both, Bootp is enabled.
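The checks above tell you whether the server offers Bootp; they do not tell you whether any client still relies on it. As an added example (not code from the original post), the following Python script classifies a raw UDP port 67 payload as a legacy BOOTP request or a DHCP message: DHCP clients send the RFC 2131 magic cookie followed by the message-type option (53), while a plain RFC 951 BOOTP client sends neither. The two sample packets are constructed inline, not captured.

```python
# Added example: tell legacy BOOTP requests apart from DHCP ones so that
# BOOTP-only clients can be found before server-side support is disabled.
# Layout follows RFC 951 / RFC 2131; the sample packets below are constructed.
import struct

BOOTP_HEADER_LEN = 236                  # fixed header before the vendor/options area
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2131: marks a DHCP options field
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(data):
    """Parse tag/length/value options; tag 0 is a pad byte, tag 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255 or i + 1 >= len(data):
            break
        length = data[i + 1]
        opts[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify(packet):
    """Return protocol, message type, client MAC and xid for one BOOTP/DHCP payload."""
    if len(packet) < BOOTP_HEADER_LEN:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    mac = packet[28:28 + hlen].hex(":")          # chaddr starts at offset 28
    vend = packet[BOOTP_HEADER_LEN:]
    if vend.startswith(MAGIC_COOKIE):
        opts = parse_options(vend[len(MAGIC_COOKIE):])
        if 53 in opts and len(opts[53]) == 1:     # option 53 is sent only by DHCP clients
            msg = DHCP_MSG_TYPES.get(opts[53][0], "UNKNOWN")
            return {"protocol": "DHCP", "type": msg, "mac": mac, "xid": xid}
    # No cookie, or a cookie without option 53: treat as a plain RFC 951 BOOTP client
    kind = "BOOTREQUEST" if op == 1 else "BOOTREPLY"
    return {"protocol": "BOOTP", "type": kind, "mac": mac, "xid": xid}

def build_request(xid, mac, vend=b""):
    """Constructed BOOTREQUEST (Ethernet, hlen 6) with the given vendor/options area."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000) + bytes(16)  # op..giaddr
    hdr += mac + bytes(10) + bytes(64) + bytes(128)                         # chaddr, sname, file
    return hdr + vend

MAC = bytes.fromhex("0a1b2c3d4e5f")                                        # constructed
BOOTP_PKT = build_request(0x1234, MAC, bytes(64))                          # RFC 951: 64-byte zeroed vendor area
DHCP_PKT = build_request(0x5678, MAC, MAGIC_COOKIE + b"\x35\x01\x01\xff")  # option 53 = DISCOVER, then end

if __name__ == "__main__":
    for pkt in (BOOTP_PKT, DHCP_PKT):
        print(classify(pkt))
```

To run it against real traffic, feed it the UDP payload of each frame captured on port 67 (for example from a pcap); any result with protocol BOOTP identifies a client that will stop getting addresses once Bootp is disabled.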

Disabling Bootp – Step-by-Step

  1. Router/Firewall Interface (Most Common):
    • Log in to your router’s web interface (usually via a browser, e.g., 192.168.1.1 or 192.168.0.1).
    • Navigate to the DHCP settings section. This is often under ‘LAN Settings’, ‘Network Settings’ or similar.
    • Look for a checkbox or toggle labelled ‘Bootp Support’, ‘Enable Bootp Relay’, or something similar.
    • Uncheck this box/toggle it off to disable Bootp.
    • Save the changes and reboot your router if prompted.
  2. Linux (dnsmasq):
    • Edit the dnsmasq.conf file:
      sudo nano /etc/dnsmasq.conf
    • Comment out or remove any lines that mention Bootp, such as enable-bootp. For example, change enable-bootp to #enable-bootp.
    • Save the file and restart dnsmasq:
      sudo systemctl restart dnsmasq
  3. Windows Server:
    • Open PowerShell as an administrator.
    • Run the following command to restrict a specific scope to DHCP clients only, which turns off Bootp for that scope:
      Set-DhcpServerv4Scope -ScopeId <scope_id> -Type Dhcp

      Replace <scope_id> with your DHCP scope ID.

After Disabling Bootp
