Method 15: DHCP Address Limiting or Disabling

0 Shields

The idea: by limiting the number of addresses available for devices to connect with, the WiFi router can limit the number of devices connecting at any given time. And by disabling DHCP altogether and manually configuring each device, it should be nearly impossible for hackers to connect their own devices, since they don’t even know what network addresses to use.

Limiting the number of addresses in the DHCP pool or even turning DHCP off offers no real protection. Hackers can easily assign their own addresses and connect to the WiFi router anyway.

Limiting the number of DHCP addresses in the pool only makes it difficult to add more legitimate devices down the road. It does not stop the hackers, as they can still assign addresses outside of the pool range to their own devices.

Turning DHCP off altogether just makes connecting legitimate devices to the WiFi router that much more difficult, with little or no gain in security. Using WiFi survey and packet sniffing tools, hackers may be able to figure out the subnet that the WiFi router is using and still assign their own address to their devices.

The thought is that limiting the number of IP addresses can limit the number of devices, and hence only allow valid devices to connect.

DHCP Settings

Unfortunately, DHCP doesn’t work this way. It assigns addresses out of a pool, yes. But a device can manually configure and select its own address outside of the pool range and connect anyway. So limiting the number of assignable addresses is really only inconveniencing yourself, especially as the number of WiFi connected devices will continue to grow as more IoT devices get brought into the home or office.
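To see this from the router owner's side, the following added example (not from the original article) compares a DHCP lease table with the list of devices actually seen on the LAN and reports every device that is using an address DHCP never gave it. The subnet, pool range, MAC addresses and both tables are constructed sample data; on a real router they would come from its DHCP client list and ARP table.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article): a router with a
# deliberately small DHCP pool, its lease table, and its ARP/neighbor table.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.103")   # only 4 addresses in the pool
ROUTER_IP = ipaddress.ip_address("192.168.1.1")

LEASES = {  # IP -> MAC handed out by the DHCP server
    "192.168.1.100": "aa:bb:cc:00:00:01",
    "192.168.1.101": "aa:bb:cc:00:00:02",
}
NEIGHBORS = [  # (IP, MAC) pairs the router actually sees on the LAN
    ("192.168.1.100", "aa:bb:cc:00:00:01"),
    ("192.168.1.101", "aa:bb:cc:00:00:02"),
    ("192.168.1.102", "de:ad:be:ef:00:03"),  # inside pool, but never leased
    ("192.168.1.200", "de:ad:be:ef:00:04"),  # outside pool, self-assigned
]

def classify(ip_str, mac, leases=LEASES):
    """Return how a seen device obtained its address, from the router's view."""
    ip = ipaddress.ip_address(ip_str)
    if ip == ROUTER_IP:
        return "router"
    if ip not in SUBNET:
        return "off-subnet"
    if leases.get(ip_str, "").lower() == mac.lower():
        return "dhcp-lease"
    if POOL_START <= ip <= POOL_END:
        return "static-in-pool"      # pool address used without a matching lease
    return "static-outside-pool"     # pool size had no bearing on this device

def audit(neighbors=NEIGHBORS, leases=LEASES):
    """List every connected device that did not get its address from DHCP."""
    return [(ip, mac, kind) for ip, mac in neighbors
            if (kind := classify(ip, mac, leases)) not in ("dhcp-lease", "router")]

if __name__ == "__main__":
    for ip, mac, kind in audit():
        print(f"{ip:15} {mac}  {kind}")
```

With DHCP turned off the lease table is empty, so every device shows up as statically addressed and the audit can no longer tell legitimate devices from unknown ones without a separate inventory of known MAC addresses.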

IP Manual Assignment

Another thought is to turn DHCP off altogether and have every device configured with its own address by hand. This is another variation on security by obscurity. It is inconvenient, time-consuming, and arduous, not to mention outside the technical comfort zone of most people. And it won’t stop the hackers. It turns out they can easily sniff packets, figure out what the IP addresses are, and start assigning their own. (These guys are relentless!)

As for the WINS and NetBIOS settings, unless you are using the WiFi router in an office setting that has a WINS server, it’s probably best to leave all of these options off. NetBIOS over TCP/IP is a potential security nightmare.

In the end, it’s probably easiest to leave DHCP running with the default number of addresses in the address pool (the address range). If the bad guys want to know about your IP assignments, or mint their own addresses, they can, and no DHCP setting is going to stop them.