DISCOVERY STORM DoS ?

Adam Moffett adamlists at plexicomm.net
Mon Jul 12 20:45:00 UTC 2010


Is the relay receiving all of these discover requests or is it 
duplicating the same one?

I'm wondering whether the host or the relay is generating all of this 
activity.


> I'm having the following problem: a client randomly begins sending a 
> storm of DISCOVERY requests, and DHCP responds with an OFFER, but 
> nothing more than that. These requests cause denial of service on 
> DHCP. Even after removing the MAC from DHCP, the DISCOVERY continues. I 
> tried versions V3.1.1 and 4.1.1-P1; both have the same problem.
> The IP 10.40.0.1 is a Cisco CMTS with DHCP relay activated.
>
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 
> 08:10:74:33:3a:af (Router) via 10.14.0.1
> Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) 
> via 10.14.0.1
>
> Thanks.
>
> Daniel

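Added example, not part of the original thread: a small Python log check that measures the storm per client MAC and relay address from dhcpd syslog lines like those quoted above, and shows whether the client ever followed an OFFER with a DHCPREQUEST. The threshold, the sample lines and the second MAC are constructed assumptions; the logs carry no transaction ID, so telling relay duplication from host retransmission still needs a packet capture.

```python
import re
from collections import Counter

# Matches ISC dhcpd syslog lines such as the ones quoted above (unwrapped).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcpd(?:\[\d+\])?:\s"
    r"(?P<type>DHCP[A-Z]+)\s.*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}).*?\svia\s(?P<via>\S+)"
)

def find_storms(log_text, max_per_sec=3):
    """Return clients whose peak DHCPDISCOVER rate exceeds max_per_sec.

    max_per_sec is an assumed threshold; tune it to the network.
    """
    per_sec = Counter()    # (mac, via, timestamp) -> DISCOVERs in that second
    discovers = Counter()  # (mac, via) -> total DISCOVERs
    requests = Counter()   # (mac, via) -> DHCPREQUESTs (client took an offer)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["mac"].lower(), m["via"])
        if m["type"] == "DHCPDISCOVER":
            per_sec[key + (m["ts"],)] += 1
            discovers[key] += 1
        elif m["type"] == "DHCPREQUEST":
            requests[key] += 1
    peaks = Counter()
    for (mac, via, _ts), n in per_sec.items():
        peaks[(mac, via)] = max(peaks[(mac, via)], n)
    return [
        {"mac": mac, "via": via, "peak_per_sec": peak,
         "discovers": discovers[(mac, via)], "requests": requests[(mac, via)]}
        for (mac, via), peak in sorted(peaks.items())
        if peak > max_per_sec
    ]

# Constructed sample: six DISCOVER/OFFER pairs in one second from the MAC in
# the post, plus one normal client (made-up MAC) that completes the exchange.
_PFX = "Jul 12 12:03:03 gw dhcpd: "
SAMPLE = "\n".join(
    [_PFX + "DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1",
     _PFX + "DHCPOFFER on 192.0.2.10 to 08:10:74:33:3a:af (Router) via 10.14.0.1"] * 6
    + [_PFX + "DHCPDISCOVER from 00:00:5e:00:53:01 via 10.14.0.1",
       _PFX + "DHCPOFFER on 192.0.2.20 to 00:00:5e:00:53:01 via 10.14.0.1",
       _PFX + "DHCPREQUEST for 192.0.2.20 from 00:00:5e:00:53:01 via 10.14.0.1",
       _PFX + "DHCPACK on 192.0.2.20 to 00:00:5e:00:53:01 via 10.14.0.1"]
)
```

A result with a high `peak_per_sec` and `requests` of 0 matches the pattern in the post: repeated DISCOVERs answered by OFFERs that the client never takes up.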