DISCOVERY STORM DoS ?

Keith Perry (perryk) perryk at cisco.com
Tue Jul 20 12:49:17 UTC 2010


The following command on the Cisco CMTS controls the number of DHCP LEASEQUERY request messages that are sent for unknown IP addresses per each service ID (SID) on an upstream:
 
cable source-verify leasequery-filter upstream
 
http://www.ciscosystems.cg/en/US/docs/ios/cable/command/reference/cbl_08_cable_s.html#wp1050476
 
Keith 

________________________________

From: dhcp-users-bounces+keith.perry=sciatl.com at lists.isc.org [mailto:dhcp-users-bounces+keith.perry=sciatl.com at lists.isc.org] On Behalf Of Patricio Latini
Sent: Thursday, July 15, 2010 4:23 PM
To: frnkblk at iname.com; daniel at dgnetwork.com.br; 'Users of ISC DHCP'
Subject: RE: DISCOVERY STORM DoS ?



On the Arris C4 it is

 

configure cable proto-throttle dhcp 

configure cable proto-throttle interval <INT> 

configure cable proto-throttle max-burst <INT>

 

Patricio

 

From: Frank Bulk - iName.com [mailto:frnkblk at iname.com] 
Sent: Thursday, July 15, 2010 1:02 AM
To: daniel at dgnetwork.com.br; 'Users of ISC DHCP'; Patricio Latini
Cc: dhcp-users at isc.org
Subject: RE: DISCOVERY STORM DoS ?

 

We have a Moto BSR64000, and I've never seen any DHCP rate-limiting, either. Just a "max-hosts".

 

Frank

 

From: dhcp-users-bounces+frnkblk=iname.com at lists.isc.org [mailto:dhcp-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf Of "Daniel D. Gonçalves"
Sent: Wednesday, July 14, 2010 12:29 PM
To: Patricio Latini
Cc: dhcp-users at isc.org
Subject: Re: DISCOVERY STORM DoS ?

 

My CMTS is a Cisco UBR 10K, but I didn't find information about rate limiting.
 
Patricio Latini wrote: 

Daniel, you should activate DHCP throttling in your CMTS. Advanced CMTSs support rate-limiting features that limit the quantity of DHCP DISCOVERs/REQUESTs in order to avoid this kind of DoS attack.

 

Patricio

 

From: dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org [mailto:dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org] On Behalf Of "Daniel D. Gonçalves"
Sent: Monday, July 12, 2010 5:39 PM
To: dhcp-users at isc.org
Subject: DISCOVERY STORM DoS ?

 

I'm having the following problem: a client randomly begins sending a storm of DISCOVERY requests, and DHCP responds with an OFFER, but nothing more than that. These requests cause denial of service on DHCP. Even after removing the MAC from DHCP, the DISCOVERY requests continue. I tried versions V3.1.1 and 4.1.1-P1; both have the same problem.
The IP 10.40.0.1 is a Cisco CMTS with dhcp relay activated.

Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1

Thanks.

Daniel



__________ Information from ESET Smart Security, version of virus signature database 5267 (20100710) __________

The message was checked by ESET Smart Security.

http://www.eset.com



