Denial of service mitigation techniques? What do you do?

Simon Hobson dhcp1 at thehobsons.co.uk
Fri Apr 8 15:06:21 UTC 2011


Paul Keck wrote:
>On Fri, Apr 08, 2011 at 09:00:21AM +1000, Glenn Satchell wrote:
>>  easier, and it applies in all scopes:
>>
>>  class "thugs" {
>>         match if substring(hardware, 1, 6) = 08:10:74:2f:21:83;
>>         deny booting;
>>  }
>>
>>  or with subclasses in case you have a few to ignore.
>>
>>  class "thugs" {
>>         match substring(hardware, 1, 6);
>>         deny booting;
>>  }
>>
>>  subclass "thugs" 08:10:74:2f:21:83;
>>  subclass ...
>
>Glenn,
>
>do you think this would take the heat off the dhcpd process significantly?
>i.e. how much less expensive is it for the server to deny booting rather than
>make an offer?  It still has to deal with the guy asking over and over.  I'm
>wondering if this approach would be enough or if I'd need to block the
>requests with iptables to keep them off dhcpd's back.

Well the server doesn't need to write any lease records, and if you 
use ignore instead of deny then it doesn't have to write any log 
entries either. Those two between them are normally the limiting 
factor for a server.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
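
An added example, not part of the original post or of ISC's code: a short Python sketch that counts DHCPDISCOVER/DHCPREQUEST lines per MAC in a slice of dhcpd syslog output and emits `subclass` lines for the "thugs" class quoted above, using `ignore booting` as the reply suggests. The log lines are constructed in the usual dhcpd syslog shape, and the threshold and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread): one client hammering the
# server, one client doing a normal DISCOVER/OFFER/REQUEST/ACK exchange.
SAMPLE_LOG = "\n".join(
    ["Apr  8 15:00:%02d dhcp1 dhcpd: DHCPDISCOVER from 08:10:74:2f:21:83 via eth0" % s
     for s in range(6)]
    + ["Apr  8 15:00:07 dhcp1 dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:01 via eth0",
       "Apr  8 15:00:07 dhcp1 dhcpd: DHCPOFFER on 10.0.0.50 to 00:16:3e:aa:bb:01 via eth0",
       "Apr  8 15:00:07 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.50 (10.0.0.1) "
       "from 00:16:3e:aa:bb:01 via eth0",
       "Apr  8 15:00:07 dhcp1 dhcpd: DHCPACK on 10.0.0.50 to 00:16:3e:aa:bb:01 via eth0"])

# Only client-originated messages count; server replies (OFFER/ACK) are skipped.
REQ = re.compile(
    r"dhcpd(?:\[\d+\])?: (DHCPDISCOVER|DHCPREQUEST)\b.*?\bfrom "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def count_requests(log_text):
    """Return a Counter of client requests per MAC for the given log slice."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            counts[m.group(2).lower()] += 1
    return counts

def noisy_clients(counts, threshold):
    """MACs with at least `threshold` requests in the slice (threshold is an assumption)."""
    return sorted(mac for mac, n in counts.items() if n >= threshold)

def render_class(macs, name="thugs"):
    """dhcpd.conf fragment: the subclass form from the thread, with ignore instead of deny."""
    lines = [f'class "{name}" {{',
             "        match substring(hardware, 1, 6);",
             "        ignore booting;",
             "}"]
    lines += [f'subclass "{name}" {mac};' for mac in macs]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_class(noisy_clients(count_requests(SAMPLE_LOG), threshold=5)))
```

Feed it a bounded slice of the log (for example the last few minutes) so the threshold means a rate. As the reply notes, a client under `ignore` no longer produces log entries, so this only finds clients not yet in the class.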


