Is there any protection mechanism for a spamming dhcp client?

Glenn Satchell glenn.satchell at uniq.com.au
Thu Feb 3 10:39:25 UTC 2011


On 02/03/11 20:56, Nicolas Ecarnot wrote:
> On 03/02/2011 10:41, Jürgen Dietl wrote:
>> Hello,
>>
>> I am new to this mailing list. So I see a big "Hello World" and I hope
>> to meet interesting people here.
>>
>> I have the following question:
>>
>> I am running the latest versions of ISC DHCP and BIND, and I have a printer that,
>> even though it owns an IP address, makes thousands of DHCP requests per
>> second. Until somebody powered off the printer, the DHCP server got
>> 590,000 DHCP requests. Of course the pool was empty. I know I can
>> prevent such things by enabling DHCP snooping on network equipment, but
>> is there any mechanism to do some protection on the server? For
>> example, if the server noticed that it is always the same client
>> asking for an address, it should say NO and ignore the client, or put
>> it in a database to refuse any action, etc. Is there a way to implement
>> this? Is there any mechanism?
>
> No answer from me, but I second the question, as I'm experiencing the
> same issue (except the OMG rate you're undergoing): on a very small
> bunch of hosts, either they work well in DHCP mode but still request an
> IP too frequently, or some STATIC-IP setup hosts are even asking for a DHCP
> lease... It's a mad world...
>
There's no rate limiting built into the dhcp server, but I think that is 
possible with iptables.

In dhcpd.conf you can block a client by using "deny booting;" or "ignore 
booting;", for example:

class "badguys" {
	match hardware;
	ignore booting;
}

subclass "badguys" 1:00:01:02:03:04:05;

or

host "bad1" {
	hardware ethernet 00:01:02:03:04:05;
	ignore booting;
}

The difference between deny and ignore is that deny logs a message, 
ignore is silent. In your case I think you want ignore :)

-- 
regards,
-glenn
--
Glenn Satchell                            |  Miss 9: What do you
Uniq Advances Pty Ltd, Sydney Australia   |  do at work Dad?
mailto:glenn.satchell at uniq.com.au         |  Miss 6: He just
http://www.uniq.com.au tel:0409-458-580   |  types random stuff.
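As an added example (not part of Glenn's reply or of ISC dhcpd itself): a small shell function that scans dhcpd syslog lines, counts DHCPDISCOVER/DHCPREQUEST messages per client MAC, and prints the `subclass "badguys"` line for any client at or above a threshold, ready to paste into dhcpd.conf next to the class above. The log format and the sample lines are constructed assumptions, not real log data.

```shell
#!/bin/sh
# Constructed sample dhcpd syslog lines (assumed format, not real log data).
# 00:01:02:03:04:05 plays the chatty printer; 00:aa:bb:cc:dd:ee is a normal host.
SAMPLE_LOG='Feb  3 10:39:01 srv dhcpd: DHCPDISCOVER from 00:01:02:03:04:05 via eth0
Feb  3 10:39:01 srv dhcpd: DHCPOFFER on 192.0.2.10 to 00:01:02:03:04:05 via eth0
Feb  3 10:39:01 srv dhcpd: DHCPREQUEST for 192.0.2.10 from 00:01:02:03:04:05 via eth0
Feb  3 10:39:01 srv dhcpd: DHCPACK on 192.0.2.10 to 00:01:02:03:04:05 via eth0
Feb  3 10:39:02 srv dhcpd: DHCPDISCOVER from 00:01:02:03:04:05 via eth0
Feb  3 10:39:02 srv dhcpd: DHCPREQUEST for 192.0.2.10 from 00:01:02:03:04:05 via eth0
Feb  3 10:39:02 srv dhcpd: DHCPDISCOVER from 00:01:02:03:04:05 via eth0
Feb  3 10:39:05 srv dhcpd: DHCPREQUEST for 192.0.2.20 from 00:aa:bb:cc:dd:ee via eth0'

# chatty_clients THRESHOLD < logfile
# Counts client-originated DHCPDISCOVER and DHCPREQUEST lines per MAC address
# (the token after "from") and, for every MAC whose count reaches THRESHOLD,
# prints the subclass line that puts it into the "badguys" class, where
# "ignore booting;" silently drops its packets.
chatty_clients() {
  threshold="$1"
  awk -v thr="$threshold" '
    /dhcpd: DHCP(DISCOVER|REQUEST) / {
      for (i = 1; i <= NF; i++)
        if ($i == "from") { n[$(i + 1)]++ }
    }
    END {
      for (mac in n)
        if (n[mac] >= thr)
          printf "subclass \"badguys\" 1:%s;\n", mac
    }'
}

# Demo: with threshold 5 only the printer (3 DISCOVER + 2 REQUEST) is flagged.
printf '%s\n' "$SAMPLE_LOG" | chatty_clients 5
```

In practice you would run it against the real log (for example `chatty_clients 500 < /var/log/syslog`) with a threshold tuned to your lease time and window, and review the output before adding it to dhcpd.conf, since the class blocks that MAC for good until you remove the line.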