Is there any protection mechanism for a spamming dhcp client?

John Hascall john at iastate.edu
Thu Feb 3 14:15:17 UTC 2011



It would be nice if there was some sort of throttling mechanism
built into dhcpd, but for now what we are doing is processing
the syslog file every 15 minutes looking for "dhcp pigs" as we
call them.  Our dhcpd.conf is built from a DB, so when we find
a piggie, we put an entry in the DB which ends up as an entry
like this in the config file:

# pig 80:fb:32:8f:d5:7e 
host P80fb328fd57e {
        hardware ethernet 80:fb:32:8f:d5:7e;
        ignore booting;
}


John

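The sweep described above (count DISCOVER/REQUEST messages per client MAC in each log slice, then write an `ignore booting` host stanza for any client over a threshold), as an added example. This is not John's script and not part of ISC dhcpd. The syslog lines are constructed for the example, following dhcpd's usual message formats; the 300-requests-per-run threshold is an assumed value, not one from the thread.

```python
"""Find "dhcp pigs" in an ISC dhcpd syslog excerpt and emit ignore stanzas."""
import re
from collections import Counter

# Client hardware address in dhcpd's DHCPDISCOVER / DHCPREQUEST messages, e.g.
# "dhcpd: DHCPDISCOVER from 80:fb:32:8f:d5:7e via eth0" or
# "dhcpd: DHCPREQUEST for 10.1.0.20 (10.1.0.1) from 00:11:22:33:44:55 via eth0".
REQUEST_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCP(?:DISCOVER|REQUEST) .*?from "
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Assumed threshold for one sweep of the log; pick it from your own traffic.
PIG_THRESHOLD = 300


def count_requests(lines):
    """Return a Counter of DISCOVER/REQUEST messages per client MAC."""
    counts = Counter()
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def find_pigs(lines, threshold=PIG_THRESHOLD):
    """MACs that sent at least `threshold` requests in this log slice."""
    return sorted(mac for mac, n in count_requests(lines).items() if n >= threshold)


def ignore_stanza(mac):
    """dhcpd.conf host entry in the shape shown in the post."""
    name = "P" + mac.replace(":", "")
    return (f"# pig {mac}\n"
            f"host {name} {{\n"
            f"        hardware ethernet {mac};\n"
            f"        ignore booting;\n"
            f"}}\n")


def build_pig_config(lines, threshold=PIG_THRESHOLD):
    """Config fragment for every pig found in the slice (empty if none)."""
    return "".join(ignore_stanza(mac) for mac in find_pigs(lines, threshold))


def constructed_sample():
    """Constructed syslog excerpt (not a real capture): one printer looping on
    DHCPDISCOVER against an exhausted pool, plus one normal client exchange."""
    pig = ("Feb  3 14:{:02d}:{:02d} dhcp1 dhcpd: DHCPDISCOVER from 80:fb:32:8f:d5:7e "
           "via eth0: network 10.1.0.0/24: no free leases")
    normal = [
        "Feb  3 14:00:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
        "Feb  3 14:00:02 dhcp1 dhcpd: DHCPOFFER on 10.1.0.20 to 00:11:22:33:44:55 via eth0",
        "Feb  3 14:00:02 dhcp1 dhcpd: DHCPREQUEST for 10.1.0.20 (10.1.0.1) from 00:11:22:33:44:55 via eth0",
        "Feb  3 14:00:02 dhcp1 dhcpd: DHCPACK on 10.1.0.20 to 00:11:22:33:44:55 via eth0",
    ]
    # 15 minutes x 30 discovers per minute = 450 lines from the looping printer
    lines = [pig.format(m, s) for m in range(15) for s in range(0, 60, 2)]
    return lines + normal


if __name__ == "__main__":
    # In production feed the lines logged since the previous sweep instead.
    print(build_pig_config(constructed_sample()), end="")
```

Feed it only the slice of syslog written since the previous run, otherwise a client that looped once stays over the threshold forever. Because `ignore` (unlike `deny`) also suppresses dhcpd's log line for that client, a pig's count drops to zero once the stanza is in place, so the entry has to persist in the DB rather than be recomputed from each sweep. The stanza silences the server only; the printer keeps broadcasting on the LAN, which is the separate problem the thread sets aside.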

> extension to my other post:
> 
> Assume I have thousands of printers and maybe some of those printers have
> this behavior. So I don't know exactly which printer it will be in the
> future. It's like a time bomb. My home is more the Cisco side and there I
> could for example do DHCP Snooping, where I can also set a maximum number
> of DHCP requests per client per switch-port.
> 
> But instead of configuring the security a thousand times on the switch side
> I want to do it on the central side - the server. So I am looking for an
> automatism that triggers some action in case of too many DHCP requests from
> a client.
> 
> Hope you understand me now.
> 
> thanx a lot,
> cheers,
> 
> ps: I know that so many packets are also bad for the LAN but this is another
> story :-) (department)
> 
> 
> 2011/2/3 Jürgen Dietl <juergen.dietl at googlemail.com>
> 
> > Hello Alex,
> >
> > no you are not dumb. I made a mistake in understanding and sorry for that.
> > The client gets only ONE IP address but this 590.000 times. So I have a
> > very big log file etc. and the CPU usage is also very high.
> >
> > Concerning the iptables proposal:
> >
> > Is there a way to ignore a certain amount of packets with iptables? I
> > don't want to block all the packets from the client. Can you maybe post an
> > example for iptables?
> >
> >
> > thanx a lot,
> > cheers,
> > Juergen
> >
> >
> > 2011/2/3 Alex Bligh <alex at alex.org.uk>
> >
> >
> >>
> >> --On 3 February 2011 10:41:11 +0100 Jürgen Dietl <
> >> juergen.dietl at googlemail.com> wrote:
> >>
> >>> Till somebody powered off the printer the dhcp server got 590.000 dhcp
> >>> requests. Of course the pool was empty.
> >>>
> >>
> >> Perhaps I am being a bit dumb here, but if the same device re-requests
> >> an IP address, isn't it going to get the same entry from the pool
> >> (assuming
> >> mac address and client-id are the same). If not, can you not segregate
> >> it by assigning it a fixed IP? I am taking it configuring the printer
> >> with a fixed IP is not an option.
> >>
> >> If your dhcp server never needs to talk to the printer at all, you
> >> can just ignore dhcp packets using ip tables filtering based
> >> on MAC address. That would work well if you configured it with a static
> >> IP.
> >>
> >> --
> >> Alex Bligh
> >>
> >> _______________________________________________
> >> dhcp-users mailing list
> >> dhcp-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/dhcp-users
> >>
> >
> >
> 