Is there any protection mechanism for a spamming dhcp client?

Simon Hobson dhcp1 at thehobsons.co.uk
Thu Feb 3 15:18:33 UTC 2011


John Hascall wrote:
>It would be nice if there was some sort of throttling mechanism
>built into dhcpd, but for now what we are doing is processing
>the syslog file every 15 minutes looking for "dhcp pigs" as we
>call them.  Our dhcpd.conf is built from a DB, so when we find
>a piggie, we put an entry in the DB which ends up as an entry
>like this in the config file:
>
># pig 80:fb:32:8f:d5:7e
>host P80fb328fd57e {
>         hardware ethernet 80:fb:32:8f:d5:7e;
>         ignore booting;
>}

I wonder if there is any mileage in writing a fail2ban module to handle this?

Fail2ban tails a log file, matching against expressions for certain 
things (such as failed logins). If there are more than a set number 
in a set period then it executes an action which can include adding 
an iptables rule to drop packets from the source for a set period.

Dropping packets at the netfilter layer would reduce processing 
overhead in ignoring the packets. As a secondary effect, I could see 
it being useful for very large installations that might suffer from a 
huge number of requests after (for example) a widespread power 
outage. If the server were swamped, then it might be possible to get 
fail2ban (or a similar mechanism) to block clients that make too many 
requests - with the effect that the overall request rate would drop 
for a while and the most aggressive clients would get held off, 
hopefully until the storm subsides.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
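As an added example (not code from either poster), here is a Python sketch of John's "scan syslog every 15 minutes for pigs" approach: it counts DHCPDISCOVER/DHCPREQUEST lines per MAC in a sliding window and emits the `ignore booting` host stanza he shows. The log lines, MACs, the 20-request threshold and the 900-second window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches ISC dhcpd syslog lines such as
# "Feb  3 15:18:33 dhcpsrv dhcpd: DHCPDISCOVER from 80:fb:32:8f:d5:7e via eth0"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"DHCP(?:DISCOVER|REQUEST)\b.*?\bfrom (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_ts(ts, year=2011):
    # syslog timestamps carry no year; assume one (constructed default)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_pigs(lines, threshold=20, window_s=900):
    """Return {mac: peak_count} for clients exceeding `threshold` requests
    inside any `window_s`-second sliding window (defaults are assumptions)."""
    recent = defaultdict(deque)   # per-MAC timestamps still inside the window
    pigs = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                # DHCPOFFER/ACK/NAK and unrelated lines
        ts, mac = parse_ts(m.group("ts")), m.group("mac").lower()
        q = recent[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # expire requests older than the window
        if len(q) > threshold:
            pigs[mac] = max(pigs.get(mac, 0), len(q))
    return pigs

def ignore_stanza(mac):
    """The dhcpd.conf entry from the post: drop all traffic from this MAC."""
    return (f"# pig {mac}\nhost P{mac.replace(':', '')} {{\n"
            f"        hardware ethernet {mac};\n        ignore booting;\n}}\n")

def constructed_log():
    # Constructed sample: one client re-DISCOVERs every 2 s and never
    # accepts an offer; one normal client completes a REQUEST/ACK exchange.
    pig = "80:fb:32:8f:d5:7e"
    lines = [f"Feb  3 15:00:{2 * i:02d} dhcpsrv dhcpd: DHCPDISCOVER from {pig} via eth0"
             for i in range(30)]
    lines.append("Feb  3 15:00:05 dhcpsrv dhcpd: DHCPREQUEST for 10.0.0.42 from 00:16:3e:aa:bb:cc via eth0")
    lines.append("Feb  3 15:00:05 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to 00:16:3e:aa:bb:cc via eth0")
    return lines

if __name__ == "__main__":
    for mac in find_pigs(constructed_log()):
        print(ignore_stanza(mac))
```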