Limit DHCP requests with iptables - problem: Router

Friesen, Don SSBC:EX Don.Friesen at gov.bc.ca
Mon Feb 7 17:58:00 UTC 2011


>>
>> That won't work because all his dhcp queries come with the same
>> MAC address - the router which is forwarding them.
>>
>>
>
>Then you might try adding a limit test and -j ACCEPT .
>
>--limit rate[/second|/minute|/hour|/day]
>Maximum average matching rate: specified as a number, with 
>an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default 
>is 3/hour.
>
>Dave

   Periodically we had printers spam our servers with requests faster than the servers we were using at the time could respond to.  The solution was to block all traffic from the router for a few seconds.  Two or three seconds was all it took for the printers to reset.  Then the traffic was turned up again.  We did this manually on the router by removing the helper addresses.  So the rate limiting would be better, as automation good... yes :)

   This was prior to our adopting ISC DHCP.  I haven't seen it since.  Our only issue now is that Corp Headquarters is enforcing a managed power-off overnight with an automated power-up at 7am.  When 30,000 machines turn on within a few seconds, the DHCP traffic is a bit excessive, and even our new ISC based servers can't keep up.  Any such rate limiting would play havoc with our DHCP service at that time of the day, as it already takes 30 minutes to fully service all the machines.  And yes, we have suggested that they stagger the start-up, but it falls on deaf ears.


Don Friesen
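Dave's quoted suggestion relies on the iptables "limit" match, which is a token bucket: the bucket holds --limit-burst tokens (iptables default 5), refills at the --limit rate, and a packet matches the ACCEPT rule only while a whole token is available. The following is an added example, not code from the dhcp-users list, from Dave or Don, or from iptables itself. It models that bucket in Python and runs it against a constructed stream of relayed DHCPDISCOVERs shaped like the 7am power-up Don describes (30,000 hosts, one relaying router), so the effect of a given rate on the boot storm can be estimated before any rule is deployed. The rule shown in the docstring, the host count and the spread are assumptions; the kernel's jiffy-granularity credit accounting is approximated by a continuous refill.

```python
"""Token-bucket model of the iptables "limit" match.

Added example; not code from the dhcp-users thread or from iptables.  It
models the behaviour of a rule pair such as (assumed shape):

    iptables -A INPUT -p udp --dport 67 -m limit --limit 3/hour --limit-burst 5 -j ACCEPT
    iptables -A INPUT -p udp --dport 67 -j DROP

Timestamps and token counts are exact Fractions so results are deterministic.
Assumption: continuous refill is close enough to the kernel's credit
accounting for capacity-planning purposes.
"""
from fractions import Fraction

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Convert an iptables rate string such as '3/hour' to packets per second.

    A bare number means per second (as libxt_limit treats it); the unit may be
    abbreviated ('/s', '/min') the way iptables accepts it.
    """
    count, sep, unit = spec.partition("/")
    per_unit = Fraction(count)
    if not sep:
        return per_unit
    for name, seconds in _UNIT_SECONDS.items():
        if unit and name.startswith(unit.lower()):
            return per_unit / seconds
    raise ValueError(f"bad rate unit in {spec!r}")


class LimitMatch:
    """One instance of '-m limit --limit <rate> --limit-burst <burst>'."""

    def __init__(self, rate: str, burst: int = 5):
        self.rate = parse_rate(rate)   # tokens added per second
        self.burst = burst
        self.tokens = Fraction(burst)  # the bucket starts full
        self.last = Fraction(0)

    def matches(self, now: Fraction) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        refill = (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def boot_storm(hosts: int = 30000, seconds: int = 5) -> list:
    """Constructed timestamps: `hosts` DHCPDISCOVERs spread evenly over
    `seconds`, all arriving via one relaying router (so, as the thread notes,
    a per-MAC limit cannot separate the clients)."""
    return [Fraction(i * seconds, hosts) for i in range(hosts)]


def simulate(timestamps, rate: str, burst: int = 5) -> dict:
    """Count how many relayed requests the ACCEPT rule matches vs. fall to DROP."""
    match = LimitMatch(rate, burst)
    accepted = sum(1 for t in timestamps if match.matches(t))
    return {"accepted": accepted, "dropped": len(timestamps) - accepted}


if __name__ == "__main__":
    storm = boot_storm()
    # The defaults from the quoted man page: 3/hour with a burst of 5.
    print("3/hour, burst 5        :", simulate(storm, "3/hour"))
    # A far higher limit: roughly half the storm still falls to DROP, which
    # is why a fixed rate limit hurts at the 7am peak.
    print("3000/second, burst 1000:", simulate(storm, "3000/second", burst=1000))
```

The two runs make the trade-off concrete: with the man-page default only the first five relayed requests ever reach the server during the storm, and even at 3000/second with a burst of 1000 nearly half of the 30,000 hosts are dropped and must retry. A limit sized to protect the server from one misbehaving device therefore has to be tuned against the legitimate peak, or applied only outside the power-up window.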



