Limit DHCP requests with iptables - problem: Router

José Queiroz zekkerj at gmail.com
Tue Feb 8 13:55:48 UTC 2011


2011/2/8 Jürgen Dietl <juergen.dietl at googlemail.com>

> Hello again,
>
> many thanx for all your answers. English is not my native language but I
> will try as best as I can to point out one particular part of my problem.
>
> I have about 30 K clients. In case of a client error where the client starts
> spamming the server with DHCP requests I don't know which client it is. It
> can be any client in the network. So I don't know the client's MAC address.
> The 2nd problem is that the clients are mostly not in the same network. So I
> use an IP-helper on the router and the client has the MAC address of the
> router in its MAC-field.
>
> The only place where you can see the client's real MAC address is in the
> DHCP header.
>
> So I look for a solution that dynamically looks in every packet -
> especially in the DHCP header - that arrives at the server and prohibits
> too many DHCP requests coming from the same machine. In this case the
> server should ignore any packet from this client - which can be any client
> of the 30 K I mentioned before. The easiest way would be that this intelligence
> is in the ISC DHCP server because the server knows the real client address. But
> this server has no possibility of traffic control - except reducing the
> general rate which would limit my DHCP server in total.
>
> So I cannot work with a fixed client address.
>
> I don't know if it's true but I was told that iptables is so intelligent that
> you can limit traffic that comes from the same MAC all the time. So you
> can limit flooding from the same host.
>
> Hope this makes my problem a bit clearer.
>
> thanx a lot,
> cheers,
> Juergen
>
>
Hi Juergen,

You may take two approaches. The first, simpler one is to limit the service
rate of your DHCP server, blocking any request that comes over this limit.
This is simple (and slightly dumb), as if you block a valid request, the
affected client will time out and retransmit. This is done by the "limit"
iptables module, this way:

iptables -A INPUT -p udp --dport 67 -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j DROP

This will limit the service rate to 10 requests per second. You can use any
rate you want.

The second one is to filter by the fields of the request. You may use the "u32"
iptables module to do it, as suggested by Alan Bligh in the very first
response to your thread. This may also be combined with the "limit" and/or
the "recent" iptables modules, giving you a way to control how long a
specific client has to wait before it can re-send the DHCP request.

# CHADDR is 28 bytes into the BOOTP payload (36 past the UDP header); "0>>22&0x3C@"
# re-bases the offsets at the UDP header, and u32 compares 4 bytes at a time.
iptables -N BLOCK_DHCP_CLIENT
iptables -A INPUT -p udp --dport 67 -m u32 \
    --u32 "0>>22&0x3C@36=0xaabbccdd && 0>>22&0x3C@40&0xffff0000=0xeeff0000" \
    -j BLOCK_DHCP_CLIENT

iptables -A BLOCK_DHCP_CLIENT -m recent --update --seconds 60 -j DROP
iptables -A BLOCK_DHCP_CLIENT -m recent --set -j ACCEPT

This will match the CHADDR field having the MAC "aa-bb-cc-dd-ee-ff" (and not
the source MAC address of the frame) and divert processing to a new chain
(you need to create it with "iptables -N" first). In this chain, we'll
accept the first request, and drop any subsequent requests within 60 seconds
from the last one.

As "normal" clients will not trigger this new chain, they'll not get
blocked.

PS: This is untested.

PS²: Are you sure that a firmware update on the printer will not fix this
odd behaviour?
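As an added example (not part of this post, nor ISC or netfilter code), the following Python checks the arithmetic the u32 rule relies on and the behaviour of the "recent" chain. It builds a constructed DHCP request, locates CHADDR the way the "0>>22&0x3C@" prefix does (reading the IP header length, so IP options do not shift the offset), generates the --u32 expression for a given MAC, evaluates it with a small interpreter that covers only the operators used here, and replays request timestamps through the --update/--seconds logic to show that a client which keeps retrying inside the window is never unblocked, unlike --rcheck. Offsets follow RFC 2131; the interpreter's semantics are my reading of the u32 man page and are an assumption, as are the sample MACs and timestamps. Note that "recent" keys its list on the source IP by default, which is fine here only because the chain is entered for a single MAC.

```python
# Added example, not from the original post: checks the offset arithmetic the
# u32 rule depends on and simulates the "recent" chain. Offsets follow
# RFC 951/2131 (CHADDR is 28 bytes into the BOOTP payload); the u32 evaluator
# covers only the grammar subset used here; sample MACs/times are constructed.
import re
import struct

UDP_HEADER_LEN = 8
BOOTP_CHADDR_OFFSET = 28      # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr
U32_UDP_BASE = "0>>22&0x3C@"  # IHL*4 from the first IP word, then re-base at the UDP header


def build_dhcp_request(mac: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 + UDP(68->67) + BOOTREQUEST carrying `mac` in CHADDR."""
    if len(mac) != 6 or len(ip_options) % 4:
        raise ValueError("mac must be 6 bytes, IP options a multiple of 4")
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s192s4s",
                        1, 1, 6, 0, 0x12345678, 0, 0,            # BOOTREQUEST, Ethernet, hlen 6
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr/yiaddr/siaddr/giaddr
                        mac.ljust(16, b"\0"), b"\0" * 192,       # chaddr (16 bytes), sname+file
                        b"\x63\x82\x53\x63")                     # DHCP magic cookie
    udp = struct.pack("!HHHH", 68, 67, UDP_HEADER_LEN + len(bootp), 0) + bootp
    ihl = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp),
                     0, 0, 64, 17, 0, b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01")
    return ip + ip_options + udp


def chaddr_offset(packet: bytes) -> int:
    """CHADDR offset from the start of the IP header, honouring IHL like u32 does."""
    return (packet[0] & 0x0F) * 4 + UDP_HEADER_LEN + BOOTP_CHADDR_OFFSET


def extract_chaddr(packet: bytes) -> bytes:
    off = chaddr_offset(packet)
    return packet[off:off + 6]


def u32_match_for_mac(mac_str: str) -> str:
    """--u32 expression matching CHADDR == mac_str. u32 compares 4-byte words,
    so the 6-byte MAC becomes one full word plus a masked half word."""
    b = bytes.fromhex(mac_str.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 6 bytes")
    off = UDP_HEADER_LEN + BOOTP_CHADDR_OFFSET                  # 36
    first = int.from_bytes(b[:4], "big")
    second = int.from_bytes(b[4:] + b"\0\0", "big")
    return (f"{U32_UDP_BASE}{off}=0x{first:08x} && "
            f"{U32_UDP_BASE}{off + 4}&0xffff0000=0x{second:08x}")


def u32_matches(expr: str, packet: bytes) -> bool:
    """Evaluate the u32 subset used above (number, >>, &, @, =, &&) the way
    xt_u32 does: read a big-endian 4-byte word, apply operators left to right,
    '@' adds the accumulated value to the base offset for the next read."""
    def word(at: int) -> int:
        if at + 4 > len(packet):
            raise IndexError("u32 read past end of packet")
        return int.from_bytes(packet[at:at + 4], "big")
    for test in expr.split("&&"):
        location, value = test.split("=")
        tok = re.findall(r"0x[0-9a-fA-F]+|\d+|>>|&|@", location)
        base, acc = 0, word(int(tok[0], 0))
        for op, num in zip(tok[1::2], tok[2::2]):
            n = int(num, 0)
            if op == ">>":
                acc >>= n
            elif op == "&":
                acc &= n
            else:                        # "@"
                base += acc
                acc = word(base + n)
        if acc != int(value.strip(), 0):
            return False
    return True


def simulate_recent_chain(times, window=60, update=True):
    """ACCEPT/DROP decisions of BLOCK_DHCP_CLIENT for one client's request
    times (seconds). With "--update" (the posted rule) a hit inside the window
    also refreshes the timestamp, so a client that keeps retrying stays
    blocked; with "--rcheck" semantics (update=False) only accepted requests,
    i.e. the "--set" rule, touch the timestamp."""
    last_seen, out = None, []
    for t in times:
        if last_seen is not None and t - last_seen < window:
            if update:
                last_seen = t
            out.append("DROP")
        else:
            last_seen = t
            out.append("ACCEPT")
    return out


if __name__ == "__main__":
    pkt = build_dhcp_request(bytes.fromhex("aabbccddeeff"), b"\x01" * 4)  # 4 NOP options
    rule = u32_match_for_mac("aa:bb:cc:dd:ee:ff")
    print(rule, "->", u32_matches(rule, pkt), "chaddr at", chaddr_offset(pkt))
    print(simulate_recent_chain([0, 50, 100, 150]), simulate_recent_chain([0, 50, 100, 150], update=False))
```

Running the module prints the generated --u32 string, confirms it matches even when the IP header carries options, and shows the two "recent" behaviours side by side: with --update a client retrying every 50 seconds is accepted once and then dropped for as long as it keeps retrying, whereas --rcheck would let one request through every 60 seconds.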