Limit DHCP requests with iptables - problem: Router

sscdvp at gmail.com
Wed Aug 29 19:34:21 UTC 2012


The suitable solution against DoS on DHCP is to filter unnecessary packets
in kernel space before they reach the DHCP server.
Such a kernel module does exist. See
http://sscdvp.blogspot.com/2011/11/test.html for more details.

Best regards, Serghei Samsi

2012/8/29 Dorsey, Chris <dorsey2 at llnl.gov>

>  We are seeing a lot of induced IO wait due to processing/logging of
> unwanted DHCP requests from **known** MAC addresses (broken printers,
> mis-behaving clients, etc.) and were very interested in this thread.  After
> some hopeful testing with iptables based on some clues in this thread, we
> have abandoned this approach after one of our admins discovered the
> following article confirming that ISC DHCP uses raw sockets which get
> processed before iptables, rendering iptables-based solutions useless for
> these types of problems:
>
> https://deepthought.isc.org/article/AA-00378/0/Why-does-DHCP-use-raw-sockets.html
>
> Our limited testing confirms this fact.  Other solutions in this space
> would seem to be external filtering in front of the DHCP servers
> (possible), fixing broken clients (valiant but impractical at scale), or
> enhancing dhcpd with the ability to allow for administrator-configured
> filtering.   This last one seems the most attractive for several reasons.
> Any other possible solution approaches?
>
> Chris
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
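Whichever filtering approach is chosen, the first step is knowing which known MAC addresses are generating the load that Chris describes. The script below is an added example, not code from this thread or from ISC: it reads dhcpd syslog lines, counts the client-originated messages (DISCOVER, REQUEST, DECLINE, RELEASE) per MAC, and reports any MAC that exceeded a threshold inside a sliding time window, so the offenders can be fixed or blocked upstream. The log format it assumes follows the usual `dhcpd: DHCPDISCOVER from <mac> via <if>` lines; the sample log, the threshold and the window length are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Client request lines in the style ISC dhcpd writes to syslog (assumed format), e.g.
#   Aug 29 12:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
#   Aug 29 12:00:06 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.20 (10.0.0.1) from 00:11:22:33:44:55 via eth0
# Server replies (DHCPOFFER/DHCPACK/DHCPNAK) are deliberately not matched: we count
# what clients send, not what the server answers.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST|DHCPDECLINE|DHCPRELEASE)"
    r"(?: for \S+(?: \(\S+\))?)?"   # DHCPREQUEST carries "for <ip> [(<server-id>)]"
    r"(?: of \S+)?"                  # DHCPRELEASE/DHCPDECLINE carry "of <ip>"
    r" from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_line(line, year=2012):
    """Return (timestamp, mac, message_type) for a client request line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (constructed log is 2012)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["mac"].lower(), m["msg"]


def find_chatty_clients(lines, threshold, window_seconds=60):
    """Map MAC -> peak number of requests seen inside any window of window_seconds,
    for MACs whose peak exceeds `threshold`."""
    per_mac = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, mac, _ = parsed
            per_mac[mac].append(ts)

    offenders = {}
    for mac, times in per_mac.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[mac] = peak
    return offenders


# Constructed sample log: one broken printer re-sending DHCPDISCOVER every 2 s,
# plus one well-behaved client doing a normal DISCOVER/OFFER/REQUEST/ACK exchange.
SAMPLE_LOG = [
    f"Aug 29 12:00:{s:02d} dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0"
    for s in range(0, 60, 2)
] + [
    "Aug 29 12:00:05 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0",
    "Aug 29 12:00:05 dhcp1 dhcpd: DHCPOFFER on 10.0.0.20 to aa:bb:cc:dd:ee:01 via eth0",
    "Aug 29 12:00:06 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.20 (10.0.0.1) from aa:bb:cc:dd:ee:01 via eth0",
    "Aug 29 12:00:06 dhcp1 dhcpd: DHCPACK on 10.0.0.20 to aa:bb:cc:dd:ee:01 via eth0",
]


if __name__ == "__main__":
    for mac, peak in sorted(find_chatty_clients(SAMPLE_LOG, threshold=10).items()):
        print(f"{mac}: {peak} requests within 60 s; candidate for repair or upstream filtering")
```

Run it against a real log with `find_chatty_clients(open("/var/log/syslog"), threshold=...)` after adjusting `year`; the threshold is site-specific, since a client that legitimately fails to get a lease will also retry, so the list is a starting point for investigation rather than an automatic block list.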