[Kea-users] Duplicate Addresses, address pool exhaustion with DHCPDECLINE flood

Alberto Pollastro alberto.pollastro at mobimesh.it
Thu Apr 18 13:16:29 UTC 2019 

Hi all,

I agree with Kari; it could be useful to have an option which permits to 
ignore the DHCP DECLINE messages like the one present in ISC dhcpd 
("declines" keyword in config file: 
https://www.isc.org/wp-content/uploads/2018/02/dhcp44.html).
Another option it could be to implement on server side a DHCP DECLINE 
per source MAC rate limiting (or a kind of Fail2ban for DECLINE 
messages) because usually the L2 switch support DHCP rate limiting 
accordint to the switch port.

Thanks,
Alberto

Il 18/04/2019 09:08, Mohammed Khallaf ha scritto:
> Hello Kari,
>
> I'm not sure about Kea, Kea hooks, or if someone is going to write a 
> Kea hook for that, but there is no DHCP server that I know about that 
> implements this outside-of-the-box. Actually, most or all effective 
> solutions in network-originating layer 2 attacks are basically built 
> on networking devices software and/or network monitoring software, or 
> the least: manual troubleshooting.
>
> If your switching equipment has a feature to help, then use it. If 
> not, you can set a network monitoring software that analyzes DHCP 
> DISCOVER messages and alert you if the rate from a specific MAC is 
> abnormal, or the general rate on the network is abnormal. SolarWinds 
> and PRTG come to mind.
>
> --
> MK
>
>
> On Wed, Apr 17, 2019 at 2:56 PM Kari Karvonen 
> <kari.karvonen at kasenet.fi <mailto:kari.karvonen at kasenet.fi>> wrote:
>
>     Hello
>
>     If there is faulty DHCP-client on a network that keeps requesting IP's
>     and after receiveing IP-offer client sends DHCPDECLINE and DHCP-server
>     marks IP-address as declined for 24 hours. If client keeps repeating
>     this, address after address will be marked as declined and soon entire
>     DHCP-pool is exhausted.
>
>     I looked Kea 1.5.0 user guide and found that it is possible to shorted
>     decline time
>
>       "decline-probation-period": 3600
>
>     But is there something else on dhcp-server side to prevent this
>     kind of
>     behaviour?
>
>     -- 
>     Kari Karvonen
>     Network specialist
>     +358445557360
>     www.kasenet.fi <http://www.kasenet.fi>
>     _______________________________________________
>     Kea-users mailing list
>     Kea-users at lists.isc.org <mailto:Kea-users at lists.isc.org>
>     https://lists.isc.org/mailman/listinfo/kea-users
>
>
> _______________________________________________
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20190418/7c2e660a/attachment.htm>

More information about the Kea-users mailing list