[Kea-users] Duplicate Addresses, address pool exhaustion with DHCPDECLINE flood

Tomek Mrugalski tomasz at isc.org
Thu Apr 18 17:31:58 UTC 2019


On 18/04/2019 15:16, Alberto Pollastro wrote:
> I agree with Kari; it could be useful to have an option which permits
> ignoring the DHCP DECLINE messages like the one present in ISC dhcpd
> ("declines" keyword in config file:
> https://www.isc.org/wp-content/uploads/2018/02/dhcp44.html).
> Another option could be to implement on the server side a DHCP DECLINE
> per source MAC rate limiting (or a kind of Fail2ban for DECLINE
> messages) because usually L2 switches support DHCP rate limiting
> according to the switch port.
We were thinking about rate limiting of various things, but never got
round to implementing this mechanism.

As a crude workaround, you could try setting up
"decline-probation-period" to something very small, like 10 seconds or
less. But please keep in mind that this would be effectively disabling a
protocol feature that's there for a reason.

Also, if you want to do some experiments, disabling DECLINE handling on
the server side is a trivial code modification. Open up
src/bin/dhcp4/dhcp4_srv.cc and comment out line 1024:

// processDecline(query, ctx);

Note the side effect is that your buggy client will think the lease was
declined, will revert back to discover and the server will assign the
same lease again. This loop will likely repeat over and over again.

Depending on your situation this may be a better or worse workaround
compared to low decline-probation-period.

Tomek
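The per-MAC rate-limiting idea from the thread can be approximated on the detection side without touching the server: scan the Kea DHCPv4 log for DHCPDECLINE events and flag clients that exceed a threshold in a sliding window. This is an added example, not code from Kea or from anyone on the thread; the log line shape (timestamp, DHCP4_DECLINE_LEASE message id, "[hwtype=1 <mac>]" client string) is assumed and the sample lines are constructed, so adjust the regex to the Kea version in use.

```python
"""Flag DHCPDECLINE floods per client MAC in a Kea DHCPv4 log.

Added example, not part of Kea. The line format below is an assumption
modelled on Kea's DHCP4_DECLINE_LEASE message; the samples are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape: "<ts>.<ms> ... DHCP4_DECLINE_LEASE [hwtype=1 <mac>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*DHCP4_DECLINE_LEASE "
    r"\[hwtype=\d+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\]"
)


def find_decline_floods(lines, max_declines, window_secs):
    """Return {mac: peak} for MACs that sent more than max_declines
    DHCPDECLINEs inside any window_secs-second sliding window."""
    recent = defaultdict(deque)  # mac -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DECLINE event, ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        mac, q = m.group("mac"), recent[m.group("mac")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()  # expire timestamps that left the window
        if len(q) > max_declines:
            offenders[mac] = max(offenders.get(mac, 0), len(q))
    return offenders


def _kea_line(ts, msgid, mac, rest):
    # Constructed sample line in the assumed Kea log shape (hypothetical helper)
    return f"{ts} INFO  [kea-dhcp4.leases/1234] {msgid} [hwtype=1 {mac}], cid=[no info], tid=0x1: {rest}"


# Constructed sample: one client declines four leases in 3 s, one client once.
BAD, OK = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_LOG = [
    _kea_line("2019-04-18 15:00:00.001", "DHCP4_DECLINE_LEASE", BAD, "Received DHCPDECLINE for addr 192.0.2.10"),
    _kea_line("2019-04-18 15:00:01.010", "DHCP4_DECLINE_LEASE", BAD, "Received DHCPDECLINE for addr 192.0.2.11"),
    _kea_line("2019-04-18 15:00:01.500", "DHCP4_LEASE_ALLOC", OK, "lease 192.0.2.50 has been allocated"),
    _kea_line("2019-04-18 15:00:02.020", "DHCP4_DECLINE_LEASE", BAD, "Received DHCPDECLINE for addr 192.0.2.12"),
    _kea_line("2019-04-18 15:00:03.030", "DHCP4_DECLINE_LEASE", BAD, "Received DHCPDECLINE for addr 192.0.2.13"),
    _kea_line("2019-04-18 15:00:05.000", "DHCP4_DECLINE_LEASE", OK, "Received DHCPDECLINE for addr 192.0.2.50"),
]

if __name__ == "__main__":
    print(find_decline_floods(SAMPLE_LOG, max_declines=3, window_secs=10))
```

The output maps each offending MAC to the peak number of DECLINEs seen in one window, which is the figure you would compare against the switch-port rate limit mentioned above.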
