incomming DHCPDISCOVER requests buffer

John Wobus jw354 at cornell.edu
Mon Apr 21 13:40:04 UTC 2008 

Perhaps you already know this, but OSs often can display
counts of dropped UDP packets that allow you to see if such drops are
happening on your system.

Also some OSs allow you to set a system-wide setting regarding the
default size of a process's UDP input buffer.  Such a buffer 
more-or-less
serves the purpose you are looking for.  The default size of such
a buffer can depend upon the OS version: in Solaris, for example,
Solaris 10 has larger defaults than Solaris 9.

Solaris examples: (perhaps seeing these will give you hints
what to look for in other OSs.  'ndd' is definitely Solaris-specific)

Displaying system-wide count of dropped udp packets:
   netstat -s | egrep -i udpInOverflows

Displaying default buffer size:
   /usr/sbin/ndd -get /dev/udp udp_recv_hiwat

Setting default buffer size (to 65536):
   /usr/sbin/ndd -set /dev/udp udp_recv_hiwat 65536

In Solaris, a process has the means to set the size of its
UDP receive buffer by making a specific OS call.
If the code does not do that (it is likely that the means to make
this setting is OS-specific, and extra trouble to implement in portable 
code),
then you can control the buffer size by setting the default used when a
process is started, but by doing so, this becomes a system-wide setting,
applying to all new processes.

A sizable buffer can handle a short burst, but if the an incoming
rate higher than the daemon can handle lasts for any significant
amount of time, the buffer has to fill, and enlarging it will not solve
the problem.

I've adjusted this setting on DNS/bind servers, but I don't believe 
I've ever done
this to a DHCP server: the ISC daemon is so slow that it hardly seems
possible to help it through any serious attack by this method.
The ISC daemon, as is required by the protocol spec,
carefully records every lease, to assure that a daemon crash wouldn't
result in clients stepping on each others toes attempting to use the
same IP address.  My understanding is that this severely limits how
fast it handles things.

On Apr 21, 2008, at 7:18 AM, fadey wrote:

> Hi, everyone
>
> I was wondering what happens when there are too many dhcp requests
> comming? How many per second does one need to cause a DOS? Is there 
> some
> sort of a buffer inside dhcpd that queues the incomming requests? Is 
> (if
> there is one) it's size configurable?
>
> Thanks in advance
>
>

More information about the dhcp-users mailing list