Is there any protection mechanism for a spamming dhcp client?
Simon Hobson
dhcp1 at thehobsons.co.uk
Thu Feb 3 15:18:33 UTC 2011
John Hascall wrote:
>It would be nice if there was some sort of throttling mechanism
>built into dhcpd, but for now what we are doing is processing
>the syslog file every 15 minutes looking for "dhcp pigs" as we
>call them. Our dhcpd.conf is built from a DB, so when we find
>a piggie, we put an entry in the DB which ends up as an entry
>like this in the config file:
>
># pig 80:fb:32:8f:d5:7e
>host P80fb328fd57e {
> hardware ethernet 80:fb:32:8f:d5:7e;
> ignore booting;
>}
I wonder if there is any mileage in writing a fail2ban module to handle this?
Fail2ban tails a log file, matching against expressions for certain
things (such as failed logins). If there are more than a set number
in a set period then it executes an action which can include adding
an iptables rule to drop packets from the source for a set period.
Dropping packets at the netfilter layer would reduce processing
overhead in ignoring the packets. As a secondary effect, I could see
it being useful for very large installations that might suffer from a
huge number of requests after (for example) a widespread power
outage. If the server were swamped, then it might be possible to get
fail2ban (or a similar mechanism) to block clients that make too many
requests - with the effect that the overall request rate would drop
for a while and the most aggressive clients would get held off,
hopefully until the storm subsides.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
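As an added example, not code from either poster, here is a Python sketch of the periodic "dhcp pig" check the quoted post describes (and the per-source counting a fail2ban filter would do): it counts client messages per MAC across one batch of dhcpd syslog lines and renders the `ignore booting` host entry in the quoted form. The log line shapes follow ISC dhcpd's standard DHCPDISCOVER/DHCPREQUEST messages; the sample lines, the `dhcp1` hostname and the threshold of 50 are constructed assumptions.

```python
import re
from collections import Counter

# Matches ISC dhcpd syslog lines such as
#   "... dhcpd: DHCPDISCOVER from 80:fb:32:8f:d5:7e via eth0"
#   "... dhcpd: DHCPREQUEST for 10.1.2.3 from 80:fb:32:8f:d5:7e via eth0"
# Server replies (DHCPOFFER/DHCPACK/DHCPNAK say "to <ip> (...)") are skipped on purpose.
CLIENT_MSG = re.compile(
    r"dhcpd: DHCP(?:DISCOVER|REQUEST|INFORM|DECLINE|RELEASE)\b.*?"
    r" from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via ",
    re.IGNORECASE,
)

def count_client_requests(lines):
    """Count DHCP client messages per MAC in one batch (e.g. the last 15 minutes) of syslog lines."""
    counts = Counter()
    for line in lines:
        m = CLIENT_MSG.search(line)
        if m:
            counts[m.group("mac").lower()] += 1
    return counts

def find_dhcp_pigs(lines, threshold):
    """Return {mac: count} for clients that sent at least `threshold` messages in the batch."""
    return {mac: n for mac, n in count_client_requests(lines).items() if n >= threshold}

def ignore_stanza(mac):
    """Render the per-host 'ignore booting' entry in the form the quoted post shows."""
    name = "P" + mac.replace(":", "")
    return (f"# pig {mac}\n"
            f"host {name} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  ignore booting;\n"
            f"}}\n")

# Constructed sample batch: one client retrying every second, one normal client.
SAMPLE_LOG = (
    [f"Feb  3 15:00:{s:02d} dhcp1 dhcpd: DHCPDISCOVER from 80:fb:32:8f:d5:7e via eth0"
     for s in range(30)]
    + [f"Feb  3 15:00:{s:02d} dhcp1 dhcpd: DHCPREQUEST for 10.0.0.9 from 80:fb:32:8f:d5:7e via eth0"
       for s in range(30, 60)]
    + ["Feb  3 15:00:10 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
       "Feb  3 15:00:11 dhcp1 dhcpd: DHCPOFFER on 10.0.0.20 to 00:11:22:33:44:55 via eth0",
       "Feb  3 15:00:11 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.20 from 00:11:22:33:44:55 via eth0",
       "Feb  3 15:00:11 dhcp1 dhcpd: DHCPACK on 10.0.0.20 to 00:11:22:33:44:55 via eth0"]
)
if __name__ == "__main__":
    for mac in sorted(find_dhcp_pigs(SAMPLE_LOG, threshold=50)):
        print(ignore_stanza(mac))
```

The threshold should be tuned to the batch window and the site's normal lease churn, since a legitimate storm after a power outage (as mentioned above) raises every client's count, not just the misbehaving ones.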