DHCPREQUEST flooding

Alex Moen alexm at ndtel.com
Thu May 5 15:57:44 UTC 2016 

On 05/05/2016 09:51 AM, Patrick Trapp wrote:
> Do the 300-ish devices share anything in particular in their configurations? Is the configuration you shared pertinent to some of your culprits?

Good question, and one that I did not fully address in my original 
config. We're talking ISP customers here, in an aging, rural population. 
I am certain that 99% of these devices are factory config (and probably 
have never been updated) with the only change being a non-factory SSID 
and possibly WPA config (although many don't want a password on their 
wireless). As I did say, there are multiple generations of routers out 
there (Linksys, Cisco, Cisco-Linksys, Belkin), so that doesn't seem to 
indicate a particular model or firmware to target.

> Can you confirm that the ACK are reaching the devices?

We have confirmed that the ACK is being sent from the access gear out 
the customer's interface to the customer's device.  I can't confirm any 
further than that without actually going to the customer's premise and 
performing some captures.

> Do any of the devices lose their address entirely and have to be rebooted to get back on the network or is this issue literally only apparent to you and your logs?

We haven't had any customer complaints indicating that they are needing 
reboots.  It looks like it's only impacting the logs and not the 
customer's experience.


> ________________________________________
> From: dhcp-users-bounces at lists.isc.org [dhcp-users-bounces at lists.isc.org] on behalf of Alex Moen [alexm at ndtel.com]
> Sent: Thursday, May 05, 2016 9:40 AM
> To: dhcp-users at lists.isc.org
> Subject: DHCPREQUEST flooding
>
> I am running a 4.2.5 ISC DHCP server (up-to-date via Centos 7
> repository) for our ISP business.  We have around 7000 subscribers; most
> with an el-cheapo router, a few with no router at all.  Most of our
> customers are using a variant of Linksys router (Linksys, Cisco-Linksys,
> Belkin, etc) because that is what we provide if they ask for a router.
> However, this issue is not only a Linksys issue, as we are also seeing
> PCs exhibiting the same behavior.
>
> The issue is that we have a fairly large number of devices (around 300)
> that are issuing DHCPREQUESTs at extremely short intervals (the worst, a
> few second apart).  In the last 6 hours, some of these devices have
> REQUESTed over 2000 times.  They are all being ACKed.
>
> Is this a common problem that everyone sees, or do I have a config
> issue?  This has actually been going on for a long, long time, and I am
> just tired of the large log file sizes.  Since we're an ISP, we have to
> keep our logs for a few years time, so the log file size can become an
> issue.
>
> A typical network stanza looks like:
>
>           subnet 76.10.94.0 netmask 255.255.254.0 {
>           pool {
>                 authoritative;
>                 range 76.10.94.20 76.10.95.200;
>                 min-lease-time 129600;
>                 max-lease-time 259200;
>                 default-lease-time 259200;
>                 option subnet-mask 255.255.254.0;
>                 option broadcast-address 76.10.95.255;
>                 option routers 76.10.94.1;
>                 }
>           }
>
> Thanks for any input!!
>
> Alex
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>

-- 
Alex Moen
NSTII
North Dakota Telephone Company
701-662-6481

More information about the dhcp-users mailing list