Hi all,

I agree with Kari; it could be useful to have an option that permits ignoring DHCP DECLINE messages, like the one present in ISC dhcpd (the "declines" keyword in the config file: https://www.isc.org/wp-content/uploads/2018/02/dhcp44.html). Another option could be to implement, on the server side, DHCP DECLINE rate limiting per source MAC (or a kind of Fail2ban for DECLINE messages), because usually L2 switches support DHCP rate limiting according to the switch port.

Thanks,
Alberto

Il 18/04/2019 09:08, Mohammed Khallaf ha scritto:
Hello Kari,

I'm not sure about Kea, Kea hooks, or if someone is going to write a Kea hook for that, but there is no DHCP server that I know about that implements this out of the box. Actually, most or all effective solutions to network-originating layer 2 attacks are basically built on networking device software and/or network monitoring software, or at the least: manual troubleshooting.

If your switching equipment has a feature to help, then use it. If not, you can set up network monitoring software that analyzes DHCP DISCOVER messages and alerts you if the rate from a specific MAC is abnormal, or the general rate on the network is abnormal. SolarWinds and PRTG come to mind.

--
MK


On Wed, Apr 17, 2019 at 2:56 PM Kari Karvonen <[email protected]> wrote:

    Hello

    If there is a faulty DHCP client on a network that keeps requesting IPs
    and, after receiving an IP offer, sends DHCPDECLINE, the DHCP server
    marks the IP address as declined for 24 hours. If the client keeps repeating
    this, address after address will be marked as declined and soon the entire
    DHCP pool is exhausted.

    I looked at the Kea 1.5.0 user guide and found that it is possible to shorten
    the decline time:

      "decline-probation-period": 3600

    But is there something else on the DHCP server side to prevent this
    kind of behaviour?

    --
    Kari Karvonen
    Network specialist
    +358445557360
    www.kasenet.fi
    _______________________________________________
    Kea-users mailing list
    [email protected]
    https://lists.isc.org/mailman/listinfo/kea-users
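A server-side detector for the per-MAC DECLINE rate limiting Alberto proposes, written as an added example (not Kea code and not from anyone on this thread): it parses constructed, simplified log lines (not Kea's real log format) and flags any MAC that sends more than a threshold of DHCPDECLINEs within a sliding time window. The line format, the threshold of 3 and the one-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not real Kea output):
# "<ISO timestamp> DECLINE <client MAC> <declined IP>"
SAMPLE_LOG = """\
2019-04-17T12:00:00 DECLINE 00:11:22:33:44:55 192.0.2.10
2019-04-17T12:00:05 DECLINE 00:11:22:33:44:55 192.0.2.11
2019-04-17T12:00:09 DECLINE 00:11:22:33:44:55 192.0.2.12
2019-04-17T12:00:14 DECLINE 00:11:22:33:44:55 192.0.2.13
2019-04-17T12:00:20 DECLINE aa:bb:cc:dd:ee:ff 192.0.2.50
2019-04-17T12:00:25 DECLINE 00:11:22:33:44:55 192.0.2.14
2019-04-17T12:30:00 DECLINE aa:bb:cc:dd:ee:ff 192.0.2.51
"""

LINE_RE = re.compile(r"^(\S+) DECLINE ([0-9A-Fa-f:]{17}) (\S+)$")


def parse_declines(text):
    """Yield (timestamp, mac, ip) for each DECLINE line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)


def find_decline_floods(events, max_declines=3, window=timedelta(minutes=1)):
    """Sliding-window rate check per source MAC.

    A MAC is flagged the first time it has sent more than max_declines
    DECLINEs inside any span of length `window`. Returns {mac: time flagged}.
    """
    recent = defaultdict(deque)  # mac -> timestamps still inside the window
    flagged = {}
    for ts, mac, _ip in sorted(events):
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > max_declines and mac not in flagged:
            flagged[mac] = ts
    return flagged


if __name__ == "__main__":
    for mac, when in find_decline_floods(parse_declines(SAMPLE_LOG)).items():
        print(f"ALERT: {mac} exceeded the DECLINE rate at {when.isoformat()}")
```

A flagged MAC is what you would feed to a switch-port rate limit or a Fail2ban-style block; the DHCP server itself only learns that the pool is shrinking.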

