DHCP Client DoS
Hi all,

We've recently found a problem with dhclient that can DoS a DHCP server. If you have schg flags set on /etc/resolv.conf to stop dhcp overwriting your existing nameservers, the problem occurs. Basically, the client just keeps rejecting the IP details it has received from the server and requesting another. The server marks the record as used, and moves onto the next one. Over the course of a couple of minutes, you can pretty much mark an entire class C as in use.

If you remove the schg flag from resolv.conf, this problem does not happen.

This has been tested from a FreeBSD 5 client against a Windows NT server and a FreeBSD 4.7 server with the same results.

-- 
Ian Watkinson

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: DHCP Client DoS
On Tue, Feb 18, 2003 at 01:41:12PM +, Ian Watkinson wrote:
> We've recently found a problem with dhclient that can DoS a DHCP server. If you have schg flags set on /etc/resolv.conf to stop dhcp overwriting your existing nameservers, the problem occurs. Basically, the client just keeps rejecting the IP details it has received from the server and requesting another. The server marks the record as used, and moves onto the next one. Over the course of a couple of minutes, you can pretty much mark an entire class C as in use.
>
> If you remove the schg flag from resolv.conf, this problem does not happen.

While this is of course very bad, you do know about the 'supersede' command in dhclient.conf to override any DHCP-supplied values? Something like

    interface fxp0 {
        supersede domain-name-servers 127.0.0.1;
    }

should work. That should at least solve the 'overwriting /etc/resolv.conf' problem. man dhclient.conf for details.

--Stijn

-- 
Fairy tales do not tell children that dragons exist. Children already know dragons exist. Fairy tales tell children the dragons can be killed.
-- G.K. Chesterton
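As an added example (not from the message above and not from the FreeBSD dhclient sources), here is a complete /etc/dhclient.conf that pins the resolver settings on the client side as Stijn describes, so the schg flag on /etc/resolv.conf becomes unnecessary. The interface name fxp0, the resolver addresses and the domain name are assumptions; substitute your own.

```conf
# /etc/dhclient.conf (added example; fxp0, the addresses and the domain are assumed)
interface "fxp0" {
    # 'supersede' discards the value the server offers for this option and
    # uses ours instead; the DHCP exchange itself completes normally.
    supersede domain-name-servers 127.0.0.1, 192.0.2.53;

    # Pin the search domain too, otherwise the server still steers lookups.
    supersede domain-name "example.net";

    # Alternative: keep the server's resolvers but put a local one first.
    # (Mutually exclusive with the 'supersede' line for the same option.)
    # prepend domain-name-servers 127.0.0.1;
}
```

dhclient-script still rewrites /etc/resolv.conf, now with the superseded values, so clear the immutable flag first (chflags noschg /etc/resolv.conf) and verify after the next lease that the file contains the addresses above rather than the server's. If the file stays schg, the script still fails to write it and the lease-churn described in the original report is unchanged.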
Re: DHCP Client DoS
In local.freebsd-hackers, you wrote:
> We've recently found a problem with dhclient that can DoS a DHCP server. If you have schg flags set on /etc/resolv.conf to stop dhcp overwriting your existing nameservers, the problem occurs. Basically, the client just keeps rejecting the IP details it has received from the server and requesting another. The server marks the record as used, and moves onto the next one. Over the course of a couple of minutes, you can pretty much mark an entire class C as in use.

The problem of read-only resolv.conf is already documented in the PR database and I think recently somebody started thinking about a solution. Check http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/38778

That the server runs out of IPs is probably his own fault. It should be configured to not eat up all IPs when a host which already has obtained a lease requests another one, but simply hand out the old one or deny the request...

Stijn: Could you add your suggestion to the above PR?

-- 
http://www-i2.informatik.rwth-aachen.de/stolz/ *** PGP *** S/MIME
rage against the finite state machine
Re: DHCP Client DoS
On Tue, Feb 18, 2003 at 04:11:14PM +0100, Volker Stolz wrote:
> In local.freebsd-hackers, you wrote:
> > We've recently found a problem with dhclient that can DoS a DHCP server. If you have schg flags set on /etc/resolv.conf to stop dhcp overwriting your existing nameservers, the problem occurs. Basically, the client just keeps rejecting the IP details it has received from the server and requesting another. The server marks the record as used, and moves onto the next one. Over the course of a couple of minutes, you can pretty much mark an entire class C as in use.
>
> The problem of read-only resolv.conf is already documented in the PR database and I think recently somebody started thinking about a solution. Check http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/38778
>
> That the server runs out of IPs is probably his own fault. It should be configured to not eat up all IPs when a host which already has obtained a lease requests another one, but simply hand out the old one or deny the request...
>
> Stijn: Could you add your suggestion to the above PR?

Well I could, but it's a workaround -- dhclient should imho be made not to fail when it cannot write /etc/resolv.conf. That's a separate issue from being able to set the contents of the newly written resolv.conf, which is essentially what the supersede option does. All I was trying to say was that there already is a solution for keeping your own nameservers in /etc/resolv.conf.

That said, I will add some words to this effect to the PR.

--Stijn

-- 
The rain it raineth on the just
And also on the unjust fella,
But chiefly on the just, because
The unjust steals the just's umbrella.