How Somebody Helped Kill dhcpd on Our Network

Tim Peiffer peiffer at
Mon Jul 31 14:41:38 UTC 2006

We used to have a problem with rogue servers when the big marketing push 
for NAT routers and wireless complete with DHCP began hitting the 
street.   Since then, we have placed filters on the edge ports to deny 
DHCP server traffic.  Now we only have an issue if a new server pops 
up.  The clients can't get to their server until we remove the filter 
from the server port.

This isn't rate limiting, but it is quite effective at handling the 
original source of the problem

In Cisco parlance:

interface G1/0/1
  ip access-group No_DHCP_SERVER in
ip access-list extended Access_IN
  deny udp any eq bootps any log
  permit ip any any

Tim Peiffer

Darren wrote:
> Martin,
> I suggest Vlans.  Set up as many Vlans as you can and separate the user 
> traffic.  The rogue DHCP server may not have been malicious in nature.  
> All someone has to do is hook a linksys router up backwards and this 
> will happen.  Its worse when all 10,000 users are in the same broadcast 
> domain.  If it was one vlan of 253 users or something, the damage would 
> have been minimal.  The rogue DHCP server would not have seen the vast 
> majority of user traffic, and therefore would not have been able to 
> respond to it with DHCPNAK.
> Martin McCormick wrote:
>> 	We recently had our dhcp V3.0.3 system crash or, I should
>> say, crashed by a denial-of-service scheme in which the miscreant
>> ran something on his/her computer that behaved like a dhcp server
>> enough to send DHCPNAK's to every dhcp request it saw on the
>> VLAN.  This made every client send more traffic to the real dhcp
>> server and apparently caused the 1-gig processor with 1 gig of
>> RAM to consume all available memory.  For 3 minutes, it generated
>> about 2,500 "out of memory" messages and then dhcpd finally
>> exited with a 11) SIGSEG and a core dump.  Good old FreeBSD unix
>> is pretty bullet-proof, but this was more than the box could
>> handle.  The platform continued to operate properly afterwards,
>> but dhcpd had to be restarted again.
>> 	We are in the process of instituting dhcp failover with a
>> second server although I suspect that this situation would have
>> added maybe another few minutes to the mayhem before it, to,
>> succumbed to the hammering since failover isn't going to protect
>> against external attacks that hit both servers equally.
>> 	We are also installing switches with port snooping
>> capabilities as funds permit to kill off anybody who aspires to
>> run dhcpd on anything other than the proper dhcp server.  This
>> brings me to my question.
>> 	Is there any particular configuration parameter I can use
>> in dhcpd to make it rate-limit itself since it would have been a
>> much better outcome for it to come up for air, so to speak,
>> rather than crash and have to be restarted.
>> 	This particular event occurred on a Sunday afternoon on
>> the weekend that classes finished for the Summer semester and
>> campus activity was as near to dead as it ever gets around here
>> so we didn't even know anything was wrong for a period of time.
>> 	Our dhcp server gives service to around 10,000 clients of
>> several types and the platform it is on hardly breaks a sweat
>> even on the busiest days, but this was too much to handle.
>> Martin McCormick WB5AGZ  Stillwater, OK 
>> Systems Engineer
>> OSU Information Technology Department Network Operations Group

More information about the dhcp-users mailing list