SV: DISCOVER bursts

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Jan 8 21:37:21 UTC 2007


Lars Jacobsen wrote:

>So does this mean that if a malicious user / faulty client keeps 
>requesting IP address it would drain the pool - for a 2 minute 
>period -, even though the protection against this has been made ?
>And it's not possible to see these "temporary" leases anywhere or ?

Fundamentally this has always been a potential risk with DHCP, if 
someone either through bad programming, or more likely malicious 
intent, writes a client that keeps making requests under different 
client-id and/or mac address combinations then it will exhaust a dhcp 
server's pool. On an ethernet network there is little scope for 
protecting against this since the server has to take it on trust that 
the mac address and/or client id are genuine.

In the case of cable modems, or high end ethernet switches, you can 
apply some protection through the lease limit attribute to a spawning 
class - however it does look like you have found a way to cheat this.

However, I think the dangers are limited. Firstly someone has to be 
connected to your network, so it's not a general remote attack 
vector. Also, through the circuit-id I believe you will know which 
subscriber circuit the requests come through so you know who to send 
the compensation bill to and/or who to ring up and give a bollocking 
to and/or whose service to switch off! Lastly, to be of any real 
effect the attack would have to be continuous so as to soak up any 
expiring leases - and even then it would only affect devices seeking 
to get a new lease rather than renew an existing one - i.e. it cannot 
cause other customers to get disconnected.

Other than that it does carry another risk which is also present in 
the general case - that if a determined enough client makes enough 
requests then you could potentially cause a denial of service attack 
by filling up the server's disk.
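
Added example, not part of the original post: one way to check the circuit-id attribution described above in server logs, by counting distinct MAC addresses seen per circuit-id inside the 2-minute window mentioned in the question. The log line format, the threshold and the sample lines are constructed assumptions; a stock DHCP server log may not record the circuit-id at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) log format, one line per DISCOVER in time order:
#   "<ISO time> DHCPDISCOVER from <mac> circuit-id <id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"circuit-id (?P<cid>\S+)$", re.I)

# Constructed sample lines (not taken from any real server).
SAMPLE = """\
2007-01-08T21:30:00 DHCPDISCOVER from 02:00:00:00:00:01 circuit-id 0/1/7
2007-01-08T21:30:04 DHCPDISCOVER from 00:16:3e:aa:bb:01 circuit-id 0/1/8
2007-01-08T21:30:10 DHCPDISCOVER from 02:00:00:00:00:02 circuit-id 0/1/7
2007-01-08T21:30:12 DHCPDISCOVER from 00:16:3e:aa:bb:01 circuit-id 0/1/8
2007-01-08T21:30:20 DHCPDISCOVER from 02:00:00:00:00:03 circuit-id 0/1/7
2007-01-08T21:30:30 DHCPDISCOVER from 02:00:00:00:00:04 circuit-id 0/1/7
2007-01-08T21:30:40 DHCPDISCOVER from 02:00:00:00:00:05 circuit-id 0/1/7
2007-01-08T21:35:00 DHCPDISCOVER from 00:16:3e:cc:dd:01 circuit-id 0/1/9
2007-01-08T21:40:00 DHCPDISCOVER from 00:16:3e:cc:dd:02 circuit-id 0/1/9
"""

def flag_circuits(lines, window=timedelta(seconds=120), max_macs=3):
    """Return {circuit_id: peak distinct MACs} for every circuit that showed
    more than max_macs distinct MAC addresses inside one sliding window."""
    recent = defaultdict(deque)   # circuit-id -> deque of (time, mac)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip unrelated or malformed lines
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["cid"]]
        q.append((ts, m["mac"].lower()))
        while ts - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        distinct = len({mac for _, mac in q})
        if distinct > max_macs:
            flagged[m["cid"]] = max(flagged.get(m["cid"], 0), distinct)
    return flagged

if __name__ == "__main__":
    for cid, peak in flag_circuits(SAMPLE.splitlines()).items():
        print(f"circuit {cid}: {peak} distinct MACs within 2 minutes")
```

A client retrying from one MAC (circuit 0/1/8) or a circuit whose devices appear minutes apart (0/1/9) stays below the threshold; only the circuit cycling through addresses is reported.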

