Dhclient makes system unresponsive with very short leases

Simon Matter simon.matter at invoca.ch
Wed May 6 14:02:44 UTC 2009


I've been hit by an issue running a RHEL5 system on a GPRS/UMTS/HDSPA link
which gives out very short DHCP leases. I have patched my dhcp RPM and
filed a bugzilla entry at RedHat.
However the issue seems to exist with all ISC dhcp version which is why I
post here as well. This is what I posted to RedHat's bugzilla. The patch I
used to fix it for me is also attached there

Description of problem:
When a system running dhclient gets a very short lease, it goes completely
crazy and it looks like kind of a DOS.

Version-Release number of selected component (if applicable):
Note: all ISC dhcp versions seem affected, I have checked dhcp-4.1.1b1 and it
seems to do exactly the same.

How reproducible:

Steps to Reproduce:
1. Configure a dhcp server with 'dhcp-lease-time 2'
2. Start 'dhclient' on a client

Actual results:
The client tries to renew it's lease in a loop as fast as it can. The network
connection becomes almost unusable and the system becomes almost
Of course dhclient floods the clients log and may quickly fill the /var
filesystem. The system spends much time running dhclient-script for every
request. The whole thing looks like a DOS.
As a side effect the same log flooding happens on the server - but he gets
he deserves.

Expected results:
dhclient should add a sanity check to make sure it doesn't bring the system
down when getting short leases. The OpenBSD and other BSD folks have done so
and they seems to live well with it:

Additional info:
AFAIK DHCP doesn't define a minimum lease time. However, it's not good that a
badly configured DHCP server can melt down it's clients so easy. I have seen
this kind of 2 second leases on mobile broadband networks
usually get leases of about 300 seconds but from time to time it is
reduced to
2 seconds for whatever reason.
If, in a large corporat network, someone is able to run it's own DHCP server
and configures 'dhcp-lease-time 2' on it, he may be able to make a lot of
machines unusable very quickly. It just looks too easy to me.
Attached patch derived from OpenBSD uses a minimum of 60 seconds for it's
which means it starts renewing it every ~27 seconds.


More information about the dhcp-users mailing list