DISCOVERY STORM DoS ?

Patricio Latini p_latini at hotmail.com
Tue Jul 13 00:12:23 UTC 2010


Daniel, you should activate DHCP throttling in your CMTS. Advanced CMTSs
support rate-limiting features that limit the quantity of DHCP
DISCOVERs/REQUESTs in order to avoid this kind of DoS attack.

Patricio

From: dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org
[mailto:dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org] On Behalf Of
"Daniel D. Gonçalves"
Sent: Monday, July 12, 2010 5:39 PM
To: dhcp-users at isc.org
Subject: DISCOVERY STORM DoS ?

 

I'm having the following problem: a client begins randomly sending a storm
of DISCOVERY requests, and DHCP responds with an OFFER, but nothing more than
that. These requests cause denial of service on DHCP. Even after removing the
MAC from DHCP, the DISCOVERYs continue. I tried versions V3.1.1 and
4.1.1-P1; both have the same problem.
The IP 10.40.0.1 is a Cisco CMTS with DHCP relay activated.

Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1

Thanks.

Daniel
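
As an added example (not part of the original thread and not ISC DHCP code), this Python sketch flags the pattern in the log above: many DHCPDISCOVERs from one MAC within a single second and no DHCPREQUEST following the OFFER. The sample lines, MAC addresses, offered addresses and the threshold of 5 per second are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

TS_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")
# Client-originated dhcpd syslog records: DHCPDISCOVER / DHCPREQUEST ... from <mac> via <relay>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST) .*?\bfrom "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \([^)]*\))? via (?P<via>\S+)",
    re.IGNORECASE)

def unwrap(lines):
    """Rejoin records that mail or terminal wrapping split across lines."""
    out = []
    for line in (l.strip() for l in lines):
        if line and out and not TS_RE.match(line):
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def find_storms(lines, threshold=5):
    """Return clients whose peak DHCPDISCOVER count in one second >= threshold."""
    per_second = defaultdict(Counter)  # (mac, relay) -> {timestamp: DISCOVER count}
    requests = Counter()               # (mac, relay) -> DHCPREQUEST count
    for m in filter(None, map(LINE_RE.match, unwrap(lines))):
        key = (m["mac"].lower(), m["via"])
        if m["msg"].upper() == "DHCPDISCOVER":
            per_second[key][m["ts"]] += 1
        else:
            requests[key] += 1
    findings = []
    for (mac, relay), buckets in per_second.items():
        at, peak = buckets.most_common(1)[0]
        if peak >= threshold:  # requests == 0 means the handshake never completes
            findings.append(dict(mac=mac, relay=relay, at=at, peak_per_sec=peak,
                                 discovers=sum(buckets.values()), requests=requests[(mac, relay)]))
    return sorted(findings, key=lambda f: -f["peak_per_sec"])

# Constructed sample: one client repeating DISCOVER (wrapped as in the mail), one normal.
NOISY = ("Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 (Router) via\n"
         "10.14.0.1\n"
         "Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 192.0.2.10 to 02:00:00:00:00:01\n"
         "(Router) via 10.14.0.1\n")
NORMAL = ("Jul 12 12:03:04 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:02 via 10.14.0.1\n"
          "Jul 12 12:03:04 gw dhcpd: DHCPOFFER on 192.0.2.11 to 02:00:00:00:00:02 via 10.14.0.1\n"
          "Jul 12 12:03:04 gw dhcpd: DHCPREQUEST for 192.0.2.11 (192.0.2.1) from "
          "02:00:00:00:00:02 via 10.14.0.1\n")
SAMPLE = (NOISY * 8 + NORMAL).splitlines()
```

Calling `find_storms(SAMPLE)` reports only the repeating client; the per-second threshold should be tuned to the normal retry behaviour seen behind each relay.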


