DISCOVERY STORM DoS ?

Frank Bulk - iName.com frnkblk at iname.com
Sat Jul 24 03:39:11 UTC 2010


I looked in our Moto manual and could not find an equivalent command. =(

 

Frank

 

From: dhcp-users-bounces+frnkblk=iname.com at lists.isc.org
[mailto:dhcp-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf Of
Keith Perry (perryk)
Sent: Tuesday, July 20, 2010 7:49 AM
To: Users of ISC DHCP
Subject: RE: DISCOVERY STORM DoS ?

 

The following command on the Cisco CMTS controls the number of DHCP
LEASEQUERY request messages that are sent for unknown IP addresses per each
service ID (SID) on an upstream:

 

cable source-verify leasequery-filter upstream

 

http://www.ciscosystems.cg/en/US/docs/ios/cable/command/reference/cbl_08_cable_s.html#wp1050476

 

Keith 

 

  _____  

From: dhcp-users-bounces+keith.perry=sciatl.com at lists.isc.org
[mailto:dhcp-users-bounces+keith.perry=sciatl.com at lists.isc.org] On Behalf
Of Patricio Latini
Sent: Thursday, July 15, 2010 4:23 PM
To: frnkblk at iname.com; daniel at dgnetwork.com.br; 'Users of ISC DHCP'
Subject: RE: DISCOVERY STORM DoS ?

On the Arris C4 it is

 

configure cable proto-throttle dhcp 

configure cable proto-throttle interval <INT> 

configure cable proto-throttle max-burst <INT>

 

Patricio

 

From: Frank Bulk - iName.com [mailto:frnkblk at iname.com] 
Sent: Thursday, July 15, 2010 1:02 AM
To: daniel at dgnetwork.com.br; 'Users of ISC DHCP'; Patricio Latini
Cc: dhcp-users at isc.org
Subject: RE: DISCOVERY STORM DoS ?

 

We have a Moto BSR64000, and I’ve never seen any DHCP rate-limiting, either.
Just a “max-hosts”.

 

Frank

 

From: dhcp-users-bounces+frnkblk=iname.com at lists.isc.org
[mailto:dhcp-users-bounces+frnkblk=iname.com at lists.isc.org] On Behalf Of
"Daniel D. Gonçalves"
Sent: Wednesday, July 14, 2010 12:29 PM
To: Patricio Latini
Cc: dhcp-users at isc.org
Subject: Re: DISCOVERY STORM DoS ?

 

My CMTS is a Cisco UBR 10K, but I didn't find information about rate
limit.
 
Patricio Latini wrote: 

Daniel, you should activate DHCP throttling in your CMTS. Advanced CMTSs
support rate limiting features that limit the quantity of DHCP
DISCOVERs/REQUESTs in order to avoid this kind of DoS attack.

 

Patricio

 

From: dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org
[mailto:dhcp-users-bounces+p_latini=hotmail.com at lists.isc.org] On Behalf Of
"Daniel D. Gonçalves"
Sent: Monday, July 12, 2010 5:39 PM
To: dhcp-users at isc.org
Subject: DISCOVERY STORM DoS ?

 

I'm having the following problem: a client randomly begins sending a storm
of DISCOVERY requests, and DHCP responds with an OFFER, but nothing more than
that. These requests cause denial of service on DHCP. Even after removing the MAC
from DHCP, the DISCOVERY requests continue. I tried versions V3.1.1 and
4.1.1-P1; both have the same problem.
The IP 10.40.0.1 is a Cisco CMTS with DHCP relay activated.

Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af
(Router) via 10.14.0.1
Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via
10.14.0.1

Thanks.

Daniel



__________ Information from ESET Smart Security, version of virus signature
database 5267 (20100710) __________

The message was checked by ESET Smart Security.

http://www.eset.com
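
Added example, not part of the original thread or of ISC DHCP: a server-side check that scans dhcpd syslog lines of the form quoted above and reports clients that send a burst of DISCOVERs without ever following up with a REQUEST. The function name, threshold, window, year default and the second (well-behaved) client in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches dhcpd DISCOVER/REQUEST syslog lines in the format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcpd(?:\[\d+\])?:\s"
    r"(?P<type>DHCPDISCOVER|DHCPREQUEST)\b.*?\sfrom\s"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b.*?\svia\s(?P<relay>\S+)",
    re.IGNORECASE,
)

def find_discover_storms(lines, threshold=10, window_s=5, year=2010):
    """Return {(mac, relay): peak DISCOVERs seen in any window} for clients
    that reach `threshold` DISCOVERs within `window_s` seconds and never send
    a REQUEST. Syslog timestamps carry no year, so `year` is assumed."""
    recent = defaultdict(deque)   # DISCOVER timestamps inside the window
    peak = defaultdict(int)       # highest in-window count per client
    requested = set()             # clients that progressed past the OFFER
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # OFFER/ACK and unrelated lines are skipped
        key = (m["mac"].lower(), m["relay"])
        if m["type"].upper() == "DHCPREQUEST":
            requested.add(key)
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items()
            if n >= threshold and k not in requested}

# Constructed sample: the DISCOVER/OFFER pair from the thread repeated 19
# times, plus one made-up client that completes a normal exchange.
SAMPLE = [
    "Jul 12 12:03:03 gw dhcpd: DHCPDISCOVER from 08:10:74:33:3a:af (Router) via 10.14.0.1",
    "Jul 12 12:03:03 gw dhcpd: DHCPOFFER on 200.XX.XX.XX to 08:10:74:33:3a:af (Router) via 10.14.0.1",
] * 19 + [
    "Jul 12 12:03:04 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 via 10.14.0.1",
    "Jul 12 12:03:04 gw dhcpd: DHCPOFFER on 10.0.0.50 to 02:00:00:00:00:01 via 10.14.0.1",
    "Jul 12 12:03:04 gw dhcpd: DHCPREQUEST for 10.0.0.50 (10.0.0.1) from 02:00:00:00:00:01 via 10.14.0.1",
    "Jul 12 12:03:04 gw dhcpd: DHCPACK on 10.0.0.50 to 02:00:00:00:00:01 via 10.14.0.1",
]

if __name__ == "__main__":
    for (mac, relay), n in find_discover_storms(SAMPLE).items():
        print(f"DISCOVER storm: {mac} via {relay}, {n} in window")
```

The result identifies the MAC and relay to act on at the CMTS; it does not reduce load on dhcpd by itself.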



