security impact of accepting dhcp declines
Alexandre Bezroutchko
abb at gremwell.com
Thu Oct 21 11:51:12 UTC 2010
Hello,
I wonder if somebody could clarify how the DHCP server will behave when
somebody tries to exhaust its pool by abusing DHCPDECLINE messages. The
manpage for dhcpcd.conf says the following:
...
The declines keyword

  allow declines;
  deny declines;
  ignore declines;

The DHCPDECLINE message is used by DHCP clients to indicate that the
lease the server has offered is not valid. When the server receives a
DHCPDECLINE for a particular address, it normally abandons that address,
assuming that some unauthorized system is using it. *Unfortunately, a
malicious or buggy client can, using DHCPDECLINE messages, completely
exhaust the DHCP server's allocation pool*. The server will reclaim these
leases, but while the client is running through the pool, it may cause
serious thrashing in the DNS, and it will *also cause the DHCP server to
forget old DHCP client address allocations*.

The declines flag tells the DHCP server whether or not to honor
DHCPDECLINE messages. If it is set to deny or ignore in a particular
scope, the DHCP server will not respond to DHCPDECLINE messages.
...
I don't get the part about thrashing DNS. Does this refer to the case when
DNS updates are on?
And the statement about reclaiming these leases, but forgetting old DHCP
client allocations... Will the DHCP server start throwing away existing
leases when the pool gets exhausted?
Any input and/or reference to the official docs relevant to my question are
greatly appreciated.
Best regards,
Alexandre Bezroutchko
www.gremwell.com
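
Added example, not part of the original message or of ISC DHCP: a log check that flags clients whose DHCPDECLINE messages caused the server to abandon several addresses, the pool-exhaustion case the quoted manpage describes. The syslog line shape, the status words, the threshold and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed line shape (not taken from the post):
#   DHCPDECLINE of <ip> from <mac> [(<hostname>)] via <interface>: <status>
DECLINE_RE = re.compile(
    r"DHCPDECLINE of (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?: \([^)]*\))? via [^\s:]+: (?P<status>\S+)"
)

# Constructed sample syslog lines (documentation addresses, made-up MACs).
SAMPLE_LOG = """\
Oct 21 11:40:01 gw dhcpd: DHCPDECLINE of 192.0.2.10 from 02:00:00:aa:bb:01 via eth0: abandoned
Oct 21 11:40:02 gw dhcpd: DHCPDECLINE of 192.0.2.11 from 02:00:00:aa:bb:01 via eth0: abandoned
Oct 21 11:40:03 gw dhcpd: DHCPDECLINE of 192.0.2.12 from 02:00:00:AA:BB:01 (lab-pc) via eth0: abandoned
Oct 21 11:41:10 gw dhcpd: DHCPDECLINE of 192.0.2.50 from 02:00:00:aa:bb:02 via eth0: abandoned
Oct 21 11:42:00 gw dhcpd: DHCPDECLINE of 192.0.2.13 from 02:00:00:aa:bb:03 via eth0: ignored
Oct 21 11:42:05 gw dhcpd: DHCPACK on 192.0.2.60 to 02:00:00:aa:bb:04 via eth0
"""

def abandoned_by_client(lines):
    """Map each client MAC to the set of addresses the server abandoned for it."""
    result = defaultdict(set)
    for line in lines:
        m = DECLINE_RE.search(line)
        # Only "abandoned" means the server actually gave the address up.
        if m and m["status"] == "abandoned":
            result[m["mac"].lower()].add(m["ip"])
    return result

def find_pool_drainers(lines, threshold=3):
    """Clients whose declines abandoned `threshold` or more distinct addresses."""
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in abandoned_by_client(lines).items()
        if len(ips) >= threshold
    }

def abandoned_total(lines):
    """Distinct abandoned addresses overall, regardless of which MAC declined."""
    per_client = abandoned_by_client(lines).values()
    return len(set().union(*per_client))

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(find_pool_drainers(log), abandoned_total(log))
```

The overall count is worth alerting on alongside the per-client one, since the hardware address in a decline is supplied by the client and a per-MAC threshold alone can undercount.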