security impact of accepting dhcp declines

Alexandre Bezroutchko abb at
Thu Oct 21 11:51:12 UTC 2010


I wonder if somebody could clarify how the DHCP server will behave when somebody
tries to exhaust its pool by abusing DHCPDECLINE messages. The man page for
dhcpd.conf says the following:

      The declines keyword

       allow declines;
       deny declines;
       ignore declines;

      The DHCPDECLINE message is used by DHCP clients to indicate that the
      lease the server has offered is not valid. When the server receives a
      DHCPDECLINE for a particular address, it normally abandons that
      address, assuming that some unauthorized system is using it.
      Unfortunately, a malicious or buggy client can, using DHCPDECLINE,
      *completely exhaust the DHCP server's allocation pool*. The server will
      eventually reclaim these leases, but while the client is running through
      the pool, it may cause serious thrashing in the DNS, and it will *also
      cause the DHCP server to forget old DHCP client address allocations*.

      The declines flag tells the DHCP server whether or not to honor
      DHCPDECLINE messages. If it is set to deny or ignore in a particular
      scope, the DHCP server will not respond to DHCPDECLINE messages.

I don't get the part about thrashing the DNS. Does this refer to the case when
DNS updates are on?

And the statement about reclaiming these leases, but forgetting old DHCP
client allocations... Will the DHCP server start throwing away existing leases
when the pool gets exhausted?

Any input and/or reference to the official docs relevant to my question are
greatly appreciated.

Best regards,
Alexandre Bezroutchko
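Worked example, added here and not part of the original post or of ISC dhcpd: a toy Python model of a single address pool that follows the `declines` semantics quoted from the man page above. The `DhcpPool` class, the `decline_attack` driver, the dictionary message format and the "offer a returning client its previous address" preference are all assumptions made for the illustration; lease timers, the lease file and dynamic DNS updates (the "thrashing in the DNS" the man page mentions) are deliberately left out. It runs the DISCOVER/OFFER/REQUEST/ACK/DECLINE cycle from one client against a four-address pool, once with `allow declines` (the default) and once with `deny declines`, and shows why one client can empty the pool in the first case but not in the second.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class DhcpPool:
    """Toy model of one dhcpd address pool (constructed for this example, not dhcpd code).

    Only the behaviour the dhcpd.conf(5) 'declines' text describes is modelled:
    with declines == "allow" a DHCPDECLINE marks the offered address abandoned;
    with "deny" or "ignore" the DECLINE is dropped.  Lease timers, the on-disk
    lease database and DNS updates are not modelled.
    """
    addresses: list
    declines: str = "allow"                         # allow | deny | ignore, as in dhcpd.conf
    leased: dict = field(default_factory=dict)      # ip -> client currently holding it
    last_owner: dict = field(default_factory=dict)  # ip -> last client that was ACKed it
    abandoned: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.declines not in ("allow", "deny", "ignore"):
            raise ValueError("declines must be allow, deny or ignore")
        self.free = sorted(set(self.addresses), key=IPv4Address)

    def handle(self, msg):
        """Process one client message and return the server's reply (None = silence)."""
        kind, client = msg["type"], msg["client"]
        if kind == "DHCPDISCOVER":
            # Prefer the client's current lease, then the free address it last held.
            for ip, owner in self.leased.items():
                if owner == client:
                    return {"type": "DHCPOFFER", "ip": ip}
            for ip in self.free:
                if self.last_owner.get(ip) == client:
                    return {"type": "DHCPOFFER", "ip": ip}
            if not self.free:
                self.log.append(f"no free leases for {client}")
                return None                       # nothing to offer: server stays silent
            return {"type": "DHCPOFFER", "ip": self.free[0]}
        if kind == "DHCPREQUEST":
            ip = msg["ip"]
            if ip in self.free:
                self.free.remove(ip)
                self.leased[ip] = client
                self.last_owner[ip] = client      # the previous holder's record is lost here
                return {"type": "DHCPACK", "ip": ip}
            if self.leased.get(ip) == client:
                return {"type": "DHCPACK", "ip": ip}
            return {"type": "DHCPNAK", "ip": ip}
        if kind == "DHCPDECLINE":
            ip = msg["ip"]
            if self.declines != "allow":
                self.log.append(f"{self.declines} declines: dropped DECLINE of {ip} from {client}")
                return None
            if self.leased.get(ip) == client:     # allow declines: abandon the address
                del self.leased[ip]
                self.abandoned.add(ip)
                self.log.append(f"abandoned {ip} after DECLINE from {client}")
            return None
        raise ValueError(f"unsupported message type {kind}")

    def expire(self, ip):
        """Lease timer ran out: the address is free again, but its last owner is remembered."""
        if ip in self.leased:
            del self.leased[ip]
            self.free = sorted(set(self.free) | {ip}, key=IPv4Address)

    def reclaim_abandoned(self):
        """Return abandoned addresses to the free list (the man page says dhcpd eventually does)."""
        self.free = sorted(set(self.free) | self.abandoned, key=IPv4Address)
        self.abandoned.clear()


def decline_attack(pool, client="attacker", max_rounds=10_000):
    """One client repeats DISCOVER/REQUEST/ACK/DECLINE until the server stops
    handing out new addresses.  Returns the number of addresses left abandoned."""
    seen = set()
    for _ in range(max_rounds):
        offer = pool.handle({"type": "DHCPDISCOVER", "client": client})
        if offer is None or offer["ip"] in seen:
            break                                 # pool empty, or the same lease offered again
        seen.add(offer["ip"])
        ack = pool.handle({"type": "DHCPREQUEST", "client": client, "ip": offer["ip"]})
        assert ack["type"] == "DHCPACK"
        pool.handle({"type": "DHCPDECLINE", "client": client, "ip": offer["ip"]})
    return len(pool.abandoned)


if __name__ == "__main__":
    for setting in ("allow", "deny"):
        pool = DhcpPool(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"], declines=setting)
        n = decline_attack(pool)
        print(f"{setting} declines: {n} abandoned, {len(pool.free)} still free")
```

With `allow`, every DECLINE moves one address to the abandoned set and the client's next DISCOVER is handed a fresh one, so a single client ID walks through the whole pool and a legitimate client that arrives afterwards gets no OFFER at all until the abandoned addresses are reclaimed; along the way each address's last-owner record is overwritten by the attacker, which is the "forget old DHCP client address allocations" effect. With `deny` (or `ignore`) the DECLINE is dropped, the client keeps the one lease it holds, and the same address is offered to it again on the next DISCOVER. The corresponding dhcpd.conf change is `deny declines;` in the pool or subnet scope, as the quoted man page text describes.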