Denial of service mitigation techniques? What do you do?
Elliot Finley
efinley.lists at gmail.com
Thu Apr 7 15:27:54 UTC 2011
class "thugs" {
    match if substring(hardware, 1, 6) = 08:10:74:2f:21:83;
}

then later

subnet x.y.z.0 netmask 255.255.255.0 {
    option routers x.y.z.1;
    pool {
        range x.y.z.2 x.y.z.254;
        deny members of "thugs";
        deny dynamic bootp clients;
    }
}
On Tue, Apr 5, 2011 at 2:07 PM, Paul Keck <pkeck at uga.edu> wrote:
> Hello, we're using Internet Systems Consortium DHCP Server V3.0.5-RedHat in
> a campus environment.
>
> The other day one machine in a random building started pounding the heck out
> of the DHCP server, to the extent that our monitoring system was unable to
> obtain a lease. So, even though we could see that many leases were being
> fulfilled, I know some must not have been.
>
> Breakdown per minute of log lines:
>
> feta.cc# cat dhcpd.7 |grep '00:1a:a0:71:2a:72'|cut -c-12|uniq -c
> 4 Mar 29 14:46
> 171 Mar 29 14:47
> 2697 Mar 29 14:48
> 2718 Mar 29 14:49
> 2520 Mar 29 14:50
> 2746 Mar 29 14:51
> 2677 Mar 29 14:52
> 2712 Mar 29 14:53
> 2690 Mar 29 14:54
> 2512 Mar 29 14:55
> 2684 Mar 29 14:56
> 2703 Mar 29 14:57
> 2694 Mar 29 14:58
> 2681 Mar 29 14:59
> 2478 Mar 29 15:00
> 2753 Mar 29 15:01
> 2717 Mar 29 15:02
> 2750 Mar 29 15:03
> 2688 Mar 29 15:04
> 2572 Mar 29 15:05
> 2666 Mar 29 15:06
> 2761 Mar 29 15:07
> 1402 Mar 29 15:08
> 8 Mar 29 15:09
> 8 Mar 29 15:18
> 2 Mar 29 15:22
> 6 Mar 29 15:23
> 4 Mar 29 15:28
> 4 Mar 29 15:29
> 5 Mar 29 15:44
> 1 Mar 29 15:46
> 2 Mar 29 15:48
>
> Luckily it stopped on its own, but unluckily I was at lunch and didn't catch
> it in the act. It was just one machine that would either take the OFFER and
> then DISCOVER again, or not bother taking the OFFER and then DISCOVER again.
>
> This has happened a few times over the years and causes consternation. What
> do you folks do to mitigate this threat? I trolled the archive and see that
> some people get their networking equipment to throttle requests. I'll
> pursue that with our Foundry/Brocade gear but if that doesn't pan out, what
> else? I can see setting up something to look for this situation in the logs
> and block any requesting IP with more DISCOVERs than I like, but in this
> case it would blackhole an entire building since the router is forwarding
> the requests. Has anyone done that? Any better ideas?
>
> Also, to the programmers- is DHCPDISCOVER the thing to watch? What is the
> best metric for the "damage" a noisy client is causing? OFFERs? ACKs?
>
> Also, my management has taken us over relatively recently and is all about
> off-the-shelf solutions and outsourcing. Do any of the appliances that use
> ISC DHCPD (or others for that matter) have a good solution to this problem?
>
> Thanks!
>
> --
> Paul Keck pkeck at uga.edu
> University of Georgia
> EITS Network Operations mailto:pkeck at ediacara.org
> --Opinions mine.-- Go fighting anomalocaridids!!!
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
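As an added example (not code from either poster), a Python sketch of the log-driven detection Paul describes: it counts DHCPDISCOVERs per client hardware address per minute, so a chatty host behind a relay is identified by its MAC rather than by the relay address that the router forwards from (blocking that would blackhole the whole building), and emits a dhcpd class in the shape Elliot shows for the offenders. The log lines are constructed in ISC dhcpd syslog format; the hostname, addresses and MACs are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in ISC dhcpd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Mar 29 14:48:01 feta dhcpd: DHCPDISCOVER from 00:1a:a0:71:2a:72 via 10.1.2.1
Mar 29 14:48:01 feta dhcpd: DHCPOFFER on 10.1.2.50 to 00:1a:a0:71:2a:72 via 10.1.2.1
Mar 29 14:48:02 feta dhcpd: DHCPDISCOVER from 00:1a:a0:71:2a:72 via 10.1.2.1
Mar 29 14:48:02 feta dhcpd: DHCPDISCOVER from 00:1a:a0:71:2a:72 via 10.1.2.1
Mar 29 14:48:03 feta dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:cc via 10.1.2.1
Mar 29 14:48:03 feta dhcpd: DHCPREQUEST for 10.1.2.51 from 00:0c:29:aa:bb:cc via 10.1.2.1
Mar 29 14:48:03 feta dhcpd: DHCPACK on 10.1.2.51 to 00:0c:29:aa:bb:cc via 10.1.2.1
Mar 29 14:49:00 feta dhcpd: DHCPDISCOVER from 00:1a:a0:71:2a:72 via 10.1.2.1
"""

# Only DISCOVERs are counted: every retry a looping client makes starts with one,
# whereas OFFER/ACK counts depend on what the server could actually hand out.
DISCOVER_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<relay>\S+)"
)

def discovers_per_minute(log_text):
    """Return {mac: Counter({minute: count})}, keyed by client MAC, not relay IP."""
    per_mac = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if m:
            per_mac[m["mac"]][m["minute"]] += 1
    return per_mac

def noisy_clients(log_text, threshold):
    """MACs whose DISCOVER count in any single minute exceeds the threshold."""
    return sorted(mac for mac, mins in discovers_per_minute(log_text).items()
                  if max(mins.values()) > threshold)

def deny_class_config(name, macs):
    """Emit a dhcpd.conf class matching the offending MACs; reference it from a
    pool with: deny members of "<name>";"""
    clauses = " or\n             ".join(
        f"substring(hardware, 1, 6) = {mac}" for mac in macs)
    return f'class "{name}" {{\n    match if {clauses};\n}}\n'

if __name__ == "__main__":
    bad = noisy_clients(SAMPLE_LOG, threshold=2)
    print(deny_class_config("thugs", bad))
```

In production the threshold would be tuned against a quiet baseline (Paul's breakdown shows a few DISCOVERs per minute normally versus ~2700 during the incident), and the generated class would be appended to dhcpd.conf followed by a server reload.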