Limit DHCP requests with iptables - problem: Router

Jürgen Dietl juergen.dietl at googlemail.com
Tue Feb 8 07:32:51 UTC 2011 

Hello again,

many thanx for all your answers. English is not my native language but I
will try best  as I can to point out one particular part of my problem.

I have about 30 K Clients. In case of a client error where the Client start
spamming the server with DHCP requests I dont know which Client it is. It
can be any client in the network. So I dont know the client´s MAC address.
The 2nd problem is that the clients are mostly not in the same network. So I
use an IP-helper on the router and the client has the MAC address of the
router in its MAC-field.

The only place where you can see the clients real mac-address is in the dhcp
header.

So I look for a solution that dynamically looks in every packet - especially
in the dhcp header - that arrives at the server and prohibit that there come
too many dhcp requests from the same machine. In this case the server should
ignore any packet from this client - which can be any client of the 30 K I
mentioned before. The easiest way would be that intelligent is in the isc
dhcp server because the server knows the real client address. But this
server has no possibility of traffic control - except reducing the general
rate which would limit my dhcp server in total.

So I cannot work with a fix client address.

I dont know if its true but I was told that iptables is so intelligent that
you can limit a traffic that comes from the same mac all the time. So you
can limit flooding from the same host.

Hope this makes my problem a bit clearer.

thanx a lot,
cheers,
Juergen



2011/2/7 Juergen Northe <juergen.northe at googlemail.com>

> Since the DHCP requests are relayed through an udp-helper iptables
> rules are "crutches". If you do not want to leave this path, perhaps
> you can use shorewall and ask Tom Eastep for help.
> If your edge switches are 801.x capable you might have a look at
> freeradius where you can not only control network access via MAC but
> even push an ip-address with the accept packet. In this case you'll
> push your issue to the authenticator and the authenticaiton server. So
> your printer can only be a member of your network with a valid IP and
> this one he'll get at the entrance.
>
>
> 2011/2/7 Friesen, Don SSBC:EX <Don.Friesen at gov.bc.ca>:
> >
> >>>
> >>> That won't work because all his dhcp queries come with the same
> >>> MAC address - the router which is forwarding them.
> >>>
> >>>
> >>
> >>Then you might try adding a limit test and -j ACCEPT .
> >>
> >>--limit rate[/second|/minute|/hour|/day]
> >>Maximum average matching rate: specified as a number, with
> >>an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default
> >>is 3/hour.
> >>
> >>Dave
> >
> >   Periodically we had printers spam our servers with requests faster that
> the servers we were using at the time could respond to.  The solution was to
> block all traffic from the router for a few seconds.  Two or three seconds
> was all it took for the printers to reset.  Then the traffic was turned up
> again.  We did this manually on the router by removing the helper addresses.
>  So the rate limiting would be better, as automation good... yes :)
> >
> >   This was prior to our adopting ISC DHCP.  I haven't seen it since.  Our
> only issue now is that Corp Headquarters is enforcing a managed power-off
> overnight with an automated power-up at 7am.  When 30,000 machines turn on
> within a few seconds, the DHCP traffic is a bit excessive, and even our new
> ISC based servers can't keep up.  Any such rate limiting would play havoc
> with our DHCP service at that time of the day, as it already takes 30
> minutes to fully service all the machines.  And yes, we have suggested that
> they stagger the start-up, but it falls on deaf ears.
> >
> >
> > Don Friesen
> >
> > _______________________________________________
> > dhcp-users mailing list
> > dhcp-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/dhcp-users
>
>
>
> --
>
>
>
> mit freundlichem Gruss
> Jürgen Northe
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/dhcp-users/attachments/20110208/f1102764/attachment.html>

More information about the dhcp-users mailing list