Limit DHCP requests with iptables - problem: Router

Ingen Schenau, Jeroen van (ICTS) j.vaningenschenau at utwente.nl
Tue Feb 8 12:22:04 UTC 2011


Hi,

> So I look for a solution that dynamically looks in every packet -
> especially in the DHCP header - that arrives at the server and
> prevents too many DHCP requests from coming from the same machine.
> In this case the server should ignore any packet from this client -
> which can be any client of the 30 K I mentioned before. The easiest
> way would be if that intelligence were in the ISC DHCP server, because the
> server knows the real client address. But this server has no
> possibility of traffic control - except reducing the general rate,
> which would limit my DHCP server in total.
> 
> So I cannot work with a fixed client address. 
> 
> I don't know if it's true, but I was told that iptables is so intelligent
> that you can limit traffic that comes from the same MAC all the
> time. So you can limit flooding from the same host.
> 
> Hope this makes my problem a bit clearer.

In essence, you want to inspect the packet beyond the TCP or UDP header
and rate-limit packets based on a specific field. I'm no iptables
expert, but I don't see a way to accomplish that.

With iptables and ebtables you can act on almost anything from Layer 2
fields up to Layer 4 fields. For example, rate limiting in iptables seems
to be possible per connection. A connection is defined by the unique
combination of source IP/port and destination IP/port. As far as I know,
with iptables and ebtables it's not possible to change "what defines a
connection". So you can't use information that's contained deeper in the
packet.

While I'd be very interested in a solution (we've had DHCP problems as
well, when a broken client starts to send out DHCPDISCOVERs at > 1kpps),
I don't see one yet with the tools that were mentioned.

By the way, the iptables "hashlimit" match extension seems to come
closest to what you want to achieve; if --hashlimit-mode could take an
argument to match specific bytes in a packet, that might do the trick. I
leave it up to real programmers to decide whether that's feasible and
what the implications for CPU load / throughput would be ;)


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
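The per-client limit discussed in this thread (rate-limiting on a field inside the DHCP payload rather than on IP/port), as an added example that is not part of the original posts, of iptables, or of ISC dhcpd: a small Python userspace filter that parses the BOOTP fixed header, keys a token bucket on the chaddr (client hardware address) field, and counts accepted versus dropped requests over a constructed packet stream with one flooding client and one well-behaved client. The sample packets, MAC addresses, timestamps and the rate/burst values are all constructed for the example.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that follows the 236-byte BOOTP header


def parse_dhcp_chaddr(payload: bytes) -> str:
    """Return the client hardware address (chaddr) from a raw BOOTP/DHCP payload.

    BOOTP fixed header layout (RFC 951 / RFC 2131), offsets in bytes:
    op(0) htype(1) hlen(2) hops(3) xid(4-7) secs(8-9) flags(10-11)
    ciaddr(12-15) yiaddr(16-19) siaddr(20-23) giaddr(24-27) chaddr(28-43)
    sname(44-107) file(108-235) magic cookie(236-239) options(240-).
    Only the first hlen bytes of chaddr are meaningful.
    """
    if len(payload) < 240:
        raise ValueError("payload too short for a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if op != 1:  # 1 = BOOTREQUEST; only client-to-server traffic is limited here
        raise ValueError("not a BOOTREQUEST")
    if hlen == 0 or hlen > 16:
        raise ValueError("invalid hlen")
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return payload[28:28 + hlen].hex(":")


class PerClientRateLimiter:
    """Token bucket per chaddr: `rate` requests/second sustained, at most `burst` at once."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # chaddr -> (tokens, timestamp of last refill)

    def allow(self, chaddr: str, now: float) -> bool:
        tokens, last = self._buckets.get(chaddr, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[chaddr] = (tokens - 1.0, now)
            return True
        self._buckets[chaddr] = (tokens, now)  # out of tokens: drop this request
        return False


def filter_dhcp_stream(packets, limiter):
    """packets: iterable of (timestamp, udp_payload). Returns {chaddr: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, payload in packets:
        try:
            mac = parse_dhcp_chaddr(payload)
        except ValueError:
            continue  # malformed or non-request: not counted against any client
        stats[mac][0 if limiter.allow(mac, ts) else 1] += 1
    return {mac: tuple(counts) for mac, counts in stats.items()}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Construct a minimal DHCPDISCOVER (BOOTREQUEST, htype=1 Ethernet, hlen=6) for the example."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = DHCP_MAGIC + b"\x35\x01\x01" + b"\xff"  # option 53 = DHCPDISCOVER, then end
    return header + options


def demo():
    """Constructed stream: one client flooding at 1 kpps, one client retrying every 4 s."""
    flooder = b"\x00\x11\x22\x33\x44\x55"
    normal = b"\xaa\xbb\xcc\xdd\xee\xff"
    stream = [(i * 0.001, build_discover(flooder, i)) for i in range(50)]
    stream += [(t, build_discover(normal, 1000 + t)) for t in (0, 4, 8)]
    stream.append((0.5, b"\x01" * 10))  # constructed garbage packet, must be ignored
    stream.sort(key=lambda item: item[0])
    limiter = PerClientRateLimiter(rate=1.0, burst=5)  # 1 request/s sustained, burst of 5
    return filter_dhcp_stream(stream, limiter)


if __name__ == "__main__":
    for mac, (accepted, dropped) in demo().items():
        print(f"{mac}: accepted={accepted} dropped={dropped}")
```

Keying on chaddr rather than on the Ethernet source address is what makes this match "the real client address": for requests that arrive through a relay agent (giaddr set), the Layer 2 source is the relay, whereas chaddr still identifies the client. A production filter would additionally evict idle buckets so that a population of 30 K clients does not grow the table without bound.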
