Limit DHCP requests with iptables - problem: Router

Michal Suchanek hramrach at centrum.cz
Tue Feb 8 21:57:16 UTC 2011


Hello,

On 8 February 2011 08:32, Jürgen Dietl <juergen.dietl at googlemail.com> wrote:
> Hello again,
>
> many thanx for all your answers. English is not my native language but I
> will try best  as I can to point out one particular part of my problem.
>
> I have about 30 K Clients. In case of a client error where the Client starts
> spamming the server with DHCP requests I don't know which Client it is. It
> can be any client in the network. So I don't know the client's MAC address.
> The 2nd problem is that the clients are mostly not in the same network. So I
> use an IP-helper on the router and the client has the MAC address of the
> router in its MAC-field.
>
> The only place where you can see the clients real mac-address is in the dhcp
> header.
>
> So I look for a solution that dynamically looks in every packet - especially
> in the dhcp header - that arrives at the server and prohibits that there come
> too many dhcp requests from the same machine. In this case the server should
> ignore any packet from this client - which can be any client of the 30 K I
> mentioned before. The easiest way would be that intelligence is in the isc
> dhcp server because the server knows the real client address. But this
> server has no possibility of traffic control - except reducing the general
> rate which would limit my dhcp server in total.
>
> So I cannot work with a fixed client address.
>
> I don't know if it's true but I was told that iptables is so intelligent that
> you can limit traffic that comes from the same mac all the time. So you
> can limit flooding from the same host.
>
> Hope this makes my problem a bit clearer.
>

I guess you cannot achieve what you want with iptables alone as they
are implemented in the kernel.

I suggest you take a somewhat dynamic approach.

The first thing to do would be to watch the rate of dhcp packets under
usual conditions and when a client starts to spam your server.

You should determine a threshold above which you take action.

The action will be that you export dhcp packets (either through
nfqueue or through logging), analyze those packets by a program you
write that determines the offending client, and insert a rule that
allows that particular client to send only a few packets to the server
(rate limit by matching the offending mac address in the dhcp packet)
or blocks it entirely.

This is not exactly simple but it might be your only option if your
server is really overloaded and you cannot split the network. After
blocking the malfunctioning client (on the dhcp server or better yet
on one of your routers) the server should recover, possibly after a
short delay required to capture and analyze enough packets to
determine what client should be blocked.

You might need to process all dhcp packets coming to your server if
the rate increase during client malfunction is not noticeable.

An alternate approach would be to extend hashlimit to accept an arbitrary
part of the packet as the key for rate limiting. It may actually
already accept a string key; the list of accepted modes seems open-ended
in the iptables man page.

HTH

Michal
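The analysis step described in the reply above, as an added example that is not part of the original thread: it parses the client hardware address (chaddr) out of the fixed BOOTP/DHCP header of exported packets, counts packets per MAC against a threshold, and prints an iptables rule that drops further DHCP packets carrying that chaddr. The sample packets are constructed inline, the threshold value and the use of the u32 match (which reads chaddr at UDP offset 36, after the 8-byte UDP header) are this example's assumptions, and the input would normally come from NFQUEUE or a capture rather than be built in the script.

```python
import struct
from collections import Counter

CHADDR_OFF = 28   # offset of chaddr inside the BOOTP/DHCP header
MAC_LEN = 6       # hlen for Ethernet clients

def build_dhcp(mac: str, xid: int, msg_type: int = 1) -> bytes:
    """Build a minimal relayed DHCPDISCOVER (constructed sample, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    giaddr = bytes([10, 0, 0, 1])  # relay (ip-helper) address, constructed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, MAC_LEN, 1, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                      chaddr, b"\0" * 64, b"\0" * 128)
    # magic cookie, option 53 (message type), end option
    return hdr + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])

def client_mac(payload: bytes) -> str:
    """Return the client's real MAC from chaddr, independent of the relay's L2 source."""
    hlen = payload[2]
    mac = payload[CHADDR_OFF:CHADDR_OFF + hlen]
    return ":".join(f"{b:02x}" for b in mac)

def find_offenders(payloads, threshold: int):
    """MACs that sent more than `threshold` packets in this batch (assumed window)."""
    counts = Counter(client_mac(p) for p in payloads)
    return sorted(mac for mac, n in counts.items() if n > threshold)

def drop_rule(mac: str) -> str:
    """iptables rule matching chaddr via u32: IHL-relative offset 36 = 8 (UDP) + 28."""
    raw = bytes.fromhex(mac.replace(":", ""))
    hi = int.from_bytes(raw[:4], "big")   # chaddr bytes 0..3
    lo = int.from_bytes(raw[4:6], "big")  # chaddr bytes 4..5
    return ('iptables -I INPUT -p udp --dport 67 -m u32 --u32 '
            f'"0>>22&0x3C@36=0x{hi:08x} && 0>>22&0x3C@40>>16=0x{lo:04x}" -j DROP')

def sample_batch():
    """Constructed batch: one client flooding, one behaving normally."""
    flood = [build_dhcp("00:11:22:33:44:55", xid) for xid in range(50)]
    normal = [build_dhcp("aa:bb:cc:dd:ee:ff", 99)]
    return flood + normal

if __name__ == "__main__":
    for mac in find_offenders(sample_batch(), threshold=10):
        print(drop_rule(mac))
```

The rule is placed on the relay-facing host rather than the DHCP server where possible, as the reply suggests, so the server never sees the flood.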
