Limit DHCP requests with iptables - problem: Router

Jürgen Dietl juergen.dietl at googlemail.com
Wed Feb 9 07:25:56 UTC 2011


Hello,

OK, let's finish. It cannot be done.

I understand that it is possible to find out the real MAC address with
iptables (the one in the DHCP header), but I don't know which client will be
mad in future. So there is no intelligence that makes iptables reduce any
DHCP packet flood from an unknown client. And fixing the offending client is
also no option because I don't know which client it will be. The one who made
the trouble is already out of the game.

The only solution would be for the DHCP server itself to have some
intelligence, so that it knows that it is abnormal behavior for a client to
ask a thousand times per second for an IP address. Maybe ISC will implement
such a thing in future.

Thanks a lot and have a nice day,
cheers,
Juergen


2011/2/9 José Queiroz <zekkerj at gmail.com>

>
>
> 2011/2/8 Alex Bligh <alex at alex.org.uk>
>
>
>>
>> --On 8 February 2011 08:17:51 +0000 Simon Hobson <dhcp1 at thehobsons.co.uk>
>> wrote:
>>
>>> My understanding is that the recent module for iptables can do this. But
>>> I'm not sure if it can track arbitrary parts of the packet,
>>>
>>
>> My understanding is it can (*), and there have been various examples
>> (including yours) of how to do this. I'm not quite sure why people
>> are claiming iptables is only capable of examining ip and "tcp/udp"
>> headers, particularly when others have provided working examples.
>>
>>
> From the documentation, it seems that it cannot --- "recent" only tracks
> source and destination address of marked packets. The trick is to only track
> the right packets...
>
>
>> I'd repeat that in terms of maintainability, it might be easier to
>> patch dhcpd, but for a small number of hosts, it appears eminently
>> feasible.
>>
>>
> Or fix the offending client...
>
>
>
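
An added example, not part of the original thread and not code from ISC dhcpd: a per-client request counter keyed on the `chaddr` field of the DHCP header, so a flooding client is picked out without being known in advance, even when its requests arrive via a router. The names `chaddr_of`, `FloodDetector` and `make_request`, the limit and window, and the sample MAC addresses are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

BOOTREQUEST = 1
CHADDR_OFFSET = 28      # op,htype,hlen,hops,xid,secs,flags + four IPv4 fields
MIN_BOOTP_LEN = 236     # fixed BOOTP header, up to the options field

def chaddr_of(payload: bytes):
    """Return the client MAC from the DHCP header, or None if not a client request."""
    if len(payload) < MIN_BOOTP_LEN or payload[0] != BOOTREQUEST:
        return None
    hlen = payload[2]
    if not 1 <= hlen <= 16:
        return None
    return payload[CHADDR_OFFSET:CHADDR_OFFSET + hlen].hex(":")

class FloodDetector:
    """Sliding-window request counter keyed by chaddr (limit/window are assumed values)."""
    def __init__(self, limit=5, window=1.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def observe(self, ts: float, payload: bytes) -> bool:
        """Record one packet; return True if this client is over the limit."""
        mac = chaddr_of(payload)
        if mac is None:
            return False
        q = self.seen[mac]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit

def make_request(mac: bytes, xid: int, giaddr=b"\x0a\x00\x00\x01") -> bytes:
    """Constructed sample: minimal relayed BOOTREQUEST (Ethernet, hlen 6)."""
    head = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 1, xid, 0, 0)
    addrs = bytes(12) + giaddr                  # ciaddr, yiaddr, siaddr, giaddr
    return head + addrs + mac.ljust(16, b"\0") + bytes(192)  # chaddr, sname, file

def run_sample():
    """Two constructed clients behind one relay; returns the set of flagged MACs."""
    noisy, quiet = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    det, flagged = FloodDetector(limit=5, window=1.0), set()
    for i in range(50):                         # noisy: 50 requests within 0.05 s
        pkt = make_request(noisy, i)
        if det.observe(i * 0.001, pkt):
            flagged.add(chaddr_of(pkt))
    for i in range(3):                          # quiet: 3 requests, 1 s apart
        pkt = make_request(quiet, 1000 + i)
        if det.observe(float(i), pkt):
            flagged.add(chaddr_of(pkt))
    return flagged
```

`chaddr` is filled in by the client, so this counts misbehaving clients rather than authenticating them.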