From owner-freebsd-hackers  Tue Feb 18  5:31:15 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D8B3437B401
	for <freebsd-hackers@freebsd.org>; Tue, 18 Feb 2003 05:31:13 -0800 (PST)
Received: from smtp.mailbox.co.uk (smtp.mailbox.co.uk [195.82.125.32])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C69CE43FA3
	for <freebsd-hackers@freebsd.org>; Tue, 18 Feb 2003 05:31:12 -0800 (PST)
	(envelope-from wayne@penguinpowered.org.uk)
Received: from [212.18.244.168] (helo=marvin.penguinpowered.org.uk)
	by smtp.mailbox.co.uk with esmtp (Exim 3.36 #1)
	id 18l7q3-0000Ad-00
	for freebsd-hackers@freebsd.org; Tue, 18 Feb 2003 13:31:11 +0000
Received: from waynep by marvin.penguinpowered.org.uk with local (Exim 3.33 #1)
	id 18l7zk-000OKc-00
	for freebsd-hackers@freebsd.org; Tue, 18 Feb 2003 13:41:12 +0000
Date: Tue, 18 Feb 2003 13:41:12 +0000
From: Ian Watkinson <ian.watkinson@ehsbrann.com>
To: freebsd-hackers@freebsd.org
Subject: DHCP Client DoS
Message-ID: <20030218134112.GA93504@marvin.penguinpowered.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-System: FreeBSD i386 with kernel 4.7-RC
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Hi all,

We've recently found a problem with dhclient that can DoS a DHCP
server. If you have schg flags set on /etc/resolv.conf to stop dhcp
overwriting your existing nameservers, the problem occurs.

Basically, the client just keeps rejecting the IP details it has
received from the server and requesting another. The server marks the
record as used, and moves onto the next one. Over the course of a couple
of minutes, you can pretty much mark an entire class C as in use. 

If you remove the schg flag from resolv.conf, this problem does not
happen. 

This has been tested from a FreeBSD 5 client against a Windows NT server
and a FreeBSD 4.7 server with the same results. 

-- 
Ian Watkinson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message