Date: Tue, 18 Feb 2003 14:44:21 +0100 From: Stijn Hoop <stijn@win.tue.nl> To: Ian Watkinson <ian.watkinson@ehsbrann.com> Cc: freebsd-hackers@freebsd.org Subject: Re: DHCP Client DoS Message-ID: <20030218134421.GC94966@pcwin002.win.tue.nl> In-Reply-To: <20030218134112.GA93504@marvin.penguinpowered.org.uk> References: <20030218134112.GA93504@marvin.penguinpowered.org.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Tue, Feb 18, 2003 at 01:41:12PM +0000, Ian Watkinson wrote:
> We've recently found a problem with dhclient that can DoS a DHCP
> server. If you have schg flags set on /etc/resolv.conf to stop dhcp
> overwriting your existing nameservers, the problem occurs.
>
> Basically, the client just keeps rejecting the IP details it has
> received from the server and requesting another. The server marks the
> record as used, and moves onto the next one. Over the course of a couple
> of minutes, you can pretty much mark an entire class C as in use.
>
> If you remove the schg flag from resolv.conf, this problem does not
> happen.
While this is of course very bad, you do know about the 'supersede'
command in dhclient.conf to override any DHCP-supplied values?
Something like
interface "fxp0" {
supersede domain-name-servers 127.0.0.1;
}
should work.
That should at least solve the 'overwriting /etc/resolv.conf' problem.
man dhclient.conf for details.
--Stijn
--
Fairy tales do not tell children that dragons exist. Children already
know dragons exist. Fairy tales tell children the dragons can be
killed.
-- G.K. Chesterton
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+Uji1Y3r/tLQmfWcRApDKAJ0UNnzi6Brl3PoAMctTp0E7qOmetACeIiCR
rwi2eq7FEDazFpOSZGw8r8g=
=r4s5
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030218134421.GC94966>