Date:      Tue, 18 Feb 2003 14:44:21 +0100
From:      Stijn Hoop <stijn@win.tue.nl>
To:        Ian Watkinson <ian.watkinson@ehsbrann.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: DHCP Client DoS
Message-ID:  <20030218134421.GC94966@pcwin002.win.tue.nl>
In-Reply-To: <20030218134112.GA93504@marvin.penguinpowered.org.uk>
References:  <20030218134112.GA93504@marvin.penguinpowered.org.uk>


On Tue, Feb 18, 2003 at 01:41:12PM +0000, Ian Watkinson wrote:
> We've recently found a problem with dhclient that can DoS a DHCP
> server. If you have schg flags set on /etc/resolv.conf to stop dhcp
> overwriting your existing nameservers, the problem occurs.
>
> Basically, the client just keeps rejecting the IP details it has
> received from the server and requesting another. The server marks the
> record as used, and moves onto the next one. Over the course of a couple
> of minutes, you can pretty much mark an entire class C as in use.
>
> If you remove the schg flag from resolv.conf, this problem does not
> happen.

While this is of course very bad, you do know about the 'supersede'
command in dhclient.conf to override any DHCP-supplied values?

Something like

interface "fxp0" {
	supersede domain-name-servers 127.0.0.1;
}

should work.

That should at least solve the 'overwriting /etc/resolv.conf' problem.

man dhclient.conf for details.

--Stijn

--
Fairy tales do not tell children that dragons exist. Children already
know dragons exist. Fairy tales tell children the dragons can be
killed.
		-- G.K. Chesterton
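
The pool-exhaustion behaviour in the quoted report, seen from the server side, as an added example that is not part of the original message or of dhclient/dhcpd: a detector that flags any client hardware address cycling through many distinct leases within a short window. The ISC dhcpd-style syslog format, the assumption that the client's rejection is logged as DHCPDECLINE, the function names, the window and threshold, and the sample log lines are all assumptions or constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: ISC dhcpd-style syslog lines, and the client's rejection is
# logged as DHCPDECLINE. Adjust the pattern for other DHCP servers.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(?:DHCPOFFER on|DHCPACK on|DHCPDECLINE of) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?:to|from) (?P<mac>[0-9a-f:]{17})\b"
)

def find_pool_churn(lines, window_s=120, threshold=5, year=2003):
    """Return {mac: most distinct addresses seen within window_s seconds}
    for every client that reached `threshold` distinct addresses."""
    recent = defaultdict(deque)          # mac -> (time, ip) events in window
    flagged = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events = recent[m["mac"]]
        events.append((when, m["ip"]))
        while (when - events[0][0]).total_seconds() > window_s:
            events.popleft()
        distinct = len({ip for _, ip in events})
        if distinct >= threshold:
            flagged[m["mac"]] = max(flagged.get(m["mac"], 0), distinct)
    return flagged

def constructed_log():
    """Constructed sample: one client burning through six addresses in 25
    seconds, and one client that takes a single lease normally."""
    churn, normal = "00:a0:c9:11:22:33", "00:a0:c9:44:55:66"
    lines = []
    for i in range(6):
        ip, ts = f"192.168.1.{10 + i}", f"Feb 18 13:40:{i * 5:02d}"
        lines.append(f"{ts} gw dhcpd: DHCPACK on {ip} to {churn} via fxp0")
        lines.append(f"{ts} gw dhcpd: DHCPDECLINE of {ip} from {churn} via fxp0: abandoned")
    lines.append(f"Feb 18 13:40:07 gw dhcpd: DHCPOFFER on 192.168.1.50 to {normal} via fxp0")
    lines.append(f"Feb 18 13:40:07 gw dhcpd: DHCPACK on 192.168.1.50 to {normal} via fxp0")
    return lines

if __name__ == "__main__":
    print(find_pool_churn(constructed_log()))
```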

