From owner-freebsd-hackers Tue Feb 18 5:44:11 2003 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDACE37B401 for ; Tue, 18 Feb 2003 05:44:07 -0800 (PST) Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id E46F043F85 for ; Tue, 18 Feb 2003 05:44:06 -0800 (PST) (envelope-from stijn@pcwin002.win.tue.nl) Received: from pcwin002.win.tue.nl (orb_rules@localhost [127.0.0.1]) by pcwin002.win.tue.nl (8.12.6/8.12.6) with ESMTP id h1IDiLVw096934; Tue, 18 Feb 2003 14:44:21 +0100 (CET) (envelope-from stijn@pcwin002.win.tue.nl) Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.12.6/8.12.6/Submit) id h1IDiLGt096933; Tue, 18 Feb 2003 14:44:21 +0100 (CET) Date: Tue, 18 Feb 2003 14:44:21 +0100 From: Stijn Hoop To: Ian Watkinson Cc: freebsd-hackers@freebsd.org Subject: Re: DHCP Client DoS Message-ID: <20030218134421.GC94966@pcwin002.win.tue.nl> References: <20030218134112.GA93504@marvin.penguinpowered.org.uk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="DBIVS5p969aUjpLe" Content-Disposition: inline In-Reply-To: <20030218134112.GA93504@marvin.penguinpowered.org.uk> User-Agent: Mutt/1.4i X-Bright-Idea: Let's abolish HTML mail! Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --DBIVS5p969aUjpLe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Feb 18, 2003 at 01:41:12PM +0000, Ian Watkinson wrote: > We've recently found a problem with dhclient that can DoS a DHCP > server. If you have schg flags set on /etc/resolv.conf to stop dhcp > overwriting your existing nameservers, the problem occurs. >=20 > Basically, the client just keeps rejecting the IP details it has > received from the server and requesting another. The server marks the > record as used, and moves onto the next one. Over the course of a couple > of minutes, you can pretty much mark an entire class C as in use.=20 >=20 > If you remove the schg flag from resolv.conf, this problem does not > happen.=20 While this is of course very bad, you do know about the 'supersede' command in dhclient.conf to override any DHCP-supplied values? Something like interface "fxp0" { supersede domain-name-servers 127.0.0.1; } should work. That should at least solve the 'overwriting /etc/resolv.conf' problem. man dhclient.conf for details. --Stijn --=20 Fairy tales do not tell children that dragons exist. Children already know dragons exist. Fairy tales tell children the dragons can be killed. -- G.K. Chesterton --DBIVS5p969aUjpLe Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+Uji1Y3r/tLQmfWcRApDKAJ0UNnzi6Brl3PoAMctTp0E7qOmetACeIiCR rwi2eq7FEDazFpOSZGw8r8g= =r4s5 -----END PGP SIGNATURE----- --DBIVS5p969aUjpLe-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message