From: Stijn Hoop
To: Volker Stolz
Cc: Ian Watkinson, freebsd-hackers@freebsd.org
Subject: Re: DHCP Client DoS
Date: Tue, 18 Feb 2003 16:19:13 +0100
Message-ID: <20030218151913.GD97157@pcwin002.win.tue.nl>
In-Reply-To: <20030218151114.GA2873@i2.informatik.rwth-aachen.de>
References: <20030218134112.GA93504@marvin.penguinpowered.org.uk> <20030218151114.GA2873@i2.informatik.rwth-aachen.de>

On Tue, Feb 18, 2003 at 04:11:14PM +0100, Volker Stolz wrote:
> In local.freebsd-hackers, you wrote:
> > We've recently found a problem with dhclient that can DoS a DHCP
> > server. If you have schg flags set on /etc/resolv.conf to stop dhcp
> > overwriting your existing nameservers, the problem occurs.
> > Basically, the client just keeps rejecting the IP details it has
> > received from the server and requesting another. The server marks the
> > record as used, and moves onto the next one. Over the course of a couple
> > of minutes, you can pretty much mark an entire class C as in use.
>
> The problem of read-only resolv.conf is already documented in the PR
> database and I think recently somebody started thinking about a solution.
> Check http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/38778
>
> That the server runs out of IPs is probably his own fault. It
> should be configured to not eat up all IPs when a host which already
> has obtained a lease requests another one but simply hand out the old
> one or deny the request...
>
> Stijn: Could you add your suggestion to the above PR?

Well I could but it's a workaround -- dhclient should imho be made not to
fail when it cannot write /etc/resolv.conf. That's a separate issue from
being able to set the contents of the newly written resolv.conf, which is
essentially what the supersede option does. All I was trying to say was
that there already is a solution for keeping your own nameservers in
/etc/resolv.conf.

That said, I will add some words to this effect to the PR.

--Stijn

--
The rain it raineth on the just
And also on the unjust fella,
But chiefly on the just, because
The unjust steals the just's umbrella.
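The supersede option Stijn refers to, as an added dhclient.conf example that is not part of the original thread or of the FreeBSD project's own files. The resolver addresses (192.0.2.53, 192.0.2.54) and the domain (example.com) are assumed placeholder values from the documentation ranges; substitute your own.

```conf
# /etc/dhclient.conf  (added example, not from the original e-mail)
#
# Keep our own resolvers no matter what the DHCP server offers.
# dhclient still rewrites /etc/resolv.conf on every lease, but it writes
# the superseded values instead of the server-supplied ones, so the file
# does not need the schg flag and dhclient never fails to write it.
#
# 192.0.2.53 / 192.0.2.54 and example.com are assumed placeholders.
supersede domain-name-servers 192.0.2.53, 192.0.2.54;
supersede domain-name "example.com";

# Alternative if you run a local caching resolver and only want it tried
# first, keeping the server-supplied resolvers as fallbacks:
#prepend domain-name-servers 127.0.0.1;
```

Before restarting dhclient, clear the immutable flag the original post describes (chflags noschg /etc/resolv.conf); with the flag still set, dhclient cannot write the file regardless of what this configuration says, and the reject-and-request loop that exhausts the server's pool continues.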