How a single misbehaving client can take down your network
Well, not really your entire network, but definitely DHCP. I came across a Linux client that had issues obtaining an IP address with dhclient. The dhclient process would throw a null pointer exception during the phase in which it attempts to validate the assigned IP address. From there, dhclient sends a DHCPDECLINE message to the server. A DHCPDECLINE tells the server either that something is wrong with the DHCP parameters or that the client discovered the address is already in use (normally through a gratuitous ARP for the offered address; in this case, through a failed attempt at sending that gratuitous ARP).
Output of cat /var/log/messages:
RFC 1541 (since obsoleted by RFC 2131, which keeps the same requirement) states:
“If the server receives a DHCPDECLINE message, the client has discovered through some other means that the suggested network address is already in use. The server MUST mark the network address as ‘not allocated’ and SHOULD notify the local system administrator of a possible configuration problem.”
Looking at my Windows DHCP server console, it’s not a pretty sight. The entire pool is exhausted.
Manually deleting the BAD_ADDRESS entries fixes it for only a few seconds.
Here is the Wireshark output immediately after deletion of the BAD_ADDRESS entries:
You can see that the Linux client is just going nuts: requesting and declining every address in the pool until none are left. The quick fix in this instance is easy enough; take the Linux client off the network, or kill the faulty dhclient process and assign a static IP. But how do we ensure that this won’t happen again?
Protect your Network with DHCP Snooping?
Enabling DHCP snooping on your switches is a great way to protect against rogue DHCP servers, although, as we will see, it does not address a client that declines its own leases.
To enable DHCP snooping, follow these commands. On a 3Com/H3C S5500 (Comware), mark the port facing the DHCP server as trusted:

[S5500] interface Ethernet1/0/1
[S5500-Ethernet1/0/1] description *** DHCP server ***
[S5500-Ethernet1/0/1] dhcp-snooping trust

On Cisco IOS, enable snooping globally and on the VLAN, then trust the port facing the DHCP server (the interface commands below go under that port):

Sw2(config)#ip dhcp snooping
Sw2(config)#ip dhcp snooping vlan 3
! interface <port facing the DHCP server>
Sw2(config-if)#description *** DHCP Server ***
Sw2(config-if)#switchport access vlan 3
Sw2(config-if)#ip dhcp snooping trust
With DHCP snooping enabled, every port is untrusted by default, and the switch drops server-originated messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on an untrusted port, so only a server behind a trusted port can answer clients. Also, taken from Cisco’s documentation:
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
•The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
•The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
•The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
That last bullet is of interest to us. It says that the switch will DROP DHCPDECLINE messages!! Unfortunately, it only drops the packet if the interface recorded in the binding table does not match the interface the packet came in on. That does not help our situation, because the client declining the address is the same client that requested it. Same client, same interface.
So what can we do?
If you are running ISC DHCP Server on a Linux box, there’s hope for you. You can add one of the following statements to your dhcpd.conf file:
For networks with DHCP servers on Windows, Cisco, or 3Com? Sorry, I have not seen a way to prevent declines. There are ways to rate limit the number of DHCP packets that come into an interface, which is a good idea, but not a fix for this problem. I believe this could be a major problem in enterprises. One malicious user could easily wipe out all IPs in a given DHCP pool, essentially performing a denial of service against any new client that joins the network until the bad entries are cleaned up. Bad news.
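Where the server offers no way to refuse declines, the remaining option is to detect the flood quickly and pull the offending client off the network. As an added example (my own code, not anything from the post, from ISC, or from a switch vendor), here is a small Python detector that reads ISC dhcpd syslog lines and flags any hardware address that declines several distinct addresses inside a short window. The log lines are constructed for this example in the format dhcpd uses for declines (“DHCPDECLINE of <ip> from <mac> via <iface>: <status>”); the threshold and window are arbitrary knobs you would tune to your pool size. For the record, the server-side control the post alludes to for ISC dhcpd is the `declines` flag documented in dhcpd.conf(5) (`deny declines;` or `ignore declines;`).

```python
"""Spot a DHCPDECLINE flood in ISC dhcpd syslog output.

A single buggy or malicious client can walk a whole pool by requesting an
address and immediately declining it. A server that honors declines marks
each one unusable, so the pattern to alert on is one hardware address
declining many distinct addresses in a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the decline line ISC dhcpd writes to syslog
# ("DHCPDECLINE of <ip> from <mac> via <iface>: <status>").
DECLINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDECLINE of (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"via (?P<iface>\S+): (?P<status>.+)$"
)

# Constructed sample log (not from the post): one client walks five addresses
# in five seconds; a second client declines a single address twice, which is
# the normal "someone really is squatting on that IP" case.
SAMPLE_LOG = """\
Mar 21 09:15:01 dhcp dhcpd[1234]: DHCPDISCOVER from 00:0c:29:aa:bb:cc via eth0
Mar 21 09:15:01 dhcp dhcpd[1234]: DHCPOFFER on 192.168.3.50 to 00:0c:29:aa:bb:cc via eth0
Mar 21 09:15:01 dhcp dhcpd[1234]: DHCPREQUEST for 192.168.3.50 (192.168.3.1) from 00:0c:29:aa:bb:cc via eth0
Mar 21 09:15:01 dhcp dhcpd[1234]: DHCPACK on 192.168.3.50 to 00:0c:29:aa:bb:cc via eth0
Mar 21 09:15:02 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.50 from 00:0c:29:aa:bb:cc via eth0: abandoned
Mar 21 09:15:03 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.51 from 00:0c:29:aa:bb:cc via eth0: abandoned
Mar 21 09:15:04 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.52 from 00:0c:29:aa:bb:cc via eth0: abandoned
Mar 21 09:15:05 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.53 from 00:0c:29:aa:bb:cc via eth0: abandoned
Mar 21 09:15:06 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.54 from 00:0c:29:aa:bb:cc via eth0: abandoned
Mar 21 09:15:07 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.120 from 00:16:3e:11:22:33 via eth0: abandoned
Mar 21 09:15:09 dhcp dhcpd[1234]: DHCPDECLINE of 192.168.3.120 from 00:16:3e:11:22:33 via eth0: abandoned
"""


def parse_declines(lines):
    """Yield (timestamp, mac, ip) for every DHCPDECLINE line, skipping the rest."""
    for line in lines:
        m = DECLINE_RE.match(line)
        if m is None:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("mac"), m.group("ip")


def find_decline_floods(lines, threshold=3, window_seconds=60):
    """Return {mac: [declined ips]} for every client that declined at least
    `threshold` distinct addresses inside some `window_seconds` span.

    Counting distinct addresses rather than raw messages keeps a client that
    repeatedly declines one genuinely conflicting address from being flagged.
    """
    recent = defaultdict(deque)   # mac -> (ts, ip) entries still inside the window
    flagged = defaultdict(set)
    for ts, mac, ip in parse_declines(lines):
        window = recent[mac]
        window.append((ts, ip))
        # Drop entries that have aged out of the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {addr for _, addr in window}
        if len(distinct) >= threshold:
            flagged[mac].update(distinct)
    return {
        mac: sorted(ips, key=lambda a: tuple(int(o) for o in a.split(".")))
        for mac, ips in flagged.items()
    }


if __name__ == "__main__":
    for mac, ips in find_decline_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{mac} declined {len(ips)} addresses: {', '.join(ips)}")
```

Feed it `journalctl`/syslog output for dhcpd and act on the MAC it returns (shut the port, or add a static reservation so the client stops walking the pool). The same sliding-window-per-MAC logic applies to a Windows DHCP audit log or a Wireshark export; only the regular expression changes.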
Let me know what you guys think.