BAD_ADDRESS FLOOD IN WINDOWS DHCP SERVER

How a single misbehaving client can take down your network

Well, not really your entire network but definitely DHCP. I came across a linux client that had issues with assigning an IP address using dhclient. The dhclient process would throw a null pointer exception during the phase in which it attempts to validate the assigned IP address. From here, dhclient sends a DHCPDECLINE message to the server. The DHCPDECLINE message tells the server that something is either wrong with the DHCP parameters or that the client discovered that the IP was in use (through gratuitous ARP or in this case, a failed attempt at sending a gratuitous ARP).
cat /var/log/messages :
dhclient-null pointer
RFC 1541 states:
“If the server receives a DHCPDECLINE message, the client has discovered through some other means that the suggested network address is already in use. The server MUST mark the network address as “not allocated” and SHOULD notify the local system administrator of a possible configuration problem.”
Looking at my Windows DHCP server console, it’s not a pretty sight. The entire pool is exhausted.
bad_address
Manually deleting the BAD_ADDRESS entries fixes it for only a few seconds.
Here is the Wireshark output immediately after deletion of the BAD_ADDRESS entries:
server-dhcp-decline
You can see that the linux client is just going nuts. Requesting and declining all IP addresses in the pool until there is no more. The quick fix in this instance is easy enough; take the linux client off the network or kill the faulty dhclient process and assign a static IP. But how do we ensure that this won’t happen again?

Protect your Network with DHCP Snooping?

Enabling DHCP snooping on your networking gear is a great way to protect against rouge DHCP servers.
To enable DHCP snooping, follow these commands:
3COM switches:
<S5500> system-view
[S5500] dhcp-snooping
[S5500] interface Ethernet1/0/1
[S5500-Ethernet1/0/1] description *** DHCP server ***
[S5500-Ethernet1/0/1] dhcp-snooping trust
Cisco switches:
Sw2>enable
Sw2#conf t
Sw2(config)#ip dhcp snooping
Sw2(config)#ip dhcp snooping vlan 3
Sw2(config)#int f0/24
Sw2(config-if)#description *** DHCP Server ***
Sw2(config-if)#switchport access vlan 3
Sw2(config-if)#ip dhcp snooping trust
When DHCP snooping is enabled, the switch will only forward DHCP DISCOVER packets out trusted ports. Also, taken from Cisco’s documentation:

Comments

Post a Comment

Popular posts from this blog

Siem architecture

What is SIEM?   Security Information and Event Management solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM   (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. The objective: To help companies respond to attacks faster and organize mountains of log data. Security Information and Event Management (SIEM) technologies take part in a crucial role in addressing the compliance, efficiency, and security needs of an enterprise. The central part of SIEM technologies is the ability to collect security data from all the critical assets on a network and present that data as actionable information via a single interface. SIEM solutions come as software, appliances, or managed services. Increasingly, SIEM solutions are being used to log security data and generate reports for compliance purposes.     SIEM Solution    SIEM intelligenc
Read more

Cannot add VMFS datastore to ESXi host

Cannot add VMFS datastore to ESXi host March 15, 2017   Amit Arora   ESX5.x ISSUE “ Keep existing signature ” and “ Assign a new signature ” is grayed  out and only option is “ Format the disk ” is available while adding a VMFS Datastore to ESXi host in Cluster. CAUSE This issue is related to Non-Persistent Mount Volume between hosts in Cluster. SOLUTION First find the volume which are Non-Persistent by running below command on ESXi Host. #esxcfg-volume -l By running this you can find the volumes and names. To persistently mount the volume use, “esxcfg-volume -M” followed by either the UUID or the name of the volume #esxcfg-volume -M TEMPDATASTORE After running above commands then rescan storage on hosts and you will see the datastore listed.
Read more