BAD_ADDRESS FLOOD IN WINDOWS DHCP SERVER
How a single misbehaving client can take down your network
Well, not really your entire network, but definitely DHCP. I came across a Linux client that had issues obtaining an IP address with dhclient. The dhclient process would throw a null pointer exception during the phase in which it validates the assigned IP address, and from there dhclient sends a DHCPDECLINE message to the server. DHCPDECLINE tells the server that the client refuses the address, either because something is wrong with the DHCP parameters or because the client found the address already in use on the link (normally discovered through a gratuitous ARP probe; in this case the crash happened while attempting to send that probe, and dhclient treated it as a conflict).
cat /var/log/messages:
RFC 1541 (since obsoleted by RFC 2131, which keeps the same requirement) states:
“If the server receives a DHCPDECLINE message, the client has discovered through some other means that the suggested network address is already in use. The server MUST mark the network address as “not allocated” and SHOULD notify the local system administrator of a possible configuration problem.”
Looking at my Windows DHCP server console, it’s not a pretty sight: every declined address is marked BAD_ADDRESS in the scope’s address leases, and the entire pool is exhausted.
Manually deleting the BAD_ADDRESS entries fixes it for only a few seconds.
Here is the Wireshark output immediately after deletion of the BAD_ADDRESS entries:
You can see that the Linux client is hammering the server: it requests an address, gets it acknowledged, declines it, and moves on to the next one until there is nothing left in the pool. The quick fix in this instance is easy enough; take the Linux client off the network, or kill the faulty dhclient process and assign a static IP. But how do we make sure this cannot happen again?
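To make the failure mode concrete, here is an added example (not code from the original post) that encodes the REQUEST/ACK/DECLINE exchange described above as raw RFC 2131 messages, parses them back, and flags any client that declines many addresses in a short window, which is what you would want a detector to do over a capture like the one above. The server address 192.168.1.2, the client MACs, the 20-address pool and the threshold of five declines within ten seconds are assumptions made for the example, not values from the author’s network.

```python
"""Replay of the REQUEST/ACK/DECLINE loop and a per-client DECLINE-flood detector.

Added example, not from the original post. Packet bytes are constructed here with
a minimal RFC 2131 encoder; MACs, addresses and thresholds are illustrative
assumptions, not values from the author's capture.
"""
import socket
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the 236-byte BOOTP header
HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_ID = "192.168.1.2"            # assumed DHCP server address
POOL = [f"192.168.1.{n}" for n in range(10, 30)]   # assumed 20-address scope


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Encode a DHCP message: fixed BOOTP header, cookie, option 53, extra TLVs, end marker."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC + body + b"\xff"


def parse_dhcp(pkt):
    """Decode the fields the detector needs; option 50 carries the address a DECLINE refers to."""
    fields = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:    # option 255 = end
        if pkt[i] == 0:                      # option 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mac = ":".join(f"{b:02x}" for b in fields[11][:fields[2]])   # chaddr truncated to hlen
    return {
        "op": fields[0],
        "xid": fields[4],
        "mac": mac,
        "yiaddr": socket.inet_ntoa(fields[8]),
        "type": MSG.get(opts[53][0], "?") if 53 in opts else "?",
        "requested": socket.inet_ntoa(opts[50]) if 50 in opts else None,
    }


def decline_loop(mac, pool, t0=0.0, step=0.2):
    """Replay what the faulty client does: REQUEST each address, receive an ACK, DECLINE it."""
    ts, packets, xid = t0, [], 0x1000
    sid = socket.inet_aton(SERVER_ID)
    for ip in pool:
        req = build_dhcp(BOOTREQUEST, xid, mac, 3, options=[(50, socket.inet_aton(ip)), (54, sid)])
        ack = build_dhcp(BOOTREPLY, xid, mac, 5, yiaddr=ip, options=[(54, sid)])
        dec = build_dhcp(BOOTREQUEST, xid, mac, 4, options=[(50, socket.inet_aton(ip)), (54, sid)])
        packets += [(ts, req), (ts + 0.01, ack), (ts + 0.05, dec)]
        ts += step
        xid += 1
    return packets


def detect_decline_flood(packets, threshold=5, window=10.0):
    """Flag clients that send >= threshold DECLINEs within `window` seconds.

    packets is a list of (timestamp, raw_bytes). Returns {mac: sorted declined addresses}
    for flagged clients only. A healthy client declines at most the odd address it found
    in use, so a burst of DECLINEs from one chaddr is the signature of this failure mode.
    """
    declines = defaultdict(list)
    for ts, raw in sorted(packets, key=lambda p: p[0]):
        msg = parse_dhcp(raw)
        if msg["op"] == BOOTREQUEST and msg["type"] == "DECLINE" and msg["requested"]:
            declines[msg["mac"]].append((ts, msg["requested"]))
    flagged = {}
    for mac, events in declines.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[mac] = sorted({ip for _, ip in events})
                break
    return flagged


if __name__ == "__main__":
    capture = decline_loop("00:11:22:33:44:55", POOL)
    # a healthy client declining one genuinely conflicting address must not be flagged
    capture.append((3.0, build_dhcp(BOOTREQUEST, 0x2000, "66:77:88:99:aa:bb", 4,
                                    options=[(50, socket.inet_aton("192.168.1.10"))])))
    for mac, ips in detect_decline_flood(capture).items():
        print(f"DECLINE flood from {mac}: {len(ips)} addresses burned ({ips[0]} .. {ips[-1]})")
```

In practice you would feed detect_decline_flood from a capture (a pcap read with scapy, or a tshark export of UDP port 67/68 frames) rather than from packets it built itself; the parser reads only the fields it needs and tolerates pad options but not malformed lengths, so wrap parse_dhcp in a try/except when pointing it at live traffic.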
Protect your Network with DHCP Snooping?
Enabling DHCP snooping on your networking gear is a great way to protect against rogue DHCP servers.
To enable DHCP snooping, use these commands:
3COM switches:
<S5500> system-view
[S5500] dhcp-snooping
[S5500] interface Ethernet1/0/1
[S5500-Ethernet1/0/1] description *** DHCP server ***
[S5500-Ethernet1/0/1] dhcp-snooping trust
Cisco switches:
Sw2>enable
Sw2#conf t
Sw2(config)#ip dhcp snooping
Sw2(config)#ip dhcp snooping vlan 3
Sw2(config)#int f0/24
Sw2(config-if)#description *** DHCP Server ***
Sw2(config-if)#switchport access vlan 3
Sw2(config-if)#ip dhcp snooping trust
A word on what snooping does and does not do. With DHCP snooping enabled, the switch accepts DHCP server messages (OFFER, ACK, NAK) only on trusted ports and drops them on untrusted ports, so a rogue server plugged into an access port cannot hand out leases. Client messages arriving on untrusted ports, DHCPDECLINE included, are still forwarded, so snooping by itself will not stop the flood described above. What does help is the per-port rate limit that comes with it on Cisco switches: "ip dhcp snooping limit rate <pps>" on the untrusted access ports err-disables a port that exceeds the limit (pair it with "errdisable recovery cause dhcp-rate-limit" so the port comes back on its own). On the Windows side, a Deny entry for the offending MAC address in the DHCP server's Filters (Windows Server 2008 R2 and later) stops the server from answering that client at all. Also, taken from Cisco’s documentation: