[Dnsmasq-discuss] DHCP Denial-of-Service
Luca Landi
me at lucalandi.com
Sun Jul 17 12:03:13 BST 2005
Hello Simon,
You know the 3 seconds wait for a pong (ping reply) during which dnsmasq
remains deaf to other DHCP requests? according to your comments around the
icmp_ping() function in dnsmasq.c it seems to be sort of "deliberate known
problem" and considering that it can lead to denial of service I was
wondering what the rationale has been behind your decision to leave dnsmasq
deliberately deaf to DHCP during those 3 seconds.
In case you can't see how that can lead to DoS I'm going to describe the
scenario: a malicious DHCP client could exploit that dnsmasq's behavior by
just sending continuous (apparently legitimate) discovery requests which
make dnsmasq always compute the same IP address for which, of course, no
host responds to pings; this way the socket's receive buffer of UDP port 68
gets filled by those discovery requests because dnsmasq serves them at the
slow rate of one every 3 seconds and when other legitimate requests arrive
they just enter that very long queue and end up being served really too
late, thus leading to the overall DoS. Actually there's not even need for a
real flood of requests: all the malicious client needs to do to make that
happen sooner or later is to send just one request every 1 or 2 seconds;
this was my actual case due to a VoIP phone with buggy firmware which just
ignores dnsmasq's offers and keeps sending discovery requests.
Thank you, cheers,
Luca
More information about the Dnsmasq-discuss
mailing list