On Tue, Feb 18, 2003 at 01:41:12PM +0000, Ian Watkinson wrote:
> We've recently found a problem with dhclient that can DoS a DHCP
> server. If you have schg flags set on /etc/resolv.conf to stop dhcp
> overwriting your existing nameservers, the problem occurs.
> 
> Basically, the client just keeps rejecting the IP details it has
> received from the server and requesting another. The server marks the
> record as used, and moves on to the next one. Over the course of a couple
> of minutes, you can pretty much mark an entire class C as in use. 
> 
> If you remove the schg flag from resolv.conf, this problem does not
> happen. 

While this is of course very bad, you do know about the 'supersede'
command in dhclient.conf to override any DHCP-supplied values?

Something like

interface "fxp0" {
        supersede domain-name-servers 127.0.0.1;
}

should work.

That should at least solve the 'overwriting /etc/resolv.conf' problem.

man dhclient.conf for details.

--Stijn

-- 
Fairy tales do not tell children that dragons exist. Children already
know dragons exist. Fairy tales tell children the dragons can be
killed.
                -- G.K. Chesterton
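
Added example, not part of the original message: one way to spot the lease-exhaustion pattern described in the quoted report from the server side, assuming the client's rejections reach the server as DHCPDECLINE messages. The log line shape (modeled on ISC dhcpd syslog output), the threshold, the window, the function name and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modeled on ISC dhcpd syslog output (not from the thread).
DECLINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+dhcpd(?:\[\d+\])?:\s+"
    r"DHCPDECLINE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})"
)

def find_decline_floods(lines, threshold=5, window=timedelta(seconds=60), year=2003):
    """Return {mac: [declined IPs]} for clients that declined at least
    `threshold` distinct addresses inside one sliding `window`."""
    recent = defaultdict(deque)    # mac -> (timestamp, ip) pairs still in the window
    flagged = defaultdict(set)     # mac -> every address seen while over threshold
    for line in lines:
        m = DECLINE_RE.match(line)
        if not m:
            continue               # offers, acks and unrelated syslog lines
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["mac"]]
        q.append((ts, m["ip"]))
        while q and ts - q[0][0] > window:
            q.popleft()            # drop declines that fell out of the window
        distinct = {ip for _, ip in q}
        if len(distinct) >= threshold:
            flagged[m["mac"]].update(distinct)
    by_octets = lambda ip: tuple(int(o) for o in ip.split("."))
    return {mac: sorted(ips, key=by_octets) for mac, ips in flagged.items()}

# Constructed sample: one client declines six addresses in 25 seconds,
# a second client declines a single address (an ordinary conflict).
SAMPLE_LOG = [
    f"Feb 18 13:30:{5 * i:02d} gw dhcpd: DHCPDECLINE of 192.0.2.{10 + i} "
    f"from 00:00:5e:00:53:01 via fxp0: abandoned"
    for i in range(6)
] + [
    "Feb 18 13:30:12 gw dhcpd: DHCPDECLINE of 192.0.2.40 from 00:00:5e:00:53:02 via fxp0: abandoned",
    "Feb 18 13:30:13 gw dhcpd: DHCPACK on 192.0.2.41 to 00:00:5e:00:53:02 via fxp0",
]

if __name__ == "__main__":
    for mac, ips in find_decline_floods(SAMPLE_LOG).items():
        print(f"{mac} declined {len(ips)} addresses: {', '.join(ips)}")
```

A single decline is normal when an address really is in use elsewhere, so the check keys on many distinct addresses from one client in a short window rather than on any decline at all.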
