DHCP flooded cable network!!


Post by Ed Davi » Wed, 30 Jun 1999 04:00:00



Hi,
I have had Linux running for almost a year now using ipfwadm to connect 2
other home computers running windoze. Today the cable internet provider
called me and said they had to shut down my connection because I was
flooding the network with requests for an IP address, thousands of requests.
They said either I had a wrong DHCP configuration (stock redhat config) or
I had been hacked. This Linux box has been just sitting there running nicely
for a long time. Has anyone heard of this? It's a Redhat 5.2 distribution.
Can't imagine being good for a year then crash. Needless to say I have put
windoze on after I was told I could be terminated as a customer if it
happened again. Any insight would be appreciated and might help someone else
avoid this.

Thanks
Ed

 
 
 


Post by Wouter Lieftin » Thu, 01 Jul 1999 04:00:00


Whoopiee...


> Hi,
> I have had Linux running for almost a year now using ipfwadm to connect 2
> other home computers running windoze. Today the cable internet provider
> called me and said they had to shut down my connection because I was
> flooding the network with requests for an IP address, thousands of requests.
> They said either I had a wrong DHCP  configuration (stock redhat config) or
> I had been hacked. This Linux box has been just sitting there running nicely
> for a long time. Has anyone heard of this, it's a Redhat 5.2 distribution.
> Can't imagine being good for a year then crash. Needless to say I have put
> windoze on after I was told I could be terminated as a customer if it
> happened again. Any insight would be appreciated and might help someone else
> avoid this.

> Thanks
> Ed

  One question you should ask your ISP: what is the originating MAC address in
the DHCP requests? Because it might also be the Windows machines doing the DHCP
request, not the Linux box. In any case, you can try to figure that out
yourself, by using tcpdump.

If it is one of the Windows boxes, then the TCP/IP configuration on these
machines is wrong. Select Static IP addressing in the Network option of your
Configuration screen. Or use ipfwadm to set a filter on the DHCP requests.

If it is indeed your Linux box, kill the dhcpcd daemon and enable static IP
addressing on all interfaces (this is a good idea anyway).

- Wouter
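
An added example, not part of the original post: one way to answer the "which MAC is sending the requests" question from a capture of UDP ports 67/68. It parses each BOOTP/DHCP payload for the client hardware address and message type, then reports any MAC whose DISCOVER/REQUEST count in a sliding window reaches a threshold. The function names, the 10-second window, the threshold of 20 and the sample packets (built with documentation-range MACs) are assumptions made for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return (client_mac, message_type) for a client-sent Ethernet DHCP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[:3] != b"\x01\x01\x06":
        return None  # too short, not DHCP, or not a BOOTREQUEST from an Ethernet client
    mac = ":".join(f"{b:02x}" for b in payload[28:34])  # chaddr field
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            return mac, MSG_TYPES.get(payload[i + 2], "OTHER")
        i += 2 + length
    return mac, "BOOTP"  # no message-type option present

def find_flooders(events, window=10.0, threshold=20):
    """events: (timestamp_seconds, udp_payload) pairs. Return {mac: peak requests per window}."""
    times = {}
    for ts, payload in events:
        parsed = parse_dhcp(payload)
        if parsed and parsed[1] in ("DISCOVER", "REQUEST"):
            times.setdefault(parsed[0], []).append(ts)
    flooders = {}
    for mac, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:          # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooders[mac] = peak
    return flooders

def build_request(mac, msg_type, xid):
    """Build a constructed client packet (sample data only, not a real capture)."""
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000) + bytes(16)
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)
    return head + chaddr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed sample: one host sending a DISCOVER every 0.1 s, one host behaving normally.
SAMPLE = [(i * 0.1, build_request("00:00:5e:00:53:01", 1, i)) for i in range(100)]
SAMPLE += [(1.0, build_request("00:00:5e:00:53:02", 1, 7)), (1.5, build_request("00:00:5e:00:53:02", 3, 7))]
```

Comparing the reported MAC against the addresses of the cable-side NIC and the LAN machines shows whether the requests come from the gateway itself or are being forwarded from the home segment.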

 
 
 


Post by Mark Evan » Thu, 01 Jul 1999 04:00:00



> Hi,
> I have had Linux running for almost a year now using ipfwadm to connect 2
> other home computers running windoze. Today the cable internet provider
> called me and said they had to shut down my connection because I was
> flooding the network with requests for an IP address, thousands of requests.
> They said either I had a wrong DHCP  configuration (stock redhat config) or

Ask them if *they* have changed anything associated with their DHCP
set up.

Also ask them for logs of these packets.

--
Mark Evans
St. Peter's CofE High School
Phone: +44 1392 204764 X109
Fax: +44 1392 204763

 
 
 


Post by Hal Sadofs » Thu, 01 Jul 1999 04:00:00




>Whoopiee...

>> Hi,
>> I have had Linux running for almost a year now using ipfwadm to connect 2
>> other home computers running windoze. Today the cable internet provider
>> called me and said they had to shut down my connection because I was
>> flooding the network with requests for an IP address, thousands of requests.
>> They said either I had a wrong DHCP  configuration (stock redhat config) or
>If it is indeed your Linux box, kill the dhcpcd daemon and enable static IP
>addressing on all interfaces (this is a good idea anyway).

This is not necessarily a good idea, unless I misunderstand Wouter's
suggestion.  You can treat the address supplied to your machine by the
dhcp as static.  This will be fine for a while, but eventually the
lease will run out and the server will want to renegotiate (even if it
then resupplies the same address, which is likely).  If your machine
is configured for static IP, it won't know about renegotiating with
the server, and then the server, and eventually those who run your
ISP, will become unhappy.

        Hal Sadofsky

 
 
 


Post by Andreas heydendae » Sun, 04 Jul 1999 04:00:00


First of all: why use DHCP anyway?.....there are only two computers
connected to the internet anyway. Makes the administration a lot easier.
And as far as your problem goes: I think it has to do with IP-forwarding
that isn't turned off. Give that one a try. And use tcpdump to see what
actually happens on your connection to the outside world. So you can
trace the culprit maker.

Good luck


> Hi,
> I have had Linux running for almost a year now using ipfwadm to connect 2
> other home computers running windoze. Today the cable internet provider
> called me and said they had to shut down my connection because I was
> flooding the network with requests for an IP address, thousands of requests.
> They said either I had a wrong DHCP  configuration (stock redhat config) or
> I had been hacked. This Linux box has been just sitting there running nicely
> for a long time. Has anyone heard of this, it's a Redhat 5.2 distribution.
> Can't imagine being good for a year then crash. Needless to say I have put
> windoze on after I was told I could be terminated as a customer if it
> happened again. Any insight would be appreciated and might help someone else
> avoid this.

> Thanks
> Ed

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andreas Heydendael


www: http://huizen.dds.nl/~jasminus

*let's all help each other and make this
world a place to live in in peace*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 
 
 


Post by Ed Davi » Sun, 04 Jul 1999 04:00:00


Thank you for your replies.

There are 2 NIC cards in the linux machine, one for the cable company
connection, the other for the home segment, a 192.168.1.x address. I could
set the cable NIC to a static IP also as they do not change it often, only
twice in 1 year. They did reorder the IP address assignment the day I
supposedly caused them trouble. I suspect that there may have been other
problems as I found out people were still having trouble getting an IP
address a day after they shut me off. I will write them a letter asking why
people were still having trouble getting an address 24 hours after they shut
me off and see if I can get the logs.

Ed

 
 
 


Post by Hartmann Schaff » Sun, 04 Jul 1999 04:00:00




> First of all: why use DHCP anyway?.....there are only two computers
> connected to the internet anyway. Makes the administration a lot easier.
> And as far as your problem goes: I think it has to do with IP-forwarding
> that isn't turned off. Give that one a try. And use tcpdump to see what
> actually happens on your connection to the outside world. So you can
> trace the culprit maker.

The dhcpd client daemon starts up with a broadcast (I think default is
255.255.255.255, I also suspect that it is configurable), and in this
case I suspect that this gets forwarded.  I got around this problem by
aliasing the ethernet port through which the dhcp requests come in, to
255.255.255.255 (so far no negative side effects).  Another possibility
is to configure either the firewall not to forward broadcast requests
out of your local system

>> Hi,
>> I have had Linux running for almost a year now using ipfwadm to connect 2
>> other home computers running windoze. Today the cable internet provider
>> called me and said they had to shut down my connection because I was
>> flooding the network with requests for an IP address, thousands of requests.
>> They said either I had a wrong DHCP  configuration (stock redhat config) or
>> I had been hacked. This Linux box has been just sitting there running nicely
>> for a long time. Has anyone heard of this, it's a Redhat 5.2 distribution.
>> Can't imagine being good for a year then crash. Needless to say I have put
>> windoze on after I was told I could be terminated as a customer if it
>> happened again. Any insight would be appreciated and might help someone else
>> avoid this.

>> Thanks
>> Ed

 
 
 


Post by Mark Evan » Wed, 07 Jul 1999 04:00:00



> Thank you for your replies.
> There are 2 NIC cards in the linux machine, one for the cable company
> connection, the other for the home segment, a 192.168.1.x address. I could
> set the cable NIC to a static IP also as they do not change it often, only
> twice in 1 year. They did reorder the IP address assignment the day I
> supposedly caused them trouble. I suspect that there may have been other
> problems as I found out people were still having trouble getting an IP
> address a day after they shut me off. I will write them a letter asking why
> people were still having trouble getting an address 24 hours after they shut
> me off and see if I can get the logs.

Sounds very much as though they broke something, then blamed you.

Maybe because Windows gives up after a little while if it can't find a
DHCP server. Maybe your DHCP client keeps going, which IIRC is perfectly
in accordance with the spec.

--
Mark Evans
St. Peter's CofE High School
Phone: +44 1392 204764 X109
Fax: +44 1392 204763

 
 
 
