[LAC-TF] Fwd: [ipv6hackers] an interesting DHCPv6 DoS

Fernando Gont fgont at si6networks.com
Tue Feb 4 05:38:55 BRST 2014


-------- Original Message --------
Subject: [ipv6hackers] an interesting DHCPv6 DoS
Date: Wed, 29 Jan 2014 22:42:15 +0200
From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
Reply-To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>
To: ipv6hackers at lists.si6networks.com

Each DHCPv6 binding includes a different prefix due to the different
DUID, but the client is always the same.

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB8000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB9000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBB000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBC000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBE000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBF000000000000


The issue is triggered by the CPE asking for IA-NA & IA-PD, while only
IA-PD is available.
Although the DHCPv6 server answers with NOADDRS-AVAIL to the IA-NA, the
CPE thinks it is smarter and asks again for IA-NA using a new DUID...and
it continues doing so for many hours, until all its DUIDs are
exhausted...or all the DHCPv6-PD prefixes are exhausted

We have seen up to 3k bindings per hour from a single CPE!
We have informed both the CPE (TP-Link) and DHCPv6/BRAS (Cisco) vendors
of the issue and we are hoping for a solution.
As it seems, nobody at Cisco thought of giving the capability to limit
the number of bindings on a DHCPv6 server based on something different
than the DUID.


Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com

More information about the LACTF mailing list