[LACNIC/Seguridad] Fwd: [ipv6hackers] an interesting DHCPv6 DoS
Fernando Gont
fgont en si6networks.com
Mar Feb 4 05:38:55 BRST 2014
FYI
-------- Original Message --------
Subject: [ipv6hackers] an interesting DHCPv6 DoS
Date: Wed, 29 Jan 2014 22:42:15 +0200
From: Tassos Chatzithomaoglou <achatz en forthnet.gr>
Reply-To: IPv6 Hackers Mailing List <ipv6hackers en lists.si6networks.com>
To: ipv6hackers en lists.si6networks.com
Each DHCPv6 binding includes a different prefix due to the different
DUID, but the client is always the same.
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CB8000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CB9000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBB000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBC000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBE000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBF000000000000
...
The issue is triggered by the CPE asking for IA-NA & IA-PD, while only
IA-PD is available.
Although the DHCPv6 server answers with NOADDRS-AVAIL to the IA-NA, the
CPE thinks it is smarter and asks again for IA-NA using a new DUID...and
it continues doing so for many hours, until all its DUIDs are
exhausted...or all the DHCPv6-PD prefixes are exhausted
We have seen up to 3k bindings per hour from a single CPE!
We have informed both the CPE (TP-Link) and DHCPv6/BRAS (Cisco) vendors
of the issue and we are hoping for a solution.
As it seems, nobody at Cisco thought of giving the capability to limit
the number of bindings on a DHCPv6 server based on something different
than the DUID.
--
Tassos
_______________________________________________
Ipv6hackers mailing list
Ipv6hackers en lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers
Más información sobre la lista de distribución Seguridad