Re: [dhcwg] DDoS and DHCP servers

Simon Hobson <linux@thehobsons.co.uk> Tue, 01 November 2016 22:18 UTC


"Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:

> The Oct. 21, 2016 DDoS attack on the Internet has me wondering about the
> DDoS vulnerability profile for DHCP servers (mostly interested in DHCPv6).
> 
> Are there any mitigations that could be employed to protect DHCPv6 servers
> from DDoS attacks?

My feeling is that it's going to be a non-issue. I can't see many DHCP servers being exposed to the internet - other than (for example) those serving customers of an ISP. As such:
- there shouldn't be many (if any) DHCP servers exposed
- the traffic is easily filtered at the border (it's not a protocol you'd need to be handling inbound or outbound).
- and even if some packets get through, the server they reach won't be configured to be serving arbitrary subnets. I.e., if you sent client request packets for some arbitrary public IP (to create a reflection attack on that IP), it's highly unlikely that the server will be configured to serve up that IP.
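
The last point above, sketched for DHCPv6 as an added example that is not part of the original message or of any DHCP server's code: a simplified model of a server checking whether the link-address in a Relay-forward header (RFC 8415 layout) falls inside a prefix it is configured to serve. The prefixes, function names and sample packets are constructed for illustration, and real servers apply further subnet-selection rules.

```python
import ipaddress

RELAY_FORW = 12        # DHCPv6 msg-type of a Relay-forward message (RFC 8415)
RELAY_HEADER_LEN = 34  # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)

# Constructed sample configuration: the only links this server hands out leases on.
SERVED_PREFIXES = [
    ipaddress.ip_network("2001:db8:10::/64"),
    ipaddress.ip_network("2001:db8:20::/64"),
]


def parse_relay_forw(packet: bytes):
    """Return (hop_count, link_address, peer_address), or None if the
    packet is too short or is not a Relay-forward message."""
    if len(packet) < RELAY_HEADER_LEN or packet[0] != RELAY_FORW:
        return None
    link = ipaddress.IPv6Address(packet[2:18])
    peer = ipaddress.IPv6Address(packet[18:34])
    return packet[1], link, peer


def serves_link(packet: bytes, served=SERVED_PREFIXES) -> bool:
    """True only when the relay's link-address is inside a configured prefix.
    A server with no matching prefix has no address to offer for that link."""
    parsed = parse_relay_forw(packet)
    if parsed is None:
        return False
    _, link, _ = parsed
    return any(link in net for net in served)


def build_relay_forw(link: str, peer: str, hop_count: int = 0) -> bytes:
    """Build a constructed Relay-forward header (no options) as sample input."""
    return (bytes([RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link).packed
            + ipaddress.IPv6Address(peer).packed)


if __name__ == "__main__":
    samples = {
        "configured link": build_relay_forw("2001:db8:10::1", "fe80::1"),
        "arbitrary link": build_relay_forw("2001:db8:ffff::1", "fe80::1"),
        "truncated": b"\x0c\x00",
    }
    for label, pkt in samples.items():
        print(f"{label:16} served={serves_link(pkt)}")
```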