[ipv6hackers] an interesting DHCPv6 DoS

Tassos Chatzithomaoglou achatz at forthnet.gr
Wed Jan 29 21:42:15 CET 2014


Each DHCPv6 binding includes a different prefix due to the different DUID, but the client is always the same.

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB8000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB9000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBB000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBC000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBE000000000000

Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBF000000000000

...


The issue is triggered by the CPE asking for IA-NA & IA-PD, while only IA-PD is available.
Although the DHCPv6 server answers with NOADDRS-AVAIL to the IA-NA, the CPE thinks it is smarter and asks again for IA-NA using a new DUID... and it continues doing so for many hours, until all its DUIDs are exhausted... or all the DHCPv6-PD prefixes are exhausted.

We have seen up to 3k bindings per hour from a single CPE!
We have informed both the CPE (TP-Link) and DHCPv6/BRAS (Cisco) vendors of the issue and we are hoping for a solution.
As it seems, nobody at Cisco thought of giving the capability to limit the number of bindings on a DHCPv6 server based on something different than the DUID.


--
Tassos
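
An added example, not part of the original post: one way to spot this pattern on the server side is to group bindings by client link-local address and count distinct DUIDs, decoding each as a DUID-LLT (type, hardware type, time, link-layer address). It assumes a listing in the Client:/DUID: layout quoted above; the second client in the sample, the `max_duids` threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; the first three DUIDs are from the post, the second client is made up.
SAMPLE = """\
Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB8000000000000
Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CB9000000000000
Client: FE80::A16A:B735:8C29:63E9
  DUID: 000100011A782CBB000000000000
Client: FE80::1
  DUID: 000100011A700000001122334455
"""

def parse_bindings(text):
    """Return {client_address: set of DUID hex strings}."""
    clients, current = defaultdict(set), None
    for line in text.splitlines():
        m = re.match(r"\s*(Client|DUID):\s*(\S+)", line)
        if m and m.group(1) == "Client":
            current = m.group(2).lower()
        elif m and current is not None:
            clients[current].add(m.group(2).upper())
    return dict(clients)

def decode_duid_llt(duid_hex):
    """Split a DUID-LLT (type 1) into its fields; None for anything else."""
    try:
        raw = bytes.fromhex(duid_hex)
    except ValueError:
        return None
    if len(raw) < 8 or raw[:2] != b"\x00\x01":
        return None
    return {"hw_type": int.from_bytes(raw[2:4], "big"),
            "time": int.from_bytes(raw[4:8], "big"),
            "lladdr": raw[8:].hex()}

def suspicious_clients(text, max_duids=2):
    """Clients holding more distinct DUIDs than max_duids (hypothetical threshold)."""
    report = {}
    for client, duids in parse_bindings(text).items():
        if len(duids) > max_duids:
            decoded = [d for d in map(decode_duid_llt, sorted(duids)) if d]
            report[client] = {"duids": len(duids),
                "zero_lladdr": sum(not int(d["lladdr"] or "0", 16) for d in decoded)}
    return report

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

Decoded this way, the DUIDs in the post differ only in the 4-byte time field, and the link-layer address part is all zeros.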




