[ipv6hackers] an interesting DHCPv6 DoS
Tassos Chatzithomaoglou
achatz at forthnet.gr
Wed Jan 29 21:42:15 CET 2014
Each DHCPv6 binding includes a different prefix due to the different DUID, but the client is always the same.
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CB8000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CB9000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBB000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBC000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBE000000000000
Client: FE80::A16A:B735:8C29:63E9
DUID: 000100011A782CBF000000000000
...
The issue is triggered by the CPE asking for IA-NA & IA-PD, while only IA-PD is available.
Although the DHCPv6 server answers with NOADDRS-AVAIL to the IA-NA, the CPE thinks it is smarter and asks again for IA-NA using a new DUID...and it continues doing so for many hours, until all its DUIDs are exhausted...or all the DHCPv6-PD prefixes are exhausted
We have seen up to 3k bindings per hour from a single CPE!
We have informed both the CPE (TP-Link) and DHCPv6/BRAS (Cisco) vendors of the issue and we are hoping for a solution.
As it seems, nobody at Cisco thought of giving the capability to limit the number of bindings on a DHCPv6 server based on something different than the DUID.
--
Tassos
More information about the Ipv6hackers
mailing list