<h1>WIDE DHCPv6 flood</h1>
<p>Published 2017-08-02 at <a href="https://hauweele.net/~gawen/blog/?p=1637">https://hauweele.net/~gawen/blog/?p=1637</a>. Tags: dhcp6, dhcp6c, dhcpv6, flood, freebsd, packet-filter, pf, wide.</p>
<p>On FreeBSD we generally use <a href="http://wide-dhcpv6.sourceforge.net">WIDE DHCPv6</a> (also known as KAME DHCPv6, dhcp6c or simply dhcp6) as the DHCPv6 client. However, a rare bug can make this client flood the DHCPv6 server with requests. This happened to us and quickly prompted <a href="http://online.net">online.net</a> to block our server for outgoing flood. This scared me a bit at first, as I thought we might have been part of a DDoS attack. Thankfully that was not the case.</p>
<p>But we still had to disable dhcp6 (and consequently IPv6). On Linux it is <a href="http://version6.ru/en/online.net-wide-dhcpv6">generally recommended</a> to limit the DHCPv6 traffic using iptables rules. This is not as simple with PF on FreeBSD: you cannot limit the packet rate per rule. You can limit the connection rate (see <code>max-src-conn-rate</code>), but that option counts completed TCP handshakes, so it is of no use for UDP traffic such as DHCPv6. It should be possible to use <a href="http://www.freebsd.org/cgi/man.cgi?query=altq&amp;sektion=4">altq</a>, but it is not part of the GENERIC kernel and I really didn't want to compile a custom kernel just as a workaround.</p>
<p>Instead I used another DHCPv6 client, namely the <a href="http://www.isc.org/downloads/dhcp">ISC DHCP client</a> (isc-dhcp43-client). Just create <code>/usr/local/etc/dhclient6.conf</code> and configure your DUID (written as colon-separated hex octets):</p>
<pre>interface "igb0" {
  send dhcp6.client-id &lt;DUID&gt;;
}
</pre>
<p>On FreeBSD, isc-dhcp43-client doesn't come with any rc start script, so here is one for DHCPv6 (place it in <code>/usr/local/etc/rc.d/dhclient6</code> and make it executable). The <code>-P</code> flag asks the server for a delegated prefix (IA_PD) rather than an address; add <code>-N</code> as well if you also want an address assigned to the interface:</p>
<pre>#!/bin/sh
#
# PROVIDE: dhclient6
# REQUIRE: DAEMON
# KEYWORD: dhcp
#
# Add the following lines to /etc/rc.conf to enable dhclient6:
#
# dhclient6_enable="YES"
# dhclient6_iface="igb0"
#

. /etc/rc.subr

name="dhclient6"
desc="ISC DHCPv6 client"
rcvar="dhclient6_enable"

start_cmd="dhclient6_start"
stop_cmd="dhclient6_stop"

dhclient6_start()
{
  if [ -z "${dhclient6_iface}" ]
  then
    err 1 "dhclient6_iface is not set in /etc/rc.conf"
  fi
  # -P requests a delegated prefix (IA_PD); -pf makes the pid file match
  # the one dhclient6_stop reads.
  /usr/local/sbin/dhclient -cf "${dhclient6_conf}" -pf "${dhclient6_pid}" \
    -P -v "${dhclient6_iface}"
}

dhclient6_stop()
{
  if [ -r "${dhclient6_pid}" ]
  then
    # dhclient becomes a session leader when it daemonizes, so its pid is
    # also its process-group id; signalling the group also stops any
    # dhclient-script child that is still running.
    kill -- -$(cat "${dhclient6_pid}")
    rm -f "${dhclient6_pid}"
  fi
}

load_rc_config ${name}

: ${dhclient6_enable="NO"}
: ${dhclient6_pid="/var/run/dhclient6.pid"}
: ${dhclient6_conf="/usr/local/etc/dhclient6.conf"}
: ${dhclient6_iface=""}

run_rc_command "$1"
</pre>
<p>Finally enable this in <code>/etc/rc.conf</code>:</p>
<pre>dhclient6_iface="igb0"
dhclient6_enable="YES"
</pre>
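The flood described above was first noticed by the hosting provider, not by the server itself. The following is an added example, not code from the original post or from either DHCPv6 client, that spots such a flood locally: it reads tcpdump's one-line DHCPv6 summaries and reports any client address whose peak message rate over a sliding window is far above what the RFC 3315 retransmission timers allow. The line format it parses assumes tcpdump was run with <code>-n</code> (numeric ports), the sample capture is constructed rather than recorded, and the threshold of twenty messages in ten seconds is an assumption chosen to sit well above a healthy client's exponential backoff.

```python
import re
from collections import Counter, defaultdict

# tcpdump's one-line summary for a DHCPv6 client message looks like
#   17:15:58.123456 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
# when run with -n (numeric ports). Anything after the message type is ignored.
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP6 "
    r"(?P<src>\S+)\.546 > (?P<dst>\S+)\.547: dhcp6 (?P<type>[a-z-]+)"
)


def parse_line(line):
    """Return (seconds since midnight, source address, message type), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["us"]) / 1e6
    return t, m["src"], m["type"]


def client_rates(lines, window=10.0):
    """Peak number of client messages each source sent within any
    `window`-second interval, plus a per-message-type count per source."""
    stamps = defaultdict(list)
    types = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, mtype = parsed
        stamps[src].append(t)
        types[src][mtype] += 1
    peaks = {}
    for src, ts in stamps.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks, types


def flooding_clients(lines, window=10.0, threshold=20):
    """Sources whose peak rate exceeds `threshold` messages per `window`.

    The threshold is an assumption: under RFC 3315 a healthy client's
    Solicit retransmit interval starts at one second and roughly doubles
    each time, so it sends only a handful of Solicits in ten seconds.
    """
    peaks, types = client_rates(lines, window)
    return {src: (peak, dict(types[src]))
            for src, peak in peaks.items() if peak > threshold}


def format_line(t, src, mtype):
    """Build a tcpdump-style line from seconds since midnight (sample helper)."""
    whole = int(t)
    us = int(round((t - whole) * 1e6))
    h, rem = divmod(whole, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{us:06d} IP6 {src}.546 > ff02::1:2.547: dhcp6 {mtype}"


def constructed_capture():
    """Constructed sample, not a real capture: fe80::1 backs off like a
    well-behaved client; fe80::bad re-sends a Solicit every 100 ms."""
    base = 17 * 3600 + 15 * 60 + 58          # 17:15:58
    lines = [format_line(base + dt, "fe80::1", "solicit")
             for dt in (0.0, 1.0, 3.1, 7.2)]
    lines += [format_line(base + i * 0.1, "fe80::bad", "solicit")
              for i in range(100)]
    return lines


if __name__ == "__main__":
    import sys
    source = constructed_capture() if sys.stdin.isatty() else sys.stdin
    for src, (peak, by_type) in flooding_clients(source).items():
        print(f"{src}: {peak} messages in 10 s {by_type}")
```

Run stand-alone it analyses the constructed sample; fed from <code>tcpdump -n -l -i igb0 'udp port 546'</code> it reads the live capture instead. The sliding window matters: a client that retries a few times at boot and then settles down never crosses the threshold, while one stuck in a retransmit loop does within seconds, long before a provider's abuse system reacts.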