DHCP6 DoS

I'm using Sophos UTM 9.4 beta 2 at home on an Intel NUC. It hasn't been performing right, and I tracked it down to my new printer requesting ~60 DHCP6 addresses per second, filling up the dhcp6.leases file at a rate of about 15kbytes/second, and eventually causing performance issues when the leases file gets into the tens of megabytes, with system load >10 with confd processes (my Intel NUC isn't the most powerful unit in the world - somewhere between SG105 and SG210 in terms of memory and CPU).


So there is obviously some sort of bug in the printer where it doesn't do IPv6 very well, and I have now turned IPv6 off, but for this to bring my Sophos UTM down sounds like a significant limitation. We have a few customers with guest wireless networks and this would mean that a single bad actor could cause issues on the network, which is the sort of thing I expect the product to prevent.


DHCP is definitely not the most secure product in the world, and I understand that a single bad actor can still flood the wireless and prevent access to other users on the same network segment, but a bit of rate limiting would go a long way to preventing a single user from breaking the UTM. I tried putting some QoS rules in for DHCPv6, but it only worked in "Bandwidth Pool" QoS, which is the wrong way to do it (needs to limit by sender MAC address, not total traffic).


Not sure if this is just a problem in the 9.4 beta. It's all I have access to for testing. I don't think I had the problem before I moved from 9.3 to 9.4 beta, but can't quite remember exactly when I got the printer.
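The difference between a shared bandwidth pool and a per-sender limit, which the post above raises, can be shown with a small simulation. This is an added example, not part of the original post and not Sophos code; the MAC addresses, the 5 requests/second limit, the burst of 5 and the two well-behaved clients are constructed assumptions, while the 60 requests/second figure comes from the post.

```python
from collections import defaultdict

TICKS_PER_SEC = 60   # one tick = 1/60 s, so 60 req/s is one request per tick
COST = TICKS_PER_SEC  # scaled tokens per request (integer math, no float drift)

# Constructed MAC addresses (assumptions, not from the post).
NOISY, LAPTOP, PHONE = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

class TokenBucket:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec      # scaled tokens added per tick
        self.cap = burst * COST       # bucket starts full
        self.tokens, self.last = self.cap, 0

    def allow(self, tick):
        # Refill for the elapsed ticks, then spend one request's worth if available.
        self.tokens = min(self.cap, self.tokens + (tick - self.last) * self.rate)
        self.last = tick
        if self.tokens >= COST:
            self.tokens -= COST
            return True
        return False

def build_traffic(seconds=10):
    # Misbehaving client: 60 DHCPv6 requests per second (figure from the post).
    events = [(t, NOISY) for t in range(TICKS_PER_SEC * seconds)]
    # Two normal clients, one request per second each (constructed).
    for s in range(seconds):
        events.append((s * TICKS_PER_SEC + 30, LAPTOP))
        events.append((s * TICKS_PER_SEC + 45, PHONE))
    return sorted(events)

def simulate(per_mac, rate_per_sec=5, burst=5, seconds=10):
    """Return how many requests from each sender reach the DHCPv6 server."""
    shared = TokenBucket(rate_per_sec, burst)   # one pool for all traffic
    per_source = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    passed = {NOISY: 0, LAPTOP: 0, PHONE: 0}
    for tick, mac in build_traffic(seconds):
        bucket = per_source[mac] if per_mac else shared
        if bucket.allow(tick):
            passed[mac] += 1
    return passed

if __name__ == "__main__":
    print("shared pool:", simulate(per_mac=False))
    print("per-MAC    :", simulate(per_mac=True))
```

With the shared pool the flooding client consumes every token and the other clients get no service; with per-MAC buckets the flooder is held to the same limit while the others are unaffected.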

  • Out of curiosity, what is the printer, and what is the firmware installed?

    It could also be worth checking with the manufacturer to see if this is a known issue, and if so there could be an updated firmware available?

    Also, most people set printers with static IP addresses, in the corporate world I would imagine the same to be done with printers on IPv6.

    Tim Grantham

    Enterprise Architect & Business owner
