hotspot - inactive DHCP leases can deplete the pool of addresses

Hi,

I have a hotspot, which requires login, controlled by the user manager.
However, I can observe that many non-authorized users (bad guys?) receive an IP address from the pool, which creates the danger of depleting the pool of available addresses, I guess.
That opens the door for a DoS attack.
I do not want to decrease the time for the leases, because that would also disconnect legal users.
Any ideas how to automatically remove inactive MACs from the IP pool after some time?

They’re not bad guys. The most likely cause is simply smart phones, tablets, and laptops that attach to open SSIDs by default and are then never used by their owners. Not everything is an attack. DHCP pool starvation attacks are very quick, at a rate of at least one lease per second, often much faster.

If you’re using private IPs in the pool, the simplest solution is to grow the subnet. The space is free, after all. If you’re using public IPs, use a large private pool for DHCP and the public pool on the Hotspot, and set the idle timeout relatively low.

However, I’m also puzzled by your remark that you want to keep the DHCP lease times high so you don’t disconnect “legal users”. That doesn’t make sense to me. A short DHCP lease time doesn’t mean you’re disconnecting anyone. It just means that clients still active and connected to the network renew their lease more often, and that leases for hosts no longer connected are reaped faster. The DHCP lease renewal process happens automatically after half the lease time has expired and is completely transparent to the user of the host receiving the lease.

@fewi: Thanks for the clarification. It looks like the disconnects of “legal users” are the result of spurious automatic reboots of the MT box. But that is another issue.

I reduced the lease time to 30 sec, and it works.

Whoa. 30 seconds is a ridiculously low lease time. Try 15 or 30 minutes.
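As an added illustration of the two points made in the replies above (a shorter lease reaps abandoned clients without disconnecting active ones, and a 30 second lease mostly multiplies renewal traffic), here is a constructed Python simulation. It is not from the thread and not RouterOS code; the pool size, arrival rate of abandoned devices and number of always-on clients are assumed values, and active clients are modelled as renewing at T1 = half the lease time, the RFC 2131 default.

```python
"""Constructed model of DHCP pool occupancy vs. lease time (added example, not from the thread).

Two client populations share one pool:
  - "idle" devices: join the open SSID once, take a lease, never renew (owner walks away).
    Their address is tied up until the lease expires.
  - "active" clients: stay connected the whole time and renew at T1 = lease_time / 2.
All rates and sizes below are assumptions chosen for illustration.
"""
import heapq
from dataclasses import dataclass


@dataclass
class PoolStats:
    peak_leases: int   # most addresses held at once
    denied: int        # DISCOVERs that got no OFFER because the pool was full
    renewals: int      # renew exchanges performed by the always-on clients
    active_kept: bool  # did every always-on client keep its address throughout?


def steady_state_idle(lease_time, abandoned_per_hour):
    """Little's law: abandoned leases held at once = arrival rate * lease time."""
    return abandoned_per_hour * lease_time / 3600


def simulate(lease_time, pool_size, hours=24, abandoned_per_hour=40, active_clients=20):
    horizon = hours * 3600
    t1 = lease_time / 2                      # renewal point (RFC 2131 default)
    events = []                              # (time, seq, kind, mac)
    seq = 0

    def push(t, kind, mac):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, mac))
        seq += 1

    for k in range(active_clients):
        push(0, "join", f"active-{k}")
    interval = 3600 / abandoned_per_hour     # one abandoned device every `interval` s
    for i in range(int(horizon // interval)):
        push(i * interval, "join", f"idle-{i}")

    held = {}        # mac -> current lease expiry
    expiries = []    # heap of (expiry, mac); stale entries are skipped when popped
    stats = PoolStats(0, 0, 0, True)

    def reap(now):
        # The server frees a lease only when its timer runs out.
        while expiries and expiries[0][0] <= now:
            exp, mac = heapq.heappop(expiries)
            if held.get(mac) == exp:
                del held[mac]

    def grant(now, mac):
        exp = now + lease_time
        held[mac] = exp
        heapq.heappush(expiries, (exp, mac))

    while events:
        now, _, kind, mac = heapq.heappop(events)
        if now > horizon:
            break
        reap(now)
        if kind == "join":
            if len(held) >= pool_size:       # pool exhausted: no OFFER for this client
                stats.denied += 1
                if mac.startswith("active"):
                    stats.active_kept = False
                continue
            grant(now, mac)
            if mac.startswith("active"):
                push(now + t1, "renew", mac)
        else:                                 # renew from an always-on client
            if mac not in held:               # lease ran out under the client
                stats.active_kept = False
                continue
            stats.renewals += 1
            grant(now, mac)
            push(now + t1, "renew", mac)
        stats.peak_leases = max(stats.peak_leases, len(held))
    return stats


if __name__ == "__main__":
    for lease in (86400, 1800, 30):
        s = simulate(lease, pool_size=100)
        print(f"lease={lease:>6}s peak={s.peak_leases:>3} denied={s.denied:>4} "
              f"renewals={s.renewals:>6} active_kept={s.active_kept}")
```

With a 24 hour lease and 40 abandoned devices per hour, a /25-sized pool of 100 fills within two hours and every later client is refused, while the active clients only renew twice a day. At 30 minutes the abandoned leases settle at the Little's law value of 20, nobody is refused, and active clients renew every 15 minutes without noticing. At 30 seconds the pool is almost empty, but the same 20 active clients generate 115200 renew exchanges per day, which is the churn the last reply warns about.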