Enabling dhcp starvation attack protection, Enabling dhcp-request message attack protection – H3C Technologies H3C S12500 Series Switches User Manual


Step 3: Back up DHCP snooping entries to the file.
    Command: dhcp-snooping binding database update now
    Remarks: Optional. DHCP snooping entries are stored to the file each time this command is used.

Step 4: Set the interval at which the DHCP snooping entry file is refreshed.
    Command: dhcp-snooping binding database update interval minutes
    Remarks: Optional. By default, the file is not refreshed periodically.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources.

To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3: Enable MAC address check.
    Command: dhcp-snooping check mac-address
    Remarks: Disabled by default.

Enabling DHCP-request message attack protection

Attackers can forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server.
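The following Python model is an added illustration and is not code from the H3C manual or from the switch software. It implements the two snooping checks described on this page, the MAC address check (chaddr against the frame source MAC) and the DHCP-REQUEST message check (renewal against the existing snooping entry), over constructed sample frames and a constructed binding table. The entry fields compared (IP address, VLAN, ingress port), the use of ciaddr or option 50 as the address the client claims, and the omission of the IP/UDP headers between the Ethernet header and the DHCP payload are assumptions made for the model.

```python
"""Software model of two DHCP snooping checks (added example, not H3C code):
   1. MAC address check: chaddr must equal the frame's source MAC.
   2. DHCP-REQUEST check: a renewal must agree with the existing snooping entry.
All frames, MACs, IPs and binding entries below are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import Optional

DHCPREQUEST = 3                      # option 53 value for a DHCP-REQUEST
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OPT_MSG_TYPE, OPT_REQUESTED_IP, OPT_END, OPT_PAD = 53, 50, 255, 0


@dataclass
class DhcpMessage:
    msg_type: int
    chaddr: bytes              # client hardware address (first hlen bytes of the 16-byte field)
    ciaddr: str                # client IP address, filled in by a client renewing its lease
    requested_ip: Optional[str]


@dataclass
class Frame:
    """Constructed ingress frame: source MAC, ingress VLAN/port and the DHCP payload.
    The real IP/UDP headers between Ethernet and DHCP are omitted (assumption)."""
    src_mac: bytes
    vlan: int
    port: str
    payload: bytes


@dataclass
class Binding:
    """One DHCP snooping entry; the fields compared are an assumption of this model."""
    ip: str
    vlan: int
    port: str


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the BOOTP fixed header (236 bytes) plus the options that follow the cookie."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                       # hardware address length, 6 for Ethernet
    ciaddr = ip_str(payload[12:16])
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    req = options.get(OPT_REQUESTED_IP)
    return DhcpMessage(msg_type, chaddr, ciaddr, ip_str(req) if req else None)


def build_request(chaddr: bytes, ciaddr: str, requested_ip: Optional[str] = None) -> bytes:
    """Build a minimal DHCP-REQUEST as constructed test input (not real client traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x1234, 0, 0,
                         ip_bytes(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + ip_bytes(requested_ip)
    return header + opts + bytes([OPT_END])


def mac_address_check(frame: Frame, msg: DhcpMessage) -> bool:
    """Models dhcp-snooping check mac-address: chaddr must match the frame source MAC."""
    return msg.chaddr == frame.src_mac


def request_check(frame: Frame, msg: DhcpMessage, table: dict) -> bool:
    """Models DHCP-REQUEST message check: with an entry present, the renewal must agree with it."""
    if msg.msg_type != DHCPREQUEST:
        return True
    entry = table.get(msg.chaddr)
    if entry is None:
        return True                          # no corresponding entry: forward, as the manual states
    claimed_ip = msg.requested_ip or msg.ciaddr
    return (entry.ip, entry.vlan, entry.port) == (claimed_ip, frame.vlan, frame.port)


def inspect(frame: Frame, table: dict) -> str:
    """Return 'forward', or 'discard: <reason>' naming the check that failed."""
    msg = parse_dhcp(frame.payload)
    if not mac_address_check(frame, msg):
        return "discard: chaddr does not match source MAC"
    if not request_check(frame, msg, table):
        return "discard: forged lease renewal"
    return "forward"


if __name__ == "__main__":
    # Constructed binding table and frames for a quick demonstration.
    mac1 = bytes.fromhex("aabbccddee01")
    table = {mac1: Binding("192.0.2.10", 10, "GE1/0/1")}
    good = Frame(mac1, 10, "GE1/0/1", build_request(mac1, "192.0.2.10"))
    bad = Frame(mac1, 10, "GE1/0/1", build_request(mac1, "192.0.2.99"))
    print(inspect(good, table), "/", inspect(bad, table))
```

The order of the two checks mirrors the manual: the MAC address check runs on every DHCP request, while the DHCP-REQUEST check only rejects a renewal when an entry exists and disagrees with the message, so a client with no entry is still forwarded to the server.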
To enable DHCP-REQUEST message check:
