Enabling dhcp starvation attack protection, Specifying a server for the dhcp client, Configuring option 184 parameters for the client – H3C Technologies H3C S12500-X Series Switches User Manual


Step 2. Enable periodic refresh of dynamic relay entries.
    Command: dhcp relay client-information refresh enable
    Remarks: By default, periodic refresh of dynamic relay entries is enabled.

Step 3. Configure the refresh interval.
    Command: dhcp relay client-information refresh [ auto | interval interval ]
    Remarks: By default, the refresh interval is auto, which is calculated based on the total number of relay entries.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.

- To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.

- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them. If you enable this feature on an intermediate relay agent, it might discard valid DHCP packets, and the sending clients will not obtain IP addresses.

A MAC address check entry has an aging time. When the aging time expires, the entry ages out, and the DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.
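The following Python model illustrates the check described above: it parses a client-to-server DHCP frame, compares the BOOTP chaddr field with the Ethernet source MAC, and keeps per-MAC entries that age out after a configurable time. It is an added example written for this page, not H3C code, and it does not describe how the switch implements the feature internally. The frames are constructed inline (no capture), the `RelayMacCheck` class and the rule that a cached "discard" entry is reused until it ages out are modelling assumptions, and `relay_rewrite` models only the source-MAC change a relay performs before forwarding (giaddr and hops handling are omitted). The last scenario shows why the manual says to enable the check only on the relay directly connected to clients.

```python
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67
BOOTP_CHADDR_OFFSET = 28   # chaddr starts after op, htype, hlen, hops, xid, secs, flags, 4 addresses


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp_discover(src_mac: str, chaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame (sample input, not a real capture).
    src_mac goes into the Ethernet header; chaddr goes into the BOOTP client hardware address."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # op=BOOTREQUEST, htype=Ethernet, hlen=6
    bootp += mac_bytes(chaddr).ljust(16, b"\0")                        # chaddr (16 bytes)
    bootp += b"\0" * 64 + b"\0" * 128                                  # sname, file
    bootp += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])              # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp                     # checksum left 0: not needed for this model
    eth = b"\xff" * 6 + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip


def extract_macs(frame: bytes):
    """Return (Ethernet source MAC, BOOTP chaddr) for a client-to-server DHCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # IPv4 only
        return None
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if len(ip) < 20 or ip[9] != 17:                          # protocol must be UDP
        return None
    udp = frame[14 + ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < BOOTP_CHADDR_OFFSET + 16:
        return None
    hlen = bootp[2]
    if hlen == 0 or hlen > 16:
        return None
    return src_mac, bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]


@dataclass
class Entry:
    verdict: str        # "forward" or "discard"
    expires_at: float   # absolute time at which the entry ages out


class RelayMacCheck:
    """Model of 'dhcp relay check mac-address' with aging (assumption: a discard entry is reused
    until it ages out, after which the MAC is rechecked from scratch)."""

    def __init__(self, aging_time: float = 300.0):   # manual default: 300 seconds
        self.aging_time = aging_time
        self.entries: dict[bytes, Entry] = {}

    def check(self, frame: bytes, now: float) -> str:
        macs = extract_macs(frame)
        if macs is None:
            return "not-dhcp-request"          # the feature only inspects DHCP requests
        src_mac, chaddr = macs
        entry = self.entries.get(src_mac)
        if entry is not None and entry.expires_at <= now:
            del self.entries[src_mac]           # aged out: recheck this MAC
            entry = None
        if entry is not None and entry.verdict == "discard":
            return "discard"
        verdict = "forward" if src_mac == chaddr else "discard"
        self.entries[src_mac] = Entry(verdict, now + self.aging_time)
        return verdict


def relay_rewrite(frame: bytes, relay_mac: str) -> bytes:
    """Model the relay re-sending the frame from its own MAC (chaddr inside BOOTP is unchanged)."""
    return frame[:6] + mac_bytes(relay_mac) + frame[12:]


def demo() -> dict:
    """Scenarios from the manual text, using constructed frames; returns the verdict for each."""
    client = "00:11:22:33:44:55"
    legit = build_dhcp_discover(client, client)
    forged = build_dhcp_discover(client, "de:ad:be:ef:00:01")   # same source MAC, forged chaddr
    relay = RelayMacCheck(aging_time=300.0)
    results = {
        "legit_t0": relay.check(legit, now=0.0),        # chaddr == source MAC -> forward
        "forged_t1": relay.check(forged, now=1.0),      # mismatch -> discard, entry created
        "legit_t2": relay.check(legit, now=2.0),        # entry still valid -> discard
        "legit_t302": relay.check(legit, now=302.0),    # entry aged out -> rechecked -> forward
    }
    upstream = RelayMacCheck(aging_time=300.0)           # check wrongly enabled on an intermediate relay
    results["intermediate_relay"] = upstream.check(relay_rewrite(legit, "aa:bb:cc:dd:ee:ff"), now=0.0)
    results["non_dhcp"] = upstream.check(b"\x00" * 60, now=0.0)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The intermediate-relay scenario discards a perfectly valid request because the first relay replaced the Ethernet source MAC while chaddr still carries the client's address; this is the failure mode the manual warns about when the feature is enabled beyond the first hop.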
To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Configure the aging time for MAC address check entries.
    Command: dhcp relay check mac-address aging-time time
    Remarks: The default aging time is 300 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.

Step 3. Enter the interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 4. Enable MAC address check.
    Command: dhcp relay check mac-address
    Remarks: By default, MAC address check is disabled.
