Enabling dhcp starvation attack protection, Enabling dhcp-request attack protection – H3C Technologies H3C S12500 Series Switches User Manual

Page 77


Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."

Protect against starvation attacks in the following ways:

To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using the mac-address max-mac-count command. For more information about the command, see Layer 2—LAN Switching Command Reference.

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This function compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Enable MAC address check. | dhcp snooping check mac-address | By default, MAC address check is disabled.


Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This function prevents unauthorized clients that forge DHCP-REQUEST messages from attacking the DHCP server.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages prevent the victim DHCP server from releasing the IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, the feature compares the entry with the message information. If they are consistent, the message is considered valid and forwarded to the DHCP server. If they differ, the message is considered forged and is discarded. If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
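The two checks described on this page (MAC address check and DHCP-REQUEST check), as an added Python model written for this page and not H3C code: it builds constructed DHCP request frames, compares chaddr with the frame's source MAC, and then checks the message against a constructed snooping binding table. It assumes a binding table that records only the client's leased IP; the switch's real snooping entries carry more fields, so the comparison here is a simplification.

```python
import socket, struct

# Constructed snooping binding table (example values, not from the manual): client MAC -> leased IP.
BINDINGS = {"00:11:22:33:44:55": "192.168.1.10"}
REQUEST_TYPES = {3, 4, 7}  # option 53 values: renewal REQUEST, DECLINE, RELEASE

def build_frame(src_mac, chaddr, ciaddr, msg_type, requested_ip=None):
    """Ethernet header + DHCP message (IP/UDP omitted); pack order: op, htype, hlen, hops, xid, secs, flags, ciaddr."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    dhcp = struct.pack("!BBBBIHH4s", 1, 1, 6, 0, 0x1234, 0, 0, socket.inet_aton(ciaddr))
    dhcp += b"\x00" * 12 + bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")  # yiaddr/siaddr/giaddr, chaddr
    dhcp += b"\x00" * 192 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type])  # sname, file, magic cookie
    if requested_ip:  # DECLINE names the address in option 50 rather than in ciaddr
        dhcp += bytes([50, 4]) + socket.inet_aton(requested_ip)
    return eth + dhcp + b"\xff"

def parse(frame):
    # Returns (frame source MAC, chaddr, client IP the message claims, option 53 type)
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    dhcp = frame[14:]
    chaddr = ":".join(f"{b:02x}" for b in dhcp[28:34])
    claimed, msg_type, opts, i = socket.inet_ntoa(dhcp[12:16]), None, dhcp[240:], 0
    while i < len(opts) and opts[i] != 255:
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        elif code == 50:
            claimed = socket.inet_ntoa(opts[i + 2:i + 6])
        i += 2 + length
    return src, chaddr, claimed, msg_type

def mac_address_check(frame):
    """dhcp snooping check mac-address: chaddr must equal the frame's source MAC."""
    src, chaddr, _, _ = parse(frame)
    return src == chaddr

def dhcp_request_check(frame, bindings=BINDINGS):
    """DHCP-REQUEST check: a snooping entry for the client, if one exists, must agree."""
    _, chaddr, claimed_ip, msg_type = parse(frame)
    if msg_type not in REQUEST_TYPES:
        return True  # DISCOVER etc. are not subject to this check
    bound_ip = bindings.get(chaddr)
    return bound_ip is None or bound_ip == claimed_ip  # no entry: forwarded as valid

def verdict(frame, bindings=BINDINGS):
    if not mac_address_check(frame):
        return "drop: chaddr does not match source MAC"
    if not dhcp_request_check(frame, bindings):
        return "drop: conflicts with snooping entry"
    return "forward"
```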
To enable DHCP-REQUEST check:
