Enabling dhcp starvation attack protection – H3C Technologies H3C S5560 Series Switches User Manual


Step 3. (Optional.) Manually save DHCP snooping entries to the backup file.
  Command: dhcp snooping binding database update now
  Remarks: N/A

Step 4. (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.
  Command: dhcp snooping binding database update interval seconds
  Remarks: The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified waiting period is reached. All entries changed during the period are saved to the backup file. If no DHCP snooping entry changes, the backup file is not updated.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so that legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."

Protect against starvation attacks in the following ways:

• To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using the mac-address max-mac-count command. For more information about the command, see Layer 2—LAN Switching Command Reference.

• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This function compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Enable MAC address check.
  Command: dhcp snooping check mac-address
  Remarks: By default, MAC address check is disabled.
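The following Python model is an added example, not H3C code or anything from this manual. It shows the two protections described above as a filter applied to constructed Ethernet/IPv4/UDP/DHCP frames: a per-port limit on learned source MAC addresses (the idea behind mac-address max-mac-count, simplified here to dropping frames from addresses beyond the limit) and the chaddr-versus-source-MAC comparison performed by dhcp snooping check mac-address. The frame layout assumed (Ethernet II, no VLAN tag, IPv4 without options) and the helper and class names are the example's own assumptions.

```python
"""Added example (not H3C code): model of the two DHCP starvation protections
the manual describes, run over constructed sample frames."""
import struct

ETH_HDR, IP_HDR, UDP_HDR = 14, 20, 8
DHCP_SERVER_PORT = 67


def build_dhcp_request(src_mac: bytes, chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Construct a minimal client-to-server DHCPREQUEST frame (sample data only).
    src_mac goes in the Ethernet header; chaddr goes in the BOOTP chaddr field."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"           # dst broadcast, src, EtherType IPv4
    # BOOTP fixed header: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    bootp += b"\x00" * 16                               # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")                  # chaddr is a 16-byte field
    bootp += b"\x00" * 192                              # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63"                        # DHCP magic cookie
    bootp += b"\x35\x01\x03\xff"                        # option 53 = DHCPREQUEST, end
    udp_len = UDP_HDR + len(bootp)
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, udp_len, 0)   # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + udp_len, 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    return eth + ip + udp + bootp


def parse_dhcp_request(frame: bytes):
    """Return (source MAC, chaddr) for a client DHCP request, or None if the
    frame is not an IPv4/UDP BOOTREQUEST addressed to the DHCP server port."""
    if len(frame) < ETH_HDR + IP_HDR + UDP_HDR:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                        # not UDP
        return None
    udp = ip[ihl:]
    _sport, dport = struct.unpack("!HH", udp[:4])
    if dport != DHCP_SERVER_PORT:
        return None
    bootp = udp[UDP_HDR:]
    if len(bootp) < 44 or bootp[0] != 1:                   # need chaddr; op must be request
        return None
    hlen = bootp[2]
    return src_mac, bootp[28:28 + hlen]


class SnoopingPort:
    """One Layer 2 port with both protections from the manual (simplified model)."""

    def __init__(self, max_mac_count: int, check_mac_address: bool):
        self.max_mac_count = max_mac_count            # mac-address max-mac-count
        self.check_mac_address = check_mac_address    # dhcp snooping check mac-address
        self.learned = set()

    def handle(self, frame: bytes) -> str:
        """Return 'forward' or a drop reason for one received frame."""
        src_mac = frame[6:12]
        # Protection 1: cap the number of distinct source MACs the port learns.
        # Simplification: frames from addresses beyond the limit are dropped.
        if src_mac not in self.learned:
            if len(self.learned) >= self.max_mac_count:
                return "drop: max-mac-count reached"
            self.learned.add(src_mac)
        parsed = parse_dhcp_request(frame)
        if parsed is None:
            return "forward"           # not a client DHCP request; check does not apply
        _, chaddr = parsed
        # Protection 2: chaddr must equal the frame's source MAC when check is enabled.
        if self.check_mac_address and chaddr != src_mac:
            return "drop: chaddr does not match source MAC"
        return "forward"


def demo():
    """Check enabled, limit of 2: a valid request, a forged chaddr, a third MAC."""
    port = SnoopingPort(max_mac_count=2, check_mac_address=True)
    legit = bytes.fromhex("001122334455")
    second = bytes.fromhex("00aabbccddee")
    third = bytes.fromhex("00aabbccdd02")
    return [
        port.handle(build_dhcp_request(legit, legit)),
        port.handle(build_dhcp_request(second, bytes.fromhex("00aabbccdd01"))),
        port.handle(build_dhcp_request(third, third)),
    ]


def demo_check_disabled():
    """Default state (check disabled): the forged chaddr is forwarded."""
    port = SnoopingPort(max_mac_count=8, check_mac_address=False)
    spoof = bytes.fromhex("00aabbccddee")
    return port.handle(build_dhcp_request(spoof, bytes.fromhex("00aabbccdd01")))


if __name__ == "__main__":
    print(demo())
    print(demo_check_disabled())
```

The second sample frame carries a source MAC that differs from its chaddr, which is exactly what the check in step 3 catches; with check_mac_address left at its default of disabled, the same frame is forwarded, which is why the manual recommends combining the MAC learning limit with the chaddr check rather than relying on either alone.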
