Configuring option 184 parameters for the client, Enabling dhcp starvation attack protection – H3C Technologies H3C S12500 Series Switches User Manual
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enable periodic refresh of dynamic relay entries.
   Command: dhcp relay client-information refresh enable
   Remarks: By default, periodic refresh of dynamic relay entries is enabled.

Step 3. Configure the refresh interval.
   Command: dhcp relay client-information refresh [ auto | interval interval ]
   Remarks: By default, the refresh interval is auto, which is calculated based on the total number of relay entries.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests, each carrying a different MAC address in the chaddr field, to a DHCP server. This exhausts the IP address pool of the DHCP server, so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also stop working because its system resources are exhausted. The following methods are available to relieve or prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn, or the number of MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address (only the chaddr field is forged), you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent treats the request as valid and forwards it to the DHCP server. If not, it discards the DHCP request.
A DHCP relay agent changes the source MAC address of DHCP packets before sending them out, while the chaddr field still carries the client's MAC address. Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. If you enable this feature on an intermediate relay agent, the agent might discard valid DHCP packets forwarded to it by another relay agent, and the clients fail to obtain IP addresses.
To enable MAC address check:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter the interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

Step 3. Enable MAC address check.
   Command: dhcp relay check mac-address
   Remarks: By default, MAC address check is disabled.
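The following Python, added here as an illustration and not taken from the manual or from H3C, models the two mitigations described above on constructed DHCP Discover frames: the MAC address check that compares the chaddr field with the frame's source MAC address, and the per-port MAC learning limit from the first bullet. The frame layout follows RFC 2131; the MAC addresses, the handling of non-Ethernet hlen values, and the scenario of a frame arriving from another relay agent are this example's assumptions, not statements from the manual.

```python
import struct

# Constructed sample addresses for this example (not from the manual).
CLIENT_MAC = bytes.fromhex("001122334455")   # a real client NIC
FORGED_MAC = bytes.fromhex("0a0b0c0d0e0f")   # chaddr forged by an attacker
RELAY_MAC = bytes.fromhex("00aabbccddee")    # an intermediate relay agent's own MAC

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = b"\x08\x00"
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
BOOTP_REQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp_discover(frame_src_mac, chaddr, giaddr=b"\x00" * 4):
    """Build an Ethernet/IPv4/UDP frame carrying a DHCP Discover (RFC 2131 layout).
    frame_src_mac goes into the Ethernet header and chaddr into the BOOTP chaddr
    field, so the two can be made to disagree on purpose."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTP_REQUEST, 1, 6, 0,                         # op, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,                          # xid, secs, flags (broadcast)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    dhcp = bootp + DHCP_MAGIC + b"\x35\x01\x01\xff"    # option 53 = Discover, then end
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp    # IP checksum left at 0 for brevity
    return BROADCAST_MAC + frame_src_mac + ETHERTYPE_IPV4 + ip


def parse_dhcp_request(frame):
    """Return (eth_src, hlen, chaddr) for a DHCP request frame, else None."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                             # IP protocol field: not UDP
        return None
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp + 8
    if frame[bootp] != BOOTP_REQUEST:
        return None
    hlen = frame[bootp + 2]
    chaddr = frame[bootp + 28:bootp + 44]               # the 16-byte chaddr field
    return frame[6:12], hlen, chaddr


def relay_mac_check(frame):
    """The MAC address check from the text: forward a DHCP request only if the
    chaddr field equals the frame's source MAC address, otherwise discard it.
    Treating a non-Ethernet hlen as a mismatch is this example's assumption."""
    parsed = parse_dhcp_request(frame)
    if parsed is None:
        return "not-dhcp-request"
    eth_src, hlen, chaddr = parsed
    if hlen != 6 or chaddr[:6] != eth_src:
        return "discard"
    return "forward"


def mac_limit_filter(frames, max_macs):
    """Model of the per-port MAC learning limit from the first bullet: learn up to
    max_macs source MACs, then drop frames whose source MAC is not in the table.
    Returns (learned_macs, dropped_count)."""
    table, dropped = set(), 0
    for f in frames:
        src = f[6:12]
        if src in table:
            continue
        if len(table) < max_macs:
            table.add(src)
        else:
            dropped += 1
    return table, dropped


if __name__ == "__main__":
    legit = build_dhcp_discover(CLIENT_MAC, CLIENT_MAC)
    forged = build_dhcp_discover(CLIENT_MAC, FORGED_MAC)   # same source MAC, forged chaddr
    relayed = build_dhcp_discover(RELAY_MAC, CLIENT_MAC, giaddr=bytes([10, 0, 0, 1]))
    print("legitimate client:", relay_mac_check(legit))      # forward
    print("forged chaddr:    ", relay_mac_check(forged))     # discard
    print("via another relay:", relay_mac_check(relayed))    # discard: the caveat above
    flood = [build_dhcp_discover(bytes([0, 0, 0, 0, 0, i]), bytes([0, 0, 0, 0, 0, i]))
             for i in range(1, 11)]                          # 10 distinct source MACs
    print("MAC limit 4 on a 10-MAC flood:", mac_limit_filter(flood, 4)[1], "frames dropped")
```

The third frame is the case the caveat warns about: a request that has already passed through another relay agent carries that relay's MAC in the frame header while chaddr still names the client, so an intermediate relay running the check would drop it. The flood at the end passes the MAC check on every frame (each chaddr matches its own frame), which is why the first bullet's MAC learning limit is the relevant control against that variant.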