Enabling dhcp starvation attack protection, Enabling dhcp-request attack protection – H3C Technologies H3C S12500 Series Switches User Manual

64

76B

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain
identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts

the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The

DHCP server might also fail to work because of exhaustion of system resources. For information about the

fields of DHCP packet, see "

721H

DHCP message format

."

Protect against starvation attacks in the following ways:

•

To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender
MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using

the mac-address max-mac-count command. For more information about the command, see Layer

2—LAN Switching Command Reference.

•

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender

MAC address, perform this task to enable MAC address check for DHCP snooping. This function
compares the chaddr field of a received DHCP request with the source MAC address field in the

frame header. If they are the same, the request is considered valid and forwarded to the DHCP

server. If not, the request is discarded.

To enable MAC address check:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter interface view.

interface interface-type interface-number

N/A

3.

Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address
check is disabled.

77B

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and

DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST

messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no

longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the

IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate
DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries

to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, this feature

compares the entry with the message information. If they are consistent, the message is considered as
valid and forwarded to the DHCP server. If they are different, the message is considered as a forged

message and is discarded. If no matching entry is found, the message is considered valid and forwarded

to the DHCP server.
To enable DHCP-REQUEST check: