Enabling dhcp starvation attack protection – H3C Technologies H3C S10500 Series Switches User Manual

Follow these steps to configure DHCP snooping entries backup:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Specify the name of the file for storing DHCP snooping entries | dhcp-snooping binding database filename filename | Required. Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command. |
| Back up DHCP snooping entries to the file | dhcp-snooping binding database update now | Optional. DHCP snooping entries are stored to the file each time this command is used. |
| Set the interval at which the DHCP snooping entry file is refreshed | dhcp-snooping binding database update interval minutes | Optional. By default, the file is not refreshed periodically. |

NOTE:

After DHCP snooping is disabled with the undo dhcp-snooping command, the device deletes all DHCP snooping entries, including those stored in the file.

If you specify a subdirectory in the name of the file that stores DHCP snooping entries, make sure that the subdirectory is available on each MPU. Otherwise, the system will fail to create the file on MPUs without the specified subdirectory. To solve this problem, cancel the current configuration and specify a new subdirectory in the file name.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server, so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because its system resources are exhausted. You can protect against starvation attacks in the following ways:

- To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, limit the number of MAC addresses that a Layer 2 port can learn.

- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and is forwarded to the DHCP server; if not, the request is discarded.
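As an added illustration (not code from the H3C manual or the switch firmware), the following Python models the two protections described above: a per-port cap on the number of source MAC addresses learned, and the MAC address check that compares the chaddr field of a DHCP request with the frame's source MAC. The frame builder, the port name GE1/0/1, the sample MAC addresses and the learning limit are constructed assumptions for the demonstration; the parser walks real Ethernet/IPv4/UDP/DHCP header offsets.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
DHCP_SERVER_PORT = 67
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_request(src_mac: bytes, chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/DHCP DISCOVER frame (constructed sample, not a capture).

    src_mac goes into the Ethernet header; chaddr goes into the DHCP header, so the two can
    be set independently to reproduce the mismatch the MAC address check looks for.
    """
    # BOOTP/DHCP fixed header: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0,
    # xid, secs, flags (broadcast bit), ciaddr/yiaddr/siaddr/giaddr, chaddr, sname, file, cookie
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s",
                       1, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, DHCP_MAGIC_COOKIE)
    dhcp += b"\x35\x01\x01\xff"  # option 53 (message type) = DISCOVER, then end option
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return BROADCAST_MAC + src_mac + b"\x08\x00" + ip


def dhcp_request_fields(frame: bytes):
    """Return (source MAC, chaddr) for a DHCP client request, or None if the frame is not one."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # IPv4 only
        return None
    src_mac = frame[6:12]
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                                  # IP header length in bytes
    if ip[9] != 17 or len(ip) < ihl + 8:                      # must be UDP
        return None
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:  # client -> server direction
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[0] != 1:                       # op must be BOOTREQUEST
        return None
    hlen = dhcp[2]
    if hlen > 16:
        return None
    return src_mac, dhcp[28:28 + hlen]                        # chaddr starts at offset 28


def mac_address_check(frame: bytes) -> str:
    """The check the manual describes: forward only when chaddr equals the frame's source MAC."""
    parsed = dhcp_request_fields(frame)
    if parsed is None:
        return "forward"  # not a DHCP request, so the check does not apply
    src_mac, chaddr = parsed
    return "forward" if src_mac == chaddr else "discard"


class PortMacLimit:
    """Models a cap on the number of source MACs a Layer 2 port may learn (constructed model)."""

    def __init__(self, max_macs: int):
        self.max_macs = max_macs
        self.learned = {}  # port name -> set of learned source MACs

    def accept(self, port: str, frame: bytes) -> bool:
        src = frame[6:12]
        macs = self.learned.setdefault(port, set())
        if src in macs:
            return True
        if len(macs) >= self.max_macs:
            return False  # learning limit reached: the frame from a new MAC is dropped
        macs.add(src)
        return True


def simulate(limit: int = 3):
    """Run both protections over constructed traffic; return (dropped by limit, dropped by check)."""
    limiter = PortMacLimit(limit)
    dropped_by_limit = 0
    for i in range(10):                       # requests with ten different source MACs
        mac = bytes([0x02, 0, 0, 0, 0, i])
        if not limiter.accept("GE1/0/1", build_dhcp_request(mac, mac)):
            dropped_by_limit += 1
    dropped_by_check = 0
    fixed_src = b"\x02\x00\x00\x00\x00\xaa"   # one source MAC, ten forged chaddr values
    for i in range(10):
        forged = bytes([0x02, 0, 0, 0, 1, i])
        if mac_address_check(build_dhcp_request(fixed_src, forged)) == "discard":
            dropped_by_check += 1
    return dropped_by_limit, dropped_by_check


if __name__ == "__main__":
    print(simulate(3))  # (7, 10): 3 MACs learned then 7 dropped; all 10 mismatched chaddr discarded
```

The two mechanisms are complementary: the learning limit only constrains how many distinct source MACs a port can present, so a request whose frame source MAC stays constant while chaddr varies passes it, and only the chaddr-to-source-MAC comparison catches that case.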

Follow these steps to enable MAC address check:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |