Enabling dhcp starvation attack protection – H3C Technologies H3C S5560 Series Switches User Manual
To enable periodic refresh of dynamic relay entries:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable periodic refresh of dynamic relay entries.
    Command: dhcp relay client-information refresh enable
    Remarks: By default, periodic refresh of dynamic relay entries is enabled.

Step 3. Set the refresh interval.
    Command: dhcp relay client-information refresh [ auto | interval interval ]
    Remarks: By default, the refresh interval is auto, which is calculated based on the total number of relay entries.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail
to work because of exhaustion of system resources. The following methods are available to relieve or
prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:
  - Limit the number of ARP entries that a Layer 3 interface can learn.
  - Limit the number of MAC addresses that a Layer 2 port can learn.
  - Configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.
Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A
DHCP relay agent changes the source MAC address of DHCP packets before sending them. If you
enable this feature on an intermediate relay agent, it might discard valid DHCP packets. Then the
sending clients will not obtain IP addresses.
A MAC address check entry has an aging time. When the aging time expires, both of the following occur:
• The entry ages out.
• The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.
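The following is an added illustrative example, not H3C code and not the switch's implementation: it builds constructed DHCPDISCOVER frames, parses the chaddr field out of the Ethernet/IPv4/UDP/BOOTP encapsulation, applies the relay-side comparison against the frame's source MAC, and keeps per-MAC check entries with an aging time. The aging semantics used here (a MAC with a live entry is not rechecked until the entry expires) are this example's reading of the description above, not a documented internal of the product. It runs both starvation variants from the text through the check, so it also shows why the same-source-MAC variant is stopped while the spoofed-source-MAC variant is not.

```python
"""Relay-side DHCP MAC address check (added example; frame layouts are standard RFC 2131 BOOTP)."""
import struct

BOOTP_CLIENT_PORT = 68
BOOTP_SERVER_PORT = 67
BROADCAST_MAC = b"\xff" * 6


def build_dhcp_discover(src_mac: bytes, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal broadcast DHCPDISCOVER frame (constructed test input).

    src_mac goes into the Ethernet header, chaddr into the BOOTP payload. A
    genuine client uses the same value for both; a forged request need not.
    """
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    bootp += b"\x00" * 16                                        # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")                           # chaddr (16 bytes, 6 used)
    bootp += b"\x00" * 192                                       # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"           # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp   # checksums left 0 for brevity
    return BROADCAST_MAC + src_mac + b"\x08\x00" + ip


def parse_dhcp_request(frame: bytes):
    """Return (source_mac, chaddr) for an Ethernet/IPv4/UDP BOOTP request, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                             # not IPv4 over Ethernet II, or not UDP
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != BOOTP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < 44 or bootp[0] != 1:        # op must be BOOTREQUEST
        return None
    hlen = bootp[2]
    return frame[6:12], bootp[28:28 + hlen]     # chaddr starts at BOOTP offset 28


class RelayMacCheck:
    """Forward a request only if its chaddr matches the frame's source MAC."""

    def __init__(self, aging_time: float, clock):
        self.aging_time = aging_time
        self.clock = clock                      # injectable clock for deterministic runs
        self.entries = {}                       # source MAC -> entry expiry time
        self.forwarded = 0
        self.discarded = 0

    def handle(self, frame: bytes) -> bool:
        """Return True if the relay would forward the request to the DHCP server."""
        parsed = parse_dhcp_request(frame)
        if parsed is None:
            return False                        # not a DHCP request; outside this feature
        src_mac, chaddr = parsed
        now = self.clock()
        expiry = self.entries.get(src_mac)
        if expiry is not None and now >= expiry:
            del self.entries[src_mac]           # entry aged out: the MAC is rechecked below
            expiry = None
        if expiry is None:                      # assumption: a live entry skips the recheck
            if chaddr != src_mac:
                self.discarded += 1
                return False
            self.entries[src_mac] = now + self.aging_time
        self.forwarded += 1
        return True


def simulate() -> dict:
    """Constructed traffic: one legitimate client, then the two starvation variants."""
    clock = [0.0]
    relay = RelayMacCheck(aging_time=30.0, clock=lambda: clock[0])
    legit = bytes.fromhex("001122334455")
    attacker = bytes.fromhex("00aabbccddee")
    out = {"legit": relay.handle(build_dhcp_discover(legit, legit))}
    forged = [bytes([0x02, 0, 0, 0, 0, i]) for i in range(50)]
    # Variant 1: one real source MAC, a fresh forged chaddr per request.
    # chaddr never matches the frame header, so every request is discarded.
    out["same_src_forged"] = sum(relay.handle(build_dhcp_discover(attacker, c)) for c in forged)
    # Variant 2: the attacker also spoofs the frame source MAC to equal each chaddr.
    # The check cannot distinguish these from distinct clients; the MAC-learning
    # and ARP-entry limits listed above are what relieve this variant.
    out["spoofed_src"] = sum(relay.handle(build_dhcp_discover(c, c)) for c in forged)
    out["entries_before_aging"] = len(relay.entries)
    clock[0] = 31.0                             # past the 30 s aging time: legit is rechecked
    out["legit_after_aging"] = relay.handle(build_dhcp_discover(legit, legit))
    out["forwarded"], out["discarded"] = relay.forwarded, relay.discarded
    return out


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the legitimate client and all 50 spoofed-source requests forwarded, all 50 same-source forged requests discarded, and the legitimate client rechecked and forwarded again once its entry has aged out.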
To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A