Enabling DHCP starvation attack protection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

| To do… | Use the command… | Remarks |
|---|---|---|
| Back up DHCP snooping entries to the file | dhcp-snooping binding database update now | Optional. DHCP snooping entries will be stored to the file each time this command is used. |
| Set the interval at which the DHCP snooping entry file is refreshed | dhcp-snooping binding database update interval minutes | Optional. By default, the file is not refreshed periodically. |
NOTE:
After DHCP snooping is disabled with the undo dhcp-snooping command, the device will delete all DHCP
snooping entries, including those stored in the file.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail
to work because of exhaustion of system resources.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server; if not, the request is discarded.
Follow these steps to enable MAC address check:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable MAC address check | dhcp-snooping check mac-address | Required. Disabled by default. |
NOTE:
You can enable MAC address check only on Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces,
WLAN-ESS interfaces, and WLAN-BSS interfaces.