Enabling DHCP-REQUEST message attack protection, Displaying and maintaining DHCP snooping – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Enabling DHCP-REQUEST message attack protection
Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP
clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing
the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
With this feature enabled, a DHCP snooping device that receives a DHCP-REQUEST message looks
up its local DHCP snooping entries for the entry that corresponds to the message:
- If an entry is found and it is consistent with the message information, the DHCP-REQUEST
message is considered a valid lease renewal request and is forwarded to the DHCP server.
- If an entry is found but it is not consistent with the message information, the message is
considered a forged lease renewal request and is discarded.
- If no corresponding entry is found, the message is considered valid and is forwarded to the
DHCP server.
Follow these steps to enable DHCP-REQUEST message check:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable DHCP-REQUEST message check | dhcp-snooping check request-message | Required. Disabled by default. |
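
The three outcomes of the DHCP-REQUEST message check, modelled in Python as an added example (not H3C's implementation and not code from this manual). The manual does not say which fields are compared, so this sketch assumes the entry is looked up by client IP address and compared on MAC address and receiving port; all addresses and port names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry. The field set is an assumption of this sketch."""
    ip: str
    mac: str
    port: str

@dataclass(frozen=True)
class DhcpRequest:
    ciaddr: str   # client IP address whose lease is being renewed
    chaddr: str   # client hardware (MAC) address carried in the message
    in_port: str  # port on which the snooping device received the message

def check_request(table: dict, req: DhcpRequest) -> str:
    """Return 'forward' or 'discard' for one DHCP-REQUEST message."""
    entry = table.get(req.ciaddr)
    if entry is None:
        # No corresponding entry: considered valid and forwarded.
        return "forward"
    # Assumed comparison: MAC address and receiving port must both match.
    consistent = (entry.mac.lower() == req.chaddr.lower()
                  and entry.port == req.in_port)
    return "forward" if consistent else "discard"

# Constructed sample data (documentation addresses, made-up port names).
TABLE = {"192.0.2.10": Binding("192.0.2.10", "00:11:22:33:44:55", "GE1/0/1")}
SAMPLES = {
    "genuine renewal": DhcpRequest("192.0.2.10", "00:11:22:33:44:55", "GE1/0/1"),
    "forged, wrong MAC": DhcpRequest("192.0.2.10", "de:ad:be:ef:00:01", "GE1/0/1"),
    "forged, wrong port": DhcpRequest("192.0.2.10", "00:11:22:33:44:55", "GE1/0/7"),
    "no entry for this IP": DhcpRequest("192.0.2.99", "de:ad:be:ef:00:01", "GE1/0/7"),
}

def run_samples(table: dict) -> dict:
    """Verdict for every constructed sample against the given entry table."""
    return {name: check_request(table, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples(TABLE).items():
        print(f"{name:22} -> {verdict}")
    # With an empty table (for example after entries are cleared), nothing
    # can be compared, so the forged renewals are forwarded as well.
    print(run_samples({}))
```

Because a message with no matching entry is forwarded, the check only covers leases for which the device currently holds a DHCP snooping entry; `display dhcp-snooping` shows which entries those are.
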
Displaying and maintaining DHCP snooping
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display DHCP snooping entries | display dhcp-snooping [ ip ip-address ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display Option 82 configuration information on the DHCP snooping device | display dhcp-snooping information { all \| interface interface-type interface-number } [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display DHCP packet statistics on the DHCP snooping device | display dhcp-snooping packet statistics [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display information about trusted ports | display dhcp-snooping trust [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the DHCP snooping entry file information | display dhcp-snooping binding database [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Clear DHCP snooping entries | reset dhcp-snooping { all \| ip ip-address } | Available in user view |
| Clear DHCP packet statistics on the DHCP snooping device | reset dhcp-snooping packet statistics [ slot slot-number ] | Available in user view |