H3C WX3000E Series Wireless Switches User Manual: Enabling DHCP-REQUEST message attack protection; Displaying and maintaining DHCP snooping

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases of legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases instead of releasing the IP addresses, which wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up its local DHCP snooping entries for the entry corresponding to the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and is forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and is discarded. If no corresponding entry is found, the message is considered valid and is forwarded to the DHCP server.
Follow these steps to enable DHCP-REQUEST message check (task: command, remarks):

- Enter system view: system-view
- Enter interface view: interface interface-type interface-number
- Enable DHCP-REQUEST message check: dhcp-snooping check request-message (required; disabled by default)
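The check described above, modelled as an added example (not code from the H3C manual or the device itself); the fields compared (client IP, MAC, VLAN and port), the sample entries and the sample requests are assumptions, since the page does not list them:

```python
from dataclasses import dataclass

# Assumed fields: the page does not list which fields the snooping entry and
# the DHCP-REQUEST are compared on. A typical DHCP snooping entry records the
# client IP, client MAC, VLAN and ingress port, so those are used here.
@dataclass(frozen=True)
class SnoopingEntry:
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class DhcpRequest:
    ip: str    # address the client asks to renew
    mac: str   # client hardware address (chaddr)
    vlan: int  # VLAN the request arrived on
    port: str  # port the request arrived on

# Constructed sample of local DHCP snooping entries, keyed by client IP.
SNOOPING_TABLE = {
    "10.1.1.10": SnoopingEntry("10.1.1.10", "00:11:22:33:44:55", 100, "GE1/0/1"),
    "10.1.1.11": SnoopingEntry("10.1.1.11", "00:11:22:33:44:66", 100, "GE1/0/2"),
}

def check_request(msg: DhcpRequest, table: dict) -> str:
    """Apply the DHCP-REQUEST check: return "forward" or "discard"."""
    entry = table.get(msg.ip)
    if entry is None:
        # No corresponding entry: the message is treated as valid and forwarded.
        return "forward"
    if (entry.mac, entry.vlan, entry.port) == (msg.mac, msg.vlan, msg.port):
        # Entry and message agree: valid lease renewal.
        return "forward"
    # Entry exists but disagrees with the message: forged renewal, dropped.
    return "discard"

# Constructed sample requests: a genuine renewal, a renewal of a victim's
# address sent from another MAC and port, and a renewal of an unknown address.
SAMPLE_REQUESTS = [
    DhcpRequest("10.1.1.10", "00:11:22:33:44:55", 100, "GE1/0/1"),
    DhcpRequest("10.1.1.10", "00:11:22:33:44:77", 100, "GE1/0/3"),
    DhcpRequest("10.1.1.50", "00:11:22:33:44:88", 100, "GE1/0/4"),
]

def run_samples(table=SNOOPING_TABLE):
    return [check_request(m, table) for m in SAMPLE_REQUESTS]
```

The third request is forwarded because no entry exists for 10.1.1.50, so the check only protects addresses that already have DHCP snooping entries.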

Displaying and maintaining DHCP snooping

Use the following commands to display and maintain DHCP snooping (task: command, remarks):

- Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display Option 82 configuration information on the DHCP snooping device: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display DHCP packet statistics on the DHCP snooping device: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display information about trusted ports: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ] (available in any view)
- Display the DHCP snooping entry file information: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ] (available in any view)
- Clear DHCP snooping entries: reset dhcp-snooping { all | ip ip-address } (available in user view)
- Clear DHCP packet statistics on the DHCP snooping device: reset dhcp-snooping packet statistics [ slot slot-number ] (available in user view)