Enabling unauthorized dhcp servers detection, Enabling dhcp starvation attack protection – H3C Technologies H3C SecPath F1000-E User Manual
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means the IP address is now assignable, the DHCP relay agent ages out the client entry with this IP address.
• If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age the entry out.
Follow these steps to configure periodic refresh of dynamic client entries:

To do…                                              | Use the command…                          | Remarks
Enter system view                                   | system-view                               | —
Enable periodic refresh of dynamic client entries   | dhcp relay security refresh enable        | Optional. Enabled by default.
Configure the refresh interval                      | dhcp relay security tracker { interval | auto } | Optional. auto by default (the auto interval is calculated by the relay agent according to the number of client entries).
Enabling Unauthorized DHCP Servers Detection
Unauthorized DHCP servers on a network may reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of the DHCP server that assigned an IP address to the DHCP client, together with the interface on which the reply was received. The administrator can use this information to identify unauthorized DHCP servers.
Follow these steps to enable unauthorized DHCP server detection:

To do…                                       | Use the command…           | Remarks
Enter system view                            | system-view                | —
Enable unauthorized DHCP server detection    | dhcp relay server-detect   | Required. Disabled by default.
NOTE:
With unauthorized DHCP server detection enabled, the device records each DHCP server once. The administrator needs to identify unauthorized DHCP servers from the log information. After the recorded DHCP server information is cleared, the relay agent re-records server information following the same mechanism.
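The recording behaviour described above, as an added illustration that is not H3C code: a relay-side detector parses server replies (BOOTREPLY with DHCP-OFFER or DHCP-ACK), records the server identifier and receiving interface once per server until cleared, and flags servers missing from an assumed allow-list. The class, function and interface names are hypothetical, and the sample reply is constructed inline.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
BOOTREPLY, DHCP_OFFER, DHCP_ACK = 2, 2, 5

def parse_dhcp(payload: bytes) -> dict:
    """Extract op, message type and server identifier from a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    siaddr = str(IPv4Address(payload[20:24]))
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    # Option 54 (server identifier) names the replying server; fall back to siaddr.
    server = str(IPv4Address(options[54])) if 54 in options else siaddr
    return {"op": payload[0], "type": msg_type, "server": server}

class ServerDetector:
    """Hypothetical relay-side recorder: one record per DHCP server until cleared."""
    def __init__(self, authorized):
        self.authorized = set(authorized)        # assumed allow-list of legitimate servers
        self.records = {}                        # server IP -> interface it was seen on

    def observe(self, interface: str, payload: bytes):
        msg = parse_dhcp(payload)
        if msg["op"] != BOOTREPLY or msg["type"] not in (DHCP_OFFER, DHCP_ACK):
            return None                          # only address-assigning server replies count
        if msg["server"] in self.records:
            return None                          # this server was already recorded once
        self.records[msg["server"]] = interface
        return (msg["server"], interface, msg["server"] in self.authorized)

    def clear(self):
        self.records.clear()                     # after clearing, servers are re-recorded

def build_reply(msg_type: int, server_ip: str) -> bytes:
    """Constructed sample server reply (op=BOOTREPLY) for offline testing."""
    hdr = bytearray(236)
    hdr[0] = BOOTREPLY
    hdr[20:24] = IPv4Address(server_ip).packed   # siaddr
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return bytes(hdr) + MAGIC_COOKIE + opts
```

A record whose third element is False is the log entry an administrator would follow up on.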
Enabling DHCP Starvation Attack Protection
A DHCP starvation attack occurs when an attacker constantly forges DHCP requests with different MAC addresses in the chaddr field to apply for IP addresses from a DHCP server. The IP address resources of the DHCP server are exhausted, so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work normally because its system resources are exhausted.
You can limit the number of ARP entries that a Layer 3 interface can learn, or the number of MAC addresses that a Layer 2 port can learn, so that the number of IP addresses an attacker can obtain is restricted. This method