Preventing The Attacker From Sending Bogus Dhcp Messages For Extending Ip Address Leases; Establishing The Configuration Task - Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
3.5 Preventing the Attacker from Sending Bogus DHCP Messages for Extending IP Address Leases
This section describes how to prevent attackers from attacking the DHCP server by forging DHCP messages that extend IP address leases.

3.5.1 Establishing the Configuration Task
3.5.2 Enabling DHCP Snooping
3.5.3 Enabling the Checking of DHCP Request Messages
3.5.4 (Optional) Configuring the Option 82 Function
3.5.5 Checking the Configuration
3.5.1 Establishing the Configuration Task
Applicable Environment
The attacker pretends to be a valid user and continuously sends DHCP Request messages
intending to extend the IP address lease. As a result, certain expired IP addresses cannot be
reused.
To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you
can create the DHCP snooping binding table on the S9300 to check DHCP Request messages.
If the source IP address, source MAC address, VLAN, and interface of the DHCP Request
messages match entries in the binding table, the DHCP Request messages are then forwarded.
Otherwise, the DHCP Request messages are discarded.
The S9300 checks DHCP Request messages as follows:
NOTE
IP addresses are classified into IPv4 addresses and IPv6 addresses. The S9300 checks the source IP addresses of DHCP Request messages, including both IPv4 addresses and IPv6 addresses.
1. Checks whether the destination MAC address is all-f. If the destination MAC address is all-f, the S9300 considers the DHCP Request message to be a broadcast message that a user sends when going online for the first time, and does not check the DHCP Request message against the binding table. Otherwise, the S9300 considers that the user sends the DHCP Request message to renew the lease of the IP address, and checks the DHCP Request message against the binding table.
2. Checks whether the CIADDR field in the DHCP Request message matches an entry in the binding table. If not, the S9300 forwards the message directly. If yes, the S9300 checks whether the VLAN ID, IP address, and interface information of the message match the binding table. If all these fields match the binding table, the S9300 forwards the message; otherwise, the S9300 discards the message.
Run the display dhcp snooping interface interface-type interface-number command to check information about DHCP snooping on the interface.
Issue 06 (2010–01–08)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 DHCP Snooping Configuration
3-13
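The two-step check described above, and the binding-table match described under Applicable Environment, as an added example in Python that is not Huawei's code and not part of this manual. It models the S9300 decision with a constructed binding table and constructed DHCP Request messages; every MAC, IP, VLAN and interface value is sample data, and the interface names are placeholders. Addresses are compared in canonical text form, so the same lookup serves IPv4 and IPv6 addresses as the NOTE says both are checked. The source MAC, which the Applicable Environment paragraph lists alongside the other fields, is compared as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "all-f" destination MAC: the Request is a broadcast from a user going online.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _norm_ip(text: str) -> str:
    """Canonical text form so IPv4 and IPv6 addresses compare reliably."""
    return str(ipaddress.ip_address(text))


def _norm_mac(text: str) -> str:
    return text.lower().replace("-", ":")


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (constructed sample data, not a real table)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpRequest:
    """The fields of a DHCP Request that the check reads (constructed)."""
    dst_mac: str
    src_mac: str
    src_ip: str
    ciaddr: str      # client-supplied address, non-zero on a lease renewal
    vlan: int
    interface: str   # ingress interface (placeholder names below)


def check_dhcp_request(req: DhcpRequest, table: Dict[str, Binding]) -> Tuple[str, str]:
    """Return ("forward" | "discard", reason), following the two steps in the text."""
    # Step 1: all-f destination MAC -> first-time broadcast, not checked at all.
    if _norm_mac(req.dst_mac) == BROADCAST_MAC:
        return "forward", "broadcast Request from a user going online; not checked"
    # Step 2: unicast -> treated as a lease renewal; look the CIADDR up.
    entry: Optional[Binding] = table.get(_norm_ip(req.ciaddr))
    if entry is None:
        return "forward", "CIADDR has no binding entry; forwarded directly"
    # An entry exists: VLAN ID, IP address, interface and source MAC must all match.
    mismatches: List[str] = []
    if entry.vlan != req.vlan:
        mismatches.append("vlan")
    if _norm_ip(entry.ip) != _norm_ip(req.src_ip):
        mismatches.append("ip")
    if entry.interface != req.interface:
        mismatches.append("interface")
    if _norm_mac(entry.mac) != _norm_mac(req.src_mac):
        mismatches.append("mac")
    if mismatches:
        return "discard", "binding mismatch on " + ", ".join(mismatches)
    return "forward", "all fields match the binding entry"


# Constructed binding table keyed by leased IP address (sample values only).
BINDING_TABLE: Dict[str, Binding] = {
    _norm_ip("192.0.2.10"): Binding("192.0.2.10", "00:11:22:33:44:55", 100,
                                    "GigabitEthernet1/0/1"),
}

# Constructed DHCP Request messages exercising each branch of the check.
SAMPLE_REQUESTS: Dict[str, DhcpRequest] = {
    # Broadcast from a host coming online: never checked against the table.
    "first_online": DhcpRequest("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:77",
                                "0.0.0.0", "0.0.0.0", 100, "GigabitEthernet1/0/3"),
    # Renewal whose fields all agree with the binding entry.
    "valid_renew": DhcpRequest("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                               "192.0.2.10", "192.0.2.10", 100, "GigabitEthernet1/0/1"),
    # Renewal for a leased address arriving from the wrong VLAN, port and MAC.
    "bogus_renew": DhcpRequest("00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01",
                               "192.0.2.10", "192.0.2.10", 200, "GigabitEthernet1/0/5"),
    # Renewal whose CIADDR has no binding entry: forwarded directly per step 2.
    "unknown_ciaddr": DhcpRequest("00:aa:bb:cc:dd:ee", "00:11:22:33:44:88",
                                  "192.0.2.99", "192.0.2.99", 100, "GigabitEthernet1/0/4"),
}


def run_samples() -> Dict[str, str]:
    """Decision ("forward"/"discard") for each constructed sample, keyed by name."""
    return {name: check_dhcp_request(req, BINDING_TABLE)[0]
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        action, why = check_dhcp_request(req, BINDING_TABLE)
        print(f"{name:15s} -> {action:8s} ({why})")
```

Note that the model reproduces step 2 literally: a renewal whose CIADDR is absent from the binding table is forwarded, so only renewals for addresses the switch has already learned a lease for are subject to the field comparison.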