Enabling Dhcp Starvation Attack Protection - HP FlexNetwork MSR2003 Configuration Manual


Step 2. Configure the DHCP snooping device to back up DHCP snooping entries to a file.
  Command: dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
  Remarks: By default, the DHCP snooping device does not back up DHCP snooping entries. With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.

Step 3. (Optional.) Manually save DHCP snooping entries to the backup file.
  Command: dhcp snooping binding database update now
  Remarks: N/A

Step 4. (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.
  Command: dhcp snooping binding database update interval seconds
  Remarks: The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified waiting period is reached. All entries changed during the period are saved to the backup file. If no DHCP snooping entry changes, the backup file is not updated.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."

You can prevent DHCP starvation attacks in the following ways:
- If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to limit the number of MAC addresses that a Layer 2 port can learn. For more information about the command, see Layer 2—LAN Switching Command Reference.
- If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This function compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Enable MAC address check.
  Command: dhcp snooping check mac-address
  Remarks: By default, MAC address check is disabled.
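The chaddr-versus-frame-source-MAC comparison described above, as an added illustrative example that is not the device's firmware or any HP code: it parses a raw Ethernet/IPv4/UDP/BOOTP request, compares the chaddr field with the Ethernet source MAC, and sorts constructed sample requests into forwarded and discarded sets. The MAC addresses, frame contents and function names are constructed for the example.

```python
import struct

ETH_LEN, IP_LEN, UDP_LEN, CHADDR_OFF = 14, 20, 8, 28   # header sizes; chaddr offset in BOOTP

def dhcp_mac_check(frame: bytes) -> bool:
    """True if the request should be forwarded: BOOTP chaddr equals Ethernet source MAC.
    Anything that is not a well-formed DHCP client request fails closed (returns False)."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN + CHADDR_OFF + 16:
        return False                                    # too short to hold chaddr
    src_mac = frame[6:12]
    if frame[12:14] != b"\x08\x00":                     # IPv4 only
        return False
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                     # not UDP
        return False
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 67:          # only client -> server (bootps)
        return False
    bootp = udp[UDP_LEN:]
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6:              # BOOTREQUEST, Ethernet hardware type
        return False
    return bootp[CHADDR_OFF:CHADDR_OFF + hlen] == src_mac

def build_dhcp_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP DISCOVER frame (checksums left zero)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    bootp += bytes(16)                                  # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")                  # 16-byte chaddr, first hlen bytes used
    bootp += bytes(192)                                 # sname, file
    bootp += b"\x63\x82\x53\x63\x35\x01\x01\xff"        # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def filter_requests(frames):
    """Split frames into (forwarded, discarded) lists as a port with the check enabled would."""
    forwarded = [f for f in frames if dhcp_mac_check(f)]
    discarded = [f for f in frames if not dhcp_mac_check(f)]
    return forwarded, discarded

# Constructed traffic: one legitimate client, then five requests sharing one frame source
# MAC while the chaddr is varied per request (the pattern the MAC address check targets).
LEGIT_MAC = bytes.fromhex("0011223344aa")
SPOOF_SRC = bytes.fromhex("deadbeef0001")
FRAMES = [build_dhcp_discover(LEGIT_MAC, LEGIT_MAC)] + [
    build_dhcp_discover(SPOOF_SRC, (0x020000000000 + i).to_bytes(6, "big")) for i in range(1, 6)]
```

filter_requests(FRAMES) returns one forwarded frame (the legitimate client) and five discarded ones.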
