Enabling Dhcp Starvation Attack Protection - HP FlexNetwork MSR2003 Configuration Manual

If the server returns a DHCP-ACK message or does not return any message within an interval,
the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK
message, the relay agent sends a DHCP-RELEASE message to release the IP address.
If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.
To enable periodic refresh of dynamic relay entries:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable periodic refresh of dynamic relay entries.
    Command: dhcp relay client-information refresh enable
    Remarks: By default, periodic refresh of dynamic relay entries is enabled.
Step 3. Set the refresh interval.
    Command: dhcp relay client-information refresh [ auto | interval interval ]
    Remarks: By default, the refresh interval is auto, which is calculated from the total number of relay entries.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker floods a DHCP server with forged DHCP requests that carry a different MAC address in the chaddr field each time. The server allocates an address to each apparent client until its address pool is exhausted, so legitimate DHCP clients cannot obtain IP addresses. The flood can also exhaust the server's system resources and make it fail altogether. The following methods relieve or prevent such attacks; which one applies depends on whether the attacker also forges the source MAC address in the frame header.

To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses (the attacker changes the frame source MAC as well as the chaddr field), use one of the following methods:
- Limit the number of ARP entries that a Layer 3 interface can learn.
- Limit the number of MAC addresses that a Layer 2 port can learn.
- Configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address (only the chaddr field varies), enable MAC address check on the DHCP relay agent. The relay agent compares the chaddr field of each received DHCP request with the source MAC address in the frame header. If they match, the relay agent forwards the request to the DHCP server; if they differ, it discards the request. MAC address check does not help against an attacker who also forges the frame source MAC address, so the learning limits above are still needed for that case.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent replaces the source MAC address of DHCP packets with its own before forwarding them, so the chaddr field of a relayed request no longer matches the frame header. If you enable this feature on an intermediate relay agent, it discards these valid DHCP packets, and the clients behind the first relay agent cannot obtain IP addresses.

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:
- The entry ages out.
- The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.

To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
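The following Python script is an added example, not part of the HP manual, that models the MAC address check described above on constructed frames. It builds DHCPDISCOVER frames (Ethernet/IPv4/UDP/BOOTP layout per RFC 2131, with placeholder IP addresses and zero checksums), extracts the frame source MAC and the chaddr field, and applies the relay agent's forward-or-discard decision. It shows the three cases the text distinguishes: a legitimate client, a starvation flood that keeps one source MAC while rotating chaddr, and a request that has already passed through one relay agent, which the check on an intermediate relay would wrongly discard. The function names, the MAC addresses and the giaddr value are assumptions made for the demonstration.

```python
"""Model of the DHCP relay MAC address check: chaddr vs. frame source MAC.

All frames here are constructed for the demonstration, not captured traffic.
"""
import struct

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BOOTREQUEST = 1
ZERO_IP = b"\0\0\0\0"


def build_dhcp_discover(src_mac: bytes, chaddr: bytes, giaddr: bytes = ZERO_IP) -> bytes:
    """Constructed Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame.

    src_mac is the MAC in the Ethernet header; chaddr is the hardware address the
    client claims inside the DHCP payload. A non-zero giaddr marks a request that
    a relay agent has already forwarded; the IP source is then the relay (giaddr).
    IP/UDP checksums are left at zero because the check never looks at them.
    """
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        ZERO_IP, ZERO_IP, ZERO_IP, giaddr,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, type=DISCOVER, end
    udp_len = 8 + len(bootp)
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, udp_len, 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, giaddr, b"\xff\xff\xff\xff") + udp
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_P_IP)
    return eth + ip


def extract_macs(frame: bytes):
    """Return (frame source MAC, chaddr[:hlen]) for an Ethernet DHCP request.

    Returns None for anything that is not an IPv4/UDP BOOTREQUEST with an
    Ethernet hardware address; such frames are outside the scope of the check.
    """
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != DHCP_SERVER_PORT:
        return None
    bootp = ip[ihl + 8:ihl + ulen]
    if len(bootp) < 44:
        return None
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != BOOTREQUEST or htype != 1 or hlen != 6:
        return None
    return src, bootp[28:28 + hlen]   # chaddr starts at BOOTP offset 28


def mac_check(frame: bytes) -> str:
    """Relay agent verdict for one frame: 'forward' if chaddr equals the frame
    source MAC, 'discard' otherwise. Frames outside the check are forwarded."""
    macs = extract_macs(frame)
    if macs is None:
        return "forward"
    src, chaddr = macs
    return "forward" if src == chaddr else "discard"


def run_demo() -> dict:
    """Apply the check to the three cases the manual distinguishes."""
    client = bytes.fromhex("0a1b2c3d4e01")          # assumed client MAC
    first_relay = bytes.fromhex("0a1b2c3d4eff")     # assumed MAC of first relay agent
    # 1. Legitimate client: chaddr equals the frame source MAC.
    legit = build_dhcp_discover(client, client)
    # 2. Starvation from one NIC: same source MAC, fresh chaddr per request.
    forged = [build_dhcp_discover(client, bytes([0x02, 0, 0, 0, 0, i])) for i in range(1, 6)]
    # 3. Already relayed once: giaddr is set and the frame now carries the first
    #    relay's MAC, so an intermediate relay running the check would drop it.
    relayed = build_dhcp_discover(first_relay, client, giaddr=bytes([10, 0, 0, 1]))
    return {
        "legit": mac_check(legit),
        "forged_discarded": sum(mac_check(f) == "discard" for f in forged),
        "relayed_by_intermediate": mac_check(relayed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The third case is the caveat from the text in code form: the chaddr field survives relaying unchanged, but the frame source MAC becomes the first relay's, so the comparison fails on every hop after the first. That is why the feature belongs only on the relay agent that faces the clients.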
