Preventing the DoS Attack by Changing the CHADDR Field; Establishing the Configuration Task; Enabling DHCP Snooping - Huawei Quidway S3700 Series Configuration Manual


Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
3.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent attackers from attacking the DHCP server by
modifying the CHADDR field.

3.4.1 Establishing the Configuration Task

This section describes the applicable environment, pre-configuration tasks, and data
preparation for preventing the DoS attack by changing the CHADDR field.
Applicable Environment
An attacker may continuously apply for IP addresses by changing the client hardware
address (CHADDR) carried in DHCP messages rather than the source MAC address in the
frame header. The S3700, however, checks the validity of packets based only on the
source MAC address in the frame header, so the attack packets are still forwarded
normally and the MAC address limit does not take effect against this attack.
To defend against attackers that change the CHADDR field, you can configure DHCP
snooping on the S3700 to check the CHADDR field carried in DHCP Request messages. If
the CHADDR field matches the source MAC address in the frame header, the message is
forwarded. Otherwise, the message is discarded.
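The comparison described above, written out as an added Python example; it is not Huawei code and not part of the original manual. The function names, the constructed sample frames, and the choice to apply the rule to every client-originated (BOOTREQUEST) message on an untagged Ethernet/IPv4 frame are assumptions made for illustration.

```python
import struct

def build_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample input: untagged Ethernet/IPv4/UDP DHCP client message."""
    z = bytes(4)
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr (16s zero-pads the 6-byte MAC)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        z, z, z, z, chaddr)
    # sname + file (192 zero bytes), magic cookie, option 53 = DISCOVER, end
    bootp += bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     z, b"\xff" * 4) + udp          # checksums left at 0
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def check_chaddr(frame: bytes) -> str:
    """Return 'forward' or 'discard' using the CHADDR-vs-source-MAC rule."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return "forward"                  # not IPv4: outside this check
    src_mac = frame[6:12]                 # source MAC in the frame header
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return "forward"                  # not UDP: outside this check
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 67:
        return "forward"                  # not addressed to a DHCP server
    bootp = udp[8:]
    if len(bootp) < 44:
        return "discard"                  # truncated: CHADDR cannot be read
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6:
        return "forward"                  # not an Ethernet client message
    chaddr = bootp[28:34]                 # CHADDR starts at offset 28
    return "forward" if chaddr == src_mac else "discard"

if __name__ == "__main__":
    host = bytes.fromhex("00e0fc000001")       # constructed MAC addresses
    other = bytes.fromhex("00e0fc0000aa")
    print(check_chaddr(build_frame(host, host)))    # CHADDR matches frame header
    print(check_chaddr(build_frame(host, other)))   # CHADDR differs
```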
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.
No.  Data
1    Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN.
Otherwise, DHCP snooping does not take effect.
Context
To enable DHCP snooping, you need to comply with the following sequence:
- Enable DHCP globally.

3 DHCP Snooping Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
