Enabling DHCP Starvation Attack Protection; Enabling DHCP-REQUEST Message Attack Protection - HP 830 Series Configuration Manual

PoE+ Unified Wired-WLAN Switch Switching Engine
3. Back up DHCP snooping entries to the file.
   Command: dhcp-snooping binding database update now
   Remarks: Optional. DHCP snooping entries are stored to the file each time this command is used.

4. Set the interval at which the DHCP snooping entry file is refreshed.
   Command: dhcp-snooping binding database update interval minutes
   Remarks: Optional. By default, the file is not refreshed periodically.

After DHCP snooping is disabled with the undo dhcp-snooping command, the device deletes all DHCP snooping entries, including those stored in the file.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources. You can protect against starvation attacks in the following ways:

• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.

• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

To enable MAC address check:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable MAC address check.
   Command: dhcp-snooping check mac-address
   Remarks: Disabled by default. You can enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
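The MAC address check from the starvation-protection section above, as an added Python example that is not part of the HP manual: it builds constructed DHCPDISCOVER frames, applies the chaddr-versus-source-MAC comparison the snooping device performs, and counts the distinct source MACs a port would learn (the quantity a MAC learning limit bounds). The frame layout assumes IPv4 without options; all MACs and the xid are made-up sample values.

```python
import struct

BOOTP_OFFSET = 14 + 20 + 8  # Ethernet + IPv4 (IHL=5, no options) + UDP headers
CHADDR_OFFSET = 28          # chaddr starts at byte 28 of the BOOTP header


def build_dhcp_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Build a minimal broadcast DHCPDISCOVER frame (constructed sample, not a capture)."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"                 # dst, src, EtherType IPv4
    bootp = struct.pack("!BBBB", 1, 1, 6, 0)                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
    bootp += struct.pack("!IHH", 0x3903F326, 0, 0x8000)       # xid (sample value), secs, flags (broadcast)
    bootp += b"\x00" * 16                                     # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")                        # chaddr, 16 bytes, zero padded
    bootp += b"\x00" * (64 + 128)                             # sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"        # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)     # client port 68 -> server port 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")  # 0.0.0.0 -> 255.255.255.255, UDP
    return eth + ip + udp + bootp


def is_dhcp_request_frame(frame: bytes) -> bool:
    """True for IPv4/UDP frames addressed to the DHCP server port (67) that carry a full chaddr."""
    return (len(frame) > BOOTP_OFFSET + CHADDR_OFFSET + 16
            and frame[12:14] == b"\x08\x00"
            and frame[23] == 17
            and struct.unpack("!H", frame[36:38])[0] == 67)


def chaddr_matches_source(frame: bytes) -> bool:
    """The MAC address check: forward only if chaddr equals the Ethernet source MAC."""
    if not is_dhcp_request_frame(frame):
        return False
    bootp = frame[BOOTP_OFFSET:]
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:          # not an Ethernet hardware address: discard
        return False
    return bootp[CHADDR_OFFSET:CHADDR_OFFSET + hlen] == frame[6:12]


def learned_source_macs(frames) -> set:
    """Distinct source MACs a port would learn from these frames (what a MAC learning limit caps)."""
    return {f[6:12] for f in frames if is_dhcp_request_frame(f)}
```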