Enabling Dhcp Starvation Attack Protection; Enabling Dhcp-Request Message Attack Protection - HP 3600 v2 Series Configuration Manual

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources. You can protect against starvation attacks in the following ways:

• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

Enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

To enable MAC address check:
Step                            Command                                     Remarks
1. Enter system view.           system-view                                 N/A
2. Enter interface view.        interface interface-type interface-number   N/A
3. Enable MAC address check.    dhcp-snooping check mac-address             Disabled by default

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server.

Enable DHCP-REQUEST message check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

To enable DHCP-REQUEST message check:

Step                            Command                                     Remarks
1. Enter system view.           system-view                                 N/A
2. Enter interface view.        interface interface-type interface-number   N/A
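The following Python script is an added illustration, not code from the HP manual or from the 3600 v2 firmware. It models both checks described on this page: the MAC address check (chaddr compared with the frame's source MAC) from the starvation section, and the DHCP-REQUEST message check (message compared against a snooping entry) from the section above. The frames, MAC addresses, IP addresses, port names and binding table are constructed sample values. The manual does not say which fields the DHCP-REQUEST check compares, so the assumption here is that the entry's IP address and ingress port are matched against the lease the message claims (ciaddr, or option 50 for INIT-REBOOT) and the port the frame arrived on. IP and UDP headers are omitted because neither check needs them.

```python
"""Model of DHCP snooping MAC address check and DHCP-REQUEST message check.

Added example; frame layout below is Ethernet header + BOOTP/DHCP payload
(IP/UDP headers omitted as a simplification, labelled as such).
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 50, 53, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_dhcp(chaddr, msg_type, ciaddr="0.0.0.0", requested_ip=None, xid=0x1234):
    """Build a BOOTP/DHCP payload: fixed 236-byte header, magic cookie, options."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0)   # op,htype,hlen,hops,xid,secs,flags
    hdr += ip_to_bytes(ciaddr) + b"\x00" * 12              # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac_to_bytes(chaddr).ljust(16, b"\x00")         # chaddr (16 bytes)
    hdr += b"\x00" * (64 + 128)                            # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + ip_to_bytes(requested_ip)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


def build_frame(src_mac, dhcp):
    """Ethernet header (broadcast dst, given src, ethertype) directly followed by DHCP."""
    return mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(src_mac) + b"\x08\x00" + dhcp


def parse_frame(frame):
    """Extract the fields the two snooping checks need from a constructed frame."""
    dhcp = frame[14:]
    if dhcp[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(dhcp) and dhcp[i] != OPT_END:
        if dhcp[i] == 0:            # pad option
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "src_mac": bytes_to_mac(frame[6:12]),
        "chaddr": bytes_to_mac(dhcp[28:34]),
        "ciaddr": bytes_to_ip(dhcp[12:16]),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "requested_ip": bytes_to_ip(opts[OPT_REQUESTED_IP]) if OPT_REQUESTED_IP in opts else None,
    }


def mac_address_check(pkt):
    """MAC address check: forward only when chaddr equals the frame source MAC."""
    return "forward" if pkt["chaddr"] == pkt["src_mac"] else "drop"


def request_message_check(pkt, ingress_port, bindings):
    """DHCP-REQUEST message check against snooping entries keyed by client MAC.

    Assumed comparison (not specified by the manual): entry IP vs. the lease the
    message claims, and entry port vs. the ingress port.
    """
    if pkt["msg_type"] != DHCPREQUEST:
        return "forward"                      # check applies to DHCP-REQUEST only
    entry = bindings.get(pkt["chaddr"])
    if entry is None:
        return "forward"                      # no entry: treated as valid
    claimed_ip = pkt["requested_ip"] or pkt["ciaddr"]
    consistent = entry["ip"] == claimed_ip and entry["port"] == ingress_port
    return "forward" if consistent else "drop"


def run_demo():
    """Run both checks over constructed frames; returns verdicts keyed by scenario."""
    client = "aa:bb:cc:00:00:01"
    bindings = {client: {"ip": "10.0.0.5", "port": "GE1/0/1"}}   # constructed snooping entry
    frames = {
        "legit_discover": (build_frame(client, build_dhcp(client, DHCPDISCOVER)), "GE1/0/1"),
        "spoofed_chaddr": (build_frame(client, build_dhcp("aa:bb:cc:00:00:02", DHCPDISCOVER)), "GE1/0/1"),
        "legit_renew": (build_frame(client, build_dhcp(client, DHCPREQUEST, ciaddr="10.0.0.5")), "GE1/0/1"),
        "forged_renew": (build_frame(client, build_dhcp(client, DHCPREQUEST, requested_ip="10.0.0.5")), "GE1/0/7"),
        "unknown_client": (build_frame("aa:bb:cc:00:00:09", build_dhcp("aa:bb:cc:00:00:09", DHCPREQUEST, ciaddr="10.0.0.9")), "GE1/0/3"),
    }
    verdicts = {}
    for name, (frame, port) in frames.items():
        pkt = parse_frame(frame)
        verdicts[name] = {"mac_check": mac_address_check(pkt),
                          "request_check": request_message_check(pkt, port, bindings)}
    return verdicts


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:15s} {verdict}")
```

Only the "spoofed_chaddr" frame fails the MAC address check, and only the "forged_renew" frame fails the DHCP-REQUEST check; the client with no snooping entry is forwarded, matching the rule stated in the manual.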