Enabling Dhcp Starvation Attack Protection - HPE FlexNetwork 10500 Series Configuration Manual
Layer 3-ip services
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Security command reference (881 pages) ,
- Security configuration manual (702 pages) ,
- Network management and monitoring command reference (423 pages)
Table of Contents
Advertisement
Step
1.
Enter system view.
2.
Configure the DHCP
snooping device to back up
DHCP snooping entries to a
file.
3.
(Optional.) Manually save
DHCP snooping entries to
the backup file.
4.
(Optional.) Set the waiting
time after a DHCP snooping
entry change for the DHCP
snooping device to update
the backup file.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that
contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This
attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot
obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system
resources. For information about the fields of DHCP packet, see
You can prevent DHCP starvation attacks in the following ways:
•
If the forged DHCP requests contain different sender MAC addresses, use the mac-address
max-mac-count command to limit the number of MAC addresses that a Layer 2 port can learn.
For more information about the command, see Layer 2—LAN Switching Command Reference.
•
If the forged DHCP requests contain the same sender MAC address, perform this task to
enable MAC address check for DHCP snooping. This feature compares the chaddr field of a
received DHCP request with the source MAC address field in the frame header. If they are the
same, the request is considered valid and forwarded to the DHCP server. If not, the request is
discarded.
To enable MAC address check:
Step
1.
Enter system view.
2.
Enter interface view.
Command
system-view
dhcp snooping binding
database filename { filename |
url url [ username username
[ password { cipher | simple }
string ] ] }
dhcp snooping binding
database update now
dhcp snooping binding
database update interval
interval
Command
system-view
interface interface-type
interface-number
97
Remarks
N/A
By default, the DHCP snooping
device does not back up DHCP
snooping entries.
With this command executed, the
DHCP snooping device backs up
DHCP snooping entries
immediately and runs auto backup.
This command automatically
creates the file if you specify a
non-existent file.
N/A
The default waiting time is 300
seconds.
When a DHCP snooping entry is
learned, updated, or removed, the
waiting period starts. The DHCP
snooping device updates the
backup file when the specified
waiting period is reached. All
changed entries during the period
will be saved to the backup file.
If no DHCP snooping entry
changes, the backup file is not
updated.
"DHCP message
format."
Remarks
N/A
N/A
Advertisement
Table of Contents
Troubleshooting
