Preventing The Dos Attack By Changing The Chaddr Field; Establishing The Configuration Task - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03
2 DHCP Snooping Configuration
[Quidway] display this
#
sysname Quidway
#
dhcp snooping enable
#
dhcp server detect
#
2.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent the attackers from attacking the DHCP server by
modifying the CHADDR.

2.4.1 Establishing the Configuration Task
2.4.2 Enabling DHCP Snooping
2.4.3 Checking the CHADDR Field in DHCP Request Messages
2.4.4 Checking the Configuration
2.4.1 Establishing the Configuration Task
Applicable Environment
An attacker may apply for IP addresses continuously by changing the client hardware address (CHADDR) carried in DHCP messages while leaving the source MAC address in the frame header unchanged. Because the S9300 checks the validity of packets only against the source MAC address in the frame header, such attack packets are still forwarded normally, and the MAC address limit cannot take effect against them.
To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S9300 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.
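The forwarding rule described above, as an added illustration that is not part of the Huawei manual and does not model the S9300's internal implementation: a small Python checker parses a raw Ethernet frame, locates the BOOTP header of a client-to-server DHCP request (UDP destination port 67, op = BOOTREQUEST), and forwards the frame only when the CHADDR equals the frame's source MAC. The frame builder and the MAC addresses are constructed sample data; checksums are left at zero because the check never looks at them.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
BOOTREQUEST = 1


def build_dhcp_request_frame(eth_src: bytes, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal client-to-server DHCP (BOOTREQUEST) frame.

    Constructed sample data, not a capture. IP/UDP checksums are left at zero.
    eth_src goes into the Ethernet header; chaddr goes into the BOOTP CHADDR field,
    so the two can be made to agree (legitimate client) or differ (spoofed CHADDR).
    """
    assert len(eth_src) == 6 and len(chaddr) == 6
    # BOOTP fixed header up to CHADDR (28 bytes):
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    bootp = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += chaddr.ljust(16, b"\0")       # CHADDR is 16 bytes; hlen says 6 are used
    bootp += b"\0" * 64 + b"\0" * 128      # sname, file
    bootp += b"\x63\x82\x53\x63"           # DHCP magic cookie
    bootp += bytes([53, 1, 3, 255])        # option 53 = DHCPREQUEST, then End
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def chaddr_check(frame: bytes) -> str:
    """Apply the CHADDR check to one Ethernet frame.

    Returns "forward" when the frame is a DHCP request whose CHADDR equals the
    source MAC in the frame header, "discard" when it is a DHCP request that fails
    the check (or is malformed), and "not-dhcp-request" when the check does not
    apply (non-IPv4, non-UDP, or not addressed to the DHCP server port).
    """
    if len(frame) < 14:
        return "discard"                              # runt frame
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-dhcp-request"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ip[9] != IPPROTO_UDP:
        return "not-dhcp-request"
    udp = ip[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return "not-dhcp-request"
    bootp = udp[8:]
    if len(bootp) < 44 or bootp[0] != BOOTREQUEST:
        return "discard"                              # truncated or not a client request
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:
        return "discard"                              # only Ethernet addresses are comparable
    chaddr = bootp[28:28 + hlen]
    return "forward" if chaddr == eth_src else "discard"


def demo():
    """Run the check over a legitimate request and one with a spoofed CHADDR."""
    legit_mac = bytes.fromhex("001122334455")          # constructed sample address
    spoofed_chaddr = bytes.fromhex("00aabbccddee")     # constructed sample address
    good = build_dhcp_request_frame(legit_mac, legit_mac)
    bad = build_dhcp_request_frame(legit_mac, spoofed_chaddr)
    return chaddr_check(good), chaddr_check(bad)


if __name__ == "__main__":
    print(demo())  # ('forward', 'discard')
```

The checker deliberately returns a third verdict for frames the rule does not cover, so that a caller can keep ordinary traffic flowing and apply the forward/discard decision only to DHCP requests, as the manual describes.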
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.
No.  Data
1    Type and number of the interface enabled with the check function

Quidway S9300 Terabit Routing Switch Configuration Guide - Security
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Issue 01 (2009-07-28)    2-8