H3C SR8800-F Configuration Manual: Configuring DHCP starvation attack protection; Configuring DHCP server compatibility; Configuring the DHCP server to always broadcast responses

Comware 7 user access
Configuring DHCP starvation attack protection

About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address
resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP
server might also fail to work because of exhaustion of system resources. For information about the
fields in the DHCP messages, see "DHCP message format."
The following methods are available to relieve or prevent such attacks:
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different
  source MAC addresses, perform the following configuration on an interface:
  a. Execute the mac-address max-mac-count command to set the MAC learning limit. For
     more information about this command, see Layer 2—LAN Switching Command Reference.
  b. Disable unknown frame forwarding when the MAC learning limit is reached.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same
  source MAC address, enable MAC address check on the DHCP server. The DHCP server
  compares the chaddr field of a received DHCP request with the source MAC address in the
  frame header. If they are the same, the DHCP server verifies the request as legal and
  processes it. If they are not the same, the server discards the DHCP request.
Procedure
To enable MAC address check:

Step                          | Command                                    | Remarks
1. Enter system view.         | system-view                                | N/A
2. Enter interface view.      | interface interface-type interface-number  | N/A
3. Enable MAC address check.  | dhcp server check mac-address              | By default, MAC address check is disabled.

Configuring DHCP server compatibility

Perform this task to enable the DHCP server to support DHCP clients that are not compliant with the RFC.

Configuring the DHCP server to always broadcast responses

By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP
request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always
broadcast a response. This feature is useful when some clients set the broadcast flag to 0 but do not
accept unicast responses.
The DHCP server always unicasts a response in the following situations, regardless of whether this
feature is configured:
• The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).
• The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is
  not 0).
To configure the DHCP server to broadcast all responses:
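The following Python model, added here as an illustration and not code from H3C or the Comware implementation, parses the fixed part of a DHCP message and applies the two server-side rules this page describes: the MAC address check (chaddr must equal the source MAC of the carrying frame) and the reply-delivery decision (always-broadcast setting, overridden by a non-zero ciaddr or giaddr). It also counts distinct chaddr values per frame source, which is the traffic pattern the MAC check rejects. All frames, MAC addresses and IP addresses below are constructed sample values.

```python
import struct
from collections import defaultdict

# Fixed part of a BOOTP/DHCP message (RFC 2131, section 2): 236 bytes, followed by
# the 4-byte magic cookie and the options field.
_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000          # high bit of the 16-bit 'flags' field
BOOTREQUEST = 1                  # 'op' value used by every client message
ZERO_IP = b"\x00" * 4


def build_dhcp(chaddr, msg_type=1, flags=0, ciaddr=ZERO_IP, giaddr=ZERO_IP, xid=0x3903F326):
    """Build a minimal client message (constructed sample data, not a capture).
    msg_type is DHCP option 53: 1 = DISCOVER, 3 = REQUEST."""
    fixed = _FIXED.pack(BOOTREQUEST, 1, len(chaddr), 0, xid, 0, flags,
                        ciaddr, ZERO_IP, ZERO_IP, giaddr,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(data):
    """Extract the header fields the server logic below needs."""
    if len(data) < _FIXED.size + 4 or data[_FIXED.size:_FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, htype, hlen, _hops, xid, _secs, flags, ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = _FIXED.unpack_from(data)
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    return {
        "op": op, "htype": htype, "xid": xid,
        "chaddr": chaddr[:hlen],              # client hardware address (hlen bytes)
        "ciaddr": ciaddr, "giaddr": giaddr,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
    }


def check_mac_address(frame_src_mac, msg):
    """Model of MAC address check: accept the request only when chaddr equals
    the source MAC of the Ethernet frame that carried it."""
    return msg["chaddr"] == frame_src_mac


def response_delivery(msg, always_broadcast=False):
    """Decide how the server sends its reply. A non-zero ciaddr or giaddr
    forces unicast regardless of the always-broadcast setting."""
    if msg["ciaddr"] != ZERO_IP:
        return "unicast"          # client already has an address
    if msg["giaddr"] != ZERO_IP:
        return "unicast"          # reply is addressed to the relay agent
    if always_broadcast or msg["broadcast_flag"]:
        return "broadcast"
    return "unicast"


def distinct_chaddr_per_source(frames):
    """Count distinct chaddr values seen per frame source MAC. One source
    presenting many chaddr values is the pattern MAC address check rejects."""
    seen = defaultdict(set)
    for src_mac, data in frames:
        seen[src_mac].add(parse_dhcp(data)["chaddr"])
    return {mac: len(addrs) for mac, addrs in seen.items()}


# Constructed sample traffic (placeholder MAC and IP values).
LEGIT_MAC = bytes.fromhex("001122334455")
ATTACK_SRC = bytes.fromhex("00aabbccddee")
DISCOVER_LEGIT = build_dhcp(LEGIT_MAC, flags=BROADCAST_FLAG)
DISCOVER_SPOOFED = build_dhcp(bytes.fromhex("0a0000000001"))   # chaddr != frame source
REQUEST_RENEW = build_dhcp(LEGIT_MAC, msg_type=3, ciaddr=bytes([10, 0, 0, 20]))
DISCOVER_RELAYED = build_dhcp(LEGIT_MAC, giaddr=bytes([10, 0, 0, 1]))
SAMPLE_FRAMES = [
    (LEGIT_MAC, DISCOVER_LEGIT),
    (ATTACK_SRC, DISCOVER_SPOOFED),
    (ATTACK_SRC, build_dhcp(bytes.fromhex("0a0000000002"))),
    (ATTACK_SRC, build_dhcp(bytes.fromhex("0a0000000003"))),
]

if __name__ == "__main__":
    for src, data in SAMPLE_FRAMES:
        msg = parse_dhcp(data)
        verdict = "process" if check_mac_address(src, msg) else "discard"
        print(src.hex(":"), msg["chaddr"].hex(":"), verdict, response_delivery(msg))
    print(distinct_chaddr_per_source(SAMPLE_FRAMES))
```

Running the block lists each sample frame with the MAC-check verdict and the delivery mode the server would use with the always-broadcast feature disabled; the renewal and relayed requests are unicast even when the feature is enabled, as the page states.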