Configuring Dhcp Flood Attack Protection; Enabling Dhcp Starvation Attack Protection - H3C SR8800-F Configuration Manual

Comware 7 user access
Step | Command | Remarks
--- | --- | ---
1. Enter system view. | system-view | N/A
2. Enable periodic refresh of dynamic relay entries. | dhcp relay client-information refresh enable | By default, periodic refresh of dynamic relay entries is enabled.
3. Set the refresh interval. | dhcp relay client-information refresh [ auto \| interval interval ] | By default, the refresh interval is auto, which is calculated based on the number of total relay entries.

Configuring DHCP flood attack protection

About DHCP flood attack protection
DHCP flood attack protection enables the DHCP relay agent to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.
When the DHCP relay agent receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit within the detection duration, the relay agent determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP relay agent discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP relay agent deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP relay agent creates a flood attack entry and counts the number of incoming DHCP packets for that client again.
Procedure
To configure DHCP flood attack protection:

Step | Command | Remarks
--- | --- | ---
1. Enter system view. | system-view | N/A
2. (Optional) Set the DHCP packet rate threshold for DHCP flood attack detection. | dhcp flood-protection threshold packet-number milliseconds | By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.
3. (Optional) Set the DHCP flood attack entry aging time. | dhcp flood-protection aging-time time | The default setting is 300 seconds.
4. Enter interface view. | interface interface-type interface-number | N/A
5. Enable DHCP flood attack protection. | dhcp flood-protection enable | By default, DHCP flood attack protection is disabled.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server, so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.
To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:
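The per-MAC flood attack entry logic described under "About DHCP flood attack protection" above, modelled as a small Python simulation using the page's defaults (6 packets per 5000 ms, 300 s aging). This is an added example, not code from the H3C manual or the Comware implementation; the MAC addresses and packet trace are constructed, and the two assumptions it makes beyond the page (a check-state entry whose window elapsed opens a new window; aging is counted from entering the restrain state) are noted in the class docstring.

```python
# Defaults quoted on the page: 6 DHCP packets per 5000 ms per client MAC, 300 s aging.
DEFAULT_THRESHOLD, DEFAULT_WINDOW_MS, DEFAULT_AGING_MS = 6, 5000, 300 * 1000


class RelayFloodProtection:
    """Per-MAC flood-attack entry table of a DHCP relay agent (a model, not H3C code).
    Assumptions not stated on the page: a check-state entry whose detection window
    elapsed below the threshold opens a new window, and aging is counted from the
    moment the entry entered the restrain state."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, window_ms=DEFAULT_WINDOW_MS,
                 aging_ms=DEFAULT_AGING_MS):
        self.threshold, self.window_ms, self.aging_ms = threshold, window_ms, aging_ms
        self.entries = {}   # mac -> {"state", "window_start", "count", "restrain_since"}

    def receive(self, mac, now_ms):
        """Return "forward" or "drop" for one DHCP packet from mac at time now_ms."""
        e = self.entries.get(mac)
        if e is None:   # first packet from this MAC: create an entry in check state
            self.entries[mac] = {"state": "check", "window_start": now_ms, "count": 1}
            return "forward"
        if e["state"] == "restrain":
            if now_ms - e["restrain_since"] < self.aging_ms:
                return "drop"                  # client is being restrained
            del self.entries[mac]              # aging time reached: delete the entry
            return self.receive(mac, now_ms)   # and count this client's packets again
        if now_ms - e["window_start"] >= self.window_ms:
            e["window_start"], e["count"] = now_ms, 0   # open a new detection window
        e["count"] += 1
        if e["count"] > self.threshold:        # above the allowed maximum: restrain
            e["state"], e["restrain_since"] = "restrain", now_ms
            return "drop"
        return "forward"


def simulate(trace, **kwargs):
    """Run the model over (mac, time_ms) packets in time order; return the verdicts."""
    relay = RelayFloodProtection(**kwargs)
    return [relay.receive(mac, t) for mac, t in sorted(trace, key=lambda p: p[1])]


# Constructed trace: one MAC floods at 10 packets/s, a legitimate client sends two
# packets, and the flooding MAC returns after its entry has aged out.
ATTACKER, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
TRACE = ([(ATTACKER, i * 100) for i in range(10)] + [(CLIENT, 0), (CLIENT, 3000)]
         + [(ATTACKER, 301_000)])

if __name__ == "__main__":
    for (mac, t), verdict in zip(sorted(TRACE, key=lambda p: p[1]), simulate(TRACE)):
        print(f"{t:>7} ms  {mac}  {verdict}")
```

With the defaults, the flooding MAC gets its first 6 packets forwarded, is restrained from the 7th packet on, and is forwarded again once it returns after the 300 s aging time, while the legitimate client is never affected.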