Table of Contents
Advertisement
Step
4.
(Optional.) Set the waiting
time after a DHCP snooping
entry change for the DHCP
snooping device to update
the backup file.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that
contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This
attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot
obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system
resources. For information about the fields of DHCP packet, see
You can prevent DHCP starvation attacks in the following ways:
•
If the forged DHCP requests contain different sender MAC addresses, use the mac-address
max-mac-count command to set the MAC learning limit on a Layer 2 port. For more
information about the command, see Layer 2—LAN Switching Command Reference.
•
If the forged DHCP requests contain the same sender MAC address, perform this task to
enable MAC address check for DHCP snooping. This feature compares the chaddr field of a
received DHCP request with the source MAC address field in the frame header. If they are the
same, the request is considered valid and forwarded to the DHCP server. If not, the request is
discarded.
To enable MAC address check:
Step
1.
Enter system view.
2.
Enter interface view.
3.
Enable MAC address check.
Enabling DHCP-REQUEST attack protection
About DHCP-REQUEST attack protection
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and
DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the
DHCP-REQUEST messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that
no longer need the IP addresses. These forged messages disable the victim DHCP server from
releasing the IP addresses.
Command
dhcp snooping binding
database update interval
interval
Command
system-view
interface interface-type
interface-number
dhcp snooping check mac-address
162
Remarks
The default waiting time is 300
seconds.
When a DHCP snooping entry is
learned, updated, or removed, the
waiting period starts. The DHCP
snooping device updates the
backup file when the specified
waiting period is reached. All
changed entries during the period
will be saved to the backup file.
If no DHCP snooping entry
changes, the backup file is not
updated.
"DHCP message
format."
Remarks
N/A
N/A
By default, MAC address
check is disabled.
Advertisement
Table of Contents
Troubleshooting
