Enabling DHCP Starvation Attack Protection - HP 10500 Series Configuration Manual

Layer 3 - IP services

To configure DHCP snooping entries backup:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the name of the file for storing DHCP snooping entries. | dhcp-snooping binding database filename filename | Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command. |
| 3. Back up DHCP snooping entries to the file. | dhcp-snooping binding database update now | Optional. DHCP snooping entries are stored to the file each time this command is used. |
| 4. Set the interval at which the DHCP snooping entry file is refreshed. | dhcp-snooping binding database update interval minutes | Optional. By default, the file is not refreshed periodically. |

After DHCP snooping is disabled with the undo dhcp-snooping command, the device deletes all DHCP
snooping entries, including those stored in the file.
If you specify a subdirectory in the name of the file that stores DHCP snooping entries, make sure the
subdirectory is available on each MPU. Otherwise, the system fails to create the file on MPUs without the
specified subdirectory. To solve this problem, cancel the current configuration, create the subdirectory,
and specify the file name.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail
to work because of exhaustion of system resources. Protect against starvation attacks in the following
ways:
- To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source
  MAC addresses, limit the number of MAC addresses that a Layer 2 port can learn.
- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source
  MAC address, enable MAC address check on the DHCP snooping device. With this function
  enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with
  the source MAC address field of the frame.
  - If they are the same, the request is considered valid and forwarded to the DHCP server.
  - If they are not the same, the request is discarded.

Enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
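
The MAC address check described in this section, shown as an added Python example that is not from the HP manual and is not the device's implementation. It assumes untagged Ethernet II frames carrying IPv4; the function names and the sample MAC addresses are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_UDP, DHCP_SERVER_PORT = 0x0800, 17, 67
BOOTREQUEST, HTYPE_ETHERNET = 1, 1

def mac_check(frame: bytes):
    """True = forward, False = discard, None = not an Ethernet DHCP client request."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src_mac = frame[6:12]                       # source MAC address of the frame
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    udp = 14 + ihl
    bootp = udp + 8
    if ihl < 20 or frame[23] != IPPROTO_UDP or len(frame) < bootp + 44:
        return None
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != DHCP_SERVER_PORT:
        return None
    op, htype, hlen = frame[bootp:bootp + 3]
    if op != BOOTREQUEST or htype != HTYPE_ETHERNET or hlen != 6:
        return None
    chaddr = frame[bootp + 28:bootp + 34]       # client hardware address field
    return chaddr == src_mac

def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER in an Ethernet/IPv4/UDP frame."""
    bootp = (struct.pack("!BBBB", BOOTREQUEST, HTYPE_ETHERNET, 6, 0) + bytes(24)
             + chaddr + bytes(10) + bytes(192)             # chaddr padding, sname + file
             + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff")  # magic cookie, option 53
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff" * 4)  # checksum left 0, not validated
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

def filter_port(frames):
    """Apply the check to frames received on one port; return (forwarded, discarded)."""
    results = [mac_check(f) for f in frames]
    return results.count(True), results.count(False)  # None (non-DHCP) is not counted

if __name__ == "__main__":
    host = bytes.fromhex("020000000001")      # constructed locally administered MAC
    legit = build_request(host, host)         # chaddr equals the frame's source MAC
    # Same source MAC, varying chaddr: the case MAC address check is meant to stop.
    forged = [build_request(host, bytes([2, 0, 0, 0, 1, i])) for i in range(5)]
    print(filter_port([legit] + forged))
```

Requests whose source MAC address also changes per frame pass this comparison, which is why the section pairs it with a limit on the number of MAC addresses a Layer 2 port can learn.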
