Enabling DHCP-REQUEST Message Attack Protection; Configuring DHCP Packet Rate Limit - HP 10500 Series Configuration Manual

Layer 3 - IP Services
To enable MAC address check:

Step                                Command                                      Remarks
1. Enter system view.               system-view                                  N/A
2. Enter interface view.            interface interface-type interface-number    N/A
3. Enable MAC address check.        dhcp-snooping check mac-address              Disabled by default.

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases of legitimate DHCP clients that no longer need the addresses. These forged messages keep the victim DHCP server renewing the leases instead of releasing the addresses, which wastes IP address resources.

To prevent such attacks, enable DHCP-REQUEST message check on DHCP snooping devices. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, the DHCP snooping device compares the entry with the message information:
• If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and is forwarded to the DHCP server.
• If they are not consistent, the message is considered a forged lease renewal request and is discarded.
If no matching entry is found, the message is considered valid and is forwarded to the DHCP server without further comparison. The check therefore protects only clients whose address bindings the DHCP snooping device has already recorded.

Enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

To enable DHCP-REQUEST message check:

Step                                Command                                      Remarks
1. Enter system view.               system-view                                  N/A
2. Enter interface view.            interface interface-type interface-number    N/A
3. Enable DHCP-REQUEST check.       dhcp-snooping check request-message          Disabled by default.

Configuring DHCP packet rate limit

To identify DHCP packets from unauthorized DHCP servers, DHCP snooping delivers all incoming DHCP packets to the CPU. If a malicious user sends a large number of DHCP requests to the DHCP snooping device, the CPU of the device is overloaded and the device may even crash. To solve this problem, configure DHCP packet rate limit on the relevant interfaces.

Follow these guidelines when you configure DHCP packet rate limit:
• Configure DHCP packet rate limit only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
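The per-interface checks from the two tables above, applied together on a client-facing port, as an added Comware 5 session that is not part of the HP manual. Interface names and the rate value are hypothetical. Three commands are not on this page and are assumed from the wider DHCP snooping configuration of Comware 5 switches: the global `dhcp-snooping` enable, `dhcp-snooping trust` on the uplink towards the DHCP server (snooping entries, which the request-message check compares against, are learned from server replies received on trusted ports), and `dhcp-snooping rate-limit` for the rate-limit guideline; confirm each against the command reference for your release. Text after `#` is annotation, not CLI input.

```text
# Added example (not from the HP manual): Comware 5 session on an HP 10500.
# Assumed and not shown on this page: "dhcp-snooping" (global enable),
# "dhcp-snooping trust" (uplink) and "dhcp-snooping rate-limit" (rate limit).
# Port numbers are hypothetical; text after "#" is annotation.
<HP> system-view
[HP] dhcp-snooping                                    # assumed: enable DHCP snooping globally
[HP] interface GigabitEthernet 1/0/48                 # hypothetical uplink towards the DHCP server
[HP-GigabitEthernet1/0/48] dhcp-snooping trust        # assumed: entries are learned from replies on trusted ports
[HP-GigabitEthernet1/0/48] quit
[HP] interface GigabitEthernet 1/0/1                  # hypothetical client-facing Layer 2 Ethernet port
[HP-GigabitEthernet1/0/1] dhcp-snooping check mac-address       # MAC address check (first table, step 3)
[HP-GigabitEthernet1/0/1] dhcp-snooping check request-message   # DHCP-REQUEST check (second table, step 3)
[HP-GigabitEthernet1/0/1] dhcp-snooping rate-limit 64           # assumed syntax; 64 pps is an illustrative value
[HP-GigabitEthernet1/0/1] quit
[HP] display dhcp-snooping                            # lists the snooping entries the request-message check uses
```

Repeat the interface block for every untrusted access port (or Layer 2 aggregate interface, named Bridge-Aggregation in Comware), never on the trusted uplink. Because a DHCP-REQUEST with no matching entry is forwarded unchecked, run `display dhcp-snooping` after clients have obtained leases and confirm that bindings exist for the ports the check is meant to protect; a port with no entries gets no protection from this feature.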
