Access Security Guide K/KA/KB.15.15

Instrumentation monitor:
Protects your network from a variety of other common attacks besides DHCP and ARP attacks, including:
• Attempts at a port scan to expose a vulnerability in the switch, indicated by an excessive number of packets sent to closed TCP/UDP ports.
• Attempts to fill all IP address entries in the switch's forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses.
• Attempts to spread viruses, indicated by an increased number of ARP request packets.
• Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources.
• Attempts to attack the switch's CPU and introduce delay in system response time to new network events.
• Attempts by hackers to access the switch, indicated by an excessive number of failed logins or port authentication failures.
• Attempts to deny switch service by filling the forwarding table, indicated by an increased number of learned MAC addresses or a high number of MAC address moves from one port to another.
• Attempts to exhaust available CPU resources, indicated by an increased number of learned MAC address events being discarded.
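The indicators above are all rate-based: a counter crosses a threshold inside a time window. The following is an added example, not the switch firmware, that implements that idea for three of the listed indicators (hits on closed TCP ports, MAC moves as distinct from fresh MAC learns, and failed logins) over a constructed event stream. The event format, the 60-second window and the threshold values are assumptions of the example; the switch's own counters and thresholds are configured through its CLI.

```python
"""Sliding-window threshold detection for indicators in the list above (added
example, not the switch firmware). Event kinds, window and thresholds are assumed."""
from collections import defaultdict, deque

DEFAULT_THRESHOLDS = {"closed_port_hits": 20, "mac_learns": 100,
                      "mac_moves": 10, "login_failures": 5}


class InstrumentationMonitor:
    def __init__(self, window=60, thresholds=None):
        self.window = window                            # seconds
        self.thresholds = thresholds or dict(DEFAULT_THRESHOLDS)
        self.mac_port = {}                              # MAC -> port it was last learned on
        self.events = defaultdict(deque)                # counter -> timestamps inside window
        self.alerts = []                                # (ts, counter, count)

    def _count(self, name, ts):
        q = self.events[name]
        while q and q[0] <= ts - self.window:           # expire old events first
            q.popleft()
        q.append(ts)
        if len(q) == self.thresholds[name]:             # fires once per crossing
            self.alerts.append((ts, name, len(q)))

    def observe(self, ts, kind, **fields):
        if kind == "tcp_syn" and not fields["port_open"]:
            self._count("closed_port_hits", ts)          # probe of a closed TCP port
        elif kind == "mac_learn":
            prev = self.mac_port.get(fields["mac"])
            if prev is None:
                self._count("mac_learns", ts)            # new address in the table
            elif prev != fields["port"]:
                self._count("mac_moves", ts)             # address flapped to another port
            self.mac_port[fields["mac"]] = fields["port"]
        elif kind == "login" and not fields["ok"]:
            self._count("login_failures", ts)


def run_demo():
    """Feed a constructed event stream and return the alerts raised."""
    mon = InstrumentationMonitor(window=60)
    for i in range(25):                 # scan: 25 SYNs, only every 5th port is open
        mon.observe(i, "tcp_syn", src="10.0.0.7", dport=1000 + i, port_open=(i % 5 == 0))
    for i in range(13):                 # one MAC flapping between ports 3 and 4
        mon.observe(30 + i, "mac_learn", mac="00:11:22:33:44:55", port=3 if i % 2 == 0 else 4)
    for i in range(3):                  # three failed logins: below threshold, no alert
        mon.observe(50 + i, "login", user="admin", ok=False)
    return mon.alerts
```

Expiring old timestamps before appending the new one is what makes an alert fire exactly once per threshold crossing: the count can only equal the threshold at the moment it is reached, and a counter that drains and refills is reported again as a new crossing.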
DHCP Snooping
You can use DHCP snooping to help avoid the denial-of-service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by letting you distinguish between trusted ports (connected to a DHCP server or to another switch) and untrusted ports (connected to end users). DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded, and packets from untrusted sources are dropped. The conditions for dropping a packet are shown in Table 37.
Table 37 Condition for dropping a packet

Packet types                    Condition for dropping a packet
DHCPOFFER, DHCPACK, DHCPNACK    A packet from a DHCP server received on an untrusted port.
DHCPOFFER, DHCPACK, DHCPNACK    If the switch is configured with a list of authorized DHCP server addresses, a packet received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses.
N/A                             Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet.
N/A                             Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received on an untrusted port.
DHCPRELEASE, DHCPDECLINE        A broadcast packet whose MAC address is in the DHCP binding database, but the port recorded in the binding database is different from the port on which the packet is received.
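The five rows of Table 37, modelled as a packet filter. This is an added example and not the switch's code: it builds minimal BOOTP/DHCP payloads (constructed, not captured), parses the fields the rules depend on (the chaddr field, option 53 and option 82) and applies the rules to a frame's ingress port, source MAC, source IP and destination MAC. The Frame class, the binding table keyed by client MAC, and the verify_mac and drop_option82 switches that stand in for the "unless configured to not perform this check" rows are assumptions of the example. The message-type table uses the RFC 2131 name DHCPNAK for what the guide writes as DHCPNACK.

```python
"""DHCP snooping drop rules of Table 37 as a packet filter (added example, not
ProCurve code). The Frame class, the binding table keyed by client MAC and the
verify_mac / drop_option82 switches are assumptions made for the example."""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie after the BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
BROADCAST = b"\xff" * 6
# RFC 2131 names; the guide writes DHCPNAK as "DHCPNACK"
MSG_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Frame:
    """What the switch knows about an ingress frame (assumed representation)."""
    port: str
    src_mac: bytes
    src_ip: str
    dst_mac: bytes
    payload: bytes       # UDP payload: BOOTP header + options


def build_dhcp(msg_type: int, chaddr: bytes, option82: bool = False) -> bytes:
    """Build a minimal BOOTP/DHCP payload (constructed test input, not a capture)."""
    op = 2 if MSG_NAMES[msg_type] in SERVER_MSGS else 1      # BOOTREPLY vs BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82:   # relay agent info: sub-option 1 (circuit-id), 2 bytes
        options += bytes([OPT_RELAY_AGENT, 4, 1, 2, 0x10, 0x01])
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def parse_dhcp(payload: bytes):
    """Return (message type, chaddr, has_option82), or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    msg_type, has_option82 = None, False
    i = 240
    while i < len(payload):                  # TLV walk over the options field
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                            # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                            # truncated option value
        if tag == OPT_MSG_TYPE and length == 1:
            msg_type = MSG_NAMES.get(value[0], "UNKNOWN")
        elif tag == OPT_RELAY_AGENT:
            has_option82 = True
        i += 2 + length
    return msg_type, chaddr, has_option82


def snoop(frame: Frame, trusted_ports, authorized_servers=None, bindings=None,
          verify_mac=True, drop_option82=True):
    """Apply the Table 37 rules; return ("forward", None) or ("drop", reason)."""
    parsed = parse_dhcp(frame.payload)
    if parsed is None:
        return "forward", None               # not DHCP: snooping does not apply
    msg, chaddr, has_option82 = parsed
    if frame.port in trusted_ports:
        # Row 2: server replies on trusted ports must come from an authorized server
        if msg in SERVER_MSGS and authorized_servers is not None \
                and frame.src_ip not in authorized_servers:
            return "drop", f"server {frame.src_ip} not in authorized list"
        return "forward", None               # trusted ports are otherwise not inspected
    # Untrusted port from here on
    if msg in SERVER_MSGS:                   # Row 1: rogue server
        return "drop", f"{msg} received on untrusted port {frame.port}"
    if verify_mac and chaddr != frame.src_mac:              # Row 3
        return "drop", "chaddr does not match source MAC"
    if drop_option82 and has_option82:                      # Row 4
        return "drop", "option 82 on untrusted port"
    if msg in ("DHCPRELEASE", "DHCPDECLINE") and frame.dst_mac == BROADCAST and bindings:
        bound_port = bindings.get(chaddr)                   # Row 5
        if bound_port is not None and bound_port != frame.port:
            return "drop", f"{msg} from port {frame.port} but binding is on {bound_port}"
    return "forward", None
```

The rule order matters: a server reply on an untrusted port is rejected before the chaddr check, and the authorized-server list is only consulted on trusted ports, since on untrusted ports a server reply is dropped regardless of its source address. Rows 3 and 4 are the ones the guide says can be disabled, which is why they are behind switches.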