R0106-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

Ste

Command

Remarks

3. (Optional.) Manually save

DHCP snooping entries to the

file.

dhcp snooping binding database

update now

DHCP snooping entries are saved to

the database file each time this

command is executed.

4. (Optional.) Set the amount of

time to wait after a DHCP

snooping entry changes before

updating the database file.

dhcp snooping binding database

update interval seconds

The default setting is 300 seconds.

When a DHCP snooping entry is

learned or removed, the device does

not update the database file until

after the specified waiting period.

All changed entries during that

period will be updated.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain

identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts

the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The

DHCP server might also fail to work because of exhaustion of system resources. For information about the

fields of DHCP packet, see "DHCP message format."

otec

t against starvation attacks in the following ways:

• To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender

MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using

the mac-address max-mac-count command. For more information about the command, see Layer

2—LAN Switching Command Reference.

• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender

MAC address, perform this task to enable MAC address check for DHCP snooping. This function

compares the chaddr field of a received DHCP request with the source MAC address field in the

frame header. If they are the same, the request is considered valid and forwarded to the DHCP

server. If not, the request is discarded.

To enable MAC address check:

Step Command Remarks

1. Enter system view.

system-view N/A

2. Enter interface view.

interface interface-type interface-number N/A

3. Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address

check is disabled.

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and

DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST

messages from attacking the DHCP server.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no

longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the

IP addresses.