Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker continuously sends forged DHCP requests, each carrying a different MAC address in the chaddr field, to a DHCP server. This exhausts the IP address pool of the DHCP server so that legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also stop working because its system resources are exhausted. The following methods are available to relieve or prevent such attacks.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before forwarding them, so on any relay agent farther from the clients the check would see the previous relay agent's MAC address rather than the client's.
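The following Python model is an added example, not vendor code and not described on this page. It assumes that the relay agent compares the chaddr field of each DHCP request with the source MAC address of the Ethernet frame, discards the request on a mismatch, records a MAC address check entry for each accepted chaddr, and removes the entry when the aging time expires. The traffic, the clock, and all MAC addresses are constructed for the demonstration.

```python
import time

# Added example (not vendor code): a simplified model of DHCP relay MAC address
# check. Assumptions not stated on the page: the relay compares the DHCP chaddr
# field with the Ethernet source MAC of the frame and discards a request on
# mismatch; a check entry is kept per accepted chaddr and removed when the aging
# time expires.

DEFAULT_AGING_TIME = 30  # seconds; the default given in the configuration steps


class FakeClock:
    """Constructed clock so the aging behaviour can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class MacCheckRelay:
    def __init__(self, aging_time=DEFAULT_AGING_TIME, clock=None):
        self.aging_time = aging_time
        self._clock = clock if clock is not None else time.monotonic
        self.entries = {}      # chaddr -> time at which the check entry ages out
        self.forwarded = 0
        self.discarded = 0

    def age_out(self):
        """Drop check entries whose aging time has expired; return how many were dropped."""
        now = self._clock()
        expired = [mac for mac, expiry in self.entries.items() if expiry <= now]
        for mac in expired:
            del self.entries[mac]
        return len(expired)

    def receive(self, frame_src_mac, chaddr):
        """Return True if the DHCP request is forwarded, False if it is discarded."""
        self.age_out()
        if frame_src_mac.lower() != chaddr.lower():
            # Forged request: the client hardware address does not belong to the sender.
            self.discarded += 1
            return False
        self.entries[chaddr.lower()] = self._clock() + self.aging_time
        self.forwarded += 1
        return True


def run_demo():
    """Constructed traffic: one legitimate client, then 100 requests with forged chaddr values."""
    clock = FakeClock()
    relay = MacCheckRelay(clock=clock)
    legit = "00:11:22:33:44:55"              # constructed legitimate client
    relay.receive(legit, legit)
    spoofer_src = "de:ad:be:ef:00:01"        # constructed; one sender, many chaddr values
    for i in range(100):
        relay.receive(spoofer_src, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    entries_before_aging = len(relay.entries)
    clock.advance(DEFAULT_AGING_TIME)
    relay.age_out()
    entries_after_aging = len(relay.entries)
    return relay.forwarded, relay.discarded, entries_before_aging, entries_after_aging


if __name__ == "__main__":
    print(run_demo())  # (1, 100, 1, 0)
```

The demo shows the defensive effect the page describes: the one request whose chaddr matches its sender is forwarded and leaves a check entry, the forged requests are discarded before they reach the server, and the entry disappears once the aging time has elapsed.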

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:

To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Set the aging time for MAC address check entries.
    Command: dhcp relay check mac-address aging-time time
    Remarks: The default aging time is 30 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.

Step 3. Enter the interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 4. Enable MAC address check.
    Command: dhcp relay check mac-address
    Remarks: By default, MAC address check is disabled.
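The steps above worked through as one CLI session, as an added example that is not part of the original page. The device name Relay, the interface GigabitEthernet 1/0/1 (the interface facing the DHCP clients) and the aging time of 60 seconds are assumed values chosen for the illustration; only the command keywords come from the steps above.

```text
<Relay> system-view
[Relay] dhcp relay check mac-address aging-time 60
[Relay] interface gigabitethernet 1/0/1
[Relay-GigabitEthernet1/0/1] dhcp relay check mac-address
[Relay-GigabitEthernet1/0/1] quit
[Relay] quit
<Relay>
```

The aging-time command is accepted in system view before the check is enabled, but it has no effect until dhcp relay check mac-address is configured on the client-facing interface; until then the device uses the 30-second default. Apply the interface-level command only on the relay agent directly connected to the clients.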