Enabling DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.
To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:
Limit the number of ARP entries that a Layer 3 interface can learn.
Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.
To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.
Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.
A MAC address check entry has an aging time. When the aging time expires, both of the following occur:
The entry ages out.
The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.
Procedure
Enter system view.
system-view
Set the aging time for MAC address check entries.
dhcp relay check mac-address aging-time time
The default aging time is 30 seconds.
This command takes effect only after you execute the dhcp relay check mac-address command.
Enter the interface view.
interface interface-type interface-number
Enable MAC address check.
dhcp relay check mac-address
By default, MAC address check is disabled.