Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of DHCP packet, see "DHCP message format."
You can prevent DHCP starvation attacks in the following ways:
If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more information about the command, see Layer 2—LAN Switching Command Reference.
If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This feature compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.
To enable MAC address check:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable MAC address check. | dhcp snooping check mac-address | By default, MAC address check is disabled. |