Enabling DHCP-REQUEST attack protection
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
If a matching entry is found for a message, this feature compares the entry with the message information.
If they are consistent, the message is considered as valid and forwarded to the DHCP server.
If they are different, the message is considered as a forged message and is discarded.
If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
To enable DHCP-REQUEST check:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable DHCP-REQUEST check. | dhcp snooping check request-message | By default, DHCP-REQUEST check is disabled. |