Configuring DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests, each carrying a different MAC address in the chaddr field, to a DHCP server. This exhausts the IP address pool of the DHCP server, so that legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also stop working because its system resources are exhausted. For information about the fields in DHCP messages, see "DHCP message format."
The following methods are available to relieve or prevent such attacks.
To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, perform the following configuration on the interface:
Execute the mac-address max-mac-count command to set the MAC learning limit. For more information about this command, see Layer 2—LAN Switching Command Reference.
Disable unknown frame forwarding when the MAC learning limit is reached.
To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP server. The DHCP server compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP server verifies this request as legal and processes it. If they are not the same, the server discards the DHCP request.
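The two mechanisms above can be illustrated with a small simulation. The following Python is an added example written for this page; it is not the switch's or the DHCP server's own implementation. It builds a minimal Ethernet/IPv4/UDP/DHCP frame from constructed sample values, applies the documented MAC address check (the chaddr field must equal the source MAC in the frame header, otherwise the request is discarded), and models a per-interface MAC learning limit that stops admitting new source MACs once the configured count is reached. The frame builder, the field offsets and the limiter class are assumptions made for the demonstration.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = b"\x08\x00"
IP_PROTO_UDP = 17
DHCP_SERVER_PORT = 67
# DHCP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr = 28 bytes
DHCP_CHADDR_OFFSET = 28
DHCP_CHADDR_LEN = 16      # chaddr is a 16-byte field; only hlen bytes are significant


def build_dhcp_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal DHCP DISCOVER frame (sample data, not a real capture).
    src_mac goes into the Ethernet header, chaddr into the DHCP chaddr field."""
    dhcp = struct.pack("!BBBB", 1, 1, 6, 0)                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    dhcp += struct.pack("!IHH", 0x3903F326, 0, 0x8000)      # xid, secs, flags (broadcast bit set)
    dhcp += b"\x00" * 16                                    # ciaddr, yiaddr, siaddr, giaddr all zero
    dhcp += chaddr.ljust(DHCP_CHADDR_LEN, b"\x00")          # client hardware address, zero padded
    dhcp += b"\x00" * (64 + 128)                            # sname + file, unused
    dhcp += b"\x63\x82\x53\x63"                             # magic cookie
    dhcp += b"\x35\x01\x01\xff"                             # option 53 = DHCPDISCOVER, then end option
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0, b"\x00" * 4, b"\xff" * 4) + udp  # 0.0.0.0 -> 255.255.255.255
    return b"\xff" * 6 + src_mac + ETHERTYPE_IPV4 + ip


def dhcp_request_mac_check(frame: bytes):
    """Apply the documented MAC address check to one frame.
    Returns (accepted, reason); a request is accepted only when the DHCP chaddr
    field equals the source MAC address of the Ethernet frame header."""
    if len(frame) < ETH_HDR_LEN + 20 + 8 + DHCP_CHADDR_OFFSET + DHCP_CHADDR_LEN:
        return False, "truncated"
    src_mac = frame[6:12]
    if frame[12:14] != ETHERTYPE_IPV4:
        return False, "not IPv4"
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes (options allowed)
    if ip[9] != IP_PROTO_UDP:
        return False, "not UDP"
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return False, "not addressed to the DHCP server port"
    dhcp = udp[8:]
    if len(dhcp) < DHCP_CHADDR_OFFSET + DHCP_CHADDR_LEN:
        return False, "DHCP header truncated"
    op, htype, hlen = dhcp[0], dhcp[1], dhcp[2]
    if op != 1 or htype != 1 or hlen != 6:
        return False, "not an Ethernet BOOTREQUEST"
    chaddr = dhcp[DHCP_CHADDR_OFFSET:DHCP_CHADDR_OFFSET + hlen]
    if chaddr != src_mac:
        return False, "chaddr does not match source MAC, request discarded"
    return True, "chaddr matches source MAC, request processed"


class MacLearningLimit:
    """Model of a per-interface MAC learning limit (assumed semantics for this example):
    once max_mac_count source MACs have been learned, frames from any further,
    unlearned source MAC are dropped because unknown frame forwarding is disabled."""

    def __init__(self, max_mac_count: int):
        self.max_mac_count = max_mac_count
        self.learned = set()

    def admit(self, src_mac: bytes) -> bool:
        if src_mac in self.learned:
            return True
        if len(self.learned) >= self.max_mac_count:
            return False                            # limit reached: unknown source, drop
        self.learned.add(src_mac)
        return True


def simulate(max_mac_count: int = 3, distinct_sources: int = 10):
    """Run both protections over constructed traffic and report the outcome:
    (frames admitted by the MAC limit, legit request accepted, spoofed request accepted)."""
    port = MacLearningLimit(max_mac_count)
    admitted = sum(port.admit(bytes([0x02, 0, 0, 0, 0, i])) for i in range(distinct_sources))
    real_mac = bytes.fromhex("0200000000aa")
    legit = build_dhcp_discover(real_mac, real_mac)                         # chaddr == source MAC
    spoofed = build_dhcp_discover(real_mac, bytes.fromhex("0200000000bb"))  # same source MAC, forged chaddr
    return admitted, dhcp_request_mac_check(legit)[0], dhcp_request_mac_check(spoofed)[0]


if __name__ == "__main__":
    print(simulate())   # with the defaults: (3, True, False)
```

With the defaults, ten requests from ten different source MACs are reduced to three by the learning limit, and of two requests sent from the same source MAC only the one whose chaddr matches the frame header is processed. Note that the MAC address check alone does nothing against the first pattern, where each forged request changes both the source MAC and chaddr consistently, which is why the page pairs it with the learning limit.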
Procedure
Enter system view.
system-view
Enter interface view.
interface interface-type interface-number
Enable MAC address check.
dhcp server check mac-address
By default, MAC address check is disabled.