89
Enabling DHCP-REQUEST attack protection
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and
DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the
DHCP-REQUEST messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that
no longer need the IP addresses. These forged messages disable the victim DHCP server from
releasing the IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for
legitimate DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP
snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, this feature compares the entry with the message
information.
{ If they are consistent, the message is considered as valid and forwarded to the DHCP
server.
{ If they are different, the message is considered as a forged message and is discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP
server.
To enable DHCP-REQUEST check:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Enable DHCP-REQUEST
check.
dhcp snooping check
request-message
By default, DHCP-REQUEST
check is disabled.
You can enable
DHCP-REQUEST check only on
Layer 2 Ethernet interfaces and
Layer 2 aggregate interfaces.
Setting the maximum number of DHCP snooping
entries
Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCP snooping entries:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Set the maximum number of
DHCP snooping entries for
the interface to learn.
dhcp snooping
max-learning-num
number
By default, the number of DHCP
snooping entries for an interface
to learn is unlimited.
To Next Page
Loading...
Need help?
General
