Configuring attack defense to resolve a DHCP attack

Publication Date: 2014-03-29
Issue Description
The topology is shown below. The DHCP client cannot obtain an IP address.


Alarm Information
None
Handling Process
1. Configure attack source tracing to identify the attack source.
<S9300>system-view
[S9300] cpu-defend policy test
[S9300-cpu-defend-policy-test] auto-defend enable
[S9300-cpu-defend-policy-test] auto-defend threshold 128
[S9300-cpu-defend-policy-test] auto-defend attack-packet sample 16
[S9300-cpu-defend-policy-test] auto-defend trace-type source-ip
[S9300-cpu-defend-policy-test] auto-defend protocol dhcp
[S9300-cpu-defend-policy-test] auto-defend alarm enable
[S9300-cpu-defend-policy-test] auto-defend alarm threshold 128
[S9300-cpu-defend-policy-test] quit
[S9300] cpu-defend-policy test global
2. The client xxxx-xxxx-xxxx sent a large number of DHCP packets, so it should be the attack source.
<S9300>display auto-defend attack-source slot 1 
  Attack Source User Table (LPU1):                                             
  -------------------------------------------------------------------------    
      MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL          
  -------------------------------------------------------------------------    
  xxxx-xxxx-xxxx   GigabitEthernet1/0/10        31              574496        
3. Configure attack defense as follows:
#
cpu-defend policy dhcp
 auto-defend enable
 auto-defend attack-packet sample 5
 auto-defend threshold 30
 auto-defend alarm enable
 auto-defend trace-type source-mac source-ip source-portvlan
 auto-defend protocol arp dhcp
 auto-defend action deny
#
4. Check the cpu-defend statistics again. No DHCP packets are dropped.
<S9300>display cpu-defend statistics packet-type dhcp-server slot 1
                                                                               
Statistics on slot 1:                                                         
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)   
-------------------------------------------------------------------------------
dhcp-server             1057668      0            2987           0
-------------------------------------------------------------------------------
<S9300>
5. After attack defense is configured, the client can obtain an IP address through DHCP normally.
Root Cause
The cpu-defend statistics on the S9300 show that DHCP packets were being dropped.
[S9300]dis cpu-defend statistics slot 1
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
arp-miss             2499218447     23547672        29272831           35952
arp-reply             198284052            0         2931861               0
arp-request          6486532327      8194666        95362674          107584
bgp                   199408567        12512         2031361              22
bgp4plus                      0            0               0               0
dhcp-client             1255439            0            3091               0
dhcp-server         1153087750k 15106170826k      3030762475     39730211828
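
The drop check used in this root-cause analysis can be scripted. The Python below is an added example, not part of the original case or of any Huawei tool: it parses `display cpu-defend statistics` output in the layout shown above and lists packet types whose dropped share of packets is high. The function names, the 1% threshold and reading a trailing `k` as thousands are assumptions.

```python
import re

# Sample rows copied from the statistics output shown in this case.
SAMPLE = """\
Statistics on slot 1:
-------------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
-------------------------------------------------------------------------------
arp-miss             2499218447     23547672        29272831           35952
arp-reply             198284052            0         2931861               0
arp-request          6486532327      8194666        95362674          107584
bgp                   199408567        12512         2031361              22
bgp4plus                      0            0               0               0
dhcp-client             1255439            0            3091               0
dhcp-server         1153087750k 15106170826k      3030762475     39730211828
"""

# One data row: packet type followed by four counters, each optionally "k"-suffixed.
ROW = re.compile(r"^(\S+)\s+(\d+k?)\s+(\d+k?)\s+(\d+k?)\s+(\d+k?)$")
KEYS = ("pass_bytes", "drop_bytes", "pass_pkts", "drop_pkts")

def to_int(field):
    # Assumption: a trailing "k" means the counter is displayed in thousands.
    return int(field[:-1]) * 1000 if field.endswith("k") else int(field)

def parse_stats(text):
    """Return {packet_type: {counter: value}} for every data row."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headers, separators and prompts do not match
            stats[m.group(1)] = dict(zip(KEYS, map(to_int, m.groups()[1:])))
    return stats

def drop_share(row):
    """Fraction of packets of this type that CPU defense dropped."""
    total = row["pass_pkts"] + row["drop_pkts"]
    return row["drop_pkts"] / total if total else 0.0

def suspicious(stats, min_share=0.01):
    """Packet types with drop share >= min_share, worst first."""
    hits = [(n, drop_share(r)) for n, r in stats.items() if drop_share(r) >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for name, share in suspicious(parse_stats(SAMPLE)):
        print(f"{name}: {share:.1%} of packets dropped")
```

The counters are cumulative, so comparing two readings taken some time apart shows whether drops are still occurring.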
Suggestions
Attack defense is an effective way to handle attack incidents.
