S Series Switches Security Hardening Guide(V200)

DHCP Security

Defense Against Bogus DHCP Server Attacks

Attack Behavior

No authentication mechanism is available between DHCP servers and clients. Therefore, any DHCP server newly deployed on a network can allocate IP addresses and other network parameters to DHCP clients. A bogus DHCP server connects to an aggregation switch through a Layer 2 network. When clients connected to the switches apply for IP addresses through DHCP, the bogus DHCP server responds before other servers and assigns IP addresses to the clients, leading to IP address conflict and affecting network services.

Security Policy

To defend against the preceding attack, configure the following security policies on a switch:

  • DHCP server validity check

    Configure traffic policies to enable the switch to forward reply packets from only valid DHCP servers.

  • DHCP Snooping

    Configure DHCP snooping and configure valid DHCP server interfaces as trusted interfaces to filter out invalid DHCP servers.

Configuration Method

  • Configure DHCP server filtering.

    Valid DHCP servers have known IP addresses and are reached through known interfaces. DHCP server replies are UDP packets with source port 67 (bootps), so traffic policies can match them and discard replies that arrive from anywhere other than a valid server.

    Based on the interfaces connected to valid DHCP servers, configure the following policies:

    1. Configure rules that match DHCP server replies (UDP source port bootps, 67): a permit rule for the valid server interface and a deny rule for all other interfaces.

      <HUAWEI> system-view
      [HUAWEI] acl name dhcp-valid
      [HUAWEI-acl-adv-dhcp-valid] rule permit udp source-port eq bootps
      [HUAWEI-acl-adv-dhcp-valid] quit
      [HUAWEI] acl name dhcp-invalid
      [HUAWEI-acl-adv-dhcp-invalid] rule deny udp source-port eq bootps
      [HUAWEI-acl-adv-dhcp-invalid] quit

    2. Apply the permit rule to the interface connected to the valid DHCP server.

      [HUAWEI] interface gigabitethernet 1/0/1
      [HUAWEI-GigabitEthernet1/0/1] traffic-filter inbound acl name dhcp-valid
      [HUAWEI-GigabitEthernet1/0/1] quit

    3. Apply the deny rule globally in the system view, so that DHCP server replies arriving on any other interface are discarded. The interface-based policy from step 2 takes precedence over the global one, so replies received on the valid server interface are still permitted.

      [HUAWEI] traffic-filter inbound acl name dhcp-invalid

  • Configure DHCP snooping.

    Configure the interface connected to the valid DHCP server as a trusted interface.

    <HUAWEI> system-view
    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
    [HUAWEI-GigabitEthernet1/0/1] quit

    Enable DHCP snooping on the other user-side interfaces or VLANs. These interfaces remain untrusted, so DHCP server replies received on them are discarded.

    [HUAWEI] interface gigabitethernet 2/0/0
    [HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable
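
The trust check that DHCP snooping performs, shown as an added Python model (not code from this guide or from Huawei): it parses the BOOTP header and DHCP message type, then forwards server replies (BOOTREPLY, UDP source port 67) only when they arrive on the trusted interface. The trusted-port set and interface names are assumptions taken from the example above; the sample DHCPOFFER is constructed inside the block.

```python
import struct

# Trusted-port set and interface names are assumptions for this example.
TRUSTED_PORTS = {"GigabitEthernet1/0/1"}   # port facing the valid DHCP server
BOOTPS = 67                                 # UDP source port of DHCP server replies
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and option 53 (DHCP message type)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])   # address offered to the client
    chaddr = payload[28:28 + hlen].hex(":")             # client hardware address
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        if payload[i] == 53:
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "type": msg_type}

def snooping_verdict(ingress: str, udp_sport: int, payload: bytes) -> str:
    """Decide, like a snooping-enabled switch, whether to forward a DHCP packet."""
    msg = parse_dhcp(payload)
    # Server replies (op=2 BOOTREPLY, source port 67) are accepted only on trusted
    # ports; client requests (op=1) are forwarded from any port.
    if msg["op"] == 2 or udp_sport == BOOTPS:
        if ingress in TRUSTED_PORTS:
            return "forward"
        return "drop: bogus DHCP server reply on untrusted port " + ingress
    return "forward"

def build_dhcp(op: int, msg_type: int, xid: int, yiaddr: bytes, chaddr: bytes) -> bytes:
    """Build a minimal DHCP message (constructed sample input for the demo)."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)        # op .. flags
    pkt += b"\x00" * 4 + yiaddr + b"\x00" * 8                    # ciaddr, yiaddr, siaddr, giaddr
    pkt += chaddr + b"\x00" * 10 + b"\x00" * 192 + MAGIC_COOKIE  # chaddr, sname, file
    return pkt + bytes([53, 1, msg_type, 255])                   # option 53, end option

if __name__ == "__main__":
    offer = build_dhcp(2, 2, 0x1234, bytes([192, 168, 1, 50]), bytes.fromhex("001122334455"))
    print(snooping_verdict("GigabitEthernet2/0/0", 67, offer))   # dropped: untrusted access port
    print(snooping_verdict("GigabitEthernet1/0/1", 67, offer))   # forwarded: trusted server port
```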

Verifying the Security Hardening Result

  • Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ]] { inbound | outbound } [ verbose ] command to check the configuration of an ACL-based simplified traffic policy applied to the system, a VLAN, or an interface.
  • Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number | bridge-domain bd-id ] command to check the DHCP snooping configuration.

Defense Against DHCP Flooding Attacks

Attack Behavior

When a switch functioning as a DHCP server or relay agent receives a large number of DHCP packets sent by a malicious user, the switch cannot process valid DHCP packets. As a result, clients cannot obtain or renew IP addresses.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • DHCP port-level protection

    The switch monitors the DHCP packet rate on each port. When the rate of DHCP packets sent to the control plane from a port exceeds the specified threshold, the switch sends the DHCP packets from that port to the control plane through an independent channel, so that they do not affect valid DHCP packets from other ports.

  • DHCP user-level protection

    The switch monitors the rate of DHCP packets sent to the control plane based on users (MAC or IP addresses). When the rate of DHCP packets from a user exceeds the specified threshold, the switch discards this user's DHCP packets for a certain period of time.

Some low-end fixed switches do not support DHCP port-level or user-level protection. On switches that support the two functions, DHCP port-level protection is enabled by default, and DHCP user-level protection needs to be enabled manually.

Configuration Method

Configure DHCP user-level protection (attack source tracing) based on users' MAC or IP addresses. To prevent packets from valid DHCP servers from being traced and discarded, add the valid DHCP servers (in the example below, the interfaces facing them) to the attack source tracing whitelist.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy antiatk
[HUAWEI-cpu-defend-policy-antiatk] auto-defend enable  //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend threshold 30  //Treat a source as an attacker when its packet rate exceeds 30 pps.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend attack-packet sample 5  //Sample one of every five packets for tracing.
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend trace-type source-portvlan  //Trace by source MAC or IP address only, not by port and VLAN.
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend protocol tcp telnet ttl-expired igmp icmp dhcpv6 mld nd  //Stop tracing the listed protocols; DHCP remains traced.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend action deny timer 300  //Discard packets from a traced source for 300 seconds.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 1 interface gigabitethernet 1/0/1  //Add the uplink interface or network-side interface to the whitelist.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 2 interface gigabitethernet 2/0/0  //Add the uplink interface or network-side interface to the whitelist.
[HUAWEI-cpu-defend-policy-antiatk] quit
[HUAWEI] cpu-defend-policy antiatk  //Apply the attack defense policy to the MPU.
[HUAWEI] cpu-defend-policy antiatk global  //Apply the attack defense policy to all LPUs or the device.
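
The user-level protection configured above, modelled as an added Python simulation (not the switch's implementation and not code from this guide): each non-whitelisted source MAC is rate-checked against the 30 pps threshold and denied for the 300 s timer once it exceeds it. The threshold, timer and whitelist interfaces are taken from the configuration above; the access-port names and the traffic sample are constructed.

```python
from collections import defaultdict, deque

# Parameters mirror the configuration above; access-port names below are constructed.
THRESHOLD = 30       # auto-defend threshold 30: packets per second per traced source
DENY_TIMER = 300     # auto-defend action deny timer 300: seconds a source stays denied
WHITELIST = {"GigabitEthernet1/0/1", "GigabitEthernet2/0/0"}   # auto-defend whitelist 1/2

class AutoDefend:
    """Per-source-MAC rate check with a deny timer, modelling user-level protection."""
    def __init__(self):
        self.window = defaultdict(deque)   # mac -> arrival times within the last second
        self.denied_until = {}             # mac -> time at which its deny timer expires

    def handle(self, ts: float, ingress: str, src_mac: str) -> str:
        """Return 'forward' or 'deny' for one DHCP packet arriving at time ts (seconds)."""
        if ingress in WHITELIST:           # server-facing ports are never traced
            return "forward"
        expiry = self.denied_until.get(src_mac)
        if expiry is not None:
            if ts < expiry:
                return "deny"              # still inside the deny timer
            del self.denied_until[src_mac]  # timer expired: the source is allowed again
        q = self.window[src_mac]
        q.append(ts)
        while q[0] <= ts - 1.0:            # slide the one-second window
            q.popleft()
        if len(q) > THRESHOLD:             # rate exceeded: trace and deny the source
            self.denied_until[src_mac] = ts + DENY_TIMER
            q.clear()
            return "deny"
        return "forward"

def replay(events):
    """Feed chronologically ordered (ts, ingress, mac) tuples; return verdict counts."""
    ad, counts = AutoDefend(), defaultdict(int)
    for ts, ingress, mac in events:
        counts[ad.handle(ts, ingress, mac)] += 1
    return dict(counts)

# Constructed sample traffic: one host floods 60 DHCP packets within 0.6 s from an
# access port, a second host sends two normal requests, the server answers on the uplink.
FLOOD = [(i * 0.01, "GigabitEthernet3/0/1", "aa:bb:cc:00:00:01") for i in range(60)]
NORMAL = [(0.5, "GigabitEthernet3/0/2", "aa:bb:cc:00:00:02"),
          (400.0, "GigabitEthernet3/0/2", "aa:bb:cc:00:00:02")]
UPLINK = [(0.6, "GigabitEthernet1/0/1", "00:00:5e:00:53:01")]

if __name__ == "__main__":
    print(replay(sorted(FLOOD + NORMAL + UPLINK)))   # {'forward': 33, 'deny': 30}
```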

Verifying the Security Hardening Result

Run the display auto-defend configuration command to check the configuration of attack source tracing.

Update Date:2025-04-18
Document ID:EDOC1100038362