NE40E V800R010C10SPC500 Feature Description - Security 01

Bogus DHCP Server Attack

Mechanism

Dynamic Host Configuration Protocol (DHCP) clients broadcast DHCP discover packets. Therefore, bogus DHCP servers can also receive these packets. As shown in Figure 5-7, the bogus DHCP server intercepts the DHCP discover packet sent from the DHCP client and sends the DHCP client a DHCP packet that carries incorrect information, such as an incorrect IP address or incorrect DNS server information. As a result, the client cannot go online.

Figure 5-7 DHCP client sending DHCP discover packets
Figure 5-8 Bogus DHCP server attack

Solution

To protect against attacks from a bogus DHCP server, configure the trusted and untrusted interfaces.

As shown in Figure 5-9, configure an interface as trusted or untrusted. DHCP Reply (Offer, ACK, and NAK) packets received from untrusted interfaces are dropped. Only DHCP request and response packets on the trusted interface are sent to the CPU. This function protects against bogus DHCP server attacks and enables DHCP clients to obtain IP addresses from a legitimate DHCP server.

Figure 5-9 Trusted and untrusted mode
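
The trusted/untrusted rule described above, modeled as an added example (not Huawei's implementation and not code from this document): it reads option 53 from a DHCP payload and drops Offer, ACK, and NAK messages that arrive on an untrusted interface. The function names and sample packets are constructed for illustration, and accepting client messages and non-DHCP payloads on untrusted interfaces is an assumption of this model.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # RFC 2131 marker preceding the options
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def dhcp_message_type(payload: bytes):
    """Return the option 53 value from a BOOTP/DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None                                # truncated, or BOOTP without DHCP options
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                              # pad option: one byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end option, or header cut short
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                    # option claims more bytes than remain
            break
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop_verdict(payload: bytes, ingress_trusted: bool) -> str:
    """Server replies are honoured only when they arrive on a trusted interface."""
    msg_type = dhcp_message_type(payload)
    if msg_type in SERVER_REPLIES and not ingress_trusted:
        return "drop"
    # Assumption of this model: everything else is outside the reply rule.
    return "accept"

def build_dhcp(op: int, msg_type: int, yiaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal DHCP payload (constructed sample, not captured traffic)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)  # op..flags, 12 bytes
    addrs = b"\x00" * 4 + bytes(int(x) for x in yiaddr.split(".")) + b"\x00" * 8
    chaddr = bytes.fromhex("020000000001") + b"\x00" * 10          # 16-byte hardware address
    header = fixed + addrs + chaddr + b"\x00" * 192                # sname (64) + file (128)
    return header + MAGIC_COOKIE + bytes([0, 53, 1, msg_type, 255])

if __name__ == "__main__":
    offer = build_dhcp(op=2, msg_type=2, yiaddr="192.168.1.50")
    for trusted in (True, False):
        print("OFFER on", "trusted" if trusted else "untrusted", "->",
              snoop_verdict(offer, trusted))
```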

To prevent bogus DHCP server attacks, you can also configure whitelist rules for DHCP snooping.

As shown in Figure 5-10, after a whitelist is configured for DHCP snooping, only DHCP packets listed in the whitelist are sent to the CPU, and the DHCP packets not listed in the whitelist are simply forwarded, without being sent to the CPU. This protects the device against attacks.

Figure 5-10 Whitelist for DHCP snooping
Updated: 2019-01-03

Document ID: EDOC1100055047
