NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Preventing DoS Attacks by Changing the CHADDR Field

This section describes how to prevent attackers from attacking the Dynamic Host Configuration Protocol (DHCP) server by modifying the client hardware address (CHADDR) field.

Applicable Environment

Attackers may change the CHADDR field carried in DHCP request packets to apply for IP addresses continuously, because the DHCP server allocates an address for each distinct CHADDR it sees. The device, however, only checks the validity of packets based on the source media access control (MAC) address in the frame header. An attacker can therefore keep a single, unchanged source MAC address and vary only the CHADDR: the attack packets are still forwarded and the MAC address limit cannot take effect.

To prevent this, configure DHCP snooping to check the CHADDR field carried in DHCP request packets against the source MAC address in the frame header. If the two match, the packet is forwarded; otherwise, the packet is discarded.

Pre-configuration Tasks

Before you configure defense against DoS attacks by changing the CHADDR field, configure DHCP Snooping.

Configuration Process

Figure 4-3 Flowchart of configuring defense against DHCP DoS attack

Enabling DHCP Snooping

To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Context

Enable DHCP snooping in the following sequence:
  1. Enable DHCP globally.
  2. Enable DHCP snooping globally.
  3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP snooping for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run vlan vlan-id

      The VLAN view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the VLAN.

    6. Run quit

      The system view is displayed.

    7. Run commit

      The configuration is committed.

  • Enable DHCP snooping in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run bridge-domain bd-id

      The BD view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled in a BD.

    6. Run commit

      The configuration is committed.

  • Enable DHCP snooping for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the interface.

    6. Run commit

      The configuration is committed.

Configuring CHADDR Field Check

If you want your device to check the client hardware address (CHADDR) field validity, configure CHADDR field check.

Context

The CHADDR field check function allows the device to check whether the media access control (MAC) address in the CHADDR field of a received Dynamic Host Configuration Protocol (DHCP) request packet matches the source MAC address in the frame header of the packet. If they match, the device considers the packet valid and forwards it. If they do not match, the device considers the packet an attack packet and discards it.

Configure CHADDR field check in a VLAN, BD, or interface view.

Procedure

  • Configure CHADDR field check for a virtual local area network (VLAN).
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp check chaddr enable [ interface interface-type interface-number ]

      CHADDR field check is enabled for the VLAN.

    4. Run commit

      The configuration is committed.

  • Enable CHADDR field check in a BD.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp check chaddr enable

      CHADDR field check is enabled.

    4. Run commit

      The configuration is committed.

  • Configure CHADDR field check for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp check chaddr enable

      CHADDR field check is enabled for the interface.

    4. Run commit

      The configuration is committed.

(Optional) Configuring the Alarm Function for Discarded DHCP Packets with Incorrect CHADDR Fields

By configuring the function described in this section, you can have an alarm generated when a specified number of Dynamic Host Configuration Protocol (DHCP) packets with incorrect client hardware address (CHADDR) fields have been discarded.

Context

After CHADDR field check is enabled, the device checks whether the media access control (MAC) address in the CHADDR field of a received DHCP packet matches that in the frame header of the packet. If they match, the device considers the packet valid and forwards it. If they do not match, the device considers the packet an attack packet and discards it. The device generates an alarm when the number of discarded DHCP packets with incorrect CHADDR fields reaches the predetermined threshold.
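The check described in this section and in "Configuring CHADDR Field Check", as an added Python example that is not Huawei code and does not run on the device: it builds constructed DHCPDISCOVER frames, applies the same comparison (CHADDR against the frame-header source MAC), records one lease per distinct CHADDR when the check is off to show why a per-MAC limit does not stop the attack, and raises an alarm when the discard count reaches the threshold. The MAC addresses, the class and function names (SnoopingPort, simulate) and the one-shot alarm behaviour are assumptions made for illustration.

```python
"""Added example (not Huawei code, does not run on the device): simulates the
DHCP snooping CHADDR check and the discard-count alarm on constructed frames.
All MAC addresses, names and the one-shot alarm behaviour are assumptions."""
import struct
from dataclasses import dataclass, field

ETH_P_IP = 0x0800
BOOTP_REQUEST = 1          # BOOTP op value for client -> server messages
BROADCAST = b"\xff" * 6


def build_dhcp_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame (constructed
    sample). IP/UDP checksums are left at 0: snooping does not validate them."""
    bootp = struct.pack("!BBBBIHH", BOOTP_REQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000)
    bootp += b"\x00" * 16                 # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")    # chaddr is a 16-byte field, hlen=6 used
    bootp += b"\x00" * 192                # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63"          # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"          # option 53 = DHCPDISCOVER, then End
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    return BROADCAST + src_mac + struct.pack("!H", ETH_P_IP) + ip


def parse_dhcp(frame: bytes):
    """Return (frame source MAC, CHADDR, BOOTP op), or None if not DHCP over UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    src_mac, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                       # not UDP
        return None
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    _, dport = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    if dport not in (67, 68) or len(bootp) < 240:
        return None
    op, hlen = bootp[0], bootp[2]
    return src_mac, bootp[28:28 + hlen], op


@dataclass
class SnoopingPort:
    """Per-VLAN/interface snooping state; mirrors the knobs on the page."""
    check_chaddr: bool = True
    alarm_threshold: int = 200
    discarded: int = 0                                  # packets dropped by the check
    alarms: list = field(default_factory=list)
    leases: dict = field(default_factory=dict)          # frame src MAC -> set(CHADDR seen)

    def inspect(self, frame: bytes) -> str:
        parsed = parse_dhcp(frame)
        if parsed is None:
            return "forward"                            # not DHCP: outside snooping scope
        src_mac, chaddr, op = parsed
        if op != BOOTP_REQUEST:
            return "forward"                            # only request packets are checked
        if self.check_chaddr and chaddr != src_mac:
            self.discarded += 1
            if self.discarded == self.alarm_threshold:  # assumption: alarm once on reaching it
                self.alarms.append(("dhcp-chaddr", self.discarded))
            return "drop"
        # Forwarded: the server would allocate one lease per distinct CHADDR,
        # while any per-MAC limit only ever sees the single frame-header MAC.
        self.leases.setdefault(src_mac, set()).add(chaddr)
        return "forward"


def simulate(check_chaddr: bool, n_attack: int = 300) -> SnoopingPort:
    """One legitimate client plus an attacker that keeps its source MAC fixed
    and rewrites CHADDR on every request (constructed addresses)."""
    port = SnoopingPort(check_chaddr=check_chaddr, alarm_threshold=200)
    legit = bytes.fromhex("0011223344aa")
    port.inspect(build_dhcp_request(legit, legit))      # CHADDR == source MAC
    attacker = bytes.fromhex("0a1b2c3d4e5f")
    for i in range(n_attack):
        forged = b"\x02" + i.to_bytes(5, "big")         # fresh CHADDR each time
        port.inspect(build_dhcp_request(attacker, forged))
    return port


if __name__ == "__main__":
    for enabled in (False, True):
        p = simulate(enabled)
        per_mac = {mac.hex(): len(chaddrs) for mac, chaddrs in p.leases.items()}
        print(f"check_chaddr={enabled}: leases per source MAC={per_mac} "
              f"dropped={p.discarded} alarms={p.alarms}")
```

With the check off, the attacker's single source MAC accumulates 300 distinct CHADDR values (300 leases from the server's point of view); with it on, all 300 forged requests are dropped, the legitimate client is untouched, and the alarm fires when the discard count reaches the threshold of 200.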

Configure the alarm function for discarded DHCP packets with incorrect CHADDR fields in a VLAN, BD, or interface view.

Procedure

  • Configure the alarm function for discarded DHCP packets with incorrect CHADDR fields in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping alarm dhcp-chaddr enable [ interface interface-type interface-number ]

      The alarm function for discarded DHCP packets with incorrect CHADDR fields is enabled for the VLAN.

    4. Run dhcp snooping alarm dhcp-chaddr threshold threshold-value [ interface interface-type interface-number ]

      The alarm threshold for discarded DHCP packets with incorrect CHADDR fields is configured for the VLAN.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP packets with incorrect CHADDR fields in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping alarm dhcp-chaddr enable

      The alarm function for discarded DHCP packets with incorrect CHADDR fields is enabled in the BD.

    4. Run dhcp snooping alarm dhcp-chaddr threshold threshold-value

      The alarm threshold for discarded DHCP packets with incorrect CHADDR fields is configured.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP packets with incorrect CHADDR fields in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm dhcp-chaddr enable

      The alarm function for discarded DHCP packets with incorrect CHADDR fields is enabled for the interface.

    4. Run dhcp snooping alarm dhcp-chaddr threshold threshold-value

      The alarm threshold for discarded DHCP packets with incorrect CHADDR fields is configured for the interface.

    5. Run commit

      The configuration is committed.

Verifying the Configuration of Defense Against DoS Attacks by Changing the CHADDR Field

This section describes how to check the configuration of the client hardware address (CHADDR) field check function.

Prerequisites

The configuration of defense against denial of service (DoS) attacks by changing the CHADDR field is complete.

Procedure

  • Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id } command to check the Dynamic Host Configuration Protocol (DHCP) snooping configuration.

Example

Run the display dhcp snooping command to check the configuration of defense against DoS attacks by changing the CHADDR field. The command output shows that CHADDR field check is enabled, that the alarm function for discarded DHCP packets with incorrect CHADDR fields is enabled with a threshold of 200, and that the counters, including chaddr&src mac total, are still 0.

<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp check chaddr enable 
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 200
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0   
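Verification can be scripted across many devices. The following added Python example (not Huawei code) parses the display dhcp snooping output shown above into enabled flags, numeric parameters and counters, then reports which of the settings configured in this section are absent. The sample text is the page's own output embedded as a string; the parsing rules, the function names (parse_display, audit) and the reading of the chaddr&src mac total counter as the number of packets discarded by the CHADDR check are assumptions.

```python
"""Added example (not Huawei code): parse 'display dhcp snooping' output and
check that the CHADDR defence from this section is present."""
import re

# Sample output copied from the page's verification example (constructed input).
DISPLAY_OUTPUT = """\
<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 200
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0
"""

# Counter lines are a name, a run of at least two spaces, then the value.
COUNTER_RE = re.compile(r"^(\S.*?)\s{2,}(\d+)$")

REQUIRED_FLAGS = (
    "dhcp snooping enable",
    "dhcp check chaddr enable",
    "dhcp snooping alarm dhcp-chaddr enable",
)
THRESHOLD_KEY = "dhcp snooping alarm dhcp-chaddr threshold"


def parse_display(text: str) -> dict:
    """Split the output into enabled flags, numeric parameters and counters."""
    flags, params, counters = set(), {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):        # blank line or the CLI prompt
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        tokens = line.split()
        if tokens[-1].isdigit():                     # e.g. "... threshold 200"
            params[" ".join(tokens[:-1])] = int(tokens[-1])
        else:
            flags.add(line)                          # e.g. "dhcp check chaddr enable"
    return {"flags": flags, "params": params, "counters": counters}


def audit(parsed: dict) -> list:
    """Return findings; an empty list means the CHADDR defence is fully configured."""
    findings = [f"missing: {f}" for f in REQUIRED_FLAGS if f not in parsed["flags"]]
    if THRESHOLD_KEY not in parsed["params"]:
        findings.append(f"missing: {THRESHOLD_KEY}")
    # Assumption: this counter is the number of requests dropped for a CHADDR /
    # source MAC mismatch, so a non-zero value means the attack has been seen.
    drops = parsed["counters"].get("chaddr&src mac total", 0)
    if drops:
        findings.append(f"info: {drops} packet(s) discarded by CHADDR check")
    return findings


if __name__ == "__main__":
    print(audit(parse_display(DISPLAY_OUTPUT)) or "compliant")
```

Feed it the captured output of the same command for each VLAN, BD or interface; a non-empty list from audit is a device where the defense is incomplete or where the check has already dropped traffic.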
Updated: 2019-01-02

Document ID: EDOC1100055397
