NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Defense Against DHCP Exhaustion Attacks

This section describes how to prevent attackers from attacking the Dynamic Host Configuration Protocol (DHCP) server by forging DHCP packets that extend IP address leases.

Applicable Environment

Attackers disguise themselves as authorized clients and send DHCP request packets to extend IP address leases. As a result, DHCP servers cannot reclaim the IP addresses assigned to clients.

This problem can be resolved by enabling DHCP snooping. After DHCP snooping is enabled, the device checks whether the source IP address, source MAC address, virtual local area network (VLAN) ID, and interface information carried in a received DHCP request packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.

Pre-configuration Tasks

Before you configure defense against attacks that send bogus DHCP packets to extend IP address leases, configure the DHCP server.

Configuration Process

Figure 4-4 Flowchart for configuring defense against DHCP exhaustion attacks

Enabling DHCP Snooping

To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Context

Enable DHCP snooping in the following sequence:
  1. Enable DHCP globally.
  2. Enable DHCP snooping globally.
  3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP snooping for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run vlan vlan-id

      The VLAN view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the VLAN.

    6. Run quit

      The system view is displayed.

    7. Run commit

      The configuration is committed.

  • Enable DHCP snooping in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run bridge-domain bd-id

      The BD view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled in a BD.

    6. Run commit

      The configuration is committed.

  • Enable DHCP snooping for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the interface.

    6. Run commit

      The configuration is committed.

Enabling DHCP Request Packet Check

To prevent unauthorized clients from sending Dynamic Host Configuration Protocol (DHCP) request packets to request IP addresses, the device checks whether information carried in a received DHCP request packet matches an entry in the DHCP snooping binding table. The checked information includes the source IP and MAC addresses. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.

Context

In dynamic address assignment mode, the device generates a DHCP snooping binding table to record DHCP client information. In static address assignment mode, configure a DHCP static binding table to record DHCP client information.

Enable DHCP request packet check in a VLAN, BD, or interface view.

Procedure

  • Enable DHCP request packet check for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping check dhcp-request enable [ interface interface-type interface-number ]

      DHCP request packet check is enabled for the VLAN.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping check dhcp-request enable

      DHCP request packet check is enabled.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

      The interface is the user-side interface.

    3. Run dhcp snooping check dhcp-request enable

      DHCP request packet check is enabled for the interface.

    4. Run commit

      The configuration is committed.

(Optional) Configuring Option 82 Field Insertion

After the Option 82 function is enabled on a device, the device can record the location information of the DHCP client or create binding entries with accurate interface information based on the Option 82 information.

Context

The Option 82 field contains the location information of Dynamic Host Configuration Protocol (DHCP) hosts, such as information about the login interface, virtual local area network (VLAN), and address. After the Option 82 field insertion function is configured, the device can set up dynamic binding entries with accurate interface information. Based on the Option 82 field, the DHCP server assigns IP addresses and policies for DHCP clients.

Procedure

  • Configure Option 82 field insertion in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 insert enable [ interface interface-type interface-number ]

      Or dhcp option82 rebuild enable [ interface interface-type interface-number ]

      Option 82 field insertion is enabled.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.

    4. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp option82 insert enable

      Option 82 insertion is enabled.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field in the packet.

    4. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 insert enable

      Or dhcp option82 rebuild enable

      Option 82 field insertion is enabled for the interface.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.

    4. Run commit

      The configuration is committed.
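The difference between the insert and rebuild behaviours described above is easiest to see on the option bytes themselves. The following Python model is an added illustration, not Huawei code: it applies the two rules the guide gives for dhcp option82 insert enable and dhcp option82 rebuild enable to the TLV option list of a DHCP packet (the part that follows the magic cookie, terminated by option 255). The sub-option numbers 1 (circuit-id) and 2 (remote-id) are the standard RFC 3046 values; the circuit-id and remote-id strings, the helper names and the sample packets are constructed for this example.

```python
"""Option 82 insertion versus rebuild on a DHCP options field.

Added illustration, not Huawei code. Models the two behaviours the guide
describes for `dhcp option82 insert enable` and `dhcp option82 rebuild
enable`. Sub-option codes 1/2 are the RFC 3046 circuit-id/remote-id;
every value and packet below is constructed sample data.
"""
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

DEVICE_CIRCUIT = b"vlan10:GE0/1/0"  # constructed circuit-id for this device
DEVICE_REMOTE = b"ne20e-a"          # constructed remote-id for this device


def parse_options(buf: bytes) -> list:
    """Parse DHCP TLV options into [(code, value), ...], stopping at END."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def encode_options(opts: list) -> bytes:
    """Serialize [(code, value), ...] back to TLV bytes plus the END option."""
    for code, value in opts:
        if len(value) > 255:
            raise ValueError(f"option {code} longer than 255 bytes")
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return body + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: sub-option TLVs using the same code/len/value layout."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_option82(buf: bytes, mode: str, circuit_id: bytes, remote_id: bytes,
                   format_configured: bool = True) -> bytes:
    """Apply the 'insert' or 'rebuild' rule and return the new options bytes."""
    opts = parse_options(buf)
    new82 = build_option82(circuit_id, remote_id)
    idx = next((n for n, (c, _) in enumerate(opts) if c == OPT_RELAY_AGENT), None)
    if idx is None:
        # Both modes: no Option 82 in the packet, so insert one.
        opts.append((OPT_RELAY_AGENT, new82))
    elif mode == "rebuild":
        # Rebuild: delete whatever the packet carried and write a fresh field.
        opts[idx] = (OPT_RELAY_AGENT, new82)
    elif mode == "insert":
        existing = opts[idx][1]
        if not parse_options(existing) and format_configured:
            # Option 82 present but without sub-options: fill it in.
            opts[idx] = (OPT_RELAY_AGENT, new82)
        # Otherwise the existing sub-options are left unchanged.
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return encode_options(opts)


def sample_cases() -> dict:
    """Run both modes over three constructed packets; return the Option 82 seen."""
    base = [(53, b"\x01"), (61, b"\x01\x00\x11\x22\x33\x44\x55")]  # DISCOVER + client-id
    no82 = encode_options(base)
    foreign82 = encode_options(base + [(OPT_RELAY_AGENT, build_option82(b"other", b"relay"))])
    empty82 = encode_options(base + [(OPT_RELAY_AGENT, b"")])

    def opt82_of(out: bytes):
        return dict(parse_options(out)).get(OPT_RELAY_AGENT)

    return {
        "insert_no82": opt82_of(apply_option82(no82, "insert", DEVICE_CIRCUIT, DEVICE_REMOTE)),
        "insert_foreign": opt82_of(apply_option82(foreign82, "insert", DEVICE_CIRCUIT, DEVICE_REMOTE)),
        "insert_empty": opt82_of(apply_option82(empty82, "insert", DEVICE_CIRCUIT, DEVICE_REMOTE)),
        "rebuild_foreign": opt82_of(apply_option82(foreign82, "rebuild", DEVICE_CIRCUIT, DEVICE_REMOTE)),
    }


if __name__ == "__main__":
    for name, value in sample_cases().items():
        print(f"{name:16s} -> {value!r}")
```

The case that matters for binding accuracy is "insert_foreign": in insert mode an Option 82 that arrived already populated is forwarded untouched, so the binding entry is built from whatever the upstream device wrote; rebuild mode always replaces it with this device's own interface information.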

Follow-up Procedure

After Option 82 field insertion is enabled, you can configure the formats of the Option 82 field and sub-option 9 in the Option 82 field as required. You can configure the format of the Option 82 field in a VLAN view or an interface view.

  • Configure the format of the Option 82 field in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 format { type1 | type2 | self-define self-define | cn-telecom } interface interface-type interface-number

      The format of the Option 82 field is configured for the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure the format of the Option 82 field for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 format { self-define extendtex | type1 | type2 | cn-telecom }

      Or dhcp option82 { circuit-id | remote-id } format self-define extendtex

      The format of the Option 82 field is configured for the interface.

    4. Run commit

      The configuration is committed.

(Optional) Configuring the Alarm Function for Discarded DHCP Packets for Extending the IP Address Lease

By configuring the function described in this chapter, you can have an alarm generated when a specified number of Dynamic Host Configuration Protocol (DHCP) packets for extending the IP address lease are discarded.

Context

After DHCP request packet check is enabled, the device checks whether the source IP address, source MAC address, virtual local area network (VLAN) ID, and interface information carried in a received DHCP request packet match an entry in the DHCP snooping binding table. If no matching entry exists, the device considers the packet an attack packet and discards it. The device generates an alarm when the number of discarded DHCP packets for extending the IP address lease exceeds the threshold.

Configure the alarm function for discarded DHCP packets for extending the IP address lease in a VLAN, BD, or interface view.
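The request check described in "Enabling DHCP Request Packet Check" and the discard alarm described in this section can be modelled together. The following Python model is an added illustration, not Huawei code: a received DHCP request is forwarded only when its source IP address, source MAC address, VLAN ID and inbound interface all match one binding-table entry, each discard is counted, and an alarm is raised the first time the per-VLAN discard count exceeds the configured threshold. The binding entries, packets, interface names and threshold are constructed sample data.

```python
"""Model of the DHCP snooping request check and the discard alarm.

Added illustration, not Huawei code. A request is valid only if source IP,
source MAC, VLAN ID and interface all match one binding entry; otherwise it
is discarded and counted, and an alarm fires once the count exceeds the
threshold. All entries, packets and thresholds are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BindingEntry:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpRequest:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


@dataclass
class SnoopingVlan:
    """Per-VLAN state: binding table, request check and alarm settings."""
    check_enabled: bool = True       # dhcp snooping check dhcp-request enable
    alarm_enabled: bool = False      # dhcp snooping alarm dhcp-request enable
    alarm_threshold: int = 0         # dhcp snooping alarm dhcp-request threshold
    bindings: set = field(default_factory=set)
    discarded: int = 0
    alarms: list = field(default_factory=list)

    def handle_request(self, pkt: DhcpRequest) -> str:
        """Return 'forward' or 'discard' for one DHCP request (lease renewal)."""
        if not self.check_enabled:
            return "forward"
        key = BindingEntry(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.interface)
        if key in self.bindings:
            return "forward"
        # No matching entry: treated as a bogus renewal and dropped.
        self.discarded += 1
        if (self.alarm_enabled and self.alarm_threshold > 0
                and self.discarded == self.alarm_threshold + 1):
            self.alarms.append(
                f"vlan {pkt.vlan}: discarded dhcp-request count {self.discarded} "
                f"exceeds threshold {self.alarm_threshold}")
        return "discard"


def build_sample_vlan() -> SnoopingVlan:
    """Constructed VLAN 10 with two dynamic binding entries and a low threshold."""
    v = SnoopingVlan(alarm_enabled=True, alarm_threshold=2)
    v.bindings.add(BindingEntry("10.1.1.10", "00:11:22:33:44:55", 10, "GE0/1/0"))
    v.bindings.add(BindingEntry("10.1.1.11", "00:11:22:33:44:66", 10, "GE0/1/0"))
    return v


def run_sample() -> dict:
    """Feed one legitimate and three mismatching requests through the check."""
    v = build_sample_vlan()
    pkts = [
        DhcpRequest("10.1.1.10", "00:11:22:33:44:55", 10, "GE0/1/0"),  # matches
        DhcpRequest("10.1.1.10", "00:11:22:33:44:55", 10, "GE0/1/1"),  # wrong interface
        DhcpRequest("10.1.1.11", "aa:bb:cc:dd:ee:ff", 10, "GE0/1/0"),  # wrong MAC
        DhcpRequest("10.1.1.12", "00:11:22:33:44:77", 10, "GE0/1/0"),  # no entry at all
    ]
    verdicts = [v.handle_request(p) for p in pkts]
    return {"verdicts": verdicts, "discarded": v.discarded, "alarms": v.alarms}


if __name__ == "__main__":
    result = run_sample()
    print(result["verdicts"], result["discarded"])
    for a in result["alarms"]:
        print("ALARM:", a)
```

Note that the second packet carries a correct IP/MAC pair and is still dropped: the interface is part of the key, which is why the guide enables the check on the user-side interface and why Option 82 accuracy matters for the entries the table is built from.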

Procedure

  • Configure the alarm function for discarded DHCP packets for extending the IP address lease in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping alarm dhcp-request enable [ interface interface-type interface-number ]

      The alarm function for discarded DHCP packets for extending the IP address lease is enabled for the VLAN.

      By default, DHCP request packet check is disabled for a VLAN.

    4. Run dhcp snooping alarm dhcp-request threshold threshold [ interface interface-type interface-number ]

      The alarm threshold for the number of discarded DHCP packets for extending the IP address lease is configured for the VLAN.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP packets for extending the IP address lease in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping alarm dhcp-request enable

      The alarm function for discarded DHCP packets for extending the IP address lease is enabled in the BD.

    4. Run dhcp snooping alarm dhcp-request threshold threshold-value

      An alarm threshold for the number of discarded DHCP packets for extending the IP address lease is configured.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP packets for extending the IP address lease in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm dhcp-request enable

      The alarm function for discarded DHCP packets for extending the IP address lease is enabled for the interface.

    4. Run dhcp snooping alarm dhcp-request threshold threshold-value

      The alarm threshold for the number of discarded DHCP packets for extending the IP address lease is configured for the interface.

    5. Run commit

      The configuration is committed.

Verifying the Configuration of Defense Against DHCP Exhaustion Attacks

This section describes how to check the configuration of defense against attackers sending bogus Dynamic Host Configuration Protocol (DHCP) packets to extend IP address leases.

Prerequisites

The configuration of defense against attackers sending bogus DHCP packets to extend IP address leases is complete.

Procedure

  • Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id } command to check the DHCP snooping configuration.
  • Run the display dhcp option82 configuration [ interface interface-type interface-number | vlan vlan-id | bridge-domain bd-id ] command to check the configuration of the option 82 field insertion function.

Example

Run the display dhcp snooping command to check the configuration of defense against attackers sending bogus DHCP packets to extend IP address leases.
<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 200
 dhcp snooping check dhcp-request enable 
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 300
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&srcmac total       0
 dhcp-reply total           0              

Run the display dhcp option82 configuration interface Gigabitethernet 0/1/0 command to check the configuration of the option 82 insertion function on GE0/1/0.

<HUAWEI> display dhcp option82 configuration interface Gigabitethernet 0/1/0
#
interface Gigabitethernet0/1/0

 dhcp option82 insert enable
#
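Checking this output by eye does not scale across many VLANs, so the following Python script is an added illustration, not Huawei code: it parses the display dhcp snooping output shown above (embedded here as a sample) and reports which of the settings this guide configures are missing, together with the dhcp-request alarm threshold and the discard counters. The list of required settings is an assumption chosen to match the tasks in this guide; the parsing is based only on the line layout visible in the sample.

```python
"""Audit of `display dhcp snooping` output.

Added illustration, not Huawei code. Parses the verification output shown
in this guide and checks that the settings the guide configures are present.
REQUIRED is an assumption matching the guide's tasks.
"""
import re

# Sample output, copied from the verification example in this guide.
SAMPLE_OUTPUT = """\
<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 200
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 300
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&srcmac total       0
 dhcp-reply total           0
"""

REQUIRED = (
    "dhcp snooping enable",
    "dhcp snooping check dhcp-request enable",
    "dhcp snooping alarm dhcp-request enable",
)


def parse_display(text: str) -> dict:
    """Split the output into enable-lines, thresholds, limits and counters."""
    settings, thresholds, counters, limits = set(), {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue  # blank line or the "<HUAWEI>" prompt line
        m = re.fullmatch(r"(dhcp snooping alarm \S+) threshold (\d+)", line)
        if m:
            thresholds[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"dhcp snooping max-user-number (\d+)", line)
        if m:
            limits["max-user-number"] = int(m.group(1))
            continue
        m = re.fullmatch(r"(\S+) total\s+(\d+)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        settings.add(line)  # everything else is an "... enable" line
    return {"settings": settings, "thresholds": thresholds,
            "counters": counters, "limits": limits}


def audit(text: str) -> dict:
    """Report missing required settings and the dhcp-request alarm state."""
    parsed = parse_display(text)
    return {
        "missing": [s for s in REQUIRED if s not in parsed["settings"]],
        "dhcp_request_threshold": parsed["thresholds"].get("dhcp snooping alarm dhcp-request"),
        "dhcp_request_discards": parsed["counters"].get("dhcp-request"),
        "max_user_number": parsed["limits"].get("max-user-number"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))
```

In operation the "dhcp-request total" counter is the value to trend: it is the number of renewals discarded by the check, and a sustained rise toward the configured threshold on one VLAN is the signal this chapter's alarm is meant to surface.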
Updated: 2019-01-02

Document ID: EDOC1100055397