No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


The DHCP attack causes the new hotspot AP getting online slowly

Publication Date:  2012-11-29 Views:  113 Downloads:  0
Issue Description
In a certain city, the new hotspot AP of a newly created WLAN gets online slowly, each hotspot will take 3-4 hours to get online successfully, and when the AP is online, it won’t go offline, the service can run normally. The WLAN is the AC side hang Layer 3 networking tunnel forwarding, and the AC uses the ME60-X3 integrated by the BAS and AC, the version ID is : v600r002c02spc800, the convergence switch is the Huawei S9306, the version ID is: V100R002C00spc200

Alarm Information
Handling Process
1. Login the SW9306, use the command “display mac-address dynamic vlan ***” to check the MAC entry of the problem AP, we find the convergence switch can learn the AP’s MAC address, which illustrates the convergence switch and the AP Layer link is interworking.
2. Login the ME60-X3, execute the command “” to check the using status of the AP management address pool which the problem AP is in, we find the address pool hasn’t been exhausted and the problem AP can’t assign the IP, after 3-4 hours later, the AP can obtain the IP and can get online, which illustrates the problem is caused by the process of the AP acquiring the IP is slow.
3. Implement the AP mirroring capture packet in the POE switch, we find there is only the DHCP discover message which is sending out, but there is not the DHCP offer message which might be received.
4. Login the SW9306, use the command “display cpu-defend statistics all” to check the using status of the CPCAR, we find the traffic of the dhcp-client port in the SLOT 1 is very large, and the packet loss is serious, execute the command “display cpu-defend statistics slot 1” for twice, and the outcome is:
The first:
Packet Type Pass(Bytes) Drop(Bytes) Pass(Packets) Drop(Packets)
dhcp-client 73740848172 10548268875k 200926476 30133544374
The second:
Packet Type Pass(Bytes) Drop(Bytes) Pass(Packets) Drop(Packets)
dhcp-client 73742813772 10548651107k 200932092 30134636292
5. Execute the command “display interface gigaethernet ***” to check the downstream port of the SW9306, we find there is a great deal of broadcast packet traffic at a certain downstream port. So, we can conclude that there are lots of useless DHCP broadcast packets reporting to the CPU, as the channel of the CPU has limitation, then the useful DHCP packets of the other new hotspots can’t reach at the ME60-X3, hence, they can’t obtain the IP and finally cause getting online slowly. The mass useless DHCP packets may be caused by the MAC loop drift or DCHP flood attack.
6. Execute the command “mac-flapping check enable” to open the checking function, and then execute “display mac-flapping statistics” to check the status of the loop drift, and we find there isn’t MAC drift, so we can exclude the MAC factor.
7.Capture the packet at the problem downstream port of the SW9306, we find there are mass DHCP broadcast packets sent from the same MAC address at the same time, so we can confirm this MAC is the DHCP flood attack source.
8. On one hand, we can shield the attack source through creating Layer 2 ACL to add the MAC into the blacklist; on the other hand, we must check the hotspot and find the attack source, and then revise the hotspot.

Root Cause
As the AP can’t get online, we firstly judge if the AP has acquired the IP address; if yes, then check if the CAPWAP tunnel has created successfully; if not, then check the middle Layer 2 link, if the link hasn’t problem, then we can fix the problem in the process of DHCP exchanging, we can capture packet in the wire side or use “debug dhcp” to view the DHCP message.

We suggest that the Carrier WLAN hotspot’s POE switch can only be used in the WLAN and not connecting PC. The convergence switch can control the speed of reporting the packet to the CPU via “cpu-defend”, and then restrain the attack, but it may cause the useful packets lost.
Once there appears the AP can’t get online, firstly check if the AP has obtained the IP, if not, use “debug dhcp”or capture packet in the wire side to analyze the problem DHCP packet