
Defense Against DHCP Flooding Attacks

Attack Behavior

When a switch functioning as a DHCP server or relay agent receives a large number of DHCP packets sent by a malicious user, the switch cannot process valid DHCP packets. As a result, clients cannot obtain or renew IP addresses.

Security Policy

To defend against the preceding attack, configure the following security policies on a switch:
  • DHCP port-level protection

    The switch monitors the DHCP packet rate based on ports. When the rate of DHCP packets sent to the control plane from a port exceeds the specified threshold, the switch sends these DHCP packets to the control plane through an independent channel. This avoids impact on valid DHCP packets.

  • DHCP user-level protection

    The switch monitors the rate of DHCP packets sent to the control plane based on users (MAC or IP addresses). When the rate of DHCP packets from a user exceeds the specified threshold, the switch discards this user's DHCP packets for a certain period of time.

Some low-end fixed switches do not support DHCP port-level or user-level protection. On switches that support the two functions, DHCP port-level protection is enabled by default, and DHCP user-level protection needs to be enabled manually.

Configuration Method

Configure DHCP user-level protection based on users' MAC or IP addresses. To prevent packets from valid DHCP servers from being filtered out, add the interfaces through which valid DHCP servers are reached (the uplink or network-side interfaces) to the attack source tracing whitelist, as the whitelist commands below do.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy antiatk
[HUAWEI-cpu-defend-policy-antiatk] auto-defend enable
[HUAWEI-cpu-defend-policy-antiatk] auto-defend threshold 30
[HUAWEI-cpu-defend-policy-antiatk] auto-defend attack-packet sample 5
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend trace-type source-portvlan
[HUAWEI-cpu-defend-policy-antiatk] undo auto-defend protocol tcp telnet ttl-expired igmp icmp dhcpv6 mld nd
[HUAWEI-cpu-defend-policy-antiatk] auto-defend action deny timer 300
[HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 1 interface gigabitethernet 1/0/1 //Add the uplink or network-side interface to the whitelist.
[HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 2 interface gigabitethernet 2/0/0 //Add the uplink or network-side interface to the whitelist.
[HUAWEI-cpu-defend-policy-antiatk] quit
[HUAWEI] cpu-defend-policy antiatk  //Apply the attack defense policy to the main control board.
[HUAWEI] cpu-defend-policy antiatk global  //Apply the attack defense policy to all interface boards or the switch.
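The following Python model is an added illustration of the user-level protection described above, not Huawei code: it applies the page's threshold (30 packets per second per user), deny timer (300 s) and interface whitelist to a constructed packet stream. The MAC addresses and interface names are made up for the example.

```python
from collections import defaultdict, deque


class DhcpUserLevelGuard:
    """Per-user (MAC) DHCP rate limiter modelled on auto-defend: packets over
    the per-second threshold put the user on a deny list for deny_seconds;
    packets arriving on whitelisted interfaces are never traced or dropped."""

    def __init__(self, threshold_pps=30, deny_seconds=300, whitelist_ifaces=()):
        self.threshold = threshold_pps
        self.deny_seconds = deny_seconds
        self.whitelist = set(whitelist_ifaces)
        self.window = defaultdict(deque)  # mac -> arrival times in the last 1 s
        self.denied_until = {}            # mac -> time at which the deny expires

    def accept(self, mac, iface, now):
        """Return True if this packet may be sent to the control plane."""
        if iface in self.whitelist:
            return True
        until = self.denied_until.get(mac)
        if until is not None:
            if now < until:
                return False          # deny timer still running
            del self.denied_until[mac]
        q = self.window[mac]
        q.append(now)
        while q and now - q[0] >= 1.0:  # slide the 1 s window
            q.popleft()
        if len(q) > self.threshold:
            self.denied_until[mac] = now + self.deny_seconds
            q.clear()
            return False
        return True


def simulate():
    """Constructed traffic: a normal client, an attacker flooding an access
    port, and a DHCP server behind the whitelisted uplink GE1/0/1."""
    guard = DhcpUserLevelGuard(30, 300, {"GE1/0/1"})
    events = [("00:11:22:33:44:55", "GE1/0/2", i * 0.5) for i in range(4)]
    events += [("de:ad:be:ef:00:01", "GE1/0/5", i * 0.005) for i in range(100)]
    events += [("00:aa:bb:cc:dd:ee", "GE1/0/1", i * 0.005) for i in range(100)]
    events += [("de:ad:be:ef:00:01", "GE1/0/5", 200.0),   # still denied
               ("de:ad:be:ef:00:01", "GE1/0/5", 400.0)]   # timer expired
    passed, dropped = defaultdict(int), defaultdict(int)
    for mac, iface, t in sorted(events, key=lambda e: e[2]):
        (passed if guard.accept(mac, iface, t) else dropped)[mac] += 1
    return dict(passed), dict(dropped)
```

The attacker's first 30 packets reach the control plane, the 31st trips the threshold, and everything further from that MAC is dropped until the 300 s deny timer expires, while the client and the whitelisted server are unaffected.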
Copyright © Huawei Technologies Co., Ltd.