Preventing DoS Attacks by Changing the CHADDRField

This section describes how to prevent attackers from attacking the Dynamic Host Configuration Protocol (DHCP) server by modifying the client hardware address (CHADDR) field.

Applicable Environment

Attackers may change the CHADDR field carried in DHCP packets to apply for IP addresses continuously. The device, however, only checks validity of packets based on the source media access control (MAC) address in the frame header. Attack packets can still be forwarded and the MAC address limit cannot take effect.

To prevent the attacker from changing the CHADDR field, configure DHCP snooping to check the CHADDR field carried in DHCP request packets. If the CHADDR field matches the source MAC address in the frame header, the packet is forwarded. Otherwise, the packet is discarded.

Pre-configuration Tasks

Before you configure defense against DoS attacks by changing the CHADDR field, configure DHCP Snooping.

Enabling DHCP Snooping: To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Configuring CHADDR Field Check: If you want your device to check the client hardware address (CHADDR) field validity, configure CHADDR field check.

(Optional) Configuring the Alarm Function forDiscarded DHCP Packets with Incorrect CHADDR Fields: By configuring the function described in this chapter, you can have an alarm generated when a specified number of Dynamic Host Configuration Protocol (DHCP) packets with incorrect client hardware address (CHADDR) fields are discarded.

Checking the Configuration: This section describes how to check the configuration of the client hardware address (CHADDR) field check function.