Methods of configuring defense against bogus DHCP server attacks on S series switch


S series switches (except S1700 switches) support the DHCP Snooping trust function, which prevents attacks from unauthorized DHCP servers and ensures that clients obtain IP addresses only from authorized DHCP servers. In the topology used here, the DHCP client and the DHCP server are connected through the switch: the server is attached to GE0/0/1 and the clients to GE0/0/2 and GE0/0/3. The procedure for configuring the DHCP Snooping trust function on an S series switch is as follows:
1. Enable DHCP Snooping globally.
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
2. Enable DHCP Snooping on user-side interfaces GE0/0/2 and GE0/0/3.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] dhcp snooping enable
[Huawei-GigabitEthernet0/0/2] quit
[Huawei] interface gigabitethernet 0/0/3
[Huawei-GigabitEthernet0/0/3] dhcp snooping enable
[Huawei-GigabitEthernet0/0/3] quit
3. Configure the interface (GE0/0/1) connected to the DHCP Server as the trusted interface. An interface on which DHCP Snooping is enabled is untrusted by default, and DHCP Offer, ACK, and NAK packets received on an untrusted interface are discarded, so this step is what lets replies from the authorized server through.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
[Huawei-GigabitEthernet0/0/1] quit
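The decision that the procedure above configures, modelled in Python as an added example (illustrative code written for this page, not Huawei's implementation): the switch classifies each DHCP packet by the port it arrived on, forwards anything from the trusted port (learning a binding from each ACK), and drops server-only messages (Offer, ACK, NAK) that arrive on an untrusted port. The same classification is what the AP entries under "Other related questions" describe. The interface names, the client MAC, the addresses and the packets are constructed for the example; the binding table and the Release check go beyond the page's procedure and are included because they are what DHCP Snooping builds on top of the trust check. The last packet shows the mistake the procedure guards against: a port where step 2 was skipped passes a bogus Offer untouched.

```python
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPRELEASE = 1, 2, 3, 5, 6, 7
SERVER_ONLY = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a DHCP server legitimately sends these
BOOTREPLY = 2                                 # BOOTP 'op' value used by servers
MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(op, msg_type, chaddr, yiaddr=b"\x00" * 4, xid=0x1234):
    """Build a minimal BOOTP/DHCP payload (no UDP/IP headers); constructed test input."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", op, 1, 6, 0, xid, 0, 0,
                        b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,
                        chaddr.ljust(16, b"\x00"))
    fixed += b"\x00" * 64 + b"\x00" * 128          # sname and file fields, unused here
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (op, yiaddr, chaddr, message_type) for a DHCP payload, or None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, hlen = payload[0], payload[2]
    yiaddr = payload[16:20]
    chaddr = payload[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                       # end option
            break
        if tag == 0:                         # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, yiaddr, chaddr, msg_type


@dataclass
class SnoopingSwitch:
    """Ports are strings; the two sets model 'dhcp snooping enable' and 'dhcp snooping trusted' per interface."""
    trusted: set = field(default_factory=set)
    snooping: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # chaddr -> (yiaddr, client port), learned from ACKs
    pending: dict = field(default_factory=dict)    # chaddr -> port that sent the Discover/Request
    log: list = field(default_factory=list)

    def receive(self, port, payload):
        """Return 'forward' or 'drop' for a packet arriving on port."""
        parsed = parse_dhcp(payload)
        if parsed is None or (port not in self.snooping and port not in self.trusted):
            return "forward"                 # not DHCP, or a port that snooping does not cover
        op, yiaddr, chaddr, msg_type = parsed
        if port in self.trusted:
            if msg_type == DHCPACK and chaddr in self.pending:
                self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
            return "forward"
        # Untrusted port: only client-side messages are acceptable.
        if op == BOOTREPLY or msg_type in SERVER_ONLY:
            self.log.append(f"bogus DHCP server on {port}: message type {msg_type}")
            return "drop"
        if msg_type in (DHCPDISCOVER, DHCPREQUEST):
            self.pending[chaddr] = port
        elif msg_type == DHCPRELEASE:
            bound = self.bindings.get(chaddr)
            if bound is None or bound[1] != port:
                self.log.append(f"DHCP Release on {port} does not match the binding table")
                return "drop"
        return "forward"


def demo():
    """Run the page's topology: server on GE0/0/1 (trusted), clients on GE0/0/2 and GE0/0/3."""
    sw = SnoopingSwitch(trusted={"GE0/0/1"}, snooping={"GE0/0/2", "GE0/0/3"})
    client = bytes.fromhex("0200aabbcc01")                 # constructed client MAC
    lease, bogus = bytes([10, 1, 1, 50]), bytes([192, 168, 0, 50])
    results = [
        sw.receive("GE0/0/2", build_dhcp(1, DHCPDISCOVER, client)),        # client asks
        sw.receive("GE0/0/1", build_dhcp(2, DHCPOFFER, client, lease)),    # authorized server answers
        sw.receive("GE0/0/1", build_dhcp(2, DHCPACK, client, lease)),      # lease confirmed, binding learned
        sw.receive("GE0/0/3", build_dhcp(2, DHCPOFFER, client, bogus)),    # rogue server on a user port
        sw.receive("GE0/0/3", build_dhcp(2, DHCPNAK, client)),             # rogue NAK trying to evict the client
        sw.receive("GE0/0/3", build_dhcp(1, DHCPRELEASE, client)),         # forged Release from the wrong port
        sw.receive("GE0/0/4", build_dhcp(2, DHCPOFFER, client, bogus)),    # port where step 2 was skipped
    ]
    return results, sw


if __name__ == "__main__":
    verdicts, switch = demo()
    print(verdicts)
    print(*switch.log, sep="\n")
```

Running the module prints the seven verdicts (forward, forward, forward, drop, drop, drop, forward) and the log lines; the forwarded bogus Offer on GE0/0/4 is the case the real switch also lets through if DHCP Snooping is not enabled on every user-side interface.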

Other related questions:
Defending against attacks from bogus DHCP servers
If a bogus DHCP server is deployed on the user side, STAs may obtain invalid IP addresses from it instead of from the AC or the authorized DHCP server. To prevent this, disable the DHCP trusted port in the AC's service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). A DHCP server sends three types of DHCP packets that a client never sends: Offer, ACK, and NAK. When an AP receives any of these from a user-side interface, it treats the sender as a bogus DHCP server. A Fat AP discards the packet; in AC+Fit AP networking, the AP discards the packet and reports the bogus DHCP server information to the AC.

After ARP attack defense is configured on S series switches, can the device defend against all ARP attacks?
For S series switches, each ARP attack defense function only mitigates the type of ARP attack it is designed for. For example, the rate limit on ARP Miss messages only reduces the impact of ARP Miss attacks and cannot block them entirely, and it does nothing against ARP packet attacks or ARP spoofing attacks. Likewise, ARP gateway anti-collision only defends against bogus gateways and cannot block ARP flood attacks or ARP gateway spoofing attacks.

How to configure ARP attack defense on S series switches
For S series switches (except S1700 switches), you can configure ARP security to prevent ARP attacks. A switch acting as a gateway may receive a large number of ARP packets; configure ARP security on it to protect the gateway, for example by rate-limiting ARP packets and ARP Miss messages to mitigate ARP flood attacks. E series switches do not support the rate limit on ARP Miss messages. Common ARP attacks include:
- ARP flood attack, also called an ARP Denial of Service (DoS) attack: an attacker sends large numbers of ARP packets, or IP packets to unresolvable destinations that each trigger an ARP Miss message, to exhaust the gateway's CPU and ARP table.
- ARP spoofing attack: an attacker sends bogus ARP packets to network devices, which then modify their ARP entries, causing communication failures.
ARP security protects network devices against these attacks by controlling how ARP entries are learned, limiting the ARP packet rate, and checking ARP packets. In addition to ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.
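The mechanisms this answer names, modelled in Python as an added example (illustrative code written for this page, not Huawei's implementation): a per-source-MAC ARP rate limit, a per-source-IP ARP Miss rate limit, gateway anti-collision, and an ARP packet check against a DHCP Snooping style binding table. The gateway and host addresses, port names, thresholds and bindings are constructed; a fixed one-second window stands in for the switch's rate limiter. The scan case also shows the caveat from the previous answer: the first packets from each source still trigger ARP Miss processing, so the limit mitigates a scan rather than shielding against it.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    port: str          # ingress interface
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class ArpGuard:
    """Gateway-side ARP defenses; thresholds and addresses are constructed for the example."""
    gateway_ip: str
    gateway_mac: str
    max_arp_per_mac: int = 5        # stands in for a per-source-MAC ARP rate limit (packets per second)
    max_miss_per_ip: int = 2        # stands in for a per-source-IP ARP Miss rate limit
    bindings: dict = field(default_factory=dict)    # ip -> (mac, port), e.g. from DHCP Snooping
    known_hosts: set = field(default_factory=set)   # destinations already resolved in the ARP table
    log: list = field(default_factory=list)
    _arp_count: dict = field(default_factory=lambda: defaultdict(int), init=False)
    _miss_count: dict = field(default_factory=lambda: defaultdict(int), init=False)

    def new_second(self):
        """Start a new one-second window (a fixed window models the switch's rate limiter)."""
        self._arp_count.clear()
        self._miss_count.clear()

    def inspect_arp(self, pkt):
        """Return 'forward' or 'drop' for an ARP packet received on a user-side port."""
        # Gateway anti-collision: nobody but the gateway may claim the gateway IP.
        if pkt.sender_ip == self.gateway_ip and pkt.sender_mac != self.gateway_mac:
            self.log.append(f"bogus gateway {pkt.sender_mac} on {pkt.port}")
            return "drop"
        # Per-source-MAC rate limit against ARP floods.
        self._arp_count[pkt.sender_mac] += 1
        if self._arp_count[pkt.sender_mac] > self.max_arp_per_mac:
            return "drop"
        # ARP packet check: a sender IP with a binding must match that binding's MAC and port.
        bound = self.bindings.get(pkt.sender_ip)
        if bound is not None and bound != (pkt.sender_mac, pkt.port):
            self.log.append(f"ARP spoofing: {pkt.sender_ip} claimed by {pkt.sender_mac} on {pkt.port}")
            return "drop"
        return "forward"

    def route(self, src_ip, dst_ip):
        """Return how the gateway handles an IP packet: 'forward', 'arp-miss' (resolution triggered) or 'drop'."""
        if dst_ip in self.known_hosts:
            return "forward"
        self._miss_count[src_ip] += 1
        if self._miss_count[src_ip] > self.max_miss_per_ip:
            return "drop"            # excess ARP Miss from this source: no resolution, no CPU work
        return "arp-miss"


def demo():
    g = ArpGuard(gateway_ip="10.1.1.1", gateway_mac="00:11:22:33:44:01",
                 bindings={"10.1.1.50": ("02:00:aa:bb:cc:01", "GE0/0/2")},
                 known_hosts={"10.1.1.50"})
    attacker = "02:00:de:ad:be:ef"
    results = {}
    results["host"] = g.inspect_arp(ArpPacket("GE0/0/2", "02:00:aa:bb:cc:01", "10.1.1.50", "10.1.1.1"))
    results["bogus_gateway"] = g.inspect_arp(ArpPacket("GE0/0/3", attacker, "10.1.1.1", "10.1.1.50"))
    results["spoofed_host"] = g.inspect_arp(ArpPacket("GE0/0/3", attacker, "10.1.1.50", "10.1.1.1"))
    g.new_second()   # flood: 20 ARP requests from one MAC within one second
    flood = [g.inspect_arp(ArpPacket("GE0/0/3", attacker, "10.1.1.77", f"10.1.1.{i}")) for i in range(20)]
    results["flood_forwarded"] = flood.count("forward")
    g.new_second()   # scan: IP packets to 10 unresolved hosts, each of which would raise an ARP Miss
    scan = [g.route("10.1.1.77", f"10.1.1.{100 + i}") for i in range(10)]
    results["miss_triggered"] = scan.count("arp-miss")
    return results, g


if __name__ == "__main__":
    verdicts, guard = demo()
    print(verdicts)
    print(*guard.log, sep="\n")
```

Of the 20 flood packets only 5 are forwarded and of the 10 scan packets only 2 trigger ARP Miss processing; those 2 are the residual impact that the previous answer says a rate limit cannot remove.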

How do I defend against bogus DHCP servers on the user side
If a bogus DHCP server is deployed on a customer network, STAs may obtain invalid IP addresses from it instead of from the AC or the authorized DHCP server. To defend against bogus DHCP servers, disable the DHCP trusted port on the AP in service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). A DHCP server sends three types of DHCP packets that a client never sends: Offer, ACK, and NAK. When the AP receives any of these from a user-side interface, it treats the sender as a bogus DHCP server, discards the packets, and reports the event to the AC over the CAPWAP tunnel.

Method to configure DHCP server on S series switches
For S series switches excluding the S1700, the switch can function as the DHCP server to assign IP addresses to DHCP clients. Two configuration modes are available:
- Interface address pool: This mode is simple. It applies only to the scenario where the DHCP server and DHCP clients are on the same network segment, that is, where no DHCP relay agent needs to be deployed.
- Global address pool: This mode applies to the scenario where the DHCP server and DHCP clients are on different network segments, that is, where a DHCP relay agent needs to be deployed. It also applies when the server and clients are on the same network segment but IP addresses must be assigned to clients on multiple interfaces.
