Defending against attacks from bogus DHCP servers


If a bogus DHCP server is deployed on the user side, STAs may obtain invalid IP addresses from the bogus DHCP server instead of from the AC or the authorized DHCP server.
To prevent this, disable the DHCP trusted port in the AC's service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). Three DHCP message types are sent only by a DHCP server: Offer, ACK, and NAK. With the trusted port disabled, an AP that receives any of these messages from a user-side interface treats the sender as a bogus DHCP server. A Fat AP simply discards the packet. In AC+Fit AP networking, the AP discards the packet and also reports the bogus DHCP server information to the AC. Note that this protects only against servers on the wireless user side; a bogus server on the wired network upstream of the AP must be handled by DHCP Snooping on the access switch, as described below.

Other related questions:
Methods of configuring defense against bogus DHCP server attacks on S series switches
S series switches (except S1700 switches) support the DHCP Snooping trust function, which prevents attacks from unauthorized DHCP servers and ensures that clients obtain IP addresses only from the authorized DHCP server. DHCP reply packets (Offer, ACK, NAK) arriving on an untrusted interface are discarded; they are forwarded only when received on the trusted interface. As shown in the networking diagram, the DHCP client and DHCP server are connected through the switch. The procedure for configuring the DHCP Snooping trust function on an S series switch is as follows:
1. Enable DHCP and DHCP Snooping globally.
   [Huawei] dhcp enable
   [Huawei] dhcp snooping enable
2. Enable DHCP Snooping on the user-side interfaces GE0/0/2 and GE0/0/3. These interfaces are untrusted by default, so DHCP reply packets received on them are dropped.
   [Huawei] interface gigabitethernet 0/0/2
   [Huawei-GigabitEthernet0/0/2] dhcp snooping enable
   [Huawei-GigabitEthernet0/0/2] quit
   [Huawei] interface gigabitethernet 0/0/3
   [Huawei-GigabitEthernet0/0/3] dhcp snooping enable
   [Huawei-GigabitEthernet0/0/3] quit
3. Configure the interface connected to the authorized DHCP server (GE0/0/1) as the trusted interface. Only this interface should be trusted; trusting a user-facing interface defeats the protection.
   [Huawei] interface gigabitethernet 0/0/1
   [Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
   [Huawei-GigabitEthernet0/0/1] quit

How do I defend against bogus DHCP servers at the user side?
If a bogus DHCP server is deployed on a customer network, STAs may obtain invalid IP addresses from the bogus DHCP server instead of from the AC or the authorized DHCP server. To defend against bogus DHCP servers, disable the DHCP trusted port for the AP in service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). A DHCP server sends three types of DHCP packets that a client never sends: Offer, ACK, and NAK. When the AP receives any of these packets from a user-side interface, it treats the sender as a bogus DHCP server, discards the packets, and reports the event to the AC over the CAPWAP tunnel.
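The decision logic described in the two answers above (the AP with its DHCP trusted port disabled, and the switch's DHCP Snooping trust rule) is the same: a DHCP message that only a server may send, arriving on a port that is not trusted, is dropped and the sender is flagged. The following Python model is an added example, not Huawei code; it builds a few constructed DHCP messages (RFC 2131 layout), parses option 53 to classify them, and applies the trust rule. The port names, MAC addresses and the "report" list are illustrative assumptions; a real switch or AP works on the same packet fields but does not expose this API.

```python
"""Model of DHCP Snooping trust / bogus DHCP server detection (added example, not Huawei code)."""
import struct
from dataclasses import dataclass

# Constants from RFC 2131 / RFC 2132
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
# Only a DHCP server legitimately originates these; one of them arriving from the
# user side is the signal the AP or switch uses to flag a bogus server.
SERVER_MESSAGES = {OFFER, ACK, NAK}


def build_dhcp(op, msg_type, chaddr=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326):
    """Construct a minimal DHCP message for the demo (constructed sample data, not a capture)."""
    fixed = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, xid, 0, 0, 0, 0, 0, 0)  # op .. giaddr
    fixed += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)               # chaddr, sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return fixed + DHCP_MAGIC + options


def dhcp_message_type(packet):
    """Return option 53 (DHCP message type), or None if the packet is not well-formed DHCP."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            return None                      # truncated option header
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                      # truncated option body
        if code == OPT_MESSAGE_TYPE and length == 1:
            return value[0]
        i += 2 + length
    return None


@dataclass
class Verdict:
    action: str          # "forward" or "drop"
    reason: str
    bogus_server: bool   # True when the sender should be reported as a bogus DHCP server


def snoop(packet, ingress_port, trusted_ports):
    """Trust rule: server-originated DHCP is accepted only on trusted ports.

    trusted_ports is the set of ports configured with 'dhcp snooping trusted';
    for an AP whose DHCP trusted port has been disabled, pass an empty set.
    """
    msg_type = dhcp_message_type(packet)
    if msg_type is None:
        return Verdict("drop", "malformed DHCP packet", False)
    if ingress_port in trusted_ports:
        return Verdict("forward", "trusted port", False)
    # Check both the BOOTP op field and the DHCP message type: a bogus server that
    # sends an ACK but leaves op=BOOTREQUEST must still be caught.
    if packet[0] == BOOTREPLY or msg_type in SERVER_MESSAGES:
        return Verdict("drop", f"server message type {msg_type} on untrusted port {ingress_port}", True)
    return Verdict("forward", "client message on untrusted port", False)


def filter_traffic(frames, trusted_ports):
    """Process (src_mac, ingress_port, packet) frames; return verdicts and bogus-server reports.

    The reports list plays the role of the AP's bogus DHCP server notification to the AC.
    """
    verdicts, reports = [], []
    for src_mac, port, packet in frames:
        v = snoop(packet, port, trusted_ports)
        verdicts.append(v)
        if v.bogus_server:
            reports.append((src_mac, port))
    return verdicts, reports


if __name__ == "__main__":
    # Constructed traffic: a client on GE0/0/2, the authorized server on GE0/0/1,
    # and a rogue server on GE0/0/3 answering the client's DISCOVER.
    frames = [
        ("aa:aa:aa:aa:aa:01", "GE0/0/2", build_dhcp(BOOTREQUEST, DISCOVER)),
        ("00:0c:29:11:22:33", "GE0/0/1", build_dhcp(BOOTREPLY, OFFER)),
        ("de:ad:be:ef:00:01", "GE0/0/3", build_dhcp(BOOTREPLY, OFFER)),
        ("de:ad:be:ef:00:01", "GE0/0/3", build_dhcp(BOOTREQUEST, ACK)),  # op field spoofed
    ]
    verdicts, reports = filter_traffic(frames, trusted_ports={"GE0/0/1"})
    for (mac, port, _), v in zip(frames, verdicts):
        print(f"{port} {mac}: {v.action:7} ({v.reason})")
    print("bogus DHCP servers reported:", reports)
```

Running the block with `trusted_ports={"GE0/0/1"}` models the switch configuration from the previous answer: the authorized server's Offer on GE0/0/1 is forwarded, while both rogue replies on GE0/0/3 are dropped and reported, including the one whose BOOTP op field is disguised as a request. Passing an empty `trusted_ports` set models an AP with the DHCP trusted port disabled, where every server message from the user side is treated as bogus.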

After ARP attack defense is configured on S series switches, can the device defend against all ARP attacks?
No. On S series switches, each ARP attack defense function protects only against the specific type of attack it is designed for, and only after it has been configured. For example: rate limiting of ARP Miss messages can only mitigate the impact of ARP Miss attacks, not block them entirely, and it does nothing against ARP packet flood attacks or ARP spoofing attacks. ARP gateway anti-collision defends only against bogus gateways and does not stop ARP flood attacks or ARP gateway spoofing attacks. The appropriate functions therefore have to be combined according to the attacks expected on the network.
