How do I defend against bogus DHCP servers at the user side

8

If a bogus DHCP server is deployed on a customer network, STAs may obtain invalid IP addresses from the bogus DHCP server but not from the AC or authorized DHCP server.

To defend against bogus DHCP servers, disable the DHCP trusted port on an AP in service set view (V200R005 and earlier versions) or VAP profile view (V200R006 and later versions). A DHCP server sends three types of DHCP packets: Offer, ACK, and NACK. When the AP receives any of these DHCP packets from a user-side interface, it considers the packet sender as a bogus DHCP server. The AP then discards the packets and reports the event to the AC over the CAPWAP tunnel.

Other related questions:
Methods of configuring defense against bogus DHCP server attacks on S series switch
S series switches (except S1700 switches) support configuration of the DHCP Snooping trust function to prevent attacks from unauthorized DHCP servers and ensure clients can obtain IP addresses from authorized DHCP servers. As shown in the networking diagram on the right, the DHCP Client and Server are connected through the Switch. The following provides the procedure for configuring the DHCP Snooping trust function for S series switches:
1. Enable DHCP Snooping globally.
   [Huawei] dhcp enable
   [Huawei] dhcp snooping enable
2. Enable DHCP Snooping on user-side interfaces GE0/0/2 and GE0/0/3.
   [Huawei] interface gigabitethernet 0/0/2
   [Huawei-GigabitEthernet0/0/2] dhcp snooping enable
   [Huawei-GigabitEthernet0/0/2] quit
   [Huawei] interface gigabitethernet 0/0/3
   [Huawei-GigabitEthernet0/0/3] dhcp snooping enable
   [Huawei-GigabitEthernet0/0/3] quit
3. Configure the interface (GE0/0/1) connected to the DHCP Server as the trusted interface.
   [Huawei] interface gigabitethernet 0/0/1
   [Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
   [Huawei-GigabitEthernet0/0/1] quit

Defending against attacks from bogus DHCP servers
If a bogus DHCP server is deployed on the user side, STAs may obtain invalid IP addresses from the bogus DHCP server but not from an AC or authorized DHCP server. To prevent such a problem, disable the DHCP trusted port in an AC's service set view (for V200R005 or an earlier version) or VAP profile view (for V200R006 or a later version). A bogus DHCP server sends three types of DHCP packets: Offer, ACK, and NACK. When receiving any of these DHCP packets from a user-side interface, an AP considers the packet sender as a bogus DHCP server. If the AP is a Fat AP, it discards the packet. In the AC+Fit AP networking, the AP discards the packet and reports the bogus DHCP server information to the AC.

DHCP client cannot obtain a correct IP address
The request packets (DHCP Discover) are broadcast by the DHCP clients. If multiple DHCP servers are located on the same subnet (for example, a bogus DHCP server), the clients may obtain IP addresses from a bogus DHCP server. To address this problem, configure DHCP snooping. Then clients can receive DHCP packets from only the trusted DHCP server. Perform the following configuration:
1. Enable DHCP snooping globally.
   [Huawei] dhcp enable
   [Huawei] dhcp snooping enable
2. Enable DHCP snooping on the interface connected to the DHCP client.
   [Huawei] interface gigabitethernet 1/0/1 //Enter the view of the interface connected to the DHCP client.
   [Huawei-GigabitEthernet1/0/1] dhcp snooping enable
   [Huawei-GigabitEthernet1/0/1] quit
3. Configure the interface connected to the DHCP server as the trusted interface.
   [Huawei] interface gigabitethernet 1/0/2
   [Huawei-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface of the DHCP server as the trusted interface.
   [Huawei-GigabitEthernet1/0/2] quit
Note:
- When you configure DHCP snooping on a Layer 2 access device, steps 1, 2, and 3 are mandatory and must be performed in the following sequence.
- When you configure DHCP snooping on a DHCP relay agent, only steps 1 and 2 are required.
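The two switch procedures above and the AP behaviour described earlier all implement the same rule: a server-side DHCP message (Offer, ACK or NAK, option 53 values 2, 5 and 6) arriving on an interface that is not trusted must be dropped and the event recorded. The following Python model, added here as an illustration and not taken from Huawei's documentation or software, parses the message type out of a raw DHCP payload and applies that trust check per ingress interface. The interface names, MAC addresses and packet contents are constructed sample values; the `DhcpSnooping` class and `build_dhcp` helper are hypothetical names chosen for this example.

```python
"""Minimal model of the DHCP snooping trust check (added example, not Huawei code)."""
import struct

# DHCP message types carried in option 53 (RFC 2132).
DHCPOFFER, DHCPACK, DHCPNAK = 2, 5, 6
SERVER_MESSAGE_TYPES = {DHCPOFFER: "OFFER", DHCPACK: "ACK", DHCPNAK: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field


def dhcp_message_type(payload: bytes):
    """Return the option-53 value of a DHCP payload, or None if absent or malformed."""
    # The fixed BOOTP header is 236 bytes and is followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            return None          # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None          # truncated option value
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


def build_dhcp(msg_type: int, xid: int = 0x1234, yiaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal DHCP payload for testing (constructed sample data)."""
    op = 2 if msg_type in SERVER_MESSAGE_TYPES else 1   # BOOTREPLY for server messages
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 4                                   # ciaddr
    header += bytes(int(o) for o in yiaddr.split("."))      # yiaddr (offered address)
    header += b"\x00" * 8                                   # siaddr, giaddr
    header += b"\x00" * 16                                  # chaddr
    header += b"\x00" * 192                                 # sname, file
    assert len(header) == 236
    options = b"\x35\x01" + bytes([msg_type]) + b"\xff"     # option 53, then end
    return header + MAGIC_COOKIE + options


class DhcpSnooping:
    """Per-switch DHCP snooping state: trusted interfaces plus a log of dropped packets."""

    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)
        self.events = []  # (ingress interface, message type name, source MAC)

    def inspect(self, ingress_if: str, src_mac: str, payload: bytes) -> str:
        """Return 'forward' or 'drop' for a DHCP payload seen on ingress_if."""
        mtype = dhcp_message_type(payload)
        if mtype in SERVER_MESSAGE_TYPES and ingress_if not in self.trusted:
            # Server-only message on an untrusted (user-side) port: treat the
            # sender as a bogus DHCP server, discard the packet and record it.
            self.events.append((ingress_if, SERVER_MESSAGE_TYPES[mtype], src_mac))
            return "drop"
        return "forward"


def demo():
    """Replay the topology of the procedure above: GE0/0/1 trusted, GE0/0/2-3 user-side."""
    sw = DhcpSnooping(trusted_interfaces={"GE0/0/1"})
    results = [
        # Client Discover from a user-side port is allowed through.
        sw.inspect("GE0/0/2", "00:11:22:33:44:55", build_dhcp(1)),
        # Offer from the authorized server on the trusted port is allowed.
        sw.inspect("GE0/0/1", "aa:bb:cc:dd:ee:01", build_dhcp(DHCPOFFER, yiaddr="192.0.2.10")),
        # Offer and ACK from a host on a user-side port are dropped and logged.
        sw.inspect("GE0/0/3", "aa:bb:cc:dd:ee:02", build_dhcp(DHCPOFFER, yiaddr="198.51.100.7")),
        sw.inspect("GE0/0/3", "aa:bb:cc:dd:ee:02", build_dhcp(DHCPACK)),
    ]
    return results, sw.events


if __name__ == "__main__":
    decisions, dropped = demo()
    print("decisions:", decisions)
    for iface, kind, mac in dropped:
        print(f"bogus DHCP server: {kind} from {mac} on untrusted interface {iface}")
```

Running the module replays the three-port topology from the procedure: the client's Discover and the authorized server's Offer are forwarded, while the Offer and ACK from the host on GE0/0/3 are dropped and appear in the event log, which is the information an AP reports to the AC over the CAPWAP tunnel in the AC+Fit AP case.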
