【HUAWEI&H3C】Comparing the DHCP Relay and DHCP Snooping configuration of Huawei and H3C
Principles
DHCP starvation attack
A DHCP starvation attack is one in which an attacker forges DHCP request packets whose chaddr fields all differ and uses them to request a large number of IP addresses from the DHCP server. Either the server's address pool is exhausted, so legitimate DHCP clients can no longer be assigned an address, or the server burns so many system resources that it can no longer handle normal service.
If the source MAC addresses of the frames carrying the DHCP requests all differ, the mac-address max-mac-count command can cap the number of MAC addresses a port may learn, combined with discarding frames whose source MAC is not in the MAC address table once that cap is reached. This stops the attacker from requesting too many addresses and mitigates the starvation attack to some extent: DHCP clients on ports that are not under attack still obtain addresses normally, but DHCP clients on the attacked port itself may still fail to obtain one.
If the frames carrying the DHCP requests all share the same source MAC address, mac-address max-mac-count cannot stop the attack, and the DHCP Snooping MAC address check has to be enabled instead. With it enabled, the DHCP Snooping device checks whether the chaddr field of each received DHCP request matches the source MAC address of the frame that carries it. If they match, the request is treated as legitimate and forwarded to the DHCP server; if not, it is dropped.
The topology is as follows:
==============================================================
【Huawei】
Step 1: Configure the DHCP service on AR1 and DHCP relay on AR2
AR1:
#
dhcp enable
#
ip pool AR1
gateway-list 192.168.12.1
network 192.168.12.0 mask 255.255.255.0
#
ip pool AR2
gateway-list 192.168.23.2
network 192.168.23.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 192.168.12.1 255.255.255.0
dhcp select global
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.12.0 0.0.0.255
AR2:
# DHCP must also be enabled globally on this device, otherwise the relay will not process DHCP packets
dhcp enable
#
interface GigabitEthernet0/0/0
ip address 192.168.12.2 255.255.255.0
# Enable DHCP relay on the client-facing interface; the giaddr 192.168.23.2 the relay inserts is what makes AR1 allocate from pool AR2
interface GigabitEthernet0/0/1
ip address 192.168.23.2 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.12.1
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.23.0 0.0.0.255
Step 2: Verify that PC1 and PC2 obtain IP addresses normally
Step 3: Enable the DHCP service on the rogue DHCP server AR3
AR3:
#
dhcp enable
#
ip pool AR3
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.10.10.1 255.255.255.0
dhcp select global
#
Step 4: Check PC2 again. With a second server on its segment it may now obtain an address from the rogue AR3, because the client takes whichever OFFER it processes first.
Step 5: Configure DHCP Snooping on LSW2, enabling protection against both the starvation attack and the man-in-the-middle (rogue server) attack
#
dhcp enable
#
dhcp snooping enable
# Defend against ARP man-in-the-middle attacks by tying ARP to the DHCP Snooping binding table
arp dhcp-snooping-detect enable
#
interface Ethernet0/0/1
dhcp snooping enable
# Uplink to AR2: the only port allowed to deliver DHCP server replies (OFFER/ACK)
dhcp snooping trusted
#
interface Ethernet0/0/2
dhcp snooping enable
# Defend against DHCP starvation: drop requests whose chaddr differs from the frame's source MAC (apply this on every untrusted port, not just one)
dhcp snooping check dhcp-chaddr enable
#
interface Ethernet0/0/3
dhcp snooping enable
#
Configuration complete; the DHCP Snooping binding table on LSW2 can now be checked with display dhcp snooping user-bind all
=====================================================================
【H3C】
R1 (DHCP server, counterpart of AR1):
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.12.0 0.0.0.255
#
dhcp enable
#
dhcp server ip-pool pool1
gateway-list 192.168.12.1
network 192.168.12.0 mask 255.255.255.0
#
dhcp server ip-pool pool2
gateway-list 192.168.23.2
network 192.168.23.0 mask 255.255.255.0
#
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
dhcp select server
-----------------------
R2 (DHCP relay, counterpart of AR2):
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.23.0 0.0.0.255
#
dhcp enable
#
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
#
interface GigabitEthernet0/1
ip address 192.168.23.2 255.255.255.0
dhcp select relay
dhcp relay server-address 192.168.12.1
--------------------------------
SW5 (DHCP Snooping switch, counterpart of LSW2):
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
port link-mode bridge
combo enable fiber
# Uplink to R2: trusted port, the only one allowed to deliver server replies
dhcp snooping trust
#
interface GigabitEthernet1/0/2
# H3C equivalent of Huawei's dhcp snooping check dhcp-chaddr enable: drop requests whose chaddr differs from the frame's source MAC
dhcp snooping check mac-address
#
interface GigabitEthernet1/0/3
dhcp snooping check mac-address
#
Note: the SW5 configuration above only filters. On Comware 7 the switch records binding entries (the equivalent of the LSW2 table) only if dhcp snooping binding record is also configured on the client-facing ports.
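The checks described in the principles section (chaddr versus frame source MAC, and the mac-address max-mac-count limit) and configured on LSW2 in step 5 and on SW5 above can be modelled as a small packet filter. The following is an added example written for this page, not vendor code or output captured from the lab: it builds constructed DHCP frames, applies trusted-port filtering of server replies, the chaddr check, a per-port MAC-learning limit, and records bindings from ACKs arriving on the trusted port. The port names, MAC addresses, the leased address 192.168.23.10 and the rogue offer 10.10.10.2 are assumptions, and unlike the LSW2 config the chaddr check is applied on both untrusted ports, as SW5 does.

```python
"""Added example, not vendor code: a model of the DHCP Snooping checks configured
on LSW2/SW5 (trusted port, chaddr check, mac-address max-mac-count, binding table)."""
import struct
from collections import defaultdict

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK, DHCP_NAK = 1, 2, 5, 6
SERVER_MSG_TYPES = {DHCP_OFFER, DHCP_ACK, DHCP_NAK}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp_frame(src_mac, chaddr, op, msg_type, yiaddr="0.0.0.0"):
    """Constructed Ethernet/IPv4/UDP/DHCP frame for testing (not a capture).
    Only the fields the snooping checks read are filled in; checksums are left 0."""
    dhcp = (bytes([op, 1, 6, 0]) + b"\x00" * 12                 # op/htype/hlen/hops, xid, secs, flags, ciaddr
            + bytes(int(o) for o in yiaddr.split(".")) + b"\x00" * 8   # yiaddr, siaddr, giaddr
            + bytes.fromhex(chaddr.replace(":", "")) + b"\x00" * 10    # chaddr (16 bytes)
            + b"\x00" * 192                                     # sname + file
            + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255]))      # cookie, option 53, end
    sport, dport = (68, 67) if op == BOOTREQUEST else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


def parse_frame(frame):
    """Return the fields the checks need, or None if this is not DHCP over UDP/IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if set(struct.unpack("!HH", udp[:4])) != {67, 68}:
        return None
    dhcp = udp[8:]
    opts, i, msg_type = dhcp[240:], 0, None       # options follow the 236-byte header + 4-byte cookie
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                          # pad option
            i += 1
            continue
        if opts[i] == 53:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    return {"src_mac": mac_str(frame[6:12]), "op": dhcp[0], "msg_type": msg_type,
            "chaddr": mac_str(dhcp[28:34]), "yiaddr": ".".join(str(b) for b in dhcp[16:20])}


class DhcpSnoopingSwitch:
    """Per-port policy mirroring the LSW2/SW5 configuration (assumed simplification)."""

    def __init__(self, trusted_ports, chaddr_check_ports, max_mac_count):
        self.trusted = set(trusted_ports)
        self.chaddr_check = set(chaddr_check_ports)
        self.max_mac_count = dict(max_mac_count)    # port -> mac-address max-mac-count
        self.mac_table = defaultdict(set)           # port -> learned source MACs
        self.binding_table = {}                     # client MAC -> (leased IP, port)

    def handle(self, port, frame):
        """Return 'forward' or a 'drop: ...' reason for one ingress frame."""
        pkt = parse_frame(frame)
        if pkt is None:
            return "forward"                        # not DHCP: outside the snooping module
        learned = self.mac_table[port]
        if pkt["src_mac"] not in learned:           # MAC learning with the per-port limit
            limit = self.max_mac_count.get(port)
            if limit is not None and len(learned) >= limit:
                return "drop: mac-address max-mac-count reached"
            learned.add(pkt["src_mac"])
        if pkt["op"] == BOOTREPLY or pkt["msg_type"] in SERVER_MSG_TYPES:
            if port not in self.trusted:            # OFFER/ACK/NAK only via the trusted uplink
                return "drop: server reply on untrusted port"
            if pkt["msg_type"] == DHCP_ACK:         # lease confirmed: record the binding
                self.binding_table[pkt["chaddr"]] = (pkt["yiaddr"], port)
            return "forward"
        if port in self.chaddr_check and pkt["chaddr"] != pkt["src_mac"]:
            return "drop: chaddr does not match source MAC"
        return "forward"


def run_scenario():
    """Replay the page's situations on constructed frames; returns verdicts and bindings."""
    sw = DhcpSnoopingSwitch(trusted_ports={"E0/0/1"}, chaddr_check_ports={"E0/0/2", "E0/0/3"},
                            max_mac_count={"E0/0/3": 3})
    pc2, ar2, ar3 = "00:11:22:33:44:55", "00:aa:aa:aa:aa:02", "00:aa:aa:aa:aa:03"  # assumed MACs
    frames = [
        ("E0/0/2", build_dhcp_frame(pc2, pc2, BOOTREQUEST, DHCP_DISCOVER)),            # PC2 DISCOVER
        ("E0/0/3", build_dhcp_frame(ar3, pc2, BOOTREPLY, DHCP_OFFER, "10.10.10.2")),    # rogue AR3 OFFER
        ("E0/0/1", build_dhcp_frame(ar2, pc2, BOOTREPLY, DHCP_ACK, "192.168.23.10")),   # ACK relayed by AR2
        ("E0/0/3", build_dhcp_frame("00:bb:bb:bb:bb:01", "00:bb:bb:bb:bb:02",
                                    BOOTREQUEST, DHCP_DISCOVER)),                       # forged chaddr
        ("E0/0/3", build_dhcp_frame("00:bb:bb:bb:bb:03", "00:bb:bb:bb:bb:03",
                                    BOOTREQUEST, DHCP_DISCOVER)),                       # 3rd MAC on port
        ("E0/0/3", build_dhcp_frame("00:bb:bb:bb:bb:04", "00:bb:bb:bb:bb:04",
                                    BOOTREQUEST, DHCP_DISCOVER)),                       # 4th MAC on port
    ]
    return {"verdicts": [sw.handle(port, f) for port, f in frames], "bindings": dict(sw.binding_table)}


if __name__ == "__main__":
    for verdict in run_scenario()["verdicts"]:
        print(verdict)
```

The order of the checks (MAC learning, then trust, then chaddr) is this model's own choice, not a statement about how either vendor's ASIC pipelines them. The second frame is the step 4 failure mode: once E0/0/1 is the only trusted port, AR3's OFFER is dropped at the access switch and PC2 can only be offered 192.168.23.x through AR2. The last three frames show why both mitigations from the principles section are needed: the chaddr check stops the single-source-MAC variant, while mac-address max-mac-count lets a few rotating-MAC requests through before cutting the port off.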