The techniques that are used to mitigate CAM table flooding can
also be used to mitigate DHCP starvation by limiting the number of MAC
addresses on a switch port. As implementation of RFC 3118, Authentication for
DHCP Messages, increases, DHCP starvation attacks will become more difficult.
Additional features in the Catalyst family of switches, such as the DHCP
snooping feature, can be used to help guard against a DHCP starvation attack.
DHCP snooping is a security feature that filters untrusted DHCP messages and
builds and maintains a DHCP snooping binding table. The binding table contains
information such as the MAC address, IP address, lease time, binding type, VLAN
number, and the interface information corresponding to the local untrusted
interfaces of a switch. Untrusted messages are those received from outside the
network or firewall, and untrusted switch interfaces are the ones configured to
receive such messages from outside the network or firewall.
The following commands can be used to mitigate DHCP starvation attacks using
DHCP snooping:
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan vlan_id {,vlan_id}
switch(config-if)#ip dhcp snooping trust
switch(config-if)#ip dhcp snooping limit rate rate
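To make the switch-side behaviour concrete, the following is an added model (not Cisco IOS code, and not part of the original text) of what the four commands above turn on: DHCP server messages are dropped on untrusted ports, the client hardware address is checked against the frame's source MAC, each untrusted port is rate-limited and err-disabled when it exceeds its limit (which is what stops a DISCOVER flood with random MACs from exhausting the server's pool), and a binding table entry holding MAC, IP, lease expiry, binding type, VLAN and client port is created when a trusted ACK completes an exchange seen on an untrusted port. The message fields, port names (Gi1/1, Gi1/2, Gi1/3) and the `demo()` exchange are constructed for this example.

```python
"""Toy model of DHCP snooping: untrusted-port filtering, per-port rate
limiting and a binding table. Added illustration, not Cisco IOS code;
message fields and port names are constructed."""
import time
from dataclasses import dataclass

# DHCP message types (RFC 2132 option 53 values)
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
SERVER_MSGS = {OFFER, ACK}      # only a DHCP server legitimately sends these


@dataclass
class DhcpMsg:
    iface: str        # switch port the frame arrived on
    vlan: int
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address in the DHCP header
    mtype: int        # option 53 message type
    yiaddr: str = ""  # address offered/assigned (OFFER, ACK)
    lease: int = 0    # lease time in seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    lease_expiry: float
    btype: str        # "dhcp-snooping" for dynamically learned entries
    vlan: int
    iface: str        # the client's port, not the server's


class DhcpSnooper:
    def __init__(self, trusted, rate_limit=None, clock=time.monotonic):
        self.trusted = set(trusted)          # ports with "ip dhcp snooping trust"
        self.rate_limit = rate_limit or {}   # port -> packets per second
        self.clock = clock
        self.bindings = {}                   # (vlan, mac) -> Binding
        self.pending = {}                    # (vlan, chaddr) -> client port
        self.errdisabled = set()
        self._window = {}                    # port -> (second, count)

    def _exceeds_rate(self, iface):
        limit = self.rate_limit.get(iface)
        if limit is None:
            return False
        now = int(self.clock())
        sec, count = self._window.get(iface, (now, 0))
        if sec != now:                       # new one-second window
            sec, count = now, 0
        count += 1
        self._window[iface] = (sec, count)
        return count > limit

    def process(self, m):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if m.iface in self.errdisabled:
            return "drop", "port err-disabled"
        if m.iface in self.trusted:
            return self._from_trusted(m)
        # Untrusted port: rate limit first, so a DISCOVER flood with random
        # MACs shuts this port instead of exhausting the server's pool.
        if self._exceeds_rate(m.iface):
            self.errdisabled.add(m.iface)
            return "drop", "rate limit exceeded, port err-disabled"
        if m.mtype in SERVER_MSGS:
            return "drop", "server message on untrusted port"
        if m.src_mac.lower() != m.chaddr.lower():
            return "drop", "chaddr does not match source MAC"
        key = (m.vlan, m.chaddr.lower())
        if m.mtype == RELEASE:
            b = self.bindings.get(key)
            if b is None or b.iface != m.iface:
                return "drop", "release for binding not owned by this port"
            del self.bindings[key]
            return "forward", "binding removed"
        self.pending[key] = m.iface          # remember which port the client is on
        return "forward", "client message"

    def _from_trusted(self, m):
        # Trusted ports are not filtered; an ACK completes the binding for a
        # client previously seen requesting on an untrusted port.
        if m.mtype == ACK:
            key = (m.vlan, m.chaddr.lower())
            port = self.pending.pop(key, None)
            if port is not None:
                self.bindings[key] = Binding(m.chaddr.lower(), m.yiaddr,
                                             self.clock() + m.lease,
                                             "dhcp-snooping", m.vlan, port)
        return "forward", "trusted port"


def demo():
    """Constructed exchange: one legitimate lease, one rogue OFFER, one flood."""
    t = [100.0]                              # fake clock for a deterministic run
    s = DhcpSnooper(trusted={"Gi1/1"}, rate_limit={"Gi1/2": 3}, clock=lambda: t[0])
    mac, srv = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    out = [s.process(DhcpMsg("Gi1/2", 10, mac, mac, DISCOVER))[0],
           s.process(DhcpMsg("Gi1/1", 10, srv, mac, OFFER, "10.0.0.5"))[0],
           s.process(DhcpMsg("Gi1/2", 10, mac, mac, REQUEST))[0],
           s.process(DhcpMsg("Gi1/1", 10, srv, mac, ACK, "10.0.0.5", 3600))[0],
           s.process(DhcpMsg("Gi1/3", 10, "de:ad:be:ef:00:01", mac, OFFER, "10.0.0.99"))[0]]
    t[0] = 101.0                             # next second: fresh rate window
    for i in range(4):                       # 4 DISCOVERs on a port limited to 3/s
        fake = f"02:00:00:00:00:{i:02x}"
        out.append(s.process(DhcpMsg("Gi1/2", 10, fake, fake, DISCOVER))[0])
    return out, s.bindings, s.errdisabled


if __name__ == "__main__":
    verdicts, table, disabled = demo()
    print(verdicts, disabled)
    for b in table.values():
        print(b)
```

In `demo()` the rogue OFFER on the untrusted port Gi1/3 is dropped, the legitimate exchange leaves one `dhcp-snooping` binding pointing at the client's port Gi1/2, and the fourth DISCOVER within one second on Gi1/2 pushes the port over its configured limit and err-disables it, mirroring what `ip dhcp snooping limit rate` does on the switch.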