How do we validate and fix malformed DHCP packets? How to configure and troubleshoot it in Aruba Instant?
This article focuses on understanding, enabling and verifying the "Fix Malformed DHCP" feature on Aruba Instant Access Points running Aruba Instant 188.8.131.52-184.108.40.206 software.
DHCPv4, the Dynamic Host Configuration Protocol for IPv4, allows a device attached to the network to automatically learn some or all of its network configuration, including its IP address. Most operating systems include DHCP client software.
DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different.
A typical DHCP packet structure:
Malformed DHCP packets are those that carry an empty or incorrect value in one or more fields of the DHCP packet. They may arise from software glitches on the client or on the DHCP server side. An attacker may also generate malformed DHCP packets deliberately, either to deplete the DHCP pool of the server or to mount a DoS attack against a resource that cannot process malformed DHCP packets: for example, a stream of malformed DHCP packets that cannot be purged from an interface queue results in a loss of availability for the interface once the queue fills and can no longer process new packets.
- The ongoing retries unnecessarily raise the workload for DHCP servers. On a large network with many clients, this can degrade or disrupt DHCP service.
- The ongoing retries unnecessarily raise the broadcast packet rate on the network. On a network with a significant number of affected devices, excessive broadcast traffic degrades (and can disrupt) service.
Aruba Instant mitigates and fixes malformed DHCP packets when the Fix Malformed DHCP feature is enabled.
If the dhcp-mac and eth-dst-mac fields of a DHCP Offer or Ack packet do not match and the client is not in the AP's association table, the AP fixes the DHCP frame by setting the eth-dst-mac to the dhcp-mac and sends it upstream.
Note: Malformed DHCP Discover and Request packets are dropped. This prevents a client from submitting multiple DHCP requests with different hardware addresses, and therefore prevents DHCP pool depletion.
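The check described above, written out as an added Python example (not Aruba's code): it builds constructed Ethernet/IPv4/UDP/DHCP frames, compares the DHCP client hardware address (chaddr, the dhcp-mac) with the Ethernet destination of Offer/Ack replies, rewrites the destination when they differ and the destination is not an associated client, and drops Discover/Request frames whose chaddr does not match the Ethernet source. The association table, the broadcast-destination exception and the eth-src-mac/chaddr comparison for requests are assumptions, since the article does not spell them out.

```python
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8      # untagged frame, no IP options (assumed)
BOOTP_OFF = ETH_LEN + IP_LEN + UDP_LEN   # start of the BOOTP/DHCP header
CHADDR_OFF = BOOTP_OFF + 28              # after op,htype,hlen,hops,xid,secs,flags,4 addrs
OPTIONS_OFF = BOOTP_OFF + 236 + 4        # fixed BOOTP header + magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BROADCAST = b"\xff" * 6

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_dhcp_frame(eth_dst, eth_src, chaddr, op, msg_type):
    """Constructed minimal Ethernet/IPv4/UDP/DHCP frame (checksums left zero)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac(chaddr), b"\0" * 64, b"\0" * 128)   # 16s pads chaddr
    options = b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])  # cookie, msg type, end
    payload_len = len(bootp) + len(options)
    sport, dport = (67, 68) if op == BOOTREPLY else (68, 67)
    udp = struct.pack("!HHHH", sport, dport, UDP_LEN + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + UDP_LEN + payload_len,
                     0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return mac(eth_dst) + mac(eth_src) + b"\x08\x00" + ip + udp + bootp + options

def dhcp_msg_type(frame):
    """Walk the DHCP option TLVs and return the value of option 53 (message type)."""
    i = OPTIONS_OFF
    while i < len(frame) and frame[i] != 255:
        if frame[i] == 53:
            return frame[i + 2]
        i += 1 if frame[i] == 0 else 2 + frame[i + 1]   # pad option has no length byte
    return None

def check_and_fix(frame, assoc_table):
    """Return (action, frame); action is 'forward', 'fixed' or 'drop'."""
    op, mtype = frame[BOOTP_OFF], dhcp_msg_type(frame)
    eth_dst, eth_src = frame[0:6], frame[6:12]
    chaddr = frame[CHADDR_OFF:CHADDR_OFF + 6]        # the "dhcp-mac"
    if op == BOOTREPLY and mtype in (OFFER, ACK):
        if eth_dst == chaddr or eth_dst == BROADCAST or eth_dst in assoc_table:
            return "forward", frame                   # broadcast replies assumed legitimate
        return "fixed", chaddr + frame[6:]            # rewrite eth-dst-mac to the dhcp-mac
    if op == BOOTREQUEST and mtype in (DISCOVER, REQUEST):
        if eth_src != chaddr:                         # assumed malformed-request check
            return "drop", frame
    return "forward", frame
```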
A DHCP Offer packet capture where the Ethernet source MAC and the client MAC address differ:
The configuration and verification steps mentioned in this article are tested on IAP 105 running 220.127.116.11-18.104.22.168.
Environment: This article applies to all IAPs running a minimum OS version of 22.214.171.124-126.96.36.199.
Fix Malformed DHCP can be configured from either the Instant UI or the CLI.
In the Instant UI
1. Click the Security link at the top right corner of the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed.
3. Select the following check box:
- Fix Malformed DHCP
4. Click OK.
In the Instant CLI
(Instant Access Point)(config)# attack
(Instant Access Point)(ATTACK)# fix-dhcp-enable
(Instant Access Point)(ATTACK)# end
(Instant Access Point)# commit apply
To view the configuration status:
(Instant Access Point)# show attack config
To view the attack statistics:
(Instant Access Point)# show attack stats
arp packet counter 10
drop bad arp packet counter 2
dhcp response packet counter 15
fixed bad dhcp packet counter 1
send arp attack alert counter 3
send dhcp attack alert counter 0
arp poison check counter 0
garp send check counter 0