DHCP
The following table lists the auto rules that are used to mitigate DHCP DDoS attacks on your advanced appliance.
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
100200110 | Auto | EARLY PASS IPv4 TCP messages for Kerberos | This rule passes TCP IPv4 Kerberos messages initiated by the appliance if the packet rate is less than the Packets per second value. If the packets sent are over this value, the appliance allows traffic up to the rate limit and then blocks traffic for the remainder of the Drop interval. | Enabled when GSS-TSIG is configured and IPv4 or IPv6 DHCP service is enabled on this member. | Packets per second (default=300); Drop interval (default=10 sec); Rate algorithm (default=rate limiting); Events per second (default=1) | |
100200120 | Auto | EARLY PASS IPv6 TCP messages for Kerberos. | This rule passes TCP IPv6 Kerberos messages initiated by the appliance if the packet rate is less than the Packets per second value. If the packets sent are over this value, the appliance allows traffic up to the rate limit and then blocks traffic for the remainder of the Drop interval. | Enabled when GSS-TSIG is configured and IPv4 or IPv6 DHCP service is enabled on this member. | Packets per second (default=300); Drop interval (default=10 sec); Rate algorithm (default=rate limiting); Events per second (default=1) | |
100200210 | Auto | EARLY PASS KERBEROS IPv4 UDP response traffic. | This rule passes UDP IPv4 Kerberos response packets if the packet rate is less than the Packets per second value. If the Kerberos response packets are over this value, the appliance allows Kerberos traffic up to the rate limit and then blocks Kerberos traffic for the remainder of the Drop interval. | Enabled when GSS-TSIG is configured and IPv4 or IPv6 DHCP service is enabled on this member. | Packets per second (default=300); Drop interval (default=10 sec); Rate algorithm (default=rate limiting); Events per second (default=1) | |
100200220 | Auto | EARLY PASS KERBEROS IPv6 UDP response traffic. | This rule passes UDP IPv6 Kerberos response packets if the packet rate is less than the Packets per second value. If the Kerberos response packets are over this value, the appliance allows Kerberos traffic up to the rate limit and then blocks Kerberos traffic for the remainder of the Drop interval. | Enabled when GSS-TSIG is configured and IPv4 or IPv6 DHCP service is enabled on this member. | Packets per second (default=300); Drop interval (default=10 sec); Rate algorithm (default=rate limiting); Events per second (default=1) | |
100200300 | Auto | EARLY PASS Radius UDP response traffic. | This rule passes UDP Radius response packets if the packet rate is less than the Packets per second value. If the Radius response packets are over this value, the appliance allows Radius traffic up to the rate limit and then blocks Radius traffic for the remainder of the Drop interval. | Enabled when RADIUS Authenticated DHCP is configured and DHCP service is enabled on this member. | Packets per second (default=300); Drop interval (default=10 sec); Rate algorithm (default=rate limiting); Events per second (default=1) | |
130905000 | Auto | PASS IPv4 DHCP Client Request | This rule allows IPv4 DHCP packets when IPv4 DHCP is enabled. | Enabled when IPv4 DHCP service is enabled on this member. | N/A | There is currently no rate limiting support for this rule. |
130905100 | Auto | PASS IPv6 DHCP Client Request | This rule allows IPv6 DHCP packets when IPv6 DHCP is enabled. | Enabled when IPv6 DHCP service is enabled on this member. | N/A | There is currently no rate limiting support for this rule. |
130905200 | Auto | PASS IPv4 DHCP Fail-Over Association | This rule allows DHCP failover request packets when IPv4 DHCP failover is enabled. | Enabled when IPv4 DHCP failover is enabled on this member. | N/A | |
130905300 | Auto | PASS IPv4 DHCP Fail-Over Notification | This rule allows DHCP failover notification packets when IPv4 DHCP failover is enabled. | Enabled when IPv4 DHCP failover is enabled on this member. | N/A | |
130905400 | Auto | PASS DHCP UDP DDNS Response | This rule allows UDP Dynamic DNS Update Response packets when DHCP is enabled. | Enabled when DHCP service is enabled on this member. | N/A | |
130906000 | Auto | DROP IPv4 DHCP unexpected | This rule drops all IPv4 DHCP packets when IPv4 DHCP is disabled. | Enabled when IPv4 DHCP service is disabled on this member. | N/A | |
130906100 | Auto | DROP IPv6 DHCP unexpected | This rule drops all IPv6 DHCP packets when IPv6 DHCP is disabled. | Enabled when IPv6 DHCP service is disabled on this member. | N/A | |
130906200 | Auto | DROP IPv4 DHCP Fail-Over Association unexpected | This rule drops DHCP failover request packets when IPv4 DHCP failover is disabled. | Enabled when IPv4 DHCP failover is enabled on this member. | N/A | |
130906300 | Auto | DROP IPv4 DHCP Fail-Over Notification | This rule drops DHCP failover notification packets when IPv4 DHCP failover is disabled. | Enabled when IPv4 DHCP failover is disabled on this member. | N/A | |