https://live.paloaltonetworks.com/t5/next-generation-firewall/mitigation-for-dhcp-starvation-attack-in-shared-network-zone-e-g/m-p/561009#M1937 <P>Hi everyone,&nbsp;</P> <P>Is there anyway for us to utilize Palo NGFW to prevent or mitigate DHCP starvation attack.&nbsp;</P> <P>For example, a user's BYOD device is infected with malware, after authenticated with eduroam network, the device start performing DHCP starvation attack without the user even realize.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have tried looking online for solutions, there's recommendation such as DHCP snooping, port security in layer 2 but not sure if it is effective for shared network/wifi zone.&nbsp;</P> <P>&nbsp;</P> <P>Thank you in advance your help!</P> Tue, 10 Oct 2023 03:26:13 GMT LuckyLau 2023-10-10T03:26:13Z https://live.paloaltonetworks.com/t5/next-generation-firewall/mitigation-for-dhcp-starvation-attack-in-shared-network-zone-e-g/m-p/561009#M1937 <P>Hi everyone,&nbsp;</P> <P>Is there anyway for us to utilize Palo NGFW to prevent or mitigate DHCP starvation attack.&nbsp;</P> <P>For example, a user's BYOD device is infected with malware, after authenticated with eduroam network, the device start performing DHCP starvation attack without the user even realize.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have tried looking online for solutions, there's recommendation such as DHCP snooping, port security in layer 2 but not sure if it is effective for shared network/wifi zone.&nbsp;</P> <P>&nbsp;</P> <P>Thank you in advance your help!</P> Tue, 10 Oct 2023 03:26:13 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/mitigation-for-dhcp-starvation-attack-in-shared-network-zone-e-g/m-p/561009#M1937 LuckyLau 2023-10-10T03:26:13Z https://live.paloaltonetworks.com/t5/next-generation-firewall/mitigation-for-dhcp-starvation-attack-in-shared-network-zone-e-g/m-p/561069#M1940 <P>Hello LuckyLau,</P> <P>&nbsp;</P> <P>You can set some rate limiting toward the DHCP server with DoS profile.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/classified-versus-aggregate-dos-protection" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/classified-versus-aggregate-dos-protection</A></P> <P>&nbsp;</P> <P>But not sure it is as efficient as other L2 mechanism (I'm a fan of blocking as soon as possible an unwanted traffic)</P> <P>&nbsp;</P> <P>Olivier</P> Tue, 10 Oct 2023 08:27:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/mitigation-for-dhcp-starvation-attack-in-shared-network-zone-e-g/m-p/561069#M1940 ozheng 2023-10-10T08:27:40Z