Mitigation for DHCP Starvation attack in shared network zone (e.g.Eduroam)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Mitigation for DHCP Starvation attack in shared network zone (e.g.Eduroam)

L1 Bithead

Hi everyone, 

Is there anyway for us to utilize Palo NGFW to prevent or mitigate DHCP starvation attack. 

For example, a user's BYOD device is infected with malware, after authenticated with eduroam network, the device start performing DHCP starvation attack without the user even realize.  

 

I have tried looking online for solutions, there's recommendation such as DHCP snooping, port security in layer 2 but not sure if it is effective for shared network/wifi zone. 

 

Thank you in advance your help!

1 REPLY 1

L4 Transporter

Hello LuckyLau,

 

You can set some rate limiting toward the DHCP server with DoS profile.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-de...

 

But not sure it is as efficient as other L2 mechanism (I'm a fan of blocking as soon as possible an unwanted traffic)

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

  • 1027 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!