Intermittent User Disconnection When the Switch Functions as a Gateway

Publication Date: 2015-03-24
Issue Description
Applicable Products and Versions: All products and versions.

Intermittent User Disconnection When the Switch Functions as a Gateway.
Alarm Information
When the switch functions as a gateway, users are frequently disconnected from and reconnected to the LAN, and the switch generates a large number of address conflict alarms.

ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING])
Handling Process
1.  Remove the virus from the PC.

2.  Configure the ARP gateway anti-collision function on the switch.

The switch then generates ARP anti-attack entries and discards the ARP packets with the same source MAC address from the same VLAN in a certain period. This can prevent ARP packets with the bogus gateway address from being broadcast on a VLAN.

<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
Root Cause
To determine the cause, perform the following operations:

1.  Run the display logbuffer command in any view, and obtain the attacker's MAC address from the displayed logs.
<HUAWEI> display logbuffer
……
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING]).
……

2.  Search for the attacker's MAC address in the MAC address table to find out the interface connected to the attack source.

3.  Locate the attack source. The fault occurs because a PC that is infected with a virus acts as the gateway to request IP addresses from the devices on the network segment.
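
Steps 1 and 2 can be scripted when the log buffer is long. The following is an added example, not code from the original page or from the vendor: it tallies ARP_DUPLICATE_IPADDR entries that claim the gateway address, grouped by sender MAC address and receiving interface, so the busiest source is the first one to look up in the MAC address table. The gateway address 192.0.2.1 and every value in the sample log are constructed.

```python
import re
from collections import Counter

# Fields of the ARP_DUPLICATE_IPADDR alarm as printed on this page. Whatever
# precedes the mnemonic (timestamp, host name) is ignored.
ALARM_RE = re.compile(
    r"ARP/4/ARP_DUPLICATE_IPADDR.*?"
    r"\(IpAddress=(?P<ip>[^,]+),\s*"
    r"InterfaceName=(?P<ifname>[^,]+),\s*"
    r"MacAddress=(?P<mac>[^)]+)\)"
)

def rank_sources(log_text, gateway_ip):
    """Tally alarms in which a sender claimed gateway_ip.

    Returns [((mac, interface), count), ...] with the most frequent first.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = ALARM_RE.search(line)
        if m is None:
            continue  # unrelated log entry
        if m.group("ip").strip() != gateway_ip:
            continue  # address conflict on a host IP, not the gateway
        key = (m.group("mac").strip().lower(), m.group("ifname").strip())
        hits[key] += 1
    return hits.most_common()

_MSG = ("ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate "
        "IP address from the interface. (IpAddress={}, InterfaceName={}, "
        "MacAddress={})")

# Constructed sample: documentation IPs, made-up MACs, ports and timestamps.
SAMPLE_LOG = "\n".join([
    "10:00:01 " + _MSG.format("192.0.2.1", "GigabitEthernet0/0/5", "0011-2233-4455"),
    "10:00:02 " + _MSG.format("192.0.2.1", "GigabitEthernet0/0/5", "0011-2233-4455"),
    "10:00:03 " + _MSG.format("192.0.2.50", "GigabitEthernet0/0/7", "0aaa-bbbb-cccc"),
    "10:00:04 (unrelated log entry)",
    "10:00:05 " + _MSG.format("192.0.2.1", "GigabitEthernet0/0/9", "6677-8899-AABB"),
    "10:00:06 " + _MSG.format("192.0.2.1", "GigabitEthernet0/0/5", "0011-2233-4455"),
])

if __name__ == "__main__":
    for (mac, ifname), count in rank_sources(SAMPLE_LOG, "192.0.2.1"):
        print(f"{count:4d}  {mac}  {ifname}")
```

A MAC address that appears on an uplink or trunk interface only shows the direction of the source; repeat the MAC address table lookup on the downstream switch until an access port is reached.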
Suggestions
The attacker sets the gateway address to the static IP address of the infected PC. The PC then broadcasts gratuitous ARP packets on the LAN. When the other PCs on the LAN receive these packets, they change the gateway MAC address to the attacker's MAC address in their local gateway ARP entries. As a result, no users on the LAN can access the network normally.

The attacker frequently sends gratuitous ARP packets with the source IP address as the bogus gateway address. Even if the gateway can request uninfected hosts to recover the gateway MAC address when it receives the ARP packets, frequent changes of the gateway MAC address on the hosts will also result in network disconnections.
