ARP Miss Attack in S9300 when ARP service was running

Publication Date:  2013-01-14
Issue Description
We deployed Huawei S9306 switches at the customer site and are getting some problems on the switch.
The following are the logs we received on the switch on particular ports.
Alarm Information
Jan 12 2013 13:48:05 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[9]:Interface GigabitEthernet2/0/2 has turned into UP state.
Jan 12 2013 13:48:02 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[10]:Interface GigabitEthernet2/0/2 has turned into DOWN state.
Jan 12 2013 13:40:22 DG-KP-Plant-Core-SW1 %%01HWCM/4/EXIT(l)[11]:Exit from configure mode.
Jan 12 2013 13:36:28 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[12]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/2, SourceIP=10.120.100.1, AttackPackets=7 packets per second)
Jan 12 2013 13:35:56 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[13]:Interface GigabitEthernet2/0/2 has turned into UP state.
Jan 12 2013 13:35:53 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[14]:Interface GigabitEthernet2/0/2 has turned into DOWN state.
Jan 12 2013 13:33:14 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[15]:Interface GigabitEthernet2/0/2 has turned into UP state.
Jan 12 2013 13:33:12 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[16]:Interface GigabitEthernet2/0/2 has turned into DOWN state.
Jan 12 2013 13:31:45 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[17]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/5, SourceIP=10.120.100.2, AttackPackets=6 packets per second)
Jan 12 2013 13:31:43 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[18]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/18, SourceIP=192.168.120.161, AttackPackets=6 packets per second)
Jan 12 2013 13:31:13 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[19]:Interface GigabitEthernet2/0/2 has turned into UP state.
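The alarm lines above follow one VRP log layout (timestamp, hostname, %%01MODULE/severity/NAME(l)[seq]:body), so they can be parsed and correlated automatically instead of read by hand. The script below is an added example for a log collector, not part of the original case or of Huawei's tooling: it parses the page's own alarm lines (embedded as sample input), groups ARP Miss alarms by ingress interface and source IP, counts link-down transitions per interface, and lists the interfaces where an ARP Miss alarm coincides with link flaps. The field names in the returned dictionary and the 5 pps reporting threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: alarm lines copied from the page's "Alarm Information" section
# (the switch lists them newest first).
SAMPLE_LOG = """\
Jan 12 2013 13:48:05 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[9]:Interface GigabitEthernet2/0/2 has turned into UP state.
Jan 12 2013 13:48:02 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[10]:Interface GigabitEthernet2/0/2 has turned into DOWN state.
Jan 12 2013 13:40:22 DG-KP-Plant-Core-SW1 %%01HWCM/4/EXIT(l)[11]:Exit from configure mode.
Jan 12 2013 13:36:28 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[12]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/2, SourceIP=10.120.100.1, AttackPackets=7 packets per second)
Jan 12 2013 13:35:56 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[13]:Interface GigabitEthernet2/0/2 has turned into UP state.
Jan 12 2013 13:35:53 DG-KP-Plant-Core-SW1 %%01IFNET/4/IF_STATE(l)[14]:Interface GigabitEthernet2/0/2 has turned into DOWN state.
Jan 12 2013 13:31:45 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[17]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/5, SourceIP=10.120.100.2, AttackPackets=6 packets per second)
Jan 12 2013 13:31:43 DG-KP-Plant-Core-SW1 %%01SECE/4/ARPMISS(l)[18]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/0/18, SourceIP=192.168.120.161, AttackPackets=6 packets per second)
"""

# Header shared by every line: timestamp, hostname, %%01MODULE/SEVERITY/NAME(l)[seq]:body
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01(?P<module>[A-Z]+)/(?P<severity>\d)/(?P<name>[A-Z_]+)\(l\)\[(?P<seq>\d+)\]:(?P<body>.*)$"
)
# key=value pairs inside the "Attack occurred.( ... )" body of an ARPMISS alarm
ARPMISS_KV_RE = re.compile(r"(\w+)=([^,)]+)")
# interface name and new state from an IF_STATE body
IF_STATE_RE = re.compile(r"Interface (\S+) has turned into (UP|DOWN) state")


def parse_line(line):
    """Parse one VRP log line into a dict; return None for lines that do not match the header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["severity"] = int(ev["severity"])
    ev["seq"] = int(ev["seq"])
    if ev["name"] == "ARPMISS":
        kv = dict(ARPMISS_KV_RE.findall(ev["body"]))
        ev["interface"] = kv.get("SourceInterface")
        ev["source_ip"] = kv.get("SourceIP")
        # "7 packets per second" -> 7
        ev["pps"] = int(kv["AttackPackets"].split()[0]) if "AttackPackets" in kv else None
    elif ev["name"] == "IF_STATE":
        s = IF_STATE_RE.search(ev["body"])
        if s:
            ev["interface"], ev["state"] = s.group(1), s.group(2)
    return ev


def analyze(log_text, pps_threshold=5):
    """Group ARP Miss alarms per interface and correlate them with link-down events.

    pps_threshold (assumed value for this example) selects which alarms are reported
    as offenders; the switch itself decides when to raise the alarm.
    """
    arp_miss = defaultdict(list)    # interface -> [(source_ip, pps), ...]
    down_events = defaultdict(int)  # interface -> number of DOWN transitions
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["name"] == "ARPMISS" and ev.get("interface"):
            arp_miss[ev["interface"]].append((ev["source_ip"], ev["pps"]))
        elif ev["name"] == "IF_STATE" and ev.get("state") == "DOWN":
            down_events[ev["interface"]] += 1
    # Interface names are sorted as plain strings, so ".../18" sorts before ".../2".
    offenders = sorted(
        iface for iface, hits in arp_miss.items()
        if any(pps is not None and pps >= pps_threshold for _, pps in hits)
    )
    correlated = sorted(iface for iface in arp_miss if down_events.get(iface, 0) > 0)
    return {
        "arp_miss": dict(arp_miss),
        "link_down_count": dict(down_events),
        "offenders": offenders,
        "correlated_with_flaps": correlated,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for iface, hits in report["arp_miss"].items():
        print(f"{iface}: ARP Miss from {hits}, link down {report['link_down_count'].get(iface, 0)} time(s)")
    print("ARP Miss alarms coinciding with link flaps:", report["correlated_with_flaps"])
```

On the page's log the only interface that both raised an ARP Miss alarm and flapped is GigabitEthernet2/0/2, which is where a network engineer would start looking (a misbehaving host, a scanner, or a loop behind that port) before or after applying the rate limit described below.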
Handling Process
To defend against this attack, the S9300 provides a mechanism called rate limiting of ARP Miss messages, also known as ARP Miss suppression.
To enable ARP Miss suppression, follow the procedure given under Suggestions below.
Root Cause
An attacker sends a large number of IP sweeping packets with invalid destination MAC addresses to the S9300. As a result, the S9300 generates a large number of ARP Miss messages and temporary ARP entries. These packets are sent to the CPU for processing. If excessive packets of this type reach the CPU, CPU usage becomes high and the forwarding of normal data services is affected.
Suggestions

• Procedure to solve this issue

<S9300>system-view
The system view is displayed.

[S9300]interface interface-type interface-number
or
[S9300]vlan vlan-id
The interface view or VLAN view is displayed; a rate limit configured in that view applies to that interface or VLAN.

[S9300]arp-miss anti-attack rate-limit enable
Rate limit on ARP Miss messages is enabled.
By default, rate limit on ARP Miss messages is disabled.

[S9300]arp-miss anti-attack rate-limit packet-number [ interval-value ]
The maximum rate and rate limit duration of ARP Miss messages are set: packet-number is the maximum number of ARP Miss messages the device processes within interval-value seconds; if interval-value is omitted, the default interval applies.
By default, the device can process a maximum of 100 ARP Miss messages in 1 second.

END