CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Principles

This section describes the implementation of ARP Security.

Rate Limit on ARP Packets

The device does not have sufficient CPU resources to process other services while it is processing a large number of ARP packets. To protect the CPU resources of the device, limit the rate of ARP packets.

The device provides the following mechanisms for limiting the rate of ARP packets:

  • Limiting the rate of ARP packets based on the source MAC address or source IP address

    When detecting that a host sends a large number of ARP packets in a short period, the device limits the rate of ARP packets sent from this host based on the source MAC address or source IP address. If the number of ARP packets received within 1 second exceeds the threshold, the device discards the excess ARP packets.

    • Limiting the rate of ARP packets based on the source MAC address: If a MAC address is specified, the device applies the rate limit to ARP packets from this source MAC address; otherwise, the device applies the rate limit to all ARP packets.

    • Limiting the rate of ARP packets based on the source IP address: If an IP address is specified, the device applies the rate limit to ARP packets from this source IP address; otherwise, the device applies the rate limit to all ARP packets.

  • Limiting the rate of ARP packets based on the destination IP Address

    When processing a large number of ARP packets with the same destination IP address, the device limits the rate of ARP packets based on the destination IP Address. The device collects statistics on ARP packets with a specified destination IP address. If the number of received ARP packets with the specified destination IP address in 1 second exceeds the threshold, the device discards the excess ARP packets.

  • Limiting the rate on ARP packets globally, in a VLAN, or on an interface

    The maximum rate of ARP packets can be set in the system view, VLAN view, and interface view. If the maximum rate is configured in all three views at the same time, the configuration in the interface view takes precedence, followed by the VLAN view and then the system view.

    • Limiting the rate of ARP packets globally: limits the number of ARP packets to be processed by the system. When an ARP attack occurs, the device limits the rate of ARP packets globally.

    • Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect ARP entry learning on interfaces in other VLANs.

    • Limiting the rate of ARP packets on an interface: limits the number of ARP packets to be processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.
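The following Python model is added here as an illustration and is not part of the Huawei documentation. It shows how per-source-MAC and per-view counters discard the excess ARP packets within a 1-second window, and how the interface, VLAN, and system limits take precedence over one another; the thresholds, interface names, and MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed thresholds in packets per second; on the switch they are set in the
# system view, VLAN view and interface view respectively.
SYSTEM_LIMIT = 100
VLAN_LIMITS = {10: 50}              # VLAN 10 is limited more tightly than the system
INTERFACE_LIMITS = {"GE1/0/1": 20}  # an interface limit overrides VLAN and system limits
SOURCE_MAC_LIMIT = 5                # per-source-MAC limit applied to every MAC address

def effective_limit(interface, vlan):
    """Precedence from the text: interface view, then VLAN view, then system view.
    Returns the counter scope and the threshold that applies to it."""
    if interface in INTERFACE_LIMITS:
        return ("interface", interface), INTERFACE_LIMITS[interface]
    if vlan in VLAN_LIMITS:
        return ("vlan", vlan), VLAN_LIMITS[vlan]
    return ("system",), SYSTEM_LIMIT

class ArpRateLimiter:
    """Counts ARP packets per 1-second window and discards the excess."""
    def __init__(self):
        self.counts = defaultdict(int)   # (scope..., second) -> packets seen
        self.dropped = 0

    def accept(self, ts, src_mac, interface, vlan):
        second = int(ts)
        mac_key = ("mac", src_mac, second)
        scope, limit = effective_limit(interface, vlan)
        scope_key = scope + (second,)
        if self.counts[mac_key] >= SOURCE_MAC_LIMIT or self.counts[scope_key] >= limit:
            self.dropped += 1          # excess packet in this second is discarded
            return False
        self.counts[mac_key] += 1
        self.counts[scope_key] += 1
        return True

def simulate():
    lim = ArpRateLimiter()
    # Constructed burst: one host sends 8 ARP packets within the same second.
    burst = [lim.accept(1.0 + i * 0.1, "aa:aa:aa:00:00:01", "GE1/0/2", 10) for i in range(8)]
    # Constructed: 30 different hosts, one packet each, on the interface limited to 20.
    spread = [lim.accept(2.0, f"bb:bb:bb:00:00:{i:02x}", "GE1/0/1", 20) for i in range(30)]
    return {"single_host_accepted": sum(burst), "interface_accepted": sum(spread),
            "dropped": lim.dropped}
```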

Rate Limit on ARP Miss Messages

If a host attacks a device by sending a large number of IP packets with unresolvable destination IP addresses (that is, the device has a route to the destination IP address of each packet but no ARP entry matching the next hop of the route), the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the switch modules for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, the device provides multiple techniques to limit the rate on ARP Miss messages.

  • Limiting the rate of ARP Miss messages based on the source IP address

    If the number of ARP Miss messages triggered by IP packets from a source IP address in 1 second exceeds the limit, the device considers that an attack is initiated from the source IP address.

    If a source IP address is specified, the rate of ARP Miss messages triggered by IP packets from the source IP address is limited. If no source IP address is specified, the rate of ARP Miss messages triggered by IP packets from each source IP address is limited.

  • Limiting the rate of ARP Miss messages globally or in a VLAN

    The maximum number of ARP Miss messages can be set globally or in a VLAN. The configuration in a VLAN takes precedence over the global configuration.

    • Limiting the rate of ARP Miss messages globally: limits the number of ARP Miss messages processed by the system.

    • Limiting the rate of ARP Miss messages in a VLAN: limits the number of ARP Miss messages to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect IP packet forwarding on interfaces in other VLANs.

  • Limiting the rate of ARP Miss messages by setting the aging time of temporary ARP entries

    When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
    • Within the aging time of a temporary ARP entry:
      • An IP packet that matches the temporary ARP entry and arrives before the ARP Reply packet is discarded and triggers no ARP Miss message.
      • After receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
    • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages are triggered again and temporary ARP entries are regenerated. This process repeats.

    When ARP Miss attacks occur on the device, you can extend the aging time of temporary ARP entries and reduce the frequency of triggering ARP Miss messages to minimize the impact on the device.

Gratuitous ARP Packet Discarding

In a gratuitous ARP packet, the source IP address and destination IP address are both the local IP address, the source MAC address is the local MAC address, and the destination MAC address is a broadcast address. When a host connects to a network, the host broadcasts a gratuitous ARP packet to notify other devices on the network of its MAC address and to check whether any device uses the same IP address as its own IP address in the broadcast domain. When the MAC address of a host changes, the host sends a gratuitous ARP packet to notify all hosts before the ARP entry ages out.

No authentication is performed on a host that sends gratuitous ARP packets, so any host can send gratuitous ARP packets, causing the following problems:
  • If a large number of gratuitous ARP packets are broadcast on the network, the device cannot process valid ARP packets due to CPU overload.
  • If the device processes bogus gratuitous ARP packets, ARP entries are updated incorrectly, leading to communication interruptions.

To solve the preceding problems, enable the gratuitous ARP packet discarding function on the gateway.

If the gratuitous ARP packet discarding function is enabled on the gateway, other hosts on the network cannot update their ARP entries when a host connects to the network with a new MAC address. Consequently, other hosts cannot communicate with this host. A host connects to the network with a new MAC address, for example, when it restarts after its interface card is replaced, or when the standby node takes over from the faulty active node in a two-node cluster hot backup system.

Strict ARP Learning

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:

  • Many CPU resources are consumed to process a large number of ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.

  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, deploy the strict ARP learning function on the gateway.

After the strict ARP learning function is enabled, the device learns only ARP entries for ARP Reply packets sent in response to ARP Request packets that the device itself sent. In this way, the device can defend against most ARP attacks.

Figure 12-39 Strict ARP learning

As shown in Figure 12-39, without strict ARP learning, after receiving an ARP Request packet from UserA, the gateway sends an ARP Reply packet to UserA and adds or updates an ARP entry matching UserA. After the strict ARP learning function is enabled on the gateway:
  • When receiving an ARP Request packet from UserA, the gateway adds or updates no ARP entry matching UserA. If the ARP Request packet requests the MAC address of the gateway, the gateway sends an ARP Reply packet to UserA.

  • If the gateway sends an ARP Request packet to UserB, the gateway adds or updates an ARP entry matching UserB after receiving the ARP Reply packet.

ARP Entry Limiting

The ARP entry limiting function controls the number of ARP entries that a gateway interface can learn. By default, the number of ARP entries that an interface can dynamically learn is the same as the default number of ARP entries supported by the device. After the ARP entry limiting function is deployed, if the number of ARP entries that a specified interface dynamically learned reaches the maximum, the interface cannot learn any ARP entry. This prevents ARP entries from being exhausted when a host connecting to this interface initiates ARP attacks.

Disabling ARP Learning on Interfaces

If a user connected to an interface initiates an ARP attack, the ARP resources of the entire device will be exhausted. Therefore, when a large number of dynamic ARP entries have been learned by an interface, disable the interface from learning more ARP entries to ensure device security.

To precisely control ARP learning on interfaces, you can disable ARP learning and configure strict ARP learning on the interfaces.

ARP Entry Fixing

As shown in Figure 12-40, an attacker simulates UserA to send a bogus ARP packet to the gateway. The gateway then records an incorrect ARP entry for UserA. As a result, UserA cannot communicate with the gateway.

Figure 12-40 ARP gateway spoofing attack

To defend against ARP gateway spoofing attacks, deploy the ARP entry fixing function on the gateway. After the gateway with this function enabled learns an ARP entry for the first time, depending on the configured mode it either does not change the ARP entry, updates only part of the entry, or sends a unicast ARP Request packet to check the validity of the ARP packet before updating the entry.

The device supports three ARP entry fixing modes, as described in Table 12-24.

Table 12-24 ARP entry fixing modes

  • fixed-all: When receiving an ARP packet, the device discards the packet if the MAC address, interface number, or VLAN ID matches no ARP entry. This mode applies to networks where user MAC addresses and user access locations are fixed.

  • fixed-mac: When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry but the interface number or VLAN ID does not, the device updates the interface number or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses are unchanged but user access locations often change.

  • send-ack: When the device receives ARP packet A with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then decides whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user.

    • If the device receives ARP Reply packet B within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID in the ARP entry are the same as those in ARP Reply packet B, the device considers ARP packet A an attack packet and does not update the ARP entry.

    • If the device receives no ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID in the ARP entry differ from those in ARP Reply packet B, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address again.
      • If the device receives ARP Reply packet C within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID in ARP packet A are the same as those in ARP Reply packet C, the device considers ARP packet A a valid packet and updates the ARP entry based on ARP packet A.
      • If the device receives no ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID in ARP packet A differ from those in ARP Reply packet C, the device considers ARP packet A an attack packet and does not update the ARP entry.

    This mode applies to networks where user MAC addresses and user access locations often change.
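The send-ack decision described above, modelled in Python as an added illustration (not Huawei code). The hosts and addresses are constructed, and the responder callback stands in for the two unicast ARP Request exchanges and their 3-second reply windows.

```python
from dataclasses import dataclass
from typing import Optional

ACK_TIMEOUT = 3.0  # seconds the device waits for each unicast ARP Reply

@dataclass(frozen=True)
class ArpInfo:
    """The four fields the device compares: IP, MAC, interface number, VLAN ID."""
    ip: str
    mac: str
    interface: str
    vlan: int

@dataclass(frozen=True)
class Reply:
    info: ArpInfo
    delay: float  # seconds after the unicast ARP Request was sent

def _valid(reply: Optional[Reply], expected: ArpInfo) -> bool:
    return reply is not None and reply.delay <= ACK_TIMEOUT and reply.info == expected

def send_ack_decide(entry: ArpInfo, packet_a: ArpInfo, responder):
    """Decide whether packet A may update `entry`.
    responder(n) simulates the n-th unicast ARP Request sent to the IP mapped to the
    ORIGINAL MAC and returns the Reply received, or None if nothing arrived in time."""
    # Round 1: a timely Reply B that still matches the entry proves A is bogus.
    if _valid(responder(1), entry):
        return False, "reply B confirms existing entry; packet A is an attack"
    # Round 2: the device probes again; only a Reply C matching A allows the update.
    if _valid(responder(2), packet_a):
        return True, "reply C matches packet A; entry updated"
    return False, "no valid reply C; packet A is an attack"

def scenarios():
    entry = ArpInfo("10.0.0.11", "aa:aa:aa:00:00:0a", "GE1/0/1", 10)   # UserA as learned
    moved = ArpInfo("10.0.0.11", "aa:aa:aa:00:00:0b", "GE1/0/2", 10)   # UserA with a new NIC
    # 1. Packet A claims UserA's IP with a new MAC while the real UserA still answers.
    attack = send_ack_decide(entry, moved, lambda n: Reply(entry, 0.2))
    # 2. UserA really replaced its NIC: the old MAC is silent, the new one answers.
    genuine = send_ack_decide(entry, moved, lambda n: None if n == 1 else Reply(moved, 0.5))
    # 3. Reply C does arrive, but after the 3-second window has closed.
    late = send_ack_decide(entry, moved, lambda n: None if n == 1 else Reply(moved, 4.0))
    return {"attack": attack[0], "genuine": genuine[0], "late": late[0]}
```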

DAI

A man-in-the-middle (MITM) attack is a common ARP spoofing attack.

Figure 12-41 shows an MITM attack scenario. An attacker simulates UserB to send a bogus ARP packet to UserA. UserA then records an incorrect ARP entry for UserB. The attacker easily obtains information exchanged between UserA and UserB. Information security between UserA and UserB is not protected.

Figure 12-41 Man-in-the-middle attack

To defend against MITM attacks, deploy Dynamic ARP Inspection (DAI) on the Switch Module.

DAI defends against MITM attacks using DHCP snooping. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

NOTE:

This function is available only when DHCP snooping is configured. The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user. For details about DHCP snooping, see description in Basic Principles.

When an attacker connects to the Switch Module enabled with DAI and sends bogus ARP packets, the Switch Module detects the attacks based on the binding entries and discards the bogus ARP packets.

MAC Address Consistency Check in an ARP Packet

The MAC address consistency check function for ARP packets defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

This function enables the gateway to check the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.
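An added Python illustration (not Huawei code) covering both the DAI binding check and the MAC address consistency check: it parses a raw Ethernet/ARP frame, compares the ARP MAC addresses with the Ethernet frame header, and looks the sender up in a constructed binding table. The binding entries, addresses, and interface names are constructed, and comparing the target MAC only for ARP Reply packets is an assumption made here, because a broadcast ARP Request carries an all-zero target MAC in the ARP payload.

```python
import struct

# Constructed DHCP snooping binding table: (IP, MAC, interface, VLAN).
BINDINGS = {
    ("10.0.0.11", "aa:aa:aa:00:00:0a", "GE1/0/1", 10),  # UserA, learned via DHCP snooping
    ("10.0.0.12", "bb:bb:bb:00:00:0b", "GE1/0/2", 10),  # UserB, static binding entry
}

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame (op 1 = Request, 2 = Reply)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

def mac_consistent(pkt):
    """ARP sender MAC must equal the Ethernet source MAC. The target MAC is compared
    only for Replies (assumption: a broadcast Request carries an all-zero target MAC)."""
    if pkt["sha"] != pkt["eth_src"]:
        return False
    return pkt["op"] != 2 or pkt["tha"] == pkt["eth_dst"]

def inspect(frame, interface, vlan):
    """Decision: MAC consistency check first, then the DAI binding-entry check."""
    pkt = parse_arp(frame)
    if not mac_consistent(pkt):
        return "drop: ARP MACs differ from Ethernet header"
    if (pkt["spa"], pkt["sha"], interface, vlan) not in BINDINGS:
        return "drop: no matching binding entry"
    return "forward"

GW = "cc:cc:cc:00:00:01"  # constructed gateway MAC
def scenarios():
    legit = build_arp_frame("bb:bb:bb:00:00:0b", GW, 2, "bb:bb:bb:00:00:0b", "10.0.0.12", GW, "10.0.0.1")
    spoof = build_arp_frame("dd:dd:dd:00:00:0d", GW, 2, "dd:dd:dd:00:00:0d", "10.0.0.12", GW, "10.0.0.1")
    forged = build_arp_frame("dd:dd:dd:00:00:0d", GW, 2, "bb:bb:bb:00:00:0b", "10.0.0.12", GW, "10.0.0.1")
    return {"legit": inspect(legit, "GE1/0/2", 10), "spoof": inspect(spoof, "GE1/0/3", 10),
            "forged": inspect(forged, "GE1/0/3", 10)}
```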

Updated: 2019-08-09

Document ID: EDOC1000041694