
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Overview

This section describes the definition and functions of ARP Security.

Definition

Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based network scanning attacks using a series of methods such as strict ARP learning, dynamic ARP inspection (DAI), ARP anti-spoofing, and rate limit on ARP packets.

Purpose

ARP is easy to use but has no security mechanisms. Attackers often use ARP to attack network devices. The following ARP attack modes are commonly used on networks:

  • ARP flood attack: ARP flood attacks, also called denial of service (DoS) attacks, occur in the following scenarios:

    • System resources are consumed when the device processes ARP packets and maintains ARP entries. To ensure that ARP entries can be queried efficiently, a maximum number of ARP entries is set on the device. Attackers send a large number of bogus ARP packets with variable source IP addresses to the device. In this case, ARP entries on the device are exhausted and the device cannot generate ARP entries for ARP packets from authorized users. Consequently, communication is interrupted.

    • When attackers scan hosts on the local network segment or other network segments, the attackers send many IP packets with unresolvable destination IP addresses to attack the device. As a result, the device triggers many ARP Miss messages, generates a large number of temporary ARP entries, and broadcasts ARP Request packets to resolve the destination IP addresses, leading to Central Processing Unit (CPU) overload.

  • ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The devices then modify ARP entries, causing communication failures.

ARP attacks cause the following problems:
  • Network connections are unstable and communication is interrupted, leading to economic loss.
  • Attackers initiate ARP spoofing attacks to intercept user packets and obtain accounts and passwords for systems such as game servers, online banking, and file servers, leading to losses.

To avoid the preceding problems, the device provides multiple techniques to defend against ARP attacks.

Table 12-22 and Table 12-23 describe the ARP security techniques for defending against the different ARP attacks.

Table 12-22 ARP security techniques for defending against ARP flood attack

Attack Defense Function / Description / Deployment

Rate limit on ARP packets
  Description: This function limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services while it processes a large number of ARP packets.
  Deployment: You are advised to enable this function on the gateway.

Rate limit on ARP Miss messages
  Description: This function limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses.
  Deployment: You are advised to enable this function on the gateway.

Gratuitous ARP packet discarding
  Description: This function allows the device to discard gratuitous ARP packets, ensuring that the device has sufficient CPU resources to process other services when it receives a large number of gratuitous ARP packets.
  Deployment: You are advised to enable this function on the gateway.

Strict ARP learning
  Description: This function allows the device to learn ARP entries only from ARP Reply packets that answer ARP Request packets sent by the device itself; ARP entries are not learned from ARP packets received from other devices. This prevents ARP entries from being exhausted by invalid ARP packets.
  Deployment: You are advised to enable this function on the gateway.

ARP entry limiting
  Description: This function limits the number of ARP entries an interface can learn dynamically, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.
  Deployment: You are advised to enable this function on the gateway.

Disabling ARP learning on interfaces
  Description: If a user connected to an interface initiates an ARP attack, the ARP resources of the entire device will be exhausted. To protect the device, disable ARP learning on the interface.
  Deployment: You are advised to enable this function on the gateway.

Table 12-23 ARP security techniques for defending against ARP spoofing attack

Attack Defense Function / Description / Deployment

ARP entry fixing
  Description: After the device with this function enabled learns an ARP entry for the first time, depending on the mode it does not change the entry, updates only part of the entry, or sends an ARP Request packet to check the validity of the ARP packet before updating the entry. This function prevents attackers from modifying the ARP entries of authorized users with forged ARP packets.
  The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.
  Deployment: You are advised to enable this function on the gateway.

DAI
  Description: Dynamic ARP inspection (DAI) allows the device to compare the source IP address, source Media Access Control (MAC) address, interface number, and Virtual Local Area Network (VLAN) ID of an ARP packet with a binding entry. If an entry is matched, the device considers the ARP packet valid and allows the packet to pass through. If no entry is matched, the device considers the ARP packet invalid and discards the packet.
  This function is available only in Dynamic Host Configuration Protocol Snooping (DHCP snooping) scenarios.
  Deployment: You are advised to enable this function on an access device.

Gratuitous ARP packet discarding
  Description: This function allows the device to discard gratuitous ARP packets, defending against attacks from a large number of bogus gratuitous ARP packets that would otherwise interrupt communication.
  Deployment: You are advised to enable this function on the gateway.

MAC address consistency check in an ARP packet
  Description: This function defends against attacks from bogus ARP packets in which the source and destination MAC addresses differ from those in the Ethernet frame header.
  Deployment: You are advised to enable this function on the gateway.

Strict ARP learning
  Description: This function allows the device to learn ARP entries only from ARP Reply packets that answer ARP Request packets sent by the device itself; ARP entries are not learned from ARP packets received from other devices. This prevents the device from incorrectly updating ARP entries based on received bogus ARP packets.
  Deployment: You are advised to enable this function on the gateway.
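An added illustration, not Huawei's code, of the two per-packet checks in Table 12-23 that a defender can reason about in isolation: the MAC address consistency check (ARP payload MACs versus the Ethernet header) and the DAI lookup of sender IP, sender MAC, ingress interface and VLAN against a binding table. The binding table, interface names and addresses are constructed sample values, and treating an ARP Request as having no meaningful target MAC (so only its sender side is compared) is an assumption of this example.

```python
import struct
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
# Constructed stand-in for DHCP snooping bindings: (IP, MAC, interface, VLAN). Sample values only.
BINDINGS = {
    ("10.0.0.11", "00:11:22:33:44:55", "GE0/0/1", 100),
    ("10.0.0.12", "00:11:22:33:44:66", "GE0/0/2", 100),
}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble an untagged Ethernet II frame carrying an IPv4 ARP packet."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = struct.pack("!6s6sH", to_mac(eth_dst), to_mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))
    return eth + arp

def parse_arp_frame(frame):
    """Extract the Ethernet header and ARP fields the two checks need."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[4:]
    return {"eth_dst": _mac(eth_dst), "eth_src": _mac(eth_src), "op": op,
            "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def mac_consistency_ok(pkt):
    """Ethernet src must equal ARP sender MAC; for a Reply, Ethernet dst must equal ARP target MAC."""
    if pkt["eth_src"] != pkt["sha"]:
        return False
    # Assumption: a Request carries no meaningful target MAC, so only Replies get the destination check.
    return pkt["op"] != ARP_REPLY or pkt["eth_dst"] == pkt["tha"]

def dai_ok(pkt, interface, vlan):
    """DAI: sender IP, sender MAC, ingress interface and VLAN must all match one binding."""
    return (pkt["spa"], pkt["sha"], interface, vlan) in BINDINGS

def inspect_arp(frame, interface, vlan):
    """Return 'permit' or the reason the frame would be discarded."""
    pkt = parse_arp_frame(frame)
    if not mac_consistency_ok(pkt):
        return "drop: MAC mismatch"
    if not dai_ok(pkt, interface, vlan):
        return "drop: no binding"
    return "permit"
```

The same frame is permitted on the interface its binding names and dropped elsewhere, which is why the table places DAI on the access device where the binding was learned.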

Benefits

  • Reduces network operation and security maintenance costs.
  • Provides users with stable services on a secure network.
Updated: 2019-08-09

Document ID: EDOC1000041694