ARP Miss Attack

Huawei S Series Campus Switches Troubleshooting Guide

About This Document
Security Declaration
Routine Maintenance
- Checking Device Running Environment
- Checking Basic Device Information
- Checking Device Running Status
- Checking Interface Information
- Checking Services
Using the Troubleshooting Insights for Fault Diagnosis and Rectification
Troubleshooting: Common Fault Diagnostic Commands and Methods
- Troubleshooting: Information Collection
- reset Commands
- Ping and Tracert
- Device Restart and Software Upgrade
Troubleshooting: Layer 2 Loop
- Overview
- How to Detect a Loop
  - General Method
  - Fault Locating Procedure
- How to Quickly Remove a Loop
- How to Find Out the Root Cause
- Hardening and Optimizing the Network
- Troubleshooting Cases for Layer 2 Loops
  - Incorrect Configuration
  - Improper Configuration
- FAQs About Layer 2 Loops
Troubleshooting: Ethernet Interface Physically Down
- Interface Physically Down Overview
- Interface Physically Down Causes and Recovery
- Fault Cases
- FAQs About the Error That an Interface Is Physically Down
Troubleshooting: Packet Loss on the Network
- Packet Loss Problem Locating and Handling Procedures
- Packet Loss Prevention Measures
- Cases of Packet Loss on the Network
- Appendix
  - Configuring Traffic Statistics Collection
Troubleshooting: IP Address Obtaining Failure
- Common DHCP Issues
  - Troubleshooting
  - FAQ
- DHCP Server
- DHCP Relay
- DHCP Snooping
- DHCP Client
- Appendix
  - Implementation of DHCP
  - A Client Fails to Obtain an IP Address
Troubleshooting: Device Reboot or Card Reset
- General Fault Analysis Flowchart
- Unexpected Reboot of a Fixed Switch
- Card Resets on a Modular Switch
Troubleshooting: Administrators' AAA Authentication Issues
- Checking Whether Pre-Configuration Tasks Are Complete
- Checking the AAA Authentication Method and Servers Used for Administrators
- FAQs About AAA Authentication
- Typical Configuration
- Collecting Information
Troubleshooting: Access Authentication Issues
- Troubleshooting Roadmap
- 802.1X Authentication Fails
  - Possible Causes
  - Collecting Information
- 802.1X Authentication Users Are Disconnected Unexpectedly
  - Possible Causes
  - Collecting Information
- MAC Address Authentication Fails
  - Possible Causes
  - Collecting Information
- MAC Address Authentication Users Are Disconnected Unexpectedly
  - Possible Causes
  - Collecting Information
- Portal Authentication Page Fails to Be Displayed
- Portal Authentication Failures
- After Portal Authentication Is Successful, the Authentication Page Is Still Displayed When Users Access the Network (Unexpected Disconnection of Portal Authentication Users)
  - Possible Causes
  - Collecting Information
- Static User Authentication Failures
  - Possible Causes
- Unexpected Logouts of Static Users
  - Possible Causes
- User Authorization Through RADIUS Attributes Is Abnormal
  - Possible Causes
  - Collecting Information
- HACA Authentication Troubleshooting in Cloud-based Management Scenarios
- IP Phone Authentication Troubleshooting
- Collecting Information
- RADIUS/Portal Authentication Escape Does Not Take Effect
- Precautions for Interconnection with a Third-Party RADIUS Server
- FAQs
- Common Causes for Access Authentication Failures
Troubleshooting: Wireless Access Authentication Issues
- Troubleshooting: 802.1X Authentication Failures
- Troubleshooting: HTTP-based External Portal Authentication Failures
- Troubleshooting: Failures in External Portal Authentication Using the Portal Protocol
- Troubleshooting: Portal Redirection Failures
- Troubleshooting: Built-in Portal LDAP or AD Authentication Failures
- Troubleshooting: Failure to Access the Built-in Portal Page
  - Key Configuration Check
  - Common Built-in Portal Page Access Failures
- WLAN Authentication FAQs
Troubleshooting: Ping Failure
- Troubleshooting Roadmap
- Fault Locating Methods
- Ping Failure Troubleshooting
- FAQ About Ping Failures
  - Why Can a Switch Ping a Server but the Server Cannot Ping the Switch After They Are Connected?
  - Why Does the Service Gateway Fail to Be Pinged When a WLAN STA Roams in S12700+ACU2 Networking Whereas the Fixed-Location Network Access Is Normal in the Airport Scenario?
- Ping Overview
Troubleshooting: Attack Defense
- Determining the Attack Type
- Defense Measures for Different Types of Attacks
- Hardening Attack Defense Configurations
  - Modular Switches
  - Fixed Switches
- Appendix: Attack Defense Policy Application
Troubleshooting: High CPU Usage
- Knowledge About High CPU Usage
- CPU and CPU Usage Working Mechanism
- How to Locate the High CPU Usage Problem
- How to Fix the High CPU Usage Problem
- How to Relieve CPU Load
- Troubleshooting Cases for High CPU Usage
- FAQ About High CPU Usage
  - Why Is the CPU Usage Still High When the Switch Does Not Receive Any Service Requests and All Interfaces Are Down?
  - What Can I Do If the S2700 Responds Slowly Due to High CPU Usage?
- Appendix
Troubleshooting: PD Power-on Failures
- Introduction to PoE
- Principles
- How to Rectify a PoE Fault
- Troubleshooting Cases for PD Power Failures
- FAQ About PD Power Failures
- Appendix
Troubleshooting: Miscellaneous Issues
- License
  - A License File Fails to Be Activated Due to Format Corruption
  - License Fails to Be Activated
- S Series Switch Connected to Others
- Device Management
- Ethernet
- IP Services
- Security
  - ARP Entries Cannot Be Learned
  - Service Forwarding Fails Due to ARP Entry Fixing on a Switch After a Firewall Upgrade
- QoS
- IP Routing
- IP Multicast
- Network Management and Monitoring
- User Access and Authentication
- Reliability
  - VRRP Troubleshooting
  - Smart Link and Monitor Link Troubleshooting
- WLAN
  - Services Go Down When a Client Is Roaming
- VXLAN
FAQs
- Hardware
- License
- Password
- Basic Configuration
- Device Management
- Interface Management
- Ethernet
- IP Services
- Security
- Qos
- IP Routing
- IP Multicast
- MPLS&VPN
- Web System
- Network Management and Monitoring
- User Access and Authentication
- Reliability
- WLAN
Contacting Huawei for Technical Support

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

ARP Miss Attack

Network Scanning Attack

Network Scanning Attack

Attack Overview

If a network device is flooded with IP packets that contain unresolvable destination IP addresses, the device generates a large number of ARP Miss packets. This is because the device has no ARP entry that matches the next hop of the route. IP packets triggering ARP Miss packets are sent to the device for processing.

Network segment scanning triggers generation of a large number of ARP Miss packets. As a result, the system is busy processing ARP Miss packets and cannot process other services, suffering a scanning attack.

Symptom

When a switch suffers an ARP Miss attack, the CPU usage of the switch is high and a large number of temporary ARP entries are generated on the switch. ARP Miss packets are discarded by CPCAR, there is a delay in response to the ping operation, or the ping fails. Some user devices are disconnected, user's network access speed is slow, or the switch is out of management.

Troubleshooting Roadmap

Fault Location Method	Command	Models and Versions
View statistics on packets sent to the CPU.	display cpu-defend statistics packet-type arp-miss { all \| slot slot-id }	V100R006C05 and later versions
View temporary ARP entries.	display arp	V100R006C05 and later versions

Clear statistics on the ARP Miss packets sent to the CPU.

<HUAWEI> reset cpu-defend statistics packet-type arp-miss all

Wait for one minute and view statistics on the ARP Miss packets sent to the CPU again.

<HUAWEI> display cpu-defend statistics packet-type arp-miss slot 2
 Statistics on slot 2:
------------------------------------------------------------------------------------------------------------------
Packet Type          Pass(Packet/Byte)   Drop(Packet/Byte)  Last-dropping-time
------------------------------------------------------------------------------------------------------------------
arp-miss                         40800             357680   2017-03-15 12:23:10     
------------------------------------------------------------------------------------------------------------------

View the number of passing and discarded packets. If the number of discarded packets is greater than the number of passing packets, an ARP Miss attack may occur.

Check whether a large number of temporary ARP entries are generated on the switch. If the value of MAC ADDRESS is Incomplete in 15 or more temporary entries, an ARP Miss attack occurs.

<HUAWEI> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN                      
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
10.1.1.2        00e0-0987-7899            I -         GE6/1/1
10.1.20.1       00e0-0987-789a            I -         GE6/1/2
10.1.10.6       00e0-0987-789b            I -         GE6/1/3
10.1.11.6       00e0-0987-789c            I -         GE6/1/4
192.168.11.1    00e0-0987-789c            I -         Vlanif11
192.168.11.254  Incomplete      12        D-0         Eth-Trunk1
                                            11/-
192.168.11.253  Incomplete      16        D-0         Eth-Trunk1
                                            11/-
------------------------------------------------------------------------------
Total:9         Dynamic:3       Static:0     Interface:6

Root Cause

A switch receives a large number of ARP Miss packets commonly for the following reasons:

A network scanning attack occurs. You can obtain packets or run the display arp anti-attack arpmiss-record-info command to view the attack source.
The switch receives TC packets and then ages out ARP entries, causing a large number of ARP Miss messages. For details about the measures for defending against an ARP Miss attack caused by TC messages, see TC Attack.

Procedure

Method	Advantage	Disadvantage
Decrease the CPCAR value for ARP Miss packets.	The number of packets sent to the CPU is decreased quickly.	Normal ARP Miss packets may be discarded.
Set the aging time of fake ARP entries.	Packets sent to a specified destination address are suppressed, and no ARP Miss packet is triggered during the aging time.	A proper aging time must be set.
Configure ARP Miss suppression.	Packets sent from a specified source address are suppressed, and no ARP Miss packet is sent to the CPU during the block time.	A whitelist needs to be configured to prevent the network-side device from being punished.
Configure a blacklist to discard packets sent from a specified attack source.	The blacklist can be applied on the switch or a specified card to drop attack packets.	The blacklisted source cannot access the switch after the attack is eliminated.

Decrease the CPCAR value for ARP Miss packets to resolve the high CPU usage problem.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] car packet-type arp-miss cir 64
[HUAWEI-cpu-defend-policy-policy1] quit 
[HUAWEI] cpu-defend-policy policy1 global

This method cannot resolve the problem that users' network access speed is slow.

Increase the aging time of fake ARP entries to resolve the high CPU usage problem. When an IP packet triggers the generation of an ARP Miss packet, the switch sends an ARP Request packet and generates a temporary ARP entry. The switch then directly discards the data packets destined for this IP address to protect the CPU. When the switch receives an ARP Reply packet, it modifies the temporary ARP entry. If the switch does not receive an ARP Reply packet within the specified period, it deletes the temporary entry. The later packets from this IP address can still trigger the generation of ARP Miss packets.
```
<HUAWEI> system-view
[HUAWEI] interface Vlanif 500  
[HUAWEI-Vlanif500] arp-fake expire-time 30  
```
A long fake entry aging time will cause a delay in ARP entry learning and loss of data packets.

Configure source IP address-based ARP Miss rate limiting. The switch will automatically identify the source IP address from which the packet rate exceeds the limit and deliver an ACL. By default, the ARP Miss suppression limit for all source IP addresses is 30 pps, and the punishment time is 5 seconds. It is recommended that packets from the network-side device be allowed to pass, preventing it from being punished.

<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 10  //The ARP Miss rate limit for each source IP address is set to 10 pps. The default limit is 30 pps.
[HUAWEI] arp-miss speed-limit source-ip 1.1.1.1 maximum 200 //Allow packets from the network-side device to pass, preventing it from being punished.

Run the display arp anti-attack arpmiss-record-info command to view the attack source.

[HUAWEI] display arp anti-attack arpmiss-record-info
 Interface              IP address   Attack time         Block time    Aging-time 
----------------------------------------------------------------------------------------------------------------
 GigabitEthernet5/0/0    10.0.0.1   2009-09-16 10:18:18  2009-09-16 10:19:12  50
----------------------------------------------------------------------------------------------------------------
There are 1 records in Arp-miss table

The switch will automatically deliver an ACL to match the ARP Miss packets from the specified source IP address. If these packets do not need to be sent to the control plane, run the cpu-defend policy command with a blacklist configured to block the attack source.

Network Scanning Attack

Translation

简体中文

Download

Updated: 2022-02-09

Document ID: EDOC1000091883

Downloads: 9369

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode