ARP Miss Attack
Network Scanning Attack
Attack Overview
If a network device is flooded with IP packets whose destination IP addresses cannot be resolved, it generates a large number of ARP Miss packets, because it has no ARP entry matching the next hop of the route. The IP packets that trigger ARP Miss packets are sent to the CPU of the device for processing.
Network segment scanning triggers a large number of ARP Miss packets. As a result, the system is busy processing ARP Miss packets and cannot process other services; the device is suffering a scanning attack.
Symptom
When a switch suffers an ARP Miss attack, its CPU usage is high and a large number of temporary ARP entries are generated. ARP Miss packets are discarded by CPCAR, ping responses are delayed, or pings fail. Some user devices are disconnected, users' network access is slow, or the switch can no longer be managed.
Troubleshooting Roadmap
Fault Location Method | Command | Models and Versions
---|---|---
View statistics on packets sent to the CPU. | display cpu-defend statistics packet-type arp-miss { all \| slot slot-id } | V100R006C05 and later versions
View temporary ARP entries. | display arp | V100R006C05 and later versions
- Clear statistics on the ARP Miss packets sent to the CPU.

```
<HUAWEI> reset cpu-defend statistics packet-type arp-miss all
```

- Wait for one minute and view statistics on the ARP Miss packets sent to the CPU again.

```
<HUAWEI> display cpu-defend statistics packet-type arp-miss slot 2
Statistics on slot 2:
------------------------------------------------------------------------------------------------------------------
Packet Type              Pass(Packet/Byte)         Drop(Packet/Byte)         Last-dropping-time
------------------------------------------------------------------------------------------------------------------
arp-miss                 40800                     357680                    2017-03-15 12:23:10
------------------------------------------------------------------------------------------------------------------
```

Compare the numbers of passed and discarded packets. If more packets are discarded than passed, an ARP Miss attack may be occurring.
- Check whether a large number of temporary ARP entries are generated on the switch. If the value of MAC ADDRESS is Incomplete in 15 or more temporary entries, an ARP Miss attack occurs.

```
<HUAWEI> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
10.1.1.2        00e0-0987-7899            I -         GE6/1/1
10.1.20.1       00e0-0987-789a            I -         GE6/1/2
10.1.10.6       00e0-0987-789b            I -         GE6/1/3
10.1.11.6       00e0-0987-789c            I -         GE6/1/4
192.168.11.1    00e0-0987-789c            I -         Vlanif11
192.168.11.254  Incomplete      12        D-0         Eth-Trunk1               11/-
192.168.11.253  Incomplete      16        D-0         Eth-Trunk1               11/-
------------------------------------------------------------------------------
Total:9         Dynamic:3       Static:0     Interface:6
```
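As an added example (not part of this page or of Huawei's software), a Python check that applies the two indicators above, the drop-versus-pass comparison and the 15-Incomplete-entry rule, to saved output of the two display commands. The sample output is constructed to mirror the layouts shown above.

```python
import re

# Constructed sample that mirrors the layout of display cpu-defend statistics.
CPU_DEFEND_SAMPLE = """\
Statistics on slot 2:
------------------------------------------------------------------------
Packet Type     Pass(Packet/Byte)   Drop(Packet/Byte)   Last-dropping-time
------------------------------------------------------------------------
arp-miss        40800/2611200       357680/22891520     2017-03-15 12:23:10
------------------------------------------------------------------------
"""

# Constructed display arp sample: 16 unanswered requests in VLAN 11, the
# temporary (Incomplete) entries a scan leaves behind.
ARP_SAMPLE = (
    "IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE VLAN/CEVLAN\n"
    "10.137.216.1    0000-5e00-0149  20        D-0   Eth0/0/0\n"
    "10.1.1.2        00e0-0987-7899            I -   GE6/1/1\n"
    + "".join(f"192.168.11.{h:<4}  Incomplete      12        D-0   Eth-Trunk1               11/-\n"
              for h in range(200, 216))
    + "Total:18  Dynamic:17  Static:0  Interface:1\n"
)

# The arp-miss row; the byte counts after '/' are optional so that the row
# shape shown on this page (packet counts only) also parses.
ARP_MISS_ROW = re.compile(r"^\s*arp-miss\s+(\d+)(?:/\d+)?\s+(\d+)(?:/\d+)?", re.M)
INCOMPLETE_THRESHOLD = 15  # the page's rule: 15 or more Incomplete entries


def parse_arp_miss_counters(text):
    """Return (passed, dropped) packet counts from display cpu-defend statistics output."""
    m = ARP_MISS_ROW.search(text)
    if m is None:
        raise ValueError("no arp-miss row in output")
    return int(m.group(1)), int(m.group(2))


def count_incomplete_entries(text):
    """Count temporary entries (MAC ADDRESS shown as Incomplete) in display arp output."""
    rows = (line.split() for line in text.splitlines())
    return sum(1 for cols in rows if len(cols) > 1 and cols[1] == "Incomplete")


def assess_arp_miss(cpu_text, arp_text):
    """Apply both indicators from the page and report whether an attack is suspected."""
    passed, dropped = parse_arp_miss_counters(cpu_text)
    incomplete = count_incomplete_entries(arp_text)
    drops_exceed_pass, many_incomplete = dropped > passed, incomplete >= INCOMPLETE_THRESHOLD
    return {"passed": passed, "dropped": dropped, "incomplete": incomplete,
            "drops_exceed_pass": drops_exceed_pass, "many_incomplete": many_incomplete,
            "suspected": drops_exceed_pass or many_incomplete}
```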
Root Cause
A switch receives a large number of ARP Miss packets commonly for the following reasons:
- A network scanning attack occurs. You can capture packets or run the display arp anti-attack arpmiss-record-info command to locate the attack source.
- The switch receives TC packets and ages out its ARP entries, causing a large number of ARP Miss messages. For measures against an ARP Miss attack caused by TC messages, see TC Attack.
Procedure
Method | Advantage | Disadvantage
---|---|---
Decrease the CPCAR value for ARP Miss packets. | The number of packets sent to the CPU is decreased quickly. | Normal ARP Miss packets may be discarded.
Set the aging time of fake ARP entries. | Packets sent to a specified destination address are suppressed, and no ARP Miss packet is triggered during the aging time. | A proper aging time must be set.
Configure ARP Miss suppression. | Packets sent from a specified source address are suppressed, and no ARP Miss packet is sent to the CPU during the block time. | A whitelist needs to be configured to prevent the network-side device from being punished.
Configure a blacklist to discard packets sent from a specified attack source. | The blacklist can be applied on the switch or a specified card to drop attack packets. | The blacklisted source cannot access the switch after the attack is eliminated.
- Decrease the CPCAR value for ARP Miss packets to resolve the high CPU usage problem.

```
<HUAWEI> system-view
[HUAWEI] cpu-defend policy policy1
[HUAWEI-cpu-defend-policy-policy1] car packet-type arp-miss cir 64
[HUAWEI-cpu-defend-policy-policy1] quit
[HUAWEI] cpu-defend-policy policy1 global
```

This method does not resolve slow network access for users.
- Increase the aging time of fake ARP entries to resolve the high CPU usage problem. When an IP packet triggers an ARP Miss packet, the switch sends an ARP Request packet and creates a temporary ARP entry. To protect the CPU, the switch then directly discards further data packets destined for this IP address. When the switch receives an ARP Reply packet, it updates the temporary entry; if no ARP Reply packet arrives within the specified period, it deletes the temporary entry, and subsequent packets destined for this IP address can again trigger ARP Miss packets.

```
<HUAWEI> system-view
[HUAWEI] interface Vlanif 500
[HUAWEI-Vlanif500] arp-fake expire-time 30
```

A long aging time for fake entries delays ARP entry learning and causes data packet loss.
- Configure source IP address-based ARP Miss rate limiting. The switch automatically identifies any source IP address whose packet rate exceeds the limit and delivers an ACL against it. By default, the ARP Miss suppression limit for every source IP address is 30 pps and the punishment time is 5 seconds. It is recommended that packets from the network-side device be allowed to pass, so that it is not punished.

```
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip maximum 10    //Set the ARP Miss rate limit for each source IP address to 10 pps. The default limit is 30 pps.
[HUAWEI] arp-miss speed-limit source-ip 1.1.1.1 maximum 200    //Allow packets from the network-side device to pass, preventing it from being punished.
```

Run the display arp anti-attack arpmiss-record-info command to view the attack source.

```
[HUAWEI] display arp anti-attack arpmiss-record-info
Interface               IP address      Attack time            Block time             Aging-time
----------------------------------------------------------------------------------------------------------------
GigabitEthernet5/0/0    10.0.0.1        2009-09-16 10:18:18    2009-09-16 10:19:12    50
----------------------------------------------------------------------------------------------------------------
There are 1 records in Arp-miss table
```

The switch automatically delivers an ACL that matches the ARP Miss packets from the identified source IP address. If these packets do not need to reach the control plane at all, run the cpu-defend policy command with a blacklist configured to block the attack source.
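As an added example (not Huawei's implementation), a Python model of the source-IP-based ARP Miss rate limiting described above: events are counted per source IP per second, a source over its limit is blocked for the punishment time (standing in for the delivered ACL), and a per-source override plays the role of the whitelist entry for the network-side device. The traffic is constructed: a scanner at 10.0.0.1 and a gateway at 1.1.1.1, both addresses taken from this page.

```python
from collections import defaultdict

# Defaults stated on the page: 30 pps per source IP, 5-second punishment.
DEFAULT_LIMIT_PPS = 30
BLOCK_SECONDS = 5


class ArpMissSuppressor:
    """Per-source ARP Miss rate limit with a temporary block (model, not Huawei code).

    ARP Miss events are counted per source IP per one-second window. A source that
    exceeds its limit is blocked for block_seconds, which stands in for the ACL the
    switch delivers; per_source overrides the limit for whitelisted addresses.
    """

    def __init__(self, default_limit=DEFAULT_LIMIT_PPS, per_source=None,
                 block_seconds=BLOCK_SECONDS):
        self.default_limit = default_limit
        self.per_source = dict(per_source or {})
        self.block_seconds = block_seconds
        self.window = {}          # src -> [second, count in that second]
        self.blocked_until = {}   # src -> time at which the block expires
        self.records = []         # (src, block_time), like arpmiss-record-info

    def handle(self, t, src):
        """Return 'cpu' if the ARP Miss at time t is sent to the CPU, else 'drop'."""
        if t < self.blocked_until.get(src, 0):
            return "drop"                      # still inside the punishment time
        sec = int(t)
        w = self.window.setdefault(src, [sec, 0])
        if w[0] != sec:                        # new one-second window
            w[0], w[1] = sec, 0
        w[1] += 1
        if w[1] > self.per_source.get(src, self.default_limit):
            self.blocked_until[src] = t + self.block_seconds
            self.records.append((src, t))      # the source is now "punished"
            return "drop"
        return "cpu"


def run_scenario(per_source=None):
    """Constructed traffic: scanner 10.0.0.1 at 100 pps, gateway 1.1.1.1 at 50 pps."""
    events = [(i * 0.01, "10.0.0.1") for i in range(100)]
    events += [(i * 0.02, "1.1.1.1") for i in range(50)]
    events.sort()
    sup = ArpMissSuppressor(per_source=per_source)
    counts = defaultdict(lambda: {"cpu": 0, "drop": 0})
    for t, src in events:
        counts[src][sup.handle(t, src)] += 1
    return dict(counts), sorted({src for src, _ in sup.records})
```

Without the override the gateway is punished alongside the scanner; with `{"1.1.1.1": 200}` only the scanner is blocked, which is the reason the page recommends the whitelist entry.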