Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Principles

This section describes the implementation of ARP Security.

Rate Limit on ARP Packets

When the device has to process a large number of ARP packets, it lacks the CPU resources needed for other services. To protect the CPU, limit the rate at which ARP packets are accepted.

The device provides the following mechanisms for limiting the rate of ARP packets:

  • Limiting the rate of ARP packets based on the source MAC address or source IP address

    When detecting that a host sends a large number of ARP packets in a short period, the device limits the rate of ARP packets sent from this host based on the source MAC address or source IP address. If the number of ARP packets received within 1 second exceeds the threshold, the device discards the excess ARP packets.
    • Limiting the rate of ARP packets based on the source MAC address: If a MAC address is specified, the device applies the rate limit to ARP packets from this source MAC address; otherwise, the device applies the rate limit to all ARP packets.

    • Limiting the rate of ARP packets based on the source IP address: If an IP address is specified, the device applies the rate limit to ARP packets from this source IP address; otherwise, the device applies the rate limit to all ARP packets.

  • Limiting the rate on ARP packets globally or on an interface

    The maximum rate and the rate limit duration of ARP packets can be set globally or on an interface. When both are configured, the interface configuration takes precedence over the global configuration on that interface.

    • Limiting the rate of ARP packets globally: limits the number of ARP packets to be processed by the system. When an ARP attack occurs, the device limits the rate of ARP packets globally.

    • Limiting the rate of ARP packets on an interface: limits the number of ARP packets to be processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.
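The following is an added example, not code from this guide or from Huawei, that models the two rate-limiting mechanisms above: per-source limits keyed on the source MAC or source IP (a limit for a specific address overrides the limit that applies to all addresses) and an interface limit that takes precedence over the global limit. Packet fields, interface names, the 1-second sliding window and the explicit timestamps are assumptions made for the example.

```python
from collections import defaultdict, deque


class ArpRateLimiter:
    """Count-based limiter for ARP packets over sliding 1-second windows.

    Assumptions (not taken from the page): a packet is a dict with the keys
    'smac', 'sip' and 'ifname'; every limit is "ARP packets per second";
    a limit set on an interface overrides the global limit on that interface;
    a limit set for a specific source MAC/IP overrides the limit that applies
    to all sources. Timestamps are passed in explicitly for determinism.
    """

    def __init__(self, global_limit=None):
        self.global_limit = global_limit
        self.interface_limits = {}                  # ifname -> limit
        self.source_limits = {('mac', None): None,  # None = "all sources"
                              ('ip', None): None}
        self.windows = defaultdict(deque)           # window key -> accept times
        self.dropped = defaultdict(int)             # window key -> drop count

    def limit_source_mac(self, limit, mac=None):
        self.source_limits[('mac', mac)] = limit

    def limit_source_ip(self, limit, ip=None):
        self.source_limits[('ip', ip)] = limit

    def limit_interface(self, ifname, limit):
        self.interface_limits[ifname] = limit

    def _applicable_limits(self, pkt):
        """Yield (window key, limit) pairs that apply to this packet."""
        for kind, addr in (('mac', pkt['smac']), ('ip', pkt['sip'])):
            if (kind, addr) in self.source_limits:       # specific address
                yield (kind, addr), self.source_limits[(kind, addr)]
            else:                                        # limit for all sources
                yield (kind, addr), self.source_limits[(kind, None)]
        ifname = pkt['ifname']
        if ifname in self.interface_limits:              # interface beats global
            yield ('if', ifname), self.interface_limits[ifname]
        else:
            yield ('global',), self.global_limit

    def accept(self, pkt, now):
        """Return True if the packet is processed, False if it is discarded."""
        passed = []
        for key, limit in self._applicable_limits(pkt):
            if limit is None:
                continue
            window = self.windows[key]
            while window and now - window[0] >= 1.0:    # forget packets older than 1 s
                window.popleft()
            if len(window) >= limit:
                self.dropped[key] += 1
                return False
            passed.append(window)
        for window in passed:        # count the packet only once every check passed
            window.append(now)
        return True


def simulate():
    """Constructed traffic: a flooding host and a normal host on one port in 1 s."""
    lim = ArpRateLimiter(global_limit=500)
    lim.limit_source_mac(100)                            # every source MAC: 100 pps
    lim.limit_interface('GigabitEthernet0/0/1', 150)     # overrides global on this port
    flood = {'smac': 'aa-aa-aa-aa-aa-aa', 'sip': '10.0.0.99', 'ifname': 'GigabitEthernet0/0/1'}
    legit = {'smac': 'bb-bb-bb-bb-bb-bb', 'sip': '10.0.0.10', 'ifname': 'GigabitEthernet0/0/1'}
    accepted = {'flood': 0, 'legit': 0}
    for i in range(200):                                 # 200 ARP packets within 1 s
        accepted['flood'] += lim.accept(flood, now=i / 200)
    for i in range(5):                                   # 5 ARP packets from a normal host
        accepted['legit'] += lim.accept(legit, now=0.5 + i / 100)
    return accepted, dict(lim.dropped)


def interface_limit_wins():
    """20 hosts with distinct MACs send one ARP each within 1 s on two ports."""
    lim = ArpRateLimiter(global_limit=500)
    lim.limit_interface('GigabitEthernet0/0/1', 10)     # only this port is tightened
    out = {}
    for port in ('GigabitEthernet0/0/1', 'GigabitEthernet0/0/2'):
        out[port] = sum(
            lim.accept({'smac': f'00-00-00-00-00-{n:02x}', 'sip': f'10.0.0.{n}',
                        'ifname': port}, now=n / 100)
            for n in range(20))
    return out
```

The flooding host loses everything beyond its 100-packet per-MAC budget while the normal host on the same port is untouched, which is the reason per-source limiting is preferred over a bare global limit; the second function shows that a port with its own limit is judged by that limit alone, while a port without one falls back to the global value.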

Rate Limit on ARP Miss Messages

If a host attacks the device by sending a large number of IP packets whose destination IP addresses cannot be resolved, that is, the device has a route to the destination but no ARP entry for the next hop of that route, a large number of ARP Miss messages are triggered. The IP packets that trigger ARP Miss messages are sent to the master control board for processing, the device generates many temporary ARP entries, and it sends many ARP Request packets to the network. This consumes a large amount of CPU and bandwidth resources.

To avoid the preceding problems, the device provides multiple techniques to limit the rate on ARP Miss messages.

  • Limiting the rate of ARP Miss messages based on the source IP address

    If the number of ARP Miss messages triggered by IP packets from a source IP address in 1 second exceeds the limit, the device considers that an attack is initiated from the source IP address.

    If a source IP address is specified, the rate of ARP Miss messages triggered by IP packets from the source IP address is limited. If no source IP address is specified, the rate of ARP Miss messages triggered by IP packets from each source IP address is limited.

  • Limiting the rate of ARP Miss messages globally

    The device can limit the number of ARP Miss messages processed by the system.

  • Limiting the rate of ARP Miss messages by setting the aging time of temporary ARP entries

    When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
    • In the aging time of temporary ARP entries:
      • An IP packet that is received before the ARP Reply packet and matches a temporary ARP entry is discarded and triggers no ARP Miss message.
      • After receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
    • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages are triggered again and temporary ARP entries are regenerated. This process continues.

    When ARP Miss attacks occur on the device, you can extend the aging time of temporary ARP entries and reduce the frequency of triggering ARP Miss messages to minimize the impact on the device.
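The following added example (not code from this guide or from Huawei) models the ARP Miss behaviour described above: a packet for an unresolved next hop triggers an ARP Miss, creates a temporary entry and sends one ARP Request; packets that hit the temporary entry before a reply are discarded without a new ARP Miss; a reply replaces the temporary entry; and an expired temporary entry lets the next packet trigger ARP Miss again. It also applies the per-source ARP Miss limit. Millisecond timestamps, the decision to discard the triggering packet, and the action taken once a source exceeds its limit are assumptions of the example.

```python
class ArpMissHandler:
    """Model of ARP Miss handling with temporary entries and per-source limits.

    Assumptions (not from the page): time is in integer milliseconds; the IP
    packet that triggers an ARP Miss is discarded once the temporary entry and
    the ARP Request have been generated; once a source exceeds its ARP Miss
    limit within a second, its further unresolvable packets are discarded
    without triggering ARP Miss.
    """

    def __init__(self, temp_aging_ms, miss_limit_per_source=None):
        self.temp_aging_ms = temp_aging_ms
        self.miss_limit = miss_limit_per_source
        self.table = {}        # next-hop IP -> {'mac': None or str, 'expires': ms}
        self.miss_window = {}  # source IP -> [window start ms, misses in window]
        self.stats = {'forwarded': 0, 'miss': 0, 'requests': 0,
                      'dropped_temp': 0, 'dropped_attack': 0}

    def _miss_allowed(self, sip, now):
        if self.miss_limit is None:
            return True
        start, count = self.miss_window.get(sip, (now, 0))
        if now - start >= 1000:               # start a new 1-second window
            start, count = now, 0
        allowed = count < self.miss_limit
        self.miss_window[sip] = [start, count + 1 if allowed else count]
        return allowed

    def forward(self, sip, next_hop, now):
        entry = self.table.get(next_hop)
        if entry and entry['expires'] > now:
            if entry['mac'] is None:          # temporary entry, no reply yet
                self.stats['dropped_temp'] += 1
                return 'dropped-temp'         # discarded, no ARP Miss
            self.stats['forwarded'] += 1
            return 'forwarded'
        # No usable entry for the next hop: this is an ARP Miss
        if not self._miss_allowed(sip, now):
            self.stats['dropped_attack'] += 1
            return 'dropped-attack'
        self.stats['miss'] += 1
        self.stats['requests'] += 1           # one ARP Request per ARP Miss
        self.table[next_hop] = {'mac': None, 'expires': now + self.temp_aging_ms}
        return 'arp-miss'

    def arp_reply(self, ip, mac):
        """An ARP Reply turns the temporary entry into a real one."""
        self.table[ip] = {'mac': mac, 'expires': float('inf')}


def unreachable_flood(temp_aging_ms):
    """One source sends a packet every 100 ms for 10 s to a next hop that never answers.
    Returns how many ARP Miss messages that produced."""
    h = ArpMissHandler(temp_aging_ms)
    for i in range(100):
        h.forward('10.0.0.99', '10.0.1.77', now=i * 100)
    return h.stats['miss']


def per_source_limit():
    """Same source, 10 packets to 10 different unresolvable next hops within 100 ms."""
    h = ArpMissHandler(temp_aging_ms=1000, miss_limit_per_source=5)
    results = [h.forward('10.0.0.99', '10.0.1.%d' % n, now=n * 10) for n in range(10)]
    return results.count('arp-miss'), results.count('dropped-attack')


def resolved_then_forwarded():
    """Normal case: miss, temporary entry, reply, then forwarding."""
    h = ArpMissHandler(temp_aging_ms=1000)
    first = h.forward('10.0.0.10', '10.0.1.1', now=0)     # ARP Miss, Request sent
    second = h.forward('10.0.0.10', '10.0.1.1', now=50)   # hits temporary entry
    h.arp_reply('10.0.1.1', '00-11-22-33-44-55')
    third = h.forward('10.0.0.10', '10.0.1.1', now=60)
    return first, second, third
```

Running `unreachable_flood` with a 1-second and a 5-second temporary-entry aging time shows the point of the last mechanism: the same 100-packet stream triggers 10 ARP Miss messages in the first case and 2 in the second, so extending the aging time cuts the ARP Request and CPU load an attacker can cause without changing anything for hosts whose next hop does reply.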

Strict ARP Learning

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:

  • A large amount of CPU resources is consumed to process the ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.

  • Bogus ARP packets modify ARP entries on the device. As a result, the device cannot communicate with other devices.

To avoid the preceding problems, deploy the strict ARP learning function on the gateway.

After the strict ARP learning function is enabled, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets the device itself sent. Unsolicited ARP Request and Reply packets no longer create or modify entries, which defends against most ARP attacks on the gateway's ARP table.

Figure 26-9  Strict ARP learning

As shown in Figure 26-9, after receiving an ARP Request packet from UserA, the gateway sends an ARP Reply packet to UserA and adds or updates an ARP entry matching UserA. After the strict ARP learning function is enabled on the gateway:
  • When receiving an ARP Request packet from UserA, the gateway adds or updates no ARP entry matching UserA. If the ARP Request packet requests the MAC address of the gateway, the gateway sends an ARP Reply packet to UserA.

  • If the gateway sends an ARP Request packet to UserB, the gateway adds or updates an ARP entry matching UserB after receiving the ARP Reply packet.
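The following added example (not code from this guide or from Huawei) plays the two cases of Figure 26-9 against a minimal gateway model, with strict ARP learning off and on, and adds an unsolicited ARP Reply from an attacker claiming UserA's IP address. The frame representation, the MAC and IP addresses, and the `pending` set that records the gateway's own outstanding ARP Requests are assumptions of the example.

```python
class Gateway:
    """ARP table of a gateway with optional strict ARP learning.

    Assumptions (not from the page): a frame is (op, sender_mac, sender_ip,
    target_ip); the IPs for which the gateway itself sent an ARP Request are
    kept in 'pending', and with strict learning only Replies to those are
    learned. Frames the gateway emits are collected in 'sent'.
    """

    def __init__(self, mac, ip, strict):
        self.mac, self.ip, self.strict = mac, ip, strict
        self.arp_table = {}    # ip -> mac
        self.pending = set()   # IPs the gateway has itself asked for
        self.sent = []

    def send_request(self, target_ip):
        self.pending.add(target_ip)
        self.sent.append(('request', self.mac, self.ip, target_ip))

    def receive(self, op, sender_mac, sender_ip, target_ip):
        if op == 'request':
            if not self.strict:
                self.arp_table[sender_ip] = sender_mac   # non-strict: learn from any Request
            if target_ip == self.ip:                     # the gateway always answers for itself
                self.sent.append(('reply', self.mac, self.ip, sender_ip))
                return 'replied'
            return 'ignored'
        if op == 'reply':
            if self.strict and sender_ip not in self.pending:
                return 'unsolicited-reply-ignored'       # not an answer to our own Request
            self.arp_table[sender_ip] = sender_mac
            self.pending.discard(sender_ip)
            return 'learned'
        raise ValueError('unknown ARP operation: %r' % op)


def scenario(strict):
    """Returns (ARP table, replies the gateway sent) for the constructed exchange."""
    gw = Gateway('00-11-22-33-44-55', '10.0.0.1', strict=strict)
    # UserA asks for the gateway's MAC (Figure 26-9, UserA side)
    gw.receive('request', '00-aa-00-00-00-0a', '10.0.0.10', '10.0.0.1')
    # Attacker injects an unsolicited Reply claiming UserA's IP address
    gw.receive('reply', '00-bb-00-00-00-bb', '10.0.0.10', '10.0.0.1')
    # The gateway itself resolves UserB and receives the answer (UserB side)
    gw.send_request('10.0.0.20')
    gw.receive('reply', '00-cc-00-00-00-0b', '10.0.0.20', '10.0.0.1')
    replies = [f for f in gw.sent if f[0] == 'reply']
    return dict(gw.arp_table), replies
```

Without strict learning the gateway first learns UserA from the Request and then lets the attacker's Reply overwrite that entry; with strict learning neither packet touches the table and UserA is still answered. The trade-off is that the gateway only learns UserA when it resolves UserA itself, that is, through the ARP Miss path described above, so strict learning should be paired with ARP Miss rate limiting.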

ARP Entry Limiting

The ARP entry limiting function controls the number of ARP entries that a gateway interface can learn. By default, the number of ARP entries that an interface can dynamically learn equals the number of ARP entries supported by the device. After the ARP entry limiting function is deployed, once the number of ARP entries that an interface has dynamically learned reaches the configured maximum, the interface learns no more ARP entries. This prevents ARP entries from being exhausted when a host connected to that interface launches an ARP attack.

ARP Entry Fixing

As shown in Figure 26-10, an attacker simulates UserA to send a bogus ARP packet to the gateway. The gateway then records an incorrect ARP entry for UserA. As a result, UserA cannot communicate with the gateway.

Figure 26-10  ARP gateway spoofing attack

To defend against ARP gateway spoofing attacks, deploy the ARP entry fixing function on the gateway. After the gateway learns an ARP entry for the first time, the function prevents later ARP packets from simply overwriting it: depending on the mode, the gateway leaves the entry unchanged, updates only part of it, or sends a unicast ARP Request packet to verify the ARP packet that asks for the change before updating the entry.

The device supports three ARP entry fixing modes, as described in Table 26-10.

Table 26-10  ARP entry fixing modes

Mode: fixed-all
Description: When the device receives an ARP packet for an IP address that already has an ARP entry, it discards the packet if the MAC address, interface number, or VLAN ID in the packet differs from the existing entry. This mode applies to networks that use static IP addresses and have no redundant links.

Mode: fixed-mac
Description: When the device receives an ARP packet, it discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address matches but the interface number or VLAN ID differs from the entry, the device updates the interface number or VLAN ID in the entry. This mode applies to networks where users need to change access interfaces.

Mode: send-ack
Description: When the device receives ARP packet A with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and decides whether to change the MAC address, VLAN ID, or interface number in the entry depending on the response.
  • If the device receives ARP Reply packet B within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID of the ARP entry are the same as those in ARP Reply packet B, the device considers ARP packet A an attack packet and does not update the ARP entry.

  • If the device receives no ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID of the ARP entry differ from those in ARP Reply packet B, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address again.
    • If the device receives ARP Reply packet C within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID of ARP packet A are the same as those in ARP Reply packet C, the device considers ARP packet A a valid packet and updates the ARP entry based on ARP packet A.
    • If the device receives no ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID of ARP packet A differ from those in ARP Reply packet C, the device considers ARP packet A an attack packet and does not update the ARP entry.

This mode applies to networks that use dynamic IP addresses and have redundant links.
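The following added example (not code from this guide or from Huawei) implements the decision logic of the three modes in Table 26-10 and runs the spoofing attack of Figure 26-10 and a legitimate port change through each of them. The entry layout, the interface names, and the `probe` callable that stands in for the unicast ARP Request plus its 3-second wait are assumptions of the example.

```python
class FixedArpTable:
    """Gateway ARP table with the fixed-all, fixed-mac and send-ack modes.

    Assumptions (not from the page): an entry is (mac, ifname, vlan); the
    unicast verification ARP Request of send-ack mode is modelled by a
    'probe' callable taking (ip, original_mac) and returning the reply as
    (ip, mac, ifname, vlan), or None if nothing arrived within 3 seconds.
    """

    def __init__(self, mode, probe=None):
        if mode not in ('fixed-all', 'fixed-mac', 'send-ack'):
            raise ValueError(mode)
        self.mode, self.probe, self.table = mode, probe, {}

    def receive(self, ip, mac, ifname, vlan):
        """Apply ARP packet A = (ip, mac, ifname, vlan); return what happened."""
        new = (mac, ifname, vlan)
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = new           # first learning is always accepted
            return 'learned'
        if old == new:
            return 'unchanged'
        if self.mode == 'fixed-all':       # any change is refused
            return 'discarded'
        if self.mode == 'fixed-mac':
            if mac != old[0]:
                return 'discarded'         # a MAC change is refused
            self.table[ip] = new           # same MAC, new port/VLAN accepted
            return 'location-updated'
        # send-ack: ask the recorded owner before changing the entry
        reply_b = self.probe(ip, old[0])
        if reply_b == (ip,) + old:         # owner still answers exactly as recorded
            return 'discarded'             # packet A is treated as an attack
        reply_c = self.probe(ip, old[0])   # second unicast ARP Request
        if reply_c == (ip,) + new:         # the answer now matches packet A
            self.table[ip] = new
            return 'updated'
        return 'discarded'


# Constructed data: UserA's original entry, an attacker claiming UserA's IP,
# and UserA re-appearing on another port with its own MAC.
USER_A = ('10.0.0.10', '00-aa-00-00-00-0a', 'GigabitEthernet0/0/1', 10)
SPOOF = ('10.0.0.10', '00-bb-00-00-00-bb', 'GigabitEthernet0/0/3', 10)
MOVED = ('10.0.0.10', '00-aa-00-00-00-0a', 'GigabitEthernet0/0/2', 10)


def owner_still_there(ip, mac):
    """Probe reply while UserA is still on its original port (attack case)."""
    return (ip, '00-aa-00-00-00-0a', 'GigabitEthernet0/0/1', 10)


def owner_moved(ip, mac):
    """Probe reply after UserA has really moved to the other port."""
    return (ip, '00-aa-00-00-00-0a', 'GigabitEthernet0/0/2', 10)


def owner_silent(ip, mac):
    """No reply within 3 seconds."""
    return None


def run(mode, probe=None, packet_a=SPOOF):
    """Learn UserA, then apply packet A; returns (decision, entry for UserA)."""
    t = FixedArpTable(mode, probe)
    t.receive(*USER_A)
    return t.receive(*packet_a), t.table['10.0.0.10']
```

fixed-all refuses even the genuine move, which is why it is only recommended for static addressing without redundant links; fixed-mac accepts the move because the MAC is unchanged but still rejects the spoofed MAC; send-ack rejects the spoof while the real UserA still answers on its recorded port, accepts the move once the replies agree with packet A, and keeps the old entry when nobody answers at all.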

Gratuitous ARP Packet Sending

As shown in Figure 26-11, an attacker forges the gateway address to send a bogus ARP packet to UserA. UserA then records an incorrect ARP entry for the gateway. As a result, the gateway cannot receive packets from UserA.

Figure 26-11  Bogus gateway attack

To avoid the preceding problem, deploy gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

MAC Address Consistency Check in an ARP Packet

This function defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.

This function enables the gateway to check the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.

ARP Packet Validity Check

After receiving an ARP packet, the device checks validity of the ARP packet, including:
  • Packet length
  • Validity of the source and destination MAC addresses in the ARP packet
  • ARP Request type and ARP Reply type
  • MAC address length
  • IP address length
  • Whether the ARP packet is an Ethernet frame
These checks determine whether an ARP packet is valid. A packet whose source MAC address in the ARP payload differs from the source MAC address in the Ethernet frame header is allowed by the ARP protocol but is likely to be an attack packet.

After ARP packet validity check is enabled on the gateway or an access device, the device compares the source MAC address in the ARP packet with that in the Ethernet frame header and discards packets in which the two differ.
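The following added example (not code from this guide or from Huawei) parses raw Ethernet/ARP frames and applies the check items listed above together with the MAC address consistency check of the previous section: frame length, EtherType, hardware and protocol address lengths, operation code, sanity of the sender MAC, and agreement between the MAC addresses inside the ARP payload and those in the Ethernet header. The sample frames, including the gateway's gratuitous ARP from the section on gratuitous ARP packet sending, are constructed inline for the example, not captured traffic; the rule that the target MAC is only compared for Replies (a Request carries a placeholder target MAC) is the example's own design choice.

```python
import struct

ETH = struct.Struct('!6s6sH')          # dst MAC, src MAC, EtherType
ARP = struct.Struct('!HHBBH6s4s6s4s')  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b'\xff' * 6
ZERO_MAC = b'\x00' * 6


def mac(s):
    return bytes.fromhex(s.replace('-', '').replace(':', ''))


def ip(s):
    return bytes(int(o) for o in s.split('.'))


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Ethernet header followed by a 28-byte Ethernet/IPv4 ARP payload."""
    return ETH.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def check_arp_frame(frame):
    """Return (True, 'ok') or (False, reason), following the page's check items."""
    if len(frame) < ETH.size + ARP.size:
        return False, 'packet length too short for Ethernet + ARP'
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return False, 'not an ARP Ethernet frame'
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if htype != 1 or ptype != 0x0800:
        return False, 'not Ethernet/IPv4 ARP'
    if hlen != 6:
        return False, 'MAC address length is not 6'
    if plen != 4:
        return False, 'IP address length is not 4'
    if op not in (OP_REQUEST, OP_REPLY):
        return False, 'operation is neither Request nor Reply'
    if sha in (ZERO_MAC, BROADCAST) or sha[0] & 1:
        return False, 'sender MAC is zero, broadcast or multicast'
    # MAC address consistency check: ARP payload vs. Ethernet header
    if sha != eth_src:
        return False, 'sender MAC differs from Ethernet source MAC'
    if op == OP_REPLY and tha != eth_dst:   # a Request carries a placeholder target MAC
        return False, 'target MAC differs from Ethernet destination MAC'
    return True, 'ok'


def sample_frames():
    """Constructed frames for demonstration (not captured traffic)."""
    a, gw, atk = mac('00-aa-00-00-00-0a'), mac('00-11-22-33-44-55'), mac('00-bb-00-00-00-bb')
    a_ip, gw_ip = ip('10.0.0.10'), ip('10.0.0.1')
    ok_req = build_arp_frame(a, BROADCAST, OP_REQUEST, a, a_ip, ZERO_MAC, gw_ip)
    ok_rep = build_arp_frame(gw, a, OP_REPLY, gw, gw_ip, a, a_ip)
    # Attacker's NIC sends with its own MAC but claims UserA's MAC inside ARP
    spoofed = build_arp_frame(atk, BROADCAST, OP_REQUEST, a, a_ip, ZERO_MAC, gw_ip)
    # Reply whose ARP target MAC disagrees with the Ethernet destination
    bad_target = build_arp_frame(gw, a, OP_REPLY, gw, gw_ip, atk, a_ip)
    bad_hlen = bytearray(ok_req)
    bad_hlen[ETH.size + 4] = 8                 # overwrite the hlen field
    bad_op = build_arp_frame(a, BROADCAST, 3, a, a_ip, ZERO_MAC, gw_ip)
    # Gateway announcing its own address: sender IP == target IP, broadcast
    gratuitous = build_arp_frame(gw, BROADCAST, OP_REQUEST, gw, gw_ip, ZERO_MAC, gw_ip)
    return {'request': ok_req, 'reply': ok_rep, 'spoofed-sender': spoofed,
            'bad-target': bad_target, 'bad-hlen': bytes(bad_hlen), 'bad-op': bad_op,
            'truncated': ok_req[:20], 'gratuitous': gratuitous}
```

Note that the gateway's gratuitous ARP passes every check: it is syntactically a normal broadcast Request, so validity checking on access devices does not interfere with the gratuitous ARP packet sending function, whereas the attacker's frame, which is what the bogus-gateway attack in Figure 26-11 looks like on the wire when the attacker does not bother to forge the Ethernet source, is dropped by the consistency check alone.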

Updated: 2019-01-11

Document ID: EDOC1000176006