Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Overview

This section describes the definition and functions of ARP Security.

Definition

Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based network scanning attacks using a series of methods such as strict ARP learning, dynamic ARP inspection (DAI), ARP anti-spoofing, and rate limit on ARP packets.

Purpose

ARP is easy to use but has no security mechanisms. Attackers often use ARP to attack network devices. The following ARP attack modes are commonly used on networks:

  • ARP flood attack: ARP flood attacks, also called denial of service (DoS) attacks, occur in the following scenarios:

    • System resources are consumed when the device processes ARP packets and maintains ARP entries. To ensure that ARP entries can be queried efficiently, a maximum number of ARP entries is set on the device. Attackers send a large number of bogus ARP packets with variable source IP addresses to the device. In this case, ARP entries on the device are exhausted and the device cannot generate ARP entries for ARP packets from authorized users. Consequently, communication is interrupted.

    • When attackers scan hosts on the local network segment or other network segments, the attackers send many IP packets with unresolvable destination IP addresses to attack the device. As a result, the device triggers many ARP Miss messages, generates a large number of temporary ARP entries, and broadcasts ARP Request packets to resolve the destination IP addresses, leading to Central Processing Unit (CPU) overload.

  • ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The devices then modify ARP entries, causing communication failures.

ARP attacks cause the following problems:
  • Network connections are unstable and communication is interrupted, leading to economic loss.
  • Attackers initiate ARP spoofing attacks to intercept user packets and obtain accounts and passwords of systems such as game servers, online banking, and file servers, leading to losses.

To avoid the preceding problems, the device provides multiple techniques to defend against ARP attacks.

Table 26-9 describes the ARP security techniques available for defending against these ARP attacks.

Table 26-9  ARP security techniques for defending against ARP flood and spoofing attacks

Attack Type: ARP flood attack

  • Attack Defense Function: Rate limit on ARP packets
    Description: This function limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services when processing a large number of ARP packets.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: Rate limit on ARP Miss messages
    Description: This function limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: Strict ARP learning
    Description: This function allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. This prevents ARP entries from being exhausted by invalid ARP packets.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: ARP entry limiting
    Description: This function sets the maximum number of ARP entries that a device interface can dynamically learn, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.
    Deployment: You are advised to enable this function on the gateway.

Attack Type: ARP spoofing attack

  • Attack Defense Function: ARP entry fixing
    Description: After the device with this function enabled learns an ARP entry for the first time, it either does not change the ARP entry at all, updates only part of the entry, or sends a unicast ARP Request packet to check the validity of the received ARP packet before updating the entry, depending on the configured mode. The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: Gratuitous ARP packet sending
    Description: This function allows the device used as the gateway to periodically send ARP Request packets with its own IP address as the destination IP address, so that hosts update the gateway MAC address in their ARP entries. This ensures that packets of authorized users are forwarded to the gateway and prevents attackers from intercepting these packets.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: MAC address consistency check in an ARP packet
    Description: This function defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: ARP packet validity check
    Description: This function allows the device to filter out packets in which the source MAC addresses are different from those in the Ethernet frame header.
    Deployment: You are advised to enable this function on the gateway or an access device.

  • Attack Defense Function: Strict ARP learning
    Description: This function allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. This prevents the device from incorrectly updating ARP entries based on received bogus ARP packets.
    Deployment: You are advised to enable this function on the gateway.

  • Attack Defense Function: ARP learning triggered by DHCP
    Description: This function allows the device to generate ARP entries based on received DHCP ACK messages. Without it, when there are a large number of DHCP users, the device must learn and age many ARP entries, which affects device performance; this function avoids that problem. You can also deploy DAI to prevent ARP entries of DHCP users from being modified maliciously.
    Deployment: You are advised to enable this function on the gateway.
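The following added Python model (illustrative code written for this page, not Huawei's implementation) shows how a gateway ARP cache behaves when four of the checks in Table 26-9 are applied to incoming packets: MAC address consistency, strict ARP learning, ARP entry limiting, and ARP entry fixing in its fixed-all, fixed-mac and send-ack modes. The still_alive hook is a hypothetical stand-in for the unicast ARP Request that send-ack mode uses to verify the existing entry; interface names, IP and MAC addresses in the comments and tests are constructed.

```python
from dataclasses import dataclass
@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str    # sender hardware address in the ARP payload
    eth_src_mac: str   # source MAC in the Ethernet frame header
    ingress: str       # interface the packet arrived on (constructed names)

class GatewayArpTable:
    """Toy model of a gateway ARP cache applying four of the checks in Table 26-9."""
    def __init__(self, fixing_mode="fixed-all", strict=True, per_if_limit=2,
                 still_alive=lambda ip, mac: True):
        assert fixing_mode in ("fixed-all", "fixed-mac", "send-ack")
        self.fixing_mode, self.strict, self.per_if_limit = fixing_mode, strict, per_if_limit
        self.still_alive = still_alive  # hypothetical hook standing in for send-ack's unicast probe
        self.table = {}                 # ip -> (mac, interface)
        self.pending = set()            # IPs for which we sent our own ARP Request
        self.drops = []                 # (ip, reason) for every packet that was not learned

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, pkt):
        # Returns True if the packet created or updated an entry, False otherwise.
        def drop(reason): self.drops.append((pkt.sender_ip, reason)); return False
        # MAC address consistency check: ARP sender MAC must equal the frame source MAC
        if pkt.sender_mac != pkt.eth_src_mac: return drop("sender MAC differs from frame source MAC")
        # Strict ARP learning: only Replies to Requests we sent ourselves may be learned
        if self.strict and not (pkt.op == "reply" and pkt.sender_ip in self.pending):
            return drop("unsolicited packet under strict learning")
        self.pending.discard(pkt.sender_ip)
        cur = self.table.get(pkt.sender_ip)
        if cur is None:
            # ARP entry limiting: cap the dynamic entries learned on each interface
            if sum(itf == pkt.ingress for _, itf in self.table.values()) >= self.per_if_limit:
                return drop(f"entry limit reached on {pkt.ingress}")
            self.table[pkt.sender_ip] = (pkt.sender_mac, pkt.ingress)
            return True
        if cur == (pkt.sender_mac, pkt.ingress): return False  # identical refresh, nothing to change
        # ARP entry fixing: an entry exists, so decide whether it may change
        if self.fixing_mode == "fixed-all": return drop("fixed-all: existing entry is frozen")
        if self.fixing_mode == "fixed-mac":
            if cur[0] != pkt.sender_mac: return drop("fixed-mac: MAC change rejected")
            self.table[pkt.sender_ip] = (cur[0], pkt.ingress)  # only the interface is updated
            return True
        # send-ack: keep the old entry while the recorded MAC still answers a unicast ARP Request
        if self.still_alive(pkt.sender_ip, cur[0]): return drop("send-ack: recorded MAC still responds")
        self.table[pkt.sender_ip] = (pkt.sender_mac, pkt.ingress)
        return True
```

Rate limiting of ARP packets and ARP Miss messages, gratuitous ARP and DHCP-triggered learning are not modelled; the drops list records why each rejected packet was not learned, which is the information a defender would want from the device's logs.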

Benefits

  • Reduces maintenance costs for network operating and security.
  • Provides users with stable services on a secure network.
Updated: 2019-01-11

Document ID: EDOC1000176006
