CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Overview of ARP Security

Definition

Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based network scanning attacks using a series of methods such as strict ARP learning, dynamic ARP inspection (DAI), ARP anti-spoofing, and rate limit on ARP packets.

Purpose

ARP is easy to use but lacks security protection mechanisms. Attackers may use ARP to attack network devices. The following ARP attacks exist on networks:

  • ARP flood attack: ARP flood attacks, also called denial of service (DoS) attacks, occur in the following scenarios:

    • Processing ARP packets and maintaining ARP entries consume system resources. Network devices limit the number of stored ARP entries to improve ARP entry query efficiency. Attackers send a large number of bogus ARP packets with variable source IP addresses to consume ARP entries on a target device. Therefore, the target device cannot generate ARP entries when receiving ARP packets from authorized users. Consequently, communication is interrupted.

    • Attackers send a large number of IP packets with unresolvable destination IP addresses to scan the hosts on the local or remote network segments. The target devices generate many ARP Miss messages and deliver many temporary ARP entries. In addition, the target devices broadcast a large number of ARP Request packets to resolve the destination IP addresses of the IP packets received from attackers. These operations cause CPU overloading.

  • ARP spoofing attack: Attackers send bogus ARP packets to target devices, causing these devices to modify the ARP entries of other network devices or user hosts. As a result, these network devices or user hosts cannot communicate with one another.

ARP attacks cause the following problems:
  • Network connections are unstable and communication is interrupted.
  • Attackers initiate ARP spoofing attacks to intercept user packets and thus obtain the accounts and passwords of the users, for example, game, online banking, and file server accounts and passwords, leading to losses for customers.

To avoid the preceding problems, the device provides multiple techniques to defend against ARP attacks.

Table 10-1 and Table 10-2 describe the ARP security techniques that defend against the different ARP attacks.

Table 10-1  Measures to prevent ARP flood attacks

| Measure | Description | Deployment |
| --- | --- | --- |
| Rate limiting on ARP packets | Limits the rate of ARP packets to ensure that a device has sufficient CPU resources to process other services. | You are advised to enable this function on the gateway. |
| Rate limiting on ARP Miss messages | Limits the rate of ARP Miss messages to prevent attacks from a large number of IP packets with unresolvable destination IP addresses. | You are advised to enable this function on the gateway. |
| Strict ARP learning | Allows a device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, but does not allow the device to learn the ARP entries for the ARP packets received from other devices. This prevents ARP entries from being exhausted by invalid ARP packets. | You are advised to enable this function on the gateway. |
| ARP entry limiting | Limits the total number of ARP entries that can be dynamically learned by a device's interface. This function prevents ARP entries from being exhausted when a user host connected to the interface attacks the device. | You are advised to enable this function on the gateway. |
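The four flood countermeasures in Table 10-1 interact, and the easiest way to see how is to simulate a gateway's ARP table under a burst of traffic. The following Python model is an added example written for this page, not Huawei code and not the device's CLI: the `TokenBucket`, `ArpTable` and `run_flood_scenario` names, the per-interface quota, the rates and the interface names are all assumptions, and the traffic it feeds in (one legitimate resolution, twenty unsolicited replies from one port with varying source IPs, then fifty IP packets to unresolvable destinations) is constructed. Running it with `strict=True` and `strict=False` shows which measure stops each part of the burst: strict learning refuses every unsolicited reply before the entry limit is even consulted, the ARP packet rate limit absorbs the rest of the burst, and the ARP Miss rate limit caps how many ARP Requests the scan can make the gateway send.

```python
"""Simulation of the ARP flood defenses in Table 10-1: rate limiting on ARP
packets and on ARP Miss messages (token buckets), strict ARP learning, and a
per-interface limit on dynamically learned entries. Constructed example; class,
method and interface names are assumptions, not the device's own CLI or code."""
from collections import defaultdict


class TokenBucket:
    """Packets-per-second limiter: `rate` tokens refill per second, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ArpTable:
    def __init__(self, strict=True, max_per_iface=2, arp_rate=10, miss_rate=5):
        self.strict = strict
        self.max_per_iface = max_per_iface
        self.entries = {}            # ip -> (mac, interface)
        self.pending = set()         # IPs this device has sent an ARP Request for
        self.arp_limiter = TokenBucket(arp_rate, arp_rate)     # rate limit on ARP packets
        self.miss_limiter = TokenBucket(miss_rate, miss_rate)  # rate limit on ARP Miss
        self.dropped = defaultdict(int)

    def learned_on(self, iface):
        return sum(1 for _, i in self.entries.values() if i == iface)

    def receive(self, now, op, sender_ip, sender_mac, iface):
        """Handle an incoming ARP packet (op 'request' or 'reply'); True if an entry was learned."""
        if not self.arp_limiter.allow(now):          # CPU protection: too many ARP packets
            self.dropped['rate'] += 1
            return False
        if self.strict and not (op == 'reply' and sender_ip in self.pending):
            self.dropped['strict'] += 1              # unsolicited packet: do not learn from it
            return False
        if sender_ip not in self.entries and self.learned_on(iface) >= self.max_per_iface:
            self.dropped['limit'] += 1               # this interface's entry quota is exhausted
            return False
        self.entries[sender_ip] = (sender_mac, iface)
        self.pending.discard(sender_ip)
        return True

    def forward_ip(self, now, dst_ip):
        """An IP packet arrives; with no ARP entry for dst_ip this is an ARP Miss."""
        if dst_ip in self.entries:
            return 'forwarded'
        if not self.miss_limiter.allow(now):
            self.dropped['miss'] += 1                # ARP Miss rate exceeded: no Request is sent
            return 'dropped'
        self.pending.add(dst_ip)                     # the device would now broadcast an ARP Request
        return 'arp-miss'


def run_flood_scenario(strict=True):
    """Constructed traffic: one legitimate resolution, a burst of 20 unsolicited
    replies with varying source IPs on one port, then 50 IP packets to
    unresolvable destinations, all within a fraction of a second."""
    t = ArpTable(strict=strict, max_per_iface=2, arp_rate=10, miss_rate=5)
    t.forward_ip(0.0, '10.0.0.10')                                        # gateway asks for a host
    t.receive(0.1, 'reply', '10.0.0.10', 'aa:aa:aa:aa:aa:01', 'GE0/0/1')  # the host answers
    from_attacker = sum(t.receive(0.2, 'reply', f'10.0.0.{100 + i}', f'de:ad:be:ef:00:{i:02x}', 'GE0/0/2')
                        for i in range(20))
    requests_sent = sum(1 for i in range(50) if t.forward_ip(0.3, f'10.0.1.{i}') == 'arp-miss')
    return {'entries': len(t.entries), 'learned_from_attacker': from_attacker,
            'arp_requests_sent': requests_sent, 'dropped': dict(t.dropped)}


if __name__ == '__main__':
    print(run_flood_scenario(strict=True))
    print(run_flood_scenario(strict=False))
```

With strict learning on, the attacker's twenty replies learn nothing: ten are rejected as unsolicited and the other ten never reach the learning logic because the ARP packet rate limit has run out of tokens. With strict learning off, the same burst learns two entries on GE0/0/2 before the interface quota refuses the rest, which is the case ARP entry limiting exists for. In both runs the scan of fifty unresolvable addresses produces only five ARP Requests from the gateway.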

Table 10-2  Measures to prevent ARP spoofing attacks

| Measure | Description | Deployment |
| --- | --- | --- |
| ARP entry fixing | After a device with this function enabled learns an ARP entry for the first time, it does not modify the ARP entry, but only updates part of the entry, or sends an ARP Request packet to check the validity of the ARP packet for updating the entry. This function prevents attackers from modifying the ARP entries of authorized users by using forged ARP packets. The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack. | You are advised to enable this function on the gateway. |
| ARP gateway anti-collision | Prevents gateway ARP entries on user hosts from being modified by attackers using bogus gateway IP addresses. | You are advised to enable this function on the gateway. |
| Gratuitous ARP packet sending | Allows a gateway to periodically send ARP Request packets whose destination IP address is the device IP address to update the gateway MAC address in ARP entries. This function ensures that packets of authorized users are forwarded to the gateway and prevents hackers from intercepting these packets. | You are advised to enable this function on the gateway. |
| MAC address consistency check in an ARP packet | Prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. | You are advised to enable this function on the gateway. |
| ARP packet validity check | Allows a device to filter out packets in which the source MAC addresses are different from those in the Ethernet frame header. | You are advised to enable this function on the gateway or an access device. |
| Strict ARP learning | Allows a device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent, but does not allow the device to learn the ARP entries for the ARP packets received from other devices. This prevents the device from incorrectly updating ARP entries for the received bogus ARP packets. | You are advised to enable this function on the gateway. |
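Three of the measures in Table 10-2 (MAC address consistency check, ARP gateway anti-collision and ARP entry fixing) are decisions made on individual ARP frames, so they can be shown concretely by parsing real Ethernet/ARP bytes. The Python below is an added example written for this page, not Huawei code: the gateway addresses, host and interface names, the `FixedArpTable` class and its verdict strings are assumptions, the frames it feeds through the checks are constructed in the code, and only the fixed-all and fixed-mac fixing modes are modelled (send-ack, which verifies with an ARP Request before updating, is not). The consistency check compares the sender MAC in the ARP body with the Ethernet source MAC and, for Replies, the target MAC with the Ethernet destination; the anti-collision check refuses any frame that claims the gateway's own IP with a different MAC; and entry fixing decides what an already-learned entry may do when a later frame disagrees with it.

```python
"""Checks from Table 10-2 modelled on parsed ARP frames: MAC address
consistency check, ARP gateway anti-collision, and ARP entry fixing in the
fixed-all and fixed-mac modes. Constructed example; frame contents, addresses
and names are assumptions, not the device's own code. The send-ack mode
(verification by ARP Request before updating) is not modelled."""
import struct

GATEWAY_IP = '192.168.1.1'             # assumed gateway address
GATEWAY_MAC = '00:11:22:33:44:55'      # assumed gateway MAC


def mac_str(b): return ':'.join(f'{x:02x}' for x in b)
def ip_str(b): return '.'.join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(':'))
def ip_bytes(s): return bytes(int(x) for x in s.split('.'))


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body (hardware type Ethernet, protocol IPv4)."""
    return (struct.pack('!6s6sH', mac_bytes(eth_dst), mac_bytes(eth_src), 0x0806) +
            struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, op,
                        mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))


def parse_arp_frame(frame):
    """Return the header fields the checks need, or raise ValueError for a non-ARP frame."""
    if len(frame) < 42:
        raise ValueError('frame too short for Ethernet + ARP')
    dst, src, ethertype = struct.unpack('!6s6sH', frame[:14])
    if ethertype != 0x0806:
        raise ValueError('not an ARP frame')
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack('!HHBBH6s4s6s4s', frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError('unsupported ARP hardware/protocol types')
    return {'eth_dst': mac_str(dst), 'eth_src': mac_str(src), 'op': op,
            'sha': mac_str(sha), 'spa': ip_str(spa), 'tha': mac_str(tha), 'tpa': ip_str(tpa)}


def mac_consistency_check(p):
    """Sender MAC inside the ARP body must equal the Ethernet source MAC; for a
    Reply (op 2) the target MAC must also equal the Ethernet destination MAC.
    Requests are broadcast with a zero target MAC, so only the sender side is compared."""
    if p['sha'] != p['eth_src']:
        return 'drop: sender MAC mismatch'
    if p['op'] == 2 and p['tha'] != p['eth_dst']:
        return 'drop: target MAC mismatch'
    return 'pass'


def gateway_anti_collision(p):
    """On the gateway, an ARP packet claiming the gateway's IP with another MAC is bogus."""
    if p['spa'] == GATEWAY_IP and p['sha'] != GATEWAY_MAC:
        return 'drop: gateway IP collision'
    return 'pass'


class FixedArpTable:
    """ARP entry fixing: 'fixed-all' never changes a learned entry;
    'fixed-mac' keeps the MAC fixed but lets the interface be updated."""

    def __init__(self, mode):
        if mode not in ('fixed-all', 'fixed-mac'):
            raise ValueError('only fixed-all and fixed-mac are modelled here')
        self.mode = mode
        self.entries = {}   # ip -> {'mac': ..., 'iface': ...}

    def learn(self, frame, iface):
        p = parse_arp_frame(frame)
        for check in (mac_consistency_check, gateway_anti_collision):
            verdict = check(p)
            if verdict != 'pass':
                return verdict
        new = {'mac': p['sha'], 'iface': iface}
        cur = self.entries.get(p['spa'])
        if cur is None:
            self.entries[p['spa']] = new
            return 'learned'
        if cur == new:
            return 'unchanged'
        if self.mode == 'fixed-all' or cur['mac'] != new['mac']:
            return 'drop: entry fixed'
        cur['iface'] = iface                      # fixed-mac: same MAC, interface may change
        return 'updated'


def run_spoof_scenario(mode='fixed-mac'):
    """Constructed frames as seen by the gateway: a legitimate host reply, three
    bogus frames, then the same host answering from a different interface."""
    host_mac, other_mac, host_ip = 'aa:bb:cc:dd:ee:01', 'de:ad:be:ef:00:01', '192.168.1.10'
    t = FixedArpTable(mode)
    legit = build_arp_frame(GATEWAY_MAC, host_mac, 2, host_mac, host_ip, GATEWAY_MAC, GATEWAY_IP)
    frames = [
        (legit, 'GE0/0/1'),
        # ARP body carries the host's MAC but the Ethernet source is another station
        (build_arp_frame(GATEWAY_MAC, other_mac, 2, host_mac, host_ip, GATEWAY_MAC, GATEWAY_IP), 'GE0/0/2'),
        # internally consistent frame binding the host's IP to a different MAC
        (build_arp_frame(GATEWAY_MAC, other_mac, 2, other_mac, host_ip, GATEWAY_MAC, GATEWAY_IP), 'GE0/0/2'),
        # broadcast Request whose sender IP is the gateway's own address
        (build_arp_frame('ff:ff:ff:ff:ff:ff', other_mac, 1, other_mac, GATEWAY_IP, '00:00:00:00:00:00', host_ip), 'GE0/0/2'),
        (legit, 'GE0/0/3'),   # the real host, now reachable through another interface
    ]
    return [t.learn(f, iface) for f, iface in frames], dict(t.entries[host_ip])
```

In fixed-mac mode the verdicts are `learned`, `drop: sender MAC mismatch`, `drop: entry fixed`, `drop: gateway IP collision` and `updated`, and the host's entry ends up bound to its original MAC on GE0/0/3; in fixed-all mode the last frame is also refused and the entry stays on GE0/0/1. The second bogus frame is the case the consistency check exists for: its ARP body is a faithful copy of the host's, and only the Ethernet header gives it away.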

Benefits

  • Reduces maintenance costs for network operating and security.
  • Provides users with stable services on a secure network.
Updated: 2019-05-20

Document ID: EDOC1100034236