Configuring Defense Against ARP Spoofing Attacks
Pre-configuration Tasks
If an attacker sends bogus ARP packets to a network device or user host, the device or host modifies the local ARP entries, leading to packet forwarding failures. The function of defense against ARP spoofing attacks can prevent such attacks.
Before configuring defense against ARP spoofing attacks, connect interfaces and set physical parameters for the interfaces to ensure that the physical status of the interfaces is Up.
- Configuring ARP Entry Fixing
- Configuring DAI
- Configuring ARP Gateway Anti-Collision
- Configuring Gratuitous ARP Packet Sending
- Configuring MAC Address Consistency Check in an ARP Packet
- Configuring ARP Packet Validity Check
- Configuring Strict ARP Learning
- Configuring ARP Learning Triggered by DHCP
- Verifying the ARP Spoofing Attack Defense Configuration
Configuring ARP Entry Fixing
Context
ARP entry fixing prevents an existing ARP entry from being overwritten by a bogus ARP packet. After receiving an ARP packet for an IP address that already has an ARP entry, the device compares the packet with that entry according to one of the following modes:
- fixed-mac: When receiving an ARP packet, the device discards the packet if the MAC address does not match that in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device updates the interface information in the user's ARP entry in a timely manner.
- fixed-all: Only when the MAC address, interface number, and VLAN ID of an ARP packet all match those in the corresponding ARP entry does the device refresh the entry (for example, its aging time); a packet in which any of the three differs is not used to modify the entry. This mode applies to networks where user MAC addresses and user access locations are fixed.
- send-ack: When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the IP address in the entry, addressed to the original MAC address recorded there, and then decides whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response. This mode applies to networks where user MAC addresses and user access locations often change.
You can configure ARP entry fixing globally. If ARP entry fixing is enabled globally, all interfaces have this function enabled by default.
Configuring DAI
Context
Configuring DAI on an access device can prevent MITM attacks and theft of authorized users' information. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number of each received ARP packet with the binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows it to pass through. If the ARP packet does not match any binding entry, the device considers the ARP packet invalid and discards it.
You can enable DAI in the interface view or the VLAN view. When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks the ARP packets received on all interfaces belonging to the VLAN against binding entries.
If you want to receive an alarm when a large number of ARP packets are discarded by DAI, enable the alarm function for the ARP packets discarded by DAI. After the alarm function is enabled, the device generates an alarm when the number of discarded ARP packets exceeds a specified threshold.
When ARP learning triggered by DHCP is enabled on the gateway, DAI can be enabled on the gateway.
This function is available only for DHCP snooping scenarios. The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user. For details about the DHCP snooping configuration, see DHCP Snooping Configuration. For details on how to configure a static binding entry, see Configuring IPSG Based on a Static Binding Table.
After the DAI function is configured on the router, the port isolation and proxy ARP functions must be configured; otherwise, the DAI function does not take effect. For the configuration of port isolation, see Configuring Interface Isolation in the NetEngine AR Configuration Guide - Interface Management. For the configuration of proxy ARP, see Configuring Proxy ARP in the NetEngine AR Configuration Guide - IP Services.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number or vlan vlan-id
The interface view or VLAN view is displayed.
- Run arp anti-attack check user-bind enable
DAI is enabled.
By default, DAI is disabled.
Only LAN-side interfaces on the AR6140H-S and AR6140-16G4XG support this function.
On devices using the SRU-100H, SRU-200H, SRU-100HH, SRU-400HK, SRU-600HK, SRU-400H, or SRU-600H, this function is supported only on LAN-side interfaces of the SRU and on LAN-side ports of the 8FE1GE, 24GE, and 24ES2GP boards, and only when the MPU is used.
- (Optional) In the interface view, run: arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }*
Or in the VLAN view, run: arp anti-attack check user-bind check-item { ip-address | mac-address | interface }*
Items for checking ARP packets based on binding entries are configured.
By default, the check items consist of IP address, MAC address, VLAN ID, and interface number.
To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.
The configured check items do not take effect for user hosts that have static binding entries. For these hosts, the device checks ARP packets against all items in the static binding entry.
- (Optional) In the interface view, run: arp anti-attack check user-bind alarm enable
The alarm function for ARP packets discarded by DAI is enabled.
By default, the alarm function for ARP packets discarded by DAI is disabled.
This type of alarm is generated for the ARP packets discarded by DAI on interfaces. Do not run the arp anti-attack check user-bind enable command in a VLAN and the arp anti-attack check user-bind alarm enable command on an interface in this VLAN at the same time; otherwise, the actual number of discarded ARP packets in the VLAN is different from the number of discarded packets on the interface.
Because the default interval for sending ARP alarms is 0 (that is, no ARP alarm is sent), you must run the arp anti-attack log-trap-timer time command to set a non-zero alarm sending interval after enabling the alarm for packets discarded by DAI; otherwise the alarm is never emitted.
- (Optional) In the interface view, run: arp anti-attack check user-bind alarm threshold threshold
The alarm threshold of ARP packets discarded by DAI is set.
By default, the threshold on an interface is consistent with the threshold set by the arp anti-attack check user-bind alarm threshold threshold command in the system view. If the alarm threshold is not set in the system view, the default threshold on the interface is 100.
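The DAI decision described in this section, modelled as an added Python example. This is not Huawei code: the binding entries, interface names and ARP packets are constructed sample data, and the view-specific check-item syntax is simplified to "the set of fields that must match". It shows the three behaviours a practitioner relies on: a packet passes only if every configured check item matches a binding entry, a static binding entry is always matched on all four items regardless of the configured check items, and discards accumulate against the alarm threshold (default 100).

```python
"""Model of the Dynamic ARP Inspection (DAI) decision described above.

Added example, not Huawei code. Binding entries, interface names and ARP
packets are constructed sample data; a real device takes its bindings from
DHCP snooping or from static binding configuration.
"""
from dataclasses import dataclass

ALL_ITEMS = frozenset({"ip-address", "mac-address", "vlan", "interface"})


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False  # static entries are always matched on all four items


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str


@dataclass
class DaiInspector:
    bindings: list
    # Items selected with "arp anti-attack check user-bind check-item ...";
    # the default is all four items. Assumption: modelled simply as the set
    # of fields that must match, without reproducing the per-view syntax.
    check_items: frozenset = ALL_ITEMS
    alarm_threshold: int = 100  # default interface threshold given in the text
    discarded: int = 0

    @staticmethod
    def _matches(pkt, binding, items):
        tests = {
            "ip-address": pkt.sender_ip == binding.ip,
            "mac-address": pkt.sender_mac.lower() == binding.mac.lower(),
            "vlan": pkt.vlan == binding.vlan,
            "interface": pkt.interface == binding.interface,
        }
        return all(tests[item] for item in items)

    def permit(self, pkt):
        """Return True if pkt matches a binding entry; otherwise count a discard."""
        for binding in self.bindings:
            # Static bindings ignore the configured check items.
            items = ALL_ITEMS if binding.static else self.check_items
            if self._matches(pkt, binding, items):
                return True
        self.discarded += 1
        return False

    def alarm_raised(self):
        """Alarm condition: discarded packets exceed the configured threshold."""
        return self.discarded > self.alarm_threshold


# Constructed sample bindings: one learned via DHCP snooping, one static.
BINDINGS = [
    Binding("10.0.0.10", "00:11:22:33:44:55", vlan=10, interface="GE0/0/1"),
    Binding("10.0.0.20", "aa:bb:cc:dd:ee:ff", vlan=10, interface="GE0/0/2", static=True),
]

if __name__ == "__main__":
    dai = DaiInspector(BINDINGS)
    good = ArpPacket("10.0.0.10", "00:11:22:33:44:55", 10, "GE0/0/1")
    spoof = ArpPacket("10.0.0.10", "66:77:88:99:aa:bb", 10, "GE0/0/1")
    moved = ArpPacket("10.0.0.10", "00:11:22:33:44:55", 10, "GE0/0/3")
    for pkt in (good, spoof, moved):
        print(pkt.sender_ip, pkt.sender_mac, pkt.interface, "->", dai.permit(pkt))
    print("discarded:", dai.discarded, "alarm:", dai.alarm_raised())
```

Dropping the interface item from the check set (the "relaxed" case) is what lets a host that has moved ports keep working, at the cost of no longer detecting a spoofed source location; the static host is unaffected by that relaxation.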
Configuring ARP Gateway Anti-Collision
Context
If an attacker forges the gateway address to send ARP packets with the source IP address being the IP address of the gateway on the LAN, ARP entries on hosts in the LAN record the incorrect gateway address. As a result, all traffic from user hosts to the gateway is sent to the attacker and the attacker intercepts user information. Communication of users is interrupted.
After ARP gateway anti-collision is enabled, the gateway treats a received ARP packet as a gateway collision, and does not learn from it, in either of the following cases:
- The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the physical inbound interface of the packet.
- The source IP address in the ARP packet is the virtual IP address of the inbound interface, but the source MAC address in the ARP packet is not the virtual MAC address of the VRRP group.
Procedure
- Run system-view
The system view is displayed.
- Run arp anti-attack gateway-duplicate enable
ARP gateway anti-collision is enabled.
By default, ARP gateway anti-collision is disabled.
The AR651K, AR651, AR651C, AR651F-Lite, AR651U-A4, AR651W-8P, AR651W, and AR657W do not support this function.
Configuring Gratuitous ARP Packet Sending
Context
If an attacker forges the gateway address to send ARP packets to other user hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.
- If gratuitous ARP packet sending is enabled globally, all interfaces have this function enabled by default.
- If gratuitous ARP packet sending is enabled globally and on a VLANIF interface simultaneously, the configuration on the VLANIF interface takes precedence over the global configuration.
Procedure
- Run system-view
The system view is displayed.
- (Optional) Run interface vlanif interface-number
The VLANIF interface view is displayed.
If you intend to configure gratuitous ARP packet sending in the system view, skip this step.
- Run arp gratuitous-arp send enable
Gratuitous ARP packet sending is enabled.
By default, gratuitous ARP packet sending is disabled.
- (Optional) Run arp gratuitous-arp send interval interval-time
The interval for sending gratuitous ARP packets is set.
By default, the interval for sending gratuitous ARP packets is 90 seconds.
Configuring MAC Address Consistency Check in an ARP Packet
Context
The MAC address consistency check function for ARP packets prevents attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.
This function enables the gateway to check the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run arp validate { source-mac | destination-mac } *
MAC address consistency check in an ARP packet is enabled. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.
By default, MAC address consistency check in an ARP packet is disabled.
Sub-interfaces do not support the arp validate { source-mac | destination-mac }* command. When receiving ARP packets, a sub-interface checks MAC address consistency based on the rule configured on the primary interface.
VLANIF interfaces do not support the arp validate { source-mac | destination-mac }* command. When receiving ARP packets, a VLANIF interface checks MAC address consistency based on the rule configured on the member interface.
Configuring ARP Packet Validity Check
Context
ARP packet validity check verifies the following items in each received ARP packet and discards packets that fail any of them:
- Packet length
- Validity of the source and destination MAC addresses in the ARP packet
- ARP Request type and ARP Reply type (the opcode)
- MAC address length
- IP address length
- Whether the ARP packet is carried in an Ethernet frame
After ARP packet validity check is enabled, the device checks the source MAC addresses in the ARP packet and Ethernet frame header, and discards the packets with inconsistent source MAC addresses.
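The ARP packet validity check listed above and the MAC address consistency check from the previous section (the arp validate source-mac and destination-mac options), as one added Python example that parses a raw Ethernet/ARP frame. This is not Huawei code, and the frames are constructed sample data. One assumption is not stated on the page: the destination-MAC comparison is applied to ARP Replies only, because a normal ARP Request is broadcast with an all-zero target hardware address and would otherwise always fail.

```python
"""ARP packet validity check and MAC address consistency check, in Python.

Added example, not Huawei code: it parses a raw Ethernet/ARP frame and applies
the checks described above. All frames are constructed sample data.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Construct a padded Ethernet/ARP frame (sample input for the checks)."""
    header = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                       opcode, mac(sha), ip(spa), mac(tha), ip(tpa))
    frame = header + body
    return frame + b"\x00" * max(0, 60 - len(frame))  # minimum Ethernet payload


def _unicast(addr):
    # A valid station MAC is non-zero and has the group (I/G) bit clear.
    return addr != ZERO_MAC and not addr[0] & 1


def validity_check(frame):
    """Return (ArpFrame, None) if the validity items pass, else (None, reason)."""
    if len(frame) < 42:
        return None, "packet length too short for Ethernet + ARP"
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None, "not an ARP Ethernet frame"
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4:
        return None, "hardware or protocol type is not Ethernet/IPv4"
    if hlen != 6:
        return None, "MAC address length is not 6"
    if plen != 4:
        return None, "IP address length is not 4"
    if opcode not in (OP_REQUEST, OP_REPLY):
        return None, "opcode is neither Request nor Reply"
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    if not _unicast(eth_src) or not _unicast(sha):
        return None, "invalid source MAC address"
    if eth_dst == ZERO_MAC:
        return None, "invalid destination MAC address"
    return ArpFrame(eth_dst, eth_src, opcode, sha, spa, tha, tpa), None


def inspect(frame, source_mac=True, destination_mac=True):
    """Validity check, then the MAC consistency check (arp validate options)."""
    parsed, reason = validity_check(frame)
    if parsed is None:
        return False, reason
    if source_mac and parsed.sender_mac != parsed.eth_src:
        return False, "sender MAC differs from Ethernet source MAC"
    # Assumption not stated on the page: compare the target MAC only for
    # Replies. Requests are broadcast with an all-zero target MAC, so
    # comparing them with the frame destination would drop every Request.
    if destination_mac and parsed.opcode == OP_REPLY and parsed.target_mac != parsed.eth_dst:
        return False, "target MAC differs from Ethernet destination MAC"
    return True, "ok"


# Constructed sample addresses and frames.
HOST, GATEWAY, ATTACKER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "de:ad:be:ef:00:01"
BROADCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
# Legitimate request from the host asking for the gateway's MAC.
GOOD_REQUEST = build_arp(BROADCAST, HOST, OP_REQUEST, HOST, "10.0.0.10", ZERO, "10.0.0.1")
# Spoof: sent from the attacker's NIC but claiming the gateway's MAC in the ARP payload.
SPOOFED_REQUEST = build_arp(BROADCAST, ATTACKER, OP_REQUEST, GATEWAY, "10.0.0.1", ZERO, "10.0.0.10")
# Reply whose ARP target MAC does not match the frame's destination MAC.
MISMATCHED_REPLY = build_arp(HOST, GATEWAY, OP_REPLY, GATEWAY, "10.0.0.1", ATTACKER, "10.0.0.10")

if __name__ == "__main__":
    for name, frame in (("good request", GOOD_REQUEST), ("spoofed request", SPOOFED_REQUEST),
                        ("mismatched reply", MISMATCHED_REPLY), ("truncated", GOOD_REQUEST[:30])):
        print(f"{name}: {inspect(frame)}")
```

The spoofed request is exactly the packet that a fixed-entry or DAI check might miss when the attacker's NIC address is itself unknown: the Ethernet source is the attacker, but the ARP payload carries the gateway's MAC, and only the consistency check between the two layers catches it.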
Configuring Strict ARP Learning
Context
If a gateway learns ARP entries from every ARP packet it receives, the following problems may occur:
- Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
- After receiving bogus ARP packets, the device incorrectly modifies its ARP entries. As a result, authorized users cannot communicate with one another.
To avoid the preceding problems, configure the strict ARP learning function on the gateway. This function allows the gateway to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. In this way, the gateway can prevent most ARP attacks.
Strict ARP learning can be configured globally or in the interface view.
- If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
- If strict ARP learning is enabled in the interface view, only this interface learns ARP entries strictly.
When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.
- If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
- If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.
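Strict ARP learning, together with the global/interface precedence rules just described, as an added Python example. This is not Huawei code: the learner is a small stateful model whose interface names, addresses and packets are constructed sample data. It shows why the mode defeats unsolicited (gratuitous or spoofed) Replies: an entry is learned only from a Reply that answers a Request the gateway itself recorded, on the interface the Request went out on, and a second Reply for the same address is rejected once the pending Request has been consumed.

```python
"""Strict ARP learning modelled as a small stateful learner.

Added example, not Huawei code. The precedence rules follow the text above
(global setting; per-interface strict, force-disable and trust); interface
names, addresses and packets are constructed sample data.
"""
from dataclasses import dataclass, field

OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    opcode: int
    sender_ip: str
    sender_mac: str
    interface: str  # interface the packet arrived on


@dataclass
class ArpLearner:
    global_strict: bool = False
    # Per-interface mode: "trust" (follow the global setting; the default),
    # "strict" (arp learning strict), or "force-disable".
    interface_mode: dict = field(default_factory=dict)
    table: dict = field(default_factory=dict)    # learned entries: ip -> mac
    pending: dict = field(default_factory=dict)  # requests we sent: ip -> interface

    def is_strict(self, interface):
        """Interface configuration takes precedence over the global setting."""
        mode = self.interface_mode.get(interface, "trust")
        if mode == "trust":
            return self.global_strict
        return mode == "strict"

    def send_request(self, target_ip, interface):
        """Record an ARP Request the gateway itself sends out."""
        self.pending[target_ip] = interface

    def receive(self, pkt):
        """Return True if an ARP entry was learned or updated from pkt."""
        if self.is_strict(pkt.interface):
            # Strict mode: accept only a Reply answering one of our own
            # Requests, arriving on the interface the Request went out on.
            if pkt.opcode != OP_REPLY or self.pending.get(pkt.sender_ip) != pkt.interface:
                return False
            del self.pending[pkt.sender_ip]  # each Request is answered once
        self.table[pkt.sender_ip] = pkt.sender_mac
        return True


if __name__ == "__main__":
    gw = ArpLearner(global_strict=True)
    # Unsolicited (gratuitous or spoofed) Reply claiming to be the next hop.
    print("unsolicited reply learned:", gw.receive(Arp(OP_REPLY, "10.0.0.1", "de:ad:be:ef:00:01", "GE0/0/1")))
    gw.send_request("10.0.0.10", "GE0/0/1")
    print("solicited reply learned:", gw.receive(Arp(OP_REPLY, "10.0.0.10", "00:11:22:33:44:55", "GE0/0/1")))
    print("table:", gw.table)
```

With global strict learning on, arp learning strict force-disable on a single interface is the escape hatch for a segment whose hosts never answer Requests from the gateway (for example, devices that only ever announce themselves); the test below exercises both that case and the reverse one where only one interface is strict.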
Configuring ARP Learning Triggered by DHCP
Context
When many DHCP users connect to a network device, the device needs to learn and maintain many ARP entries. This affects device performance.
To address this issue, configure ARP learning triggered by DHCP on the gateway. When the DHCP server allocates an IP address for a user, the gateway generates an ARP entry for the user based on the DHCP ACK packet received on the VLANIF interface.
Before configuring ARP learning triggered by DHCP, ensure that DHCP snooping is enabled using the dhcp snooping enable command.
When both VRRP and DHCP relay are configured on the network, neither the dhcp snooping enable command nor the arp learning dhcp-trigger command can be configured on the VRRP master and backup devices.
You can also deploy DAI to prevent ARP entries of DHCP users from being modified maliciously.
Verifying the ARP Spoofing Attack Defense Configuration
Procedure
- Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | packet-check | all } command to check the ARP anti-attack configuration.
- Run the display arp anti-attack check user-bind interface interface-type interface-number command to check the configuration of the ARP packet check on an interface.
- Run the display arp learning strict command to check strict ARP learning globally and on all interfaces.
- Run the display arp anti-attack gateway-duplicate item command to check the ARP gateway anti-collision entries.