Issue Description
VRP V100R003C00SPC200. Users experienced network slowness when accessing their internal networks, and data packets were frequently dropped.
Alarm Information
Jul 8 2013 06:30:10+06:00 UNJ-Core %%01DEFD/4/CPCAR_DROP_LPU(l)[60]:Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-reply, Drop-Count=033)
Jul 8 2013 06:28:03+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[61]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:22:33+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[62]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:16:50+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[63]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:10:57+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[64]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:10:10+06:00 UNJ-Core %%01DEFD/4/CPCAR_DROP_LPU(l)[65]:Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-reply, Drop-Count=018)
Jul 8 2013 06:05:12+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[66]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 05:59:12+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[67]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 05:53:59+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[68]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 05:48:16+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[69]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Handling Process
To resolve this issue, follow these steps:
1. Find and isolate the source of the ARP attack by checking the log buffer of the switch.
2. Enable the ARP security functions on the core switch by entering the following commands:
[Quidway] arp learning strict
[Quidway] arp anti-attack entry-check fixed-mac enable
[Quidway] arp anti-attack gateway-duplicate enable
[Quidway] arp speed-limit source-ip maximum number
[Quidway] arp speed-limit source-ip ip-address maximum number
[Quidway] arp-miss speed-limit source-ip maximum number
[Quidway] arp-miss speed-limit source-ip ip-address maximum number
[Quidway] arp anti-attack log-trap-timer number
3. Verify the configuration by using "display current-configuration".
4. Check the core switch log buffer again by using the "display logbuffer" command.
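For step 1, an added example (not part of the original case): a Python script that parses log buffer text in the format of the alarms above, groups ARP-miss alarms by source interface and source IP, and totals CPCAR drops per slot and protocol. The names `summarize` and `SAMPLE` are hypothetical, and the sample lines are constructed from the alarm format shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the alarms above; the second line keeps
# a pager prompt in front of the timestamp, as captured terminal output often does.
SAMPLE = """\
Jul 8 2013 06:30:10+06:00 UNJ-Core %%01DEFD/4/CPCAR_DROP_LPU(l)[60]:Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-reply, Drop-Count=033)
  ---- More ----Jul 8 2013 06:28:03+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[61]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:22:33+06:00 UNJ-Core %%01SECE/4/ARPMISS(l)[62]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet5/0/31, SourceIP=192.168.201.251, AttackPackets=6 packets per second)
Jul 8 2013 06:10:10+06:00 UNJ-Core %%01DEFD/4/CPCAR_DROP_LPU(l)[65]:Some packets are dropped by cpcar on the LPU in slot 3. (Protocol=arp-reply, Drop-Count=018)
"""

# timestamp, hostname, %%<version><module>/<severity>/<mnemonic>(l)[seq]:<body>
HEADER = re.compile(r"(\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d[+-]\d\d:\d\d) \S+ "
                    r"%%\d+\w+/\d/(\w+)\(\w\)\[\d+\]:(.*)")
FIELD = re.compile(r"([\w-]+)=([^,)]+)")  # Key=Value pairs inside the parentheses


def summarize(log_text):
    """Return (ARP-miss sources, CPCAR drop totals) from log buffer text."""
    sources = {}
    drops = defaultdict(int)
    for line in log_text.splitlines():
        m = HEADER.search(line)  # search() skips pager debris before the timestamp
        if not m:
            continue
        stamp, mnemonic, body = m.groups()
        when = datetime.strptime(" ".join(stamp.split()), "%b %d %Y %H:%M:%S%z")
        f = dict(FIELD.findall(body))
        if mnemonic == "ARPMISS":
            key = (f["SourceInterface"], f["SourceIP"])
            s = sources.setdefault(
                key, {"events": 0, "max_pps": 0, "first": when, "last": when})
            s["events"] += 1
            s["max_pps"] = max(s["max_pps"], int(f["AttackPackets"].split()[0]))
            s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
        elif mnemonic == "CPCAR_DROP_LPU":
            slot = re.search(r"slot (\d+)", body).group(1)
            drops[(slot, f["Protocol"])] += int(f["Drop-Count"])
    return sources, dict(drops)


if __name__ == "__main__":
    srcs, dropped = summarize(SAMPLE)
    for (intf, ip), s in srcs.items():
        print(intf, ip, s["events"], "alarms, peak", s["max_pps"], "pps")
    print(dropped)
```

The interface and IP with the most alarms are the ones to isolate first; running it again on the output of step 4 shows whether the alarms have stopped.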
Root Cause
Based on the Huawei Quidway S9300 switch log, an ARP attack flooded the network with ARP packets, which caused congestion and made the network slow.
Suggestions
To prevent ARP attacks, ensure that the network is free from viruses by scanning regularly.
Furthermore, ensure that unused interface ports are disabled so that unauthorized users cannot access the network and launch
the attack. Equip the network with security functions to avoid any security attack on the network.