
A Switch on the Network of a University Experienced an ARP Attack, Causing Slow Internet Access

Publication Date:  2019-04-07

Issue Description

Networking and service description:

An S12712 acted as the user gateway and DHCP server, carrying services for wired users; there were about 6,500 online users during peak hours.

S5720SI switches functioned as access devices, and most user terminals were PCs.

Symptom:

During peak hours (21:00 to 23:30), the Internet access experience of students was poor: users were disconnected from online games, live video froze, and videos buffered slowly.


Alarm Information

A large number of ARP attack logs were generated on the device, for example:

Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 7. (Protocol=arp-request, CIR/CBS=64/12032, ExceededPacketCount=10327)

User attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet7/0/8, OuterVlan/InnerVlan=1312/613, UserMacAddress=f076-1c7d-xxxx, AttackProtocol=ARP, AttackPackets=90 packets per second)

The specified source IP address attack occurred.(Slot=MPU, SourceAttackIP=10.5.115.xx, AttackProtocol=ARP, AttackPackets=90 packets per second)

Auto port-defend stop.(SourceAttackInterface=GigabitEthernet7/0/32, AttackProtocol=ARP-REQUEST,

The display cpu-defend statistics command output shows that ARP packets are being discarded by CPCAR.

Handling Process

According to the alarm information, a large number of ARP packets are discarded by CPCAR on the card in slot 7. This card is an EA series card and uses the default CPCAR value of 64 kbit/s for ARP requests, which is too low for the number of users it carries. Therefore, increase the CAR value for ARP packets to 192 kbit/s on the EA card.


Configure a punishment action for detected attack sources, so that the hosts sending 90 ARP packets per second are rate-limited individually instead of consuming the shared CPCAR budget. Delete the global ARP rate limiting configuration, which capped the number of ARP packets processed by the MPU at only 100 per second. Proxy ARP was confirmed not to be configured on the sub-interface.


Migrate common users from the EA card in slot 7 to the X2E card in slot 8, which has a higher CPU-protection capacity. User experience is obviously improved.
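The following configuration, added here as an illustration and not taken from the original case, shows one way to apply the three handling steps on the S12712 in Huawei VRP system view. The policy name arp-defend, the CBS value, the auto-defend threshold and timeout, and the global ARP rate-limit command used for step 2 are assumptions; the 192 kbit/s CIR, the slot numbers and the 100 pps limit come from the case text.

```text
# Added example (assumed names and values are marked); run in system view.
system-view

# Step 1: raise the CPCAR for ARP requests on the EA card in slot 7 from the
# default 64 kbit/s to 192 kbit/s. CBS 36096 keeps the 188 x CIR ratio seen in
# the alarm (CIR/CBS=64/12032); the ratio is an assumption, not from the case.
cpu-defend policy arp-defend
 car packet-type arp-request cir 192 cbs 36096
 # Step 2a: attack source tracing with a punishment action. Hosts that exceed
 # the threshold (60 pps assumed) have their ARP dropped for 300 s (assumed)
 # instead of starving every other user's ARP on the same card.
 auto-defend enable
 auto-defend protocol arp
 auto-defend trace-type source-mac source-ip
 auto-defend threshold 60
 auto-defend action deny timeout 300
 auto-defend alarm enable
 quit

# Bind the policy to the card that carries the users (slot 7 in this case).
slot 7
 cpu-defend-policy arp-defend
 quit

# Step 2b: remove the global ARP rate limit that capped MPU ARP processing at
# 100 pps. The exact command on the deployed version is an assumption.
undo arp anti-attack rate-limit enable

# Verification after the change: the arp-request drop counter should stop
# rising, and the traced attack sources should be the handful of noisy hosts,
# not the whole user population.
display cpu-defend statistics packet-type arp-request slot 7
display auto-defend attack-source
```

The check that matters is the second display command: if the drop counter keeps climbing after the CIR increase, the traffic is not a few misbehaving hosts but the aggregate ARP load of the card, and the right fix is step 3 (moving users to a higher-capacity card), not a still-higher CIR.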

Root Cause

An ARP attack occurred on the network. The attack traffic exhausted the CPCAR budget for ARP on the card in slot 7, so valid ARP packets were also discarded and could not be processed in a timely manner. The effect depends on how many consecutive packets are lost: a single lost packet causes frame freezing in online games, four to five consecutive lost packets cause users to go offline from online games, and longer runs of loss make Internet access slow and cause frame freezing in live video.

Solution

Increase the CAR value for ARP packets to 192 kbit/s on the EA card.

Configure a punishment action for detected attack sources and delete the global ARP rate limiting configuration.

Migrate common users from the card in slot 7 to the X2E card in slot 8. User experience is obviously improved.

Suggestions

Use high-performance cards, such as X1E and X2E series cards, when a card must carry a large number of users.

Deploy attack defense properly on the network. Configure attack source tracing on devices so that attack sources are detected and punished in a timely manner, rather than relying on a global rate limit that also discards valid ARP packets.
