Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 20-ARP attack protection configuration | 132.12 KB |
Contents
Configuring ARP attack protection
ARP attack protection configuration task list
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Displaying and maintaining unresolvable IP attack protection
Configuring ARP packet rate limit
Configuring source MAC-based ARP attack detection
Displaying and maintaining source MAC-based ARP attack detection
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuration example (on a DHCP server)
Configuration example (on a DHCP relay agent)
Configuring ARP scanning and fixed ARP
Configuration restrictions and guidelines
Configuring ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
· Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
· Sends a large number of unresolvable IP packets to have the receiving device busy with resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets for which ARP cannot find corresponding MAC addresses.
· Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.
ARP attack protection configuration task list
|
Tasks at a glance |
|
Flood prevention: · Configuring unresolvable IP attack protection (configured on gateways) ¡ Configuring ARP source suppression ¡ Configuring ARP blackhole routing · Configuring ARP packet rate limit (configured on access devices) · Configuring source MAC-based ARP attack detection (configured on gateways) |
|
User and gateway spoofing prevention: · Configuring ARP packet source MAC consistency check (configured on gateways) · Configuring ARP active acknowledgement (configured on gateways) · Configuring authorized ARP (configured on gateways) · Configuring ARP scanning and fixed ARP (configured on gateways) |
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:
· The device sends a large number of ARP requests, overloading the target subnets.
· The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
· ARP source suppression—Stops resolving packets from an IP address if the number of unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
· ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer is reached or the route becomes reachable.
After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.
This feature is applicable regardless of whether the attack packets have the same source addresses.
Configuring ARP source suppression
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable ARP source suppression. |
arp source-suppression enable |
By default, ARP source suppression is disabled. |
|
3. Set the maximum number of unresolvable packets that the device can process per source IP address within 5 seconds. |
arp source-suppression limit limit-value |
By default, the maximum number is 10. |
Configuring ARP blackhole routing
|
Step |
Command |
Remarks |
|
4. Enter system view. |
system-view |
N/A |
|
5. Enable ARP blackhole routing. |
arp resolving-route enable |
By default, ARP blackhole routing is enabled. |
|
6. (Optional.) Set the number of ARP blackhole route probes for each unresolved IP address. |
arp resolving-route probe-count count |
The default setting is three probes. Set the ARP blackhole route probe count to a high value, for example, 25. If the device fails to reach the destination IP address temporarily and the probe count is too low, all probes might be finished before the problem is resolved. As a result, non-attack packets will be dropped. This setting can avoid such a situation. |
|
7. (Optional.) Set the interval at which the device probes ARP blackhole routes. |
arp resolving-route probe-interval interval |
The default setting is 1 second. |
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
|
Task |
Command |
|
Display ARP source suppression configuration information. |
display arp source-suppression |
Configuration example
Network requirements
As shown in Figure 1, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets. To prevent the attack, configure ARP source suppression or ARP blackhole routing.
Configuration procedure
· If the attack packets have the same source address, configure ARP source suppression:
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
[Device] arp source-suppression limit 100
· If the attack packets have different source addresses, configure ARP blackhole routing:
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. The device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash. To solve this problem, configure ARP packet rate limit.
Configuration guidelines
Configure this feature when ARP flood attacks are detected.
Configuration procedure
This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded.
You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
· If notification sending is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a notification to the SNMP module. You must use the snmp-agent target-host command to set the notification type and target host. For more information about notifications, see Network Management and Monitoring Command Reference.
· If logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.
To configure ARP packet rate limit:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. (Optional.) Enable notification sending for ARP packet rate limit. |
snmp-agent trap enable arp [ rate-limit ] |
By default, notification sending for ARP packet rate limit is disabled. |
|
3. (Optional.) Enable logging for ARP packet rate limit. |
arp rate-limit log enable |
By default, logging for ARP packet rate limit is disabled. |
|
4. (Optional.) Set the notification and log message sending interval. |
arp rate-limit log interval interval |
By default, the device sends notifications and log messages every 60 seconds. |
|
5. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. |
interface interface-type interface-number |
N/A |
|
6. Enable ARP packet rate limit and set the rate limit. |
arp rate-limit [ pps ] |
By default, ARP packet rate limit is enabled. |
|
|
NOTE: If you enable notification sending and logging for ARP packet rate limit on a Layer 2 aggregate interface, the features apply to all aggregation member ports. |
Configuring source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry. Before the entry ages out, the device handles the attack by using either of the following methods:
· Monitor—Only generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable source MAC-based ARP attack detection and specify the handling method. |
arp source-mac { filter | monitor } |
By default, this feature is disabled. When you change the handling method from monitor to filter, the configuration takes effect immediately. When you change the handling method from filter to monitor, the device continues filtering packets that match existing attack entries. |
|
3. Set the threshold. |
arp source-mac threshold threshold-value |
The default threshold is 30. |
|
4. Set the aging timer for ARP attack entries. |
arp source-mac aging-time time |
By default, the lifetime is 300 seconds. |
|
5. (Optional.) Exclude specific MAC addresses from this detection. |
arp source-mac exclude-mac mac-address&<1-10> |
By default, no MAC address is excluded. |
|
|
NOTE: When an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be processed correctly. |
Displaying and maintaining source MAC-based ARP attack detection
Execute display commands in any view.
|
Task |
Command |
|
Display ARP attack entries detected by source MAC-based ARP attack detection (in standalone mode). |
display arp source-mac { slot slot-number | interface interface-type interface-number } |
|
Display ARP attack entries detected by source MAC-based ARP attack detection (in IRF mode). |
display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number } |
Configuration example
Network requirements
As shown in Figure 2, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
Figure 2 Network diagram
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
1. Enable source MAC-based ARP attack detection and specify the handling method as filter.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable ARP packet source MAC address consistency check. |
arp valid-check enable |
By default, ARP packet source MAC address consistency check is disabled. |
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
· Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.
· Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:
¡ If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.
¡ If no, the gateway discards the packet.
To configure ARP active acknowledgement:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the ARP active acknowledgement feature. |
arp active-ack [ strict ] enable |
By default, this feature is disabled. |
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This feature prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Enable authorized ARP on the interface. |
arp authorized enable |
By default, authorized ARP is disabled. |
Configuration example (on a DHCP server)
Network requirements
As shown in Figure 3, configure authorized ARP on GigabitEthernet 1/1/1 of Device A (a DHCP server) to ensure user validity.
Configuration procedure
1. Configure Device A:
# Specify the IP address for GigabitEthernet 1/1/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/1/1
[DeviceA-GigabitEthernet1/1/1] ip address 10.1.1.1 24
[DeviceA-GigabitEthernet1/1/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] quit
# Enter Layer 3 Ethernet interface view.
[DeviceA] interface gigabitethernet 1/1/1
# Enable authorized ARP.
[DeviceA-GigabitEthernet1/1/1] arp authorized enable
[DeviceA-GigabitEthernet1/1/1] quit
2. Configure Device B:
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/1/1
[DeviceB-GigabitEthernet1/1/1] ip address dhcp-alloc
[DeviceB-GigabitEthernet1/1/1] quit
Verifying the configuration
# Display authorized ARP entry information on Device A.
[DeviceA] display arp all
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP Address MAC Address SVID Interface Aging Type
10.1.1.2 0012-3f86-e94c -- GE1/1/1 20 D
The output shows that IP address 10.1.1.2 has been assigned to Device B.
Device B must use the IP address and MAC address in the authorized ARP entry to communicate with Device A. Otherwise, the communication fails. Thus user validity is ensured.
Configuration example (on a DHCP relay agent)
Network requirements
As shown in Figure 4, configure authorized ARP on GigabitEthernet 1/1/2 of Device B (a DHCP relay agent) to ensure user validity.
Configuration procedure
1. Configure Device A:
# Specify the IP address for GigabitEthernet 1/1/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/1/1
[DeviceA-GigabitEthernet1/1/1] ip address 10.1.1.1 24
[DeviceA-GigabitEthernet1/1/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] gateway-list 10.10.1.1
[DeviceA-dhcp-pool-1] quit
[DeviceA] ip route-static 10.10.1.0 24 10.1.1.2
2. Configure Device B:
# Enable DHCP.
<DeviceB> system-view
[DeviceB] dhcp enable
# Specify the IP addresses of GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2.
[DeviceB] interface gigabitethernet 1/1/1
[DeviceB-GigabitEthernet1/1/1] ip address 10.1.1.2 24
[DeviceB-GigabitEthernet1/1/1] quit
[DeviceB] interface gigabitethernet 1/1/2
[DeviceB-GigabitEthernet1/1/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 1/1/2.
[DeviceB-GigabitEthernet1/1/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[DeviceB-GigabitEthernet1/1/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[DeviceB-GigabitEthernet1/1/2] arp authorized enable
[DeviceB-GigabitEthernet1/1/2] quit
# Enable recording of relay entries on the relay agent.
[DeviceB] dhcp relay client-information record
3. Configure Device C:
<DeviceC> system-view
[DeviceC] ip route-static 10.1.1.0 24 10.10.1.1
[DeviceC] interface gigabitethernet 1/1/2
[DeviceC-GigabitEthernet1/1/2] ip address dhcp-alloc
[DeviceC-GigabitEthernet1/1/2] quit
Verifying the configuration
# Display authorized ARP information on Device B.
[DeviceB] display arp all
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP Address MAC Address SVID Interface Aging Type
10.10.1.2 0012-3f86-e94c -- GE1/1/2 20 D
The output shows that Device A assigned the IP address 10.10.1.2 to Device C.
Device C must use the IP address and MAC address in the authorized ARP entry to communicate with Device B. Otherwise, the communication fails. Thus the user validity is ensured.
Configuring ARP scanning and fixed ARP
ARP scanning is typically used together with the fixed ARP feature in small-scale networks.
ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:
1. Sends ARP requests for each IP address in the address range.
2. Obtains their MAC addresses through received ARP replies.
3. Creates dynamic ARP entries.
Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.
Configuration restrictions and guidelines
Follow these restrictions and guidelines when you configure ARP scanning and fixed ARP:
· IP addresses in existing ARP entries are not scanned.
· ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
· The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
· Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
· To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
Configuration procedure
To configure ARP scanning and fixed ARP:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Enter interface view. |
interface interface-type interface-number |
|
3. Trigger an ARP scanning. |
arp scan [ start-ip-address to end-ip-address ] |
|
4. Return to system view. |
quit |
|
5. Enable fixed ARP. |
arp fixup |
