Contents
Configuring ARP attack protection
ARP attack protection tasks at a glance
Configuring unresolvable IP attack protection
About unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Verifying and maintaining unresolvable IP attack protection
Example: Configuring unresolvable IP attack protection
Configuring ARP packet rate limit
Configuring ARP packet source MAC consistency check
About ARP packet source MAC consistency check
Display and maintenance commands for ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuring ARP scanning and fixed ARP
Configuring automatic ARP scanning
Configuring ARP gateway protection
Example: Configuring ARP gateway protection
Example: Configuring ARP filtering
Configuring ARP sender IP address checking
About ARP sender IP address checking
Configuring ARP attack protection
About ARP attack protection
The device can provide multiple features to detect and prevent ARP attacks and viruses in the LAN. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
· Sends a large number of unresolvable IP packets to keep the receiving device busy resolving IP addresses until its CPU is overloaded. Unresolvable IP packets are IP packets for which ARP cannot find a corresponding MAC address.
· Sends a large number of ARP packets to overload the CPU of the receiving device.
· Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
ARP attack protection tasks at a glance
All ARP attack protection tasks are optional.
· Preventing flood attacks
¡ Configuring unresolvable IP attack protection
¡ Configuring ARP packet rate limit
· Preventing user and gateway spoofing attacks
¡ Configuring ARP packet source MAC consistency check
¡ Configuring ARP active acknowledgement
¡ Configuring ARP scanning and fixed ARP
¡ Configuring ARP gateway protection
¡ Configuring ARP sender IP address checking
Configuring unresolvable IP attack protection
About unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:
· The device sends a large number of ARP requests, overloading the target subnets.
· The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
· ARP source suppression—Stops resolving packets from an IP address if the number of unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
· ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer is reached or the route becomes reachable.
After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.
This feature is applicable regardless of whether the attack packets have the same source addresses.
Configuring ARP source suppression
1. Enter system view.
system-view
2. Enable ARP source suppression.
arp source-suppression enable
By default, ARP source suppression is disabled.
3. Set the maximum number of unresolvable packets that the device can process per source IP address within 5 seconds.
arp source-suppression limit limit-value
By default, the maximum number is 10.
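The following model of the source suppression behaviour described above is an added example, not H3C device code: it counts unresolvable IP packets per source IP in 5-second windows and suppresses resolution for a source once its count exceeds the configured limit (default 10) until the window elapses. The packet timestamps and source addresses are constructed for the demonstration.

```python
import time
from collections import defaultdict

WINDOW_SECONDS = 5   # the interval the guide states for ARP source suppression
DEFAULT_LIMIT = 10   # default value of "arp source-suppression limit"


class ArpSourceSuppression:
    """Per-source-IP counter modelling ARP source suppression (constructed model)."""

    def __init__(self, limit=DEFAULT_LIMIT, clock=time.monotonic):
        self.limit = limit
        self.clock = clock
        self.window_start = {}             # source IP -> start of its current window
        self.counts = defaultdict(int)     # unresolvable packets seen in the window
        self.suppressed = defaultdict(int) # packets for which resolution was skipped

    def should_resolve(self, src_ip):
        """Return True if the device should still attempt ARP resolution for an
        unresolvable packet from src_ip, False if the source is suppressed."""
        now = self.clock()
        start = self.window_start.get(src_ip)
        if start is None or now - start >= WINDOW_SECONDS:
            # A new 5-second window starts: resolution resumes and the count resets.
            self.window_start[src_ip] = now
            self.counts[src_ip] = 0
        self.counts[src_ip] += 1
        if self.counts[src_ip] > self.limit:
            self.suppressed[src_ip] += 1
            return False
        return True


def simulate(events, limit=DEFAULT_LIMIT):
    """Replay (timestamp, source_ip) events against the model with a fake clock.
    Returns a list of (source_ip, resolved) decisions in event order."""
    now = [0.0]
    model = ArpSourceSuppression(limit=limit, clock=lambda: now[0])
    decisions = []
    for timestamp, src_ip in sorted(events):
        now[0] = timestamp
        decisions.append((src_ip, model.should_resolve(src_ip)))
    return decisions, model


if __name__ == "__main__":
    # Constructed burst: 12 unresolvable packets from one host within 1.1 seconds,
    # one packet from another host, then a packet from the first host after 5.5 s.
    burst = [(i * 0.1, "10.1.1.100") for i in range(12)]
    burst += [(0.5, "10.1.1.101"), (5.5, "10.1.1.100")]
    decisions, model = simulate(burst)
    for src_ip, resolved in decisions:
        print(src_ip, "resolve" if resolved else "suppressed")
    print("suppressed per source:", dict(model.suppressed))
```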
Configuring ARP blackhole routing
Restrictions and guidelines
Set the ARP blackhole route probe count to a large value, for example, 25. If the device temporarily fails to reach the destination IP address and the probe count is too small, all probes might finish before the problem is resolved, and non-attack packets will be dropped. A large probe count avoids this situation.
Procedure
1. Enter system view.
system-view
2. Enable ARP blackhole routing.
arp resolving-route enable
The default setting varies by device model.
3. (Optional.) Set the number of ARP blackhole route probes for each unresolved IP address.
arp resolving-route probe-count count
The default setting is three probes.
4. (Optional.) Set the interval at which the device probes ARP blackhole routes.
arp resolving-route probe-interval interval
The default setting is 1 second.
Verifying and maintaining unresolvable IP attack protection
To display ARP source suppression configuration information, execute the following command in any view:
display arp source-suppression
Example: Configuring unresolvable IP attack protection
Network configuration
As shown in Figure 1, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets. To prevent the attack, configure ARP source suppression or ARP blackhole routing.
Procedure
· If the attack packets have the same source address, configure ARP source suppression:
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
[Device] arp source-suppression limit 100
· If the attack packets have different source addresses, configure ARP blackhole routing:
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
Configuring ARP packet rate limit
About this task
The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU.
You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
· If notification sending is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a notification to the SNMP module. You must use the snmp-agent target-host command to set the notification type and target host. For more information about notifications, see SNMP configuration in Network Management and Monitoring Configuration Guide.
· If logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see System Management Configuration Guide.
Restrictions and guidelines
As a best practice, configure this feature when ARP snooping and ARP fast-reply are enabled, or when ARP flood attacks are detected.
If excessive notifications and log messages are sent for ARP packet rate limit, you can increase the notification and log message sending interval.
If you enable notification sending and logging for ARP packet rate limit on an aggregate interface, the features apply to all aggregation member ports.
Procedure
1. Enter system view.
system-view
2. (Optional.) Enable SNMP notifications for ARP packet rate limit.
snmp-agent trap enable arp [ rate-limit ]
By default, SNMP notifications for ARP packet rate limit are disabled.
3. (Optional.) Enable logging for ARP packet rate limit.
arp rate-limit log enable
By default, logging for ARP packet rate limit is disabled.
4. (Optional.) Set the notification and log message sending interval.
arp rate-limit log interval interval
By default, the device sends notifications and log messages every 60 seconds.
5. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface, Layer 3 Ethernet interface, Layer 3 aggregate interface, and Layer 2 aggregate interface.
6. Enable ARP packet rate limit.
arp rate-limit [ pps ]
By default, ARP packet rate limit is enabled.
Configuring ARP packet source MAC consistency check
About ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
Procedure
1. Enter system view.
system-view
2. Enable ARP packet source MAC address consistency check.
arp valid-check enable
By default, ARP packet source MAC address consistency check is disabled.
Display and maintenance commands for ARP packet source MAC consistency check
Execute display commands in any view and reset commands in user view.
Task | Command
---|---
Display statistics for packets dropped by ARP packet source MAC consistency check. | display arp valid-check statistics slot slot-number
Clear statistics for packets dropped by ARP packet source MAC consistency check. | reset arp valid-check statistics
Configuring ARP active acknowledgement
About this task
Use the ARP active acknowledgement feature on gateways to prevent user spoofing.
This feature enables the device to perform active acknowledgement before creating an ARP entry.
· Upon receiving an ARP request that requests the MAC address of the device, the device sends an ARP reply. Then, it sends an ARP request for the sender IP address in the received ARP request to determine whether to create an ARP entry for the sender IP address.
¡ If the device receives an ARP reply within the probe interval, it creates the ARP entry.
¡ If the device does not receive an ARP reply within the probe interval, it does not create the ARP entry.
· Upon receiving an ARP reply, the device checks whether the reply answers a request that the device itself sent.
¡ If it was, the device creates an ARP entry for the sender IP address in the ARP reply.
¡ If it was not, the device sends an ARP request for the sender IP address to determine whether to create an ARP entry for the sender IP address.
- If the device receives an ARP reply within the probe interval, it creates the ARP entry.
- If the device does not receive an ARP reply within the probe interval, it does not create the ARP entry.
To improve the validity and reliability of ARP entries, you can enable ARP active acknowledgement in strict mode. In this mode, the device creates ARP entries only for IP addresses for which the device itself initiated the ARP resolution.
Procedure
1. Enter system view.
system-view
2. Enable ARP active acknowledgement.
arp active-ack [ strict ] enable
By default, ARP active acknowledgement is disabled.
For ARP active acknowledgement to take effect in strict mode, make sure ARP blackhole routing is enabled.
Configuring ARP scanning and fixed ARP
About this task
ARP scanning is typically used together with the fixed ARP feature in small-scale and stable networks.
ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:
1. Sends ARP requests for each IP address in the address range.
2. Obtains their MAC addresses through received ARP replies.
3. Creates dynamic ARP entries.
When automatic ARP scanning is enabled, the device periodically sends ARP requests to all IP addresses in the specified scanning range at the rate set by the arp scan auto send-rate command.
If the scanning range contains a large number of IP addresses, limit the ARP packet sending rate to avoid the high CPU usage and heavy network load that a burst of ARP traffic would cause.
If you specify both the scanning range and the source address for the ARP requests, the interface scans all IP addresses in the scanning range. If you specify only the scanning range, the interface scans the IP addresses that belong to both the scanning range and the subnets of the interface.
Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. These static ARP entries are of the same attributes as the ARP entries that are manually configured. This feature prevents ARP entries from being modified by attackers.
Restrictions and guidelines
IP addresses in existing ARP entries are not scanned.
If you trigger ARP scanning and enable automatic ARP scanning, both of them take effect. As a best practice, use automatic ARP scanning only on networks where users come online and go offline frequently.
Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
You can specify a maximum of 16 scanning ranges for different subnets by using the arp scan auto enable [ start-ip-address to end-ip-address [ source-addr source-ip-address ] ] command. The subnet addresses for each scanning range cannot overlap with each other.
Triggering an ARP scan
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Trigger an ARP scan.
arp scan [ start-ip-address to end-ip-address ]
CAUTION: ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
Configuring automatic ARP scanning
1. Enter system view.
system-view
2. Set the ARP packet sending rate for automatic ARP scanning.
arp scan auto send-rate { ppm ppm | pps }
By default, the device sends ARP packets at the rate of 48 pps during automatic ARP scanning.
3. Enter interface view.
interface interface-type interface-number
4. Enable automatic ARP scanning.
arp scan auto enable [ start-ip-address to end-ip-address [ source-addr source-ip-address ] ]
By default, automatic ARP scanning is disabled.
Configuring fixed ARP
1. Enter system view.
system-view
2. Convert existing dynamic ARP entries to static ARP entries.
arp fixup
Configuring ARP gateway protection
About ARP gateway protection
Configure this feature on interfaces that are not connected to a gateway to prevent gateway spoofing attacks.
When such an interface receives an ARP packet, it checks whether the sender IP address in the packet matches the IP address of any protected gateway. If it does, the interface discards the packet. If it does not, the interface processes the packet normally.
Restrictions and guidelines
You can enable ARP gateway protection for a maximum of eight gateways on an interface.
Do not configure both the arp filter source and arp filter binding commands on an interface.
If ARP gateway protection works with ARP snooping and ARP fast-reply, ARP gateway protection applies first.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP gateway protection for the specified gateway.
arp filter source ip-address
By default, ARP gateway protection is disabled.
Example: Configuring ARP gateway protection
Network configuration
As shown in Figure 2, Host B launches gateway spoofing attacks against Device B. As a result, traffic that Device B intends to send to Device A is sent to Host B.
Configure Device B to block such attacks.
Procedure
# Configure ARP gateway protection on Device B.
<DeviceB> system-view
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] arp filter source 10.1.1.1
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
Restrictions and guidelines
You can configure a maximum of eight permitted entries on an interface.
Do not configure both the arp filter source and arp filter binding commands on an interface.
If ARP filtering works with ARP snooping and ARP fast-reply, ARP filtering applies first.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP filtering and configure a permitted entry.
arp filter binding ip-address mac-address
By default, ARP filtering is disabled.
Example: Configuring ARP filtering
Network configuration
As shown in Figure 3, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 of Device B to permit ARP packets from only Host A and Host B.
Procedure
# Configure ARP filtering on Device B.
<DeviceB> system-view
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
Verifying the configuration
# Verify that Twenty-FiveGigE 1/0/1 permits ARP packets from Host A and discards other ARP packets.
# Verify that Twenty-FiveGigE 1/0/2 permits ARP packets from Host B and discards other ARP packets.
Configuring ARP sender IP address checking
About ARP sender IP address checking
This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues ARP learning. If the sender IP address is outside the range, the gateway treats the ARP packet as an attack packet and discards it.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable the ARP sender IP address checking feature and specify the IP address range.
arp sender-ip-range start-ip-address end-ip-address
By default, the ARP sender IP address checking feature is disabled.
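The following is an added example, not H3C code, that parses an Ethernet/ARP frame and applies the per-packet checks described in the ARP packet source MAC consistency check, ARP gateway protection, ARP filtering and ARP sender IP address checking sections (arp valid-check, arp filter source, arp filter binding and arp sender-ip-range). The order in which the checks run and the frame contents are assumptions for the demonstration; the addresses are the ones used in the gateway protection and ARP filtering examples above.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    """Render 6 MAC bytes in the guide's dotted form, e.g. 000f-e349-1233."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", ""))


def parse_arp_frame(frame: bytes):
    """Return the fields the checks need, or None if the frame is not ARP."""
    _, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa))}


def check_arp(frame, *, valid_check=False, filter_source=(),
              filter_binding=None, sender_ip_range=None):
    """Apply the configured checks to one frame and return a verdict string.
    Check order is an assumption of this example, not the device's."""
    pkt = parse_arp_frame(frame)
    if pkt is None:
        return "not-arp"
    # arp valid-check enable: Ethernet source MAC must equal ARP sender MAC
    if valid_check and pkt["eth_src"] != pkt["sender_mac"]:
        return "drop: source MAC mismatch"
    # arp filter source: drop packets that claim a protected gateway's IP
    if pkt["sender_ip"] in filter_source:
        return "drop: gateway protection"
    # arp filter binding: only the permitted IP/MAC pairs pass
    if filter_binding is not None and filter_binding.get(pkt["sender_ip"]) != pkt["sender_mac"]:
        return "drop: arp filtering"
    # arp sender-ip-range: sender IP must fall inside the allowed range
    if sender_ip_range is not None:
        lo, hi = (IPv4Address(x) for x in sender_ip_range)
        if not lo <= IPv4Address(pkt["sender_ip"]) <= hi:
            return "drop: sender IP out of range"
    return "accept"


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=1):
    """Construct a broadcast ARP frame for testing (constructed sample input)."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       IPv4Address(sender_ip).packed, b"\x00" * 6,
                       IPv4Address(target_ip).packed)
    return eth + arp
```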