Table of Contents

Related Documents

04-ARP Attack Protection Configuration Examples

Title	Size	Download
04-ARP Attack Protection Configuration Examples	154.10 KB


H3C Routers
ARP Attack Protection
Configuration Examples

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Introduction

The following information provides examples for configuring ARP attack protection on routers.

Prerequisites

This document applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of ARP attack protection.

Example: Configuring ARP scanning and fixed ARP

Network configuration

As shown in Figure 1, Host A connects to the external network through a gateway (Router). Configure ARP scanning and fixed ARP to meet the following requirements:

· Disable the router from learning dynamic ARP entries.

· Host B cannot access the router.

Figure 1 Network diagram

‌

Software versions used

This configuration example was created and verified on R9141P16 of the MSR5680-X3 device.

Procedures

# Specify an IP address for GigabitEthernet 1/0/1.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 10.1.1.1 24

# Enable ARP scanning on GigabitEthernet 1/0/1. (The command is not displayed in the configuration file.)

[Router-GigabitEthernet1/0/1] arp scan

This operation may take a long time to collect these ARP entries, and you can press CTRL_C to break. Please specify a right range. Continue? [Y/N]: y

Scanning ARP. Please wait...

Scanning is complete.

[Router-GigabitEthernet1/0/1]quit

# Display ARP entry information on the router when the network has only one host.

[Router] display arp

Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid

IP address MAC address VLAN/VSI name Interface Aging Type

10.1.1.2 0015-e943-7e6a -- -- -- D

# Convert the existing dynamic ARP entry to a static ARP entry. (The command is not displayed in the configuration file.)

[Router] arp fixup

This command will convert existing dynamic ARP entries to static ARP entries. Continue? [Y/N]:y

Fixup ARP. Please wait...

Fixup is complete.

# Display the converted ARP entry.

[Router] display arp

Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid

IP address MAC address VLAN/VSI name Interface Aging Type

10.1.1.2 0015-e943-7e6a -- -- -- S

# Disable GigabitEthernet 1/0/1 from learning dynamic ARP entries.

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] arp max-learning-num 0

[Router-GigabitEthernet1/0/1] quit

Verifying the configuration

# Add Host B to the LAN and display ARP entry information on the router.

[Router] display arp

Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid

IP address MAC address VLAN/VSI name Interface Aging Type

10.1.1.2 0015-e943-7e6a -- -- -- S

The output shows that the router does not have any ARP entry for Host B.

# Verify that Host B cannot ping the router.

C:\> ping 10.1.1.1

Pinging 10.1.1.1 with 32 bytes of data:

Request timed out.

Ping statistics for 10.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Configuration files

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.1.1.1 255.255.255.0

arp max-learning-num 0

Example: Configuring ARP active acknowledgement

Network configuration

As shown in Figure 2, Host A connects to the external network through a gateway (Router). Configure ARP active acknowledgement to prevent user spoofing.

Figure 2 Network diagram

‌

Software versions used

This configuration example was created and verified on R9141P16 of the MSR5680-X3 device.

Procedures

# Specify an IP address for GigabitEthernet 1/0/1.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 10.1.1.1 24

[Router-GigabitEthernet1/0/1] quit

# Enable ARP active acknowledgement.

[Router] arp active-ack enable

Verifying the configuration

# Display authorized ARP entry information on the router.

[Router] display arp

Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid

IP address MAC address VLAN/VSI name Interface Aging Type

10.1.1.2 000f-e123-4568 -- GE1/0/1 20 D

The output shows that the router has an ARP entry for Host A.

# Enable debugging for ARP packets.

<Router> terminal debugging

The current terminal is enabled to display debugging logs.

<Router> debugging arp packet

# Use Host B to send a forged ARP request in which the sender MAC address is 0086-0005-0004 to the gateway. Upon receiving the ARP request, the router finds that the update interval for the corresponding ARP entry is more than 1 minute. Enabled with ARP active acknowledgement, the gateway sends a unicast ARP request in which the target IP and MAC addresses are the IP and MAC addresses in the ARP entry. If the gateway receives an ARP reply within 5 seconds, it compares the sender IP and MAC addresses in the ARP reply with those in the received ARP request.

*Jul 3 18:07:38:660 2013 Router ARP/7/ARP_RCV: Received an ARP message, operation: 1, sender MAC: 0086-0005-0004, sender IP: 10.1.1.2, target MAC: 0cda-41c7-057f, target IP: 10.1.1.1

*Jul 3 18:07:38:660 2013 Router ARP/7/ARP_SEND: Sent an ARP message, operation: 1, sender

MAC: 0cda-41c7-057f, sender IP: 10.1.1.1, target MAC: 000f-e123-4568, target IP: 10.1.1.2

*Jul 3 18:07:38:660 2013 Router ARP/7/ARP_SEND: Sent an ARP message, operation: 2, sender

MAC:0cda-41c7-057f, sender IP: 10.1.1.1, target MAC: 0086-0005-0004, target IP: 10.1.1.2

*Jul 3 18:07:38:660 2013 Router ARP/7/ARP_RCV: Received an ARP message, operation: 2, sender MAC: 000f-e123-4568, sender IP: 10.1.1.2, target MAC: 0cda-41c7-057f, target IP: 10.1.1.1

The output shows that the received ARP reply is sent from Host A. The sender IP and MAC addresses in the ARP reply matches the ARP entry. Then, the gateway regards the received ARP request as an attack packet.

# Display ARP entry information on the router.

<Router> display arp

Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid

IP address MAC address VLAN/VSI name Interface Aging Type

10.1.1.2 000f-e123-4568 -- GE1/0/1 20 D

The output shows that the ARP entry is not updated.

Configuration files

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.1.1.1 255.255.255.0

arp active-ack enable

Example: Configuring source MAC-based ARP attack detection

Network configuration

As shown in Figure 3, the server and PC access the Internet through a gateway (Router).

Configure source MAC-based ARP attack detection on the router to meet the following requirements:

· If the number of ARP packets received from the PC within 5 seconds exceeds 30, the device generates log messages and filters out subsequent ARP packets from the PC.

· Exclude the MAC address of the server from source MAC-based ARP attack detection.

Figure 3 Network diagram

‌

Analysis

Enable source MAC-based ARP attack detection on the router and specify the filter handling method.

Software versions used

This configuration example was created and verified on R9141P16 of the MSR5680-X3 device.

Procedures

# Enable source MAC-based ARP attack detection and specify the filter handling method.

<Router> system-view

[Router] arp source-mac filter

# Set the threshold to 30.

[Router] arp source-mac threshold 30

# Set the aging time for ARP attack entries to 60 seconds.

[Router] arp source-mac aging-time 60

# Exclude MAC address 0086-0005-0004 from this detection.

[Router] arp source-mac exclude-mac 0086-0005-0004

# Specify an IP address for GigabitEthernet 1/0/1.

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 10.1.1.1 24

[Router-GigabitEthernet1/0/1] quit

Verifying the configuration

# Enable debugging for ARP packets.

<Router> terminal debugging

The current terminal is enabled to display debugging logs.

<Router> debugging arp packet

# Use the PC to send ARP packets to the router at a rate of 6 pps. Display ARP attack entries detected by source MAC-based ARP attack detection on the router.

<Router> display arp source-mac interface GigabitEthernet1/0/1

Source-MAC VLAN ID Interface Aging-time

The router does not generate any log message or ARP attack entry.

# Use the PC to send ARP packets to the router at a rate of 10 pps. Display ARP attack entries detected by source MAC-based ARP attack detection on the router.

<Router> display arp source-mac interface GigabitEthernet1/0/1

Source-MAC VLAN ID Interface Aging-time

0088-0008-0009 N/A GE1/0/1 48

The output shows that the router has generated an ARP attack entry.

# Log messages generated by the router are as follows:

*Jun 20 13:54:42:482 2013 Router ARP/7/ARP_RCV: Received an ARP message, opera

tion: 1, sender MAC: 0088-0008-0009, sender IP: 10.1.1.20, target MAC: 0cda-41c7

-057f, target IP: 10.1.1.1

*Jun 20 13:54:42:482 2013 Router ARP/7/ARP_SEND: Sent an ARP message, operatio

n: 2, sender MAC: 0cda-41c7-057f, sender IP: 10.1.1.1, target MAC: 0088-0008-000

9, target IP: 10.1.1.20

*Jun 20 13:54:42:582 2013 Router ARP/7/ARP_RCV: Received an ARP message, opera

tion: 1, sender MAC: 0088-0008-0009, sender IP: 10.1.1.20, target MAC: 0cd

a-41c7-057f, target IP: 10.1.1.1

*Jun 20 13:54:42:582 2013 Router ARP/7/ARP_SEND: Sent an ARP message, operatio

n: 2, sender MAC: 0cda-41c7-057f, sender IP: 10.1.1.1, target MAC: 0088-0008-000

9, target IP: 10.1.1.20

*Jun 20 13:54:42:682 2013 Router ARP/7/ARP_RCV: Received an ARP message, opera

tion: 1, sender MAC: 0088-0008-0009, sender IP: 10.1.1.20, target MAC: 0cda-41c7

-057f, target IP: 10.1.1.1

*Jun 20 13:54:42:682 2013 Router ARP/7/ARP_SEND: Sent an ARP message, operatio

n: 2, sender MAC: 0cda-41c7-057f, sender IP: 10.1.1.1, target MAC: 0088-0008-000

9, target IP: 10.1.1.20

# Use the server to send ARP packets to the router at a rate of 10 pps. Display ARP attack entries detected by source MAC-based ARP attack detection on the router.

<Router> display arp source-mac interface GigabitEthernet1/0/1

Source-MAC VLAN ID Interface Aging-time

The router does not generate any log message or ARP attack entry.

Configuration files

interface GigabitEthernet1/0/1

port link-mode route

shutdown

ip address 10.1.1.1 255.255.255.0

arp source-mac filter

arp source-mac aging-time 60

arp source-mac exclude-mac 0086-0005-0004

Example: Configuring ARP source suppression

Network configuration

As shown in Figure 4, the hosts in VLAN 10 and VLAN 20 access the Internet through a gateway (Router).

Configure ARP source suppression on the router to protect the router from processing a large number of unresolvable IP packets from the same IP address.

Figure 4 Network diagram

‌

Software versions used

This configuration example was created and verified on R9141P16 of the MSR5680-X3 device.

Procedures

# Specify IP addresses for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 20.1.1.1 24

[Router-GigabitEthernet1/0/1] quit

[Router] interface gigabitethernet 1/0/2

[Router-GigabitEthernet1/0/2] ip address 10.1.1.1 24

[Router-GigabitEthernet1/0/2] quit

# Enable ARP source suppression.

[Router] arp source-suppression enable

# Configure the router to process a maximum of 2 unresolvable packets per source IP address within 5 seconds.

[Router] arp source-suppression limit 2

Verifying the configuration

# Use Host D to send IP packets with destination address 20.1.1.2 which does not exist in the LAN to the router. Verify how the router processes ARP packets with ARP source suppression enabled.

# Enable debugging for ARP packets.

<Router> terminal debugging

The current terminal is enabled to display debugging logs.

<Router> debugging arp packet

*Jul 23 17:29:03:061 2014 Router ARP/7/ARP_SEND: Sent an ARP message, operation: 1,