Digitalchina Networks DCS-3950 series User Manual

394 pages
DCS-3950 series Ethernet switch manual
Chapter 21 ARP Scanning Prevention
21.1 Introduction
ARP scanning is a common method of network attack. In order to detect all the active
hosts in a network segment, the attack source broadcasts a large number of ARP messages
in the segment, which takes up a large part of the network bandwidth. It might even
launch a high-traffic attack using fake ARP messages to bring the network down by
exhausting the bandwidth. ARP scanning is usually just a prelude to other, more
dangerous attack methods, such as automatic virus infection or the ensuing port scanning,
vulnerability scanning aimed at stealing information, distorted message attacks, and DoS
attacks.
Since ARP scanning seriously threatens the security and stability of the network,
it is very important to prevent it. ES4700BD series switch provides a complete
solution to prevent ARP scanning: if any host or port showing ARP scanning features
is found in the segment, the switch will cut off the attack source to ensure the security of
the network.
There are two methods to prevent ARP scanning: port-based and IP-based. Port-based
ARP scanning prevention counts the number of ARP messages received from a port in
a certain time range; if the number is larger than a preset threshold, this port will be ‘down’.
IP-based ARP scanning prevention counts the number of ARP messages received from an IP
in the segment in a certain time range; if the number is larger than a preset threshold, any
traffic from this IP will be blocked, while the port related to this IP will not be ‘down’.
These two methods can be enabled simultaneously. After a port or an IP is disabled,
users can recover its state via the automatic recovery function.
To improve the efficiency of the switch, users can configure trusted ports and IPs, the ARP
messages from which will not be checked by the switch. Thus the load on the switch can
be effectively decreased.
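The port-based and IP-based counting described above, together with trusted sources and automatic recovery, can be modelled in a few lines. This is an added example, not code from the manual or the switch firmware; the class name, the thresholds, the one-second window, the recovery time and the sample addresses are all assumptions chosen for illustration, and it models only the decision made for each ARP message.

```python
from collections import defaultdict, deque

class ArpScanGuard:
    """Hypothetical model: counts ARP messages per port and per source IP in a time window."""
    def __init__(self, port_threshold, ip_threshold, window=1.0, recovery=300.0,
                 trusted_ports=(), trusted_ips=()):
        self.port_threshold, self.ip_threshold = port_threshold, ip_threshold
        self.window, self.recovery = window, recovery      # seconds (assumed unit)
        self.trusted_ports, self.trusted_ips = set(trusted_ports), set(trusted_ips)
        self.port_seen = defaultdict(deque)   # port -> ARP timestamps inside the window
        self.ip_seen = defaultdict(deque)     # source IP -> ARP timestamps inside the window
        self.port_down = {}                   # port -> time at which it recovers
        self.ip_blocked = {}                  # source IP -> time at which it recovers

    def _count(self, seen, key, now):
        q = seen[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # forget messages older than the window
            q.popleft()
        return len(q)

    def _recover(self, table, now):
        for key in [k for k, until in table.items() if now >= until]:
            del table[key]                       # automatic recovery after the timer expires

    def on_arp(self, now, port, src_ip):
        """Return 'forward', 'drop', 'port-down' or 'ip-blocked' for one ARP message."""
        self._recover(self.port_down, now)
        self._recover(self.ip_blocked, now)
        if port in self.trusted_ports or src_ip in self.trusted_ips:
            return "forward"                     # trusted sources are not checked
        if port in self.port_down or src_ip in self.ip_blocked:
            return "drop"
        if self._count(self.port_seen, port, now) > self.port_threshold:
            self.port_down[port] = now + self.recovery
            self.port_seen[port].clear()
            return "port-down"                   # port-based: the whole port goes down
        if self._count(self.ip_seen, src_ip, now) > self.ip_threshold:
            self.ip_blocked[src_ip] = now + self.recovery
            self.ip_seen[src_ip].clear()
            return "ip-blocked"                  # IP-based: the port itself stays up
        return "forward"

def demo():
    # Constructed traffic: one host sends 8 ARP messages within 0.8 s on port 5.
    g = ArpScanGuard(port_threshold=10, ip_threshold=5, recovery=60.0, trusted_ports={24})
    return [g.on_arp(i * 0.1, 5, "192.0.2.66") for i in range(8)]
```

With the IP threshold below the port threshold, the scanning host is blocked first and other hosts on the same port keep working; the port only goes down when the aggregate rate on it exceeds the port threshold.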
21.2 Scanning Prevention Configuration
21.2.1 Scanning Prevention Configuration Task List
1. Enable the ARP Scanning Prevention function.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
3. Configure trusted ports
4. Configure trusted IP
5. Configure automatic recovery time
6. Display debug information and related information about ARP scanning
1) Enable the ARP Scanning Prevention function.
