411
Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used
to detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain
incorrect ARP entries.
• Sends a large number of unresolvable IP packets to have the receiving device busy with
resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets
for which ARP cannot find corresponding MAC addresses.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology
White Paper.
ARP attack protection configuration task list
Flood prevention:
• Configuring unresolvable IP attack protection (configured on gateways)
ï‚¡ Configuring ARP source suppression
ï‚¡ Configuring ARP blackhole routing
• Configuring ARP packet rate limit (configured on access devices)
• Configuring source MAC-based ARP attack detection (configured on gateways)
User and gateway spoofing prevention:
• Configuring ARP packet source MAC consistency check (configured on gateways)
• Configuring ARP active acknowledgement (configured on gateways)
• Configuring authorized ARP (configured on gateways)
• Configuring ARP attack detection (configured on access devices)
• Configuring ARP scanning and fixed ARP (configured on gateways)
• Configuring ARP gateway protection (configured on access devices)
• Configuring ARP filtering (configured on access devices)
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations
can occur:
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
• ARP source suppression—Stops resolving packets from a host if the number of unresolvable
IP packets from the host exceeds the upper limit within 5 seconds. The device continues ARP
resolution when the interval elapses. This feature is applicable if the attack packets have the
same source addresses.
To Next Page
Loading...
Need help?
General