
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

Configuring ARP attack protection
ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to
detect and prevent such attacks.
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain
incorrect ARP entries.
• Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those
packets) to keep the receiving device busy with resolving destination IP addresses until the
CPU is overloaded.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
ARP attack protection configuration task list
| Task | Remarks |
|---|---|
| Flood prevention: Configuring unresolvable IP attack protection: Configuring ARP source suppression | Optional. Configure this function on gateways (recommended). |
| Flood prevention: Configuring source MAC-based ARP attack detection | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention: Configuring ARP packet source MAC consistency check | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention: Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention: Configuring ARP automatic scanning and fixed ARP | Optional. Configure this function on gateways (recommended). |
Configuring unresolvable IP attack protection
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called
unresolvable IP packets), the following situations can occur:
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from attack packets that have the same source address, you can configure
ARP source suppression. You can set the maximum number of unresolvable IP packets that the
device can process within 5 seconds. If the threshold is reached, the device stops resolving packets
from the host until the 5 seconds elapse.
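
The following Python model of the per-source threshold described above is an added example, not code from the HPE guide or from Comware. It shows how a high-rate source is cut off for the rest of each 5-second interval while a low-rate host is unaffected. The limit of 10, the host addresses, and the choice to open each 5-second window at a source's first unresolvable packet are assumptions made for the illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 5  # interval stated in the guide


def simulate_source_suppression(packets, limit):
    """Model per-source suppression of unresolvable IP packets.

    packets: iterable of (timestamp_seconds, source_ip), sorted by time,
             each one an IP packet whose destination ARP cannot resolve.
    limit:   maximum unresolvable packets processed per source per window.
    Returns {source_ip: {"resolved": n, "suppressed": n}}.
    """
    window_start = {}              # source -> start time of its current window
    in_window = defaultdict(int)   # source -> packets processed in that window
    stats = defaultdict(lambda: {"resolved": 0, "suppressed": 0})

    for ts, src in packets:
        # Assumption: a fixed-length window opens at the source's first packet.
        if src not in window_start or ts - window_start[src] >= WINDOW_SECONDS:
            window_start[src] = ts
            in_window[src] = 0
        if in_window[src] < limit:
            in_window[src] += 1
            stats[src]["resolved"] += 1     # device would attempt ARP resolution
        else:
            stats[src]["suppressed"] += 1   # threshold reached: not resolved
    return {src: dict(s) for src, s in stats.items()}


def constructed_trace():
    """Constructed sample traffic: one high-rate source and one normal host."""
    trace = []
    # 10.0.0.66 sends 20 unresolvable packets per second for 10 seconds.
    for tick in range(200):
        trace.append((tick / 20, "10.0.0.66"))
    # 10.0.0.5 sends one unresolvable packet every 2 seconds.
    for tick in range(5):
        trace.append((tick * 2.0, "10.0.0.5"))
    return sorted(trace)


if __name__ == "__main__":
    result = simulate_source_suppression(constructed_trace(), limit=10)
    for src, counts in result.items():
        print(src, counts)
```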
