Configuring ike dpd, Configuring arp attack protection, Arp attack protection configuration task list – H3C Technologies H3C S12500-X Series Switches User Manual

Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to
detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
• Sends a large number of IP packets for which ARP cannot find corresponding MAC addresses (called unresolvable IP packets) to keep the receiving device busy resolving IP addresses until its CPU is overloaded.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attack protection configuration task list
Tasks at a glance
Flood prevention:
• Configuring unresolvable IP attack protection (configured on gateways)
  ◦ Configuring ARP source suppression
  ◦ Enabling ARP blackhole routing
• Configuring ARP packet rate limit (configured on access devices)
• Configuring source MAC-based ARP attack detection (configured on gateways)
User and gateway spoofing prevention:
• Configuring ARP packet source MAC consistency check (configured on gateways)
• Configuring ARP active acknowledgement (configured on gateways)
• Configuring authorized ARP (configured on gateways)
• Configuring ARP detection (configured on access devices)
• Configuring ARP automatic scanning and fixed ARP (configured on gateways)
• Configuring ARP gateway protection (configured on access devices)
• Configuring ARP filtering (configured on access devices)
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can
occur.
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
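The per-source counting that tells a flooding host apart from normal ARP misses can be modelled as follows. This is an added example, not taken from the H3C manual and not the switch's implementation; the 5-second window, the limit of 10, the function names and all addresses are assumptions or constructed sample data.

```python
from collections import defaultdict, deque

WINDOW_MS = 5000   # assumed observation window, not a value from the manual
THRESHOLD = 10     # assumed per-source limit, not a value from the manual

# Constructed sample: destinations that already have an ARP entry.
RESOLVED = {"10.0.0.1", "10.0.0.20"}


def build_sample():
    """Constructed events: (timestamp_ms, source_ip, destination_ip)."""
    events = [
        (0, "10.0.0.20", "10.0.0.1"),      # resolvable, never counted
        (1000, "10.0.0.20", "10.0.0.99"),  # a single miss from a normal host
    ]
    # Slow host: 20 misses in total, but only one per second.
    events += [(i * 1000, "10.0.0.30", f"10.0.2.{i + 1}") for i in range(20)]
    # Flooding host: 30 misses within 3 seconds.
    events += [(2000 + i * 100, "10.0.0.66", f"10.0.1.{i + 1}") for i in range(30)]
    return sorted(events)


def flooding_sources(events, resolved, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return {source_ip: timestamp_ms at which it first exceeded threshold}."""
    recent = defaultdict(deque)   # source -> timestamps of recent misses
    flagged = {}
    for ts, src, dst in events:
        if dst in resolved:
            continue              # ARP can resolve it: no extra ARP requests
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_ms:
            window.popleft()      # forget misses older than the window
        if len(window) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in flooding_sources(build_sample(), RESOLVED).items():
        print(f"{src} exceeded {THRESHOLD} unresolvable packets at t={ts} ms")
```

The slow host sends more unresolvable packets in total than the limit but never more than six inside one window, so only the burst source is reported.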
To protect the device from such unresolvable IP attacks, you can configure the following features: