H3C S3600 Series Switches User Manual

2 ARP Attack Defense Configuration

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.

Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn

To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on S3600 series Ethernet switches (operating as gateways). That is, you can set the maximum number of dynamic ARP entries that a VLAN interface can learn. If the number of ARP entries learned by the VLAN interface exceeds the specified upper limit, the VLAN interface stops learning ARP entries, thus preventing ARP flood attacks.

Introduction to ARP Source MAC Address Consistency Check

An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP packets. These ARP packets can cause other network devices to update the corresponding ARP entries incorrectly, thus interrupting network traffic.

To prevent such attacks, you can configure ARP source MAC address consistency check on S3600 series Ethernet switches (operating as gateways). With this function, the device can verify whether an ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC address in the Ethernet header.

- If they are consistent, the packet passes the check and the switch learns the ARP entry.
- If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.
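As an added illustration (not code from the H3C manual), the following Python models the two mechanisms described in this and the previous section: the ARP source MAC address consistency check applied to a parsed Ethernet/ARP frame, and a VLAN-interface ARP table that stops learning new dynamic entries once a configured upper limit is reached. The frame builder and the MAC/IP values used with it are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_ARP = 0x0806

def build_arp_reply(eth_src: bytes, sha: bytes, spa: bytes,
                    tha: bytes, tpa: bytes) -> bytes:
    """Construct an Ethernet II frame carrying an ARP reply (test input only)."""
    eth = tha + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + tha + tpa
    return eth + arp

def parse_arp_frame(frame: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Return (Ethernet source MAC, ARP sender MAC, ARP sender IP), or None
    if the frame is not a well-formed Ethernet/IPv4 ARP frame."""
    if len(frame) < 14 + 28:                       # Ethernet header + ARP body
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_src, frame[22:28], frame[28:32]     # SHA, SPA follow the header

def source_mac_consistent(frame: bytes) -> bool:
    """ARP source MAC address consistency check: the ARP sender MAC must
    equal the source MAC address in the Ethernet header."""
    parsed = parse_arp_frame(frame)
    return parsed is not None and parsed[0] == parsed[1]

class VlanArpTable:
    """Dynamic ARP entries learned on one VLAN interface, capped at
    max_entries (the 'maximum number of dynamic ARP entries' setting)."""
    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        self.entries: Dict[bytes, bytes] = {}      # sender IP -> sender MAC

    def learn(self, frame: bytes) -> bool:
        """Apply both checks; return True only if the entry was learned."""
        if not source_mac_consistent(frame):
            return False                           # inconsistent: not learned
        _, sha, spa = parse_arp_frame(frame)
        if spa not in self.entries and len(self.entries) >= self.max_entries:
            return False                           # limit reached: stop learning
        self.entries[spa] = sha                    # learn or refresh the entry
        return True
```

Note that the consistency check only catches a sender MAC that differs from the frame's Ethernet source MAC; it does not by itself detect a spoofed sender IP address.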

Introduction to ARP Attack Detection

Man-in-the-middle attack

According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.

In Figure 2-1, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) sends invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. Then, the traffic between Host A and Host C passes through Host B, which acts as a "man-in-the-middle" that may intercept and modify the communication. Such an attack is called a man-in-the-middle attack.
