
ARP restricted forwarding, Introduction to ARP packet rate limit – H3C Technologies H3C S3600 Series Switches User Manual


- For details about DHCP Snooping and IP static binding, refer to DHCP Operation.
- For details about 802.1x authentication, refer to 802.1x and System Guard Operation.

ARP restricted forwarding

With the ARP restricted forwarding function enabled, ARP request packets coming from an untrusted port are forwarded through trusted ports only; ARP response packets coming from an untrusted port are forwarded according to the destination MAC addresses in the packets, or through trusted ports if the MAC address table contains no entry for the destination MAC address.

Introduction to ARP Packet Rate Limit

To prevent man-in-the-middle attacks, a switch enabled with the ARP attack detection function delivers ARP packets to the CPU to check the validity of the packets. However, this causes a new problem: if an attacker sends a large number of ARP packets to a port of a switch, the CPU will get overloaded, causing other functions to fail and even the whole device to break down. To guard against such attacks, S3600 series Ethernet switches support the ARP packet rate limit function, which shuts down the attacked port, thus preventing serious impact on the CPU.

With this function enabled on a port, the switch counts the ARP packets received on the port within each second. If the number of ARP packets received on the port per second exceeds the preconfigured value, the switch considers that the port is under ARP packet attack. In this case, the switch shuts down the port. As the port no longer receives any packets, the switch is protected from the ARP packet attack.

At the same time, the switch supports automatic recovery of the port state. If a port is shut down by the switch due to a high packet rate, the port reverts to the Up state after a configured period of time.
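The per-second counting, port shutdown and timed recovery described above, as an added simulation in Python (not H3C code and not the switch's actual implementation); the port name, threshold and recovery time are constructed values:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortState:
    threshold: int                      # max ARP packets allowed per second
    recovery_secs: float                # how long a shut-down port stays down
    window: int = -1                    # whole-second window being counted
    count: int = 0                      # ARP packets seen in that window
    down_until: Optional[float] = None  # set while the port is shut down


class ArpRateLimiter:
    """Hypothetical model of per-port ARP rate limiting with automatic recovery."""

    def __init__(self) -> None:
        self.ports: Dict[str, PortState] = {}

    def enable(self, port: str, threshold: int, recovery_secs: float) -> None:
        self.ports[port] = PortState(threshold, recovery_secs)

    def is_up(self, port: str, ts: float) -> bool:
        st = self.ports.get(port)
        return st is None or st.down_until is None or ts >= st.down_until

    def on_arp_packet(self, port: str, ts: float) -> str:
        """Return 'forward', 'dropped' (port is down) or 'shutdown' (limit just exceeded)."""
        st = self.ports.get(port)
        if st is None:
            return "forward"                    # rate limit not enabled on this port
        if st.down_until is not None:
            if ts < st.down_until:
                return "dropped"                # port is shut down, nothing is received
            st.down_until, st.window, st.count = None, -1, 0   # automatic recovery
        if int(ts) != st.window:                # a new one-second window starts
            st.window, st.count = int(ts), 0
        st.count += 1
        if st.count > st.threshold:
            st.down_until = ts + st.recovery_secs   # shut the port down
            return "shutdown"
        return "forward"


def run_trace(limiter: ArpRateLimiter, trace: List[Tuple[str, float]]) -> List[str]:
    """Feed (port, timestamp) ARP arrivals through the limiter and collect the verdicts."""
    return [limiter.on_arp_packet(port, ts) for port, ts in trace]


if __name__ == "__main__":
    lim = ArpRateLimiter()
    lim.enable("Ethernet1/0/1", threshold=3, recovery_secs=5)   # constructed values
    # Constructed trace: a burst of four ARP packets inside one second, then two stragglers
    trace = [("Ethernet1/0/1", t) for t in (10.0, 10.1, 10.2, 10.3, 12.0, 15.5)]
    print(run_trace(lim, trace))  # ['forward', 'forward', 'forward', 'shutdown', 'dropped', 'forward']
```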

Introduction to ARP Packet Filtering Based on Gateway's Address

According to the ARP design, after receiving an ARP packet whose target IP address is that of the receiving interface, a device adds the IP-to-MAC mapping of the sender to its ARP mapping table even if it did not itself request that MAC address. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.

The most common ARP attack on campus networks is the gateway spoofing attack. An attacker sends an ARP packet with the gateway’s IP address and a fake MAC address, and a receiving host then updates its IP-to-MAC binding for the gateway. As a result, the traffic sent from the host to the gateway is redirected to the fake MAC address, and the client is unable to access the external network.
