
Configuring ARP attack protection, Overview, ARP attack protection configuration task list – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Configuring ARP attack protection

ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent such attacks.

Overview

Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:

• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.

• Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those packets) to keep the receiving device busy resolving destination IP addresses until its CPU is overloaded.

• Sends a large number of ARP packets to overload the CPU of the receiving device.

For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.

ARP attack protection configuration task list

Complete the following tasks to configure ARP attack protection:

| Task | Remarks |
|---|---|
| Flood prevention | |
| Configuring unresolvable IP attack protection: Configuring ARP source suppression | Optional. Configure this function on gateways (recommended). |
| Configuring unresolvable IP attack protection: Enabling ARP black hole routing | Optional. Configure this function on gateways (recommended). |
| Configuring ARP packet rate limit | Optional. Configure this function on access devices (recommended). |
| Configuring source MAC address based ARP attack detection | Optional. Configure this function on gateways (recommended). |
| Configuring ARP packet source MAC address consistency check | Optional. Configure this function on gateways (recommended). |
| Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended). |
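
The following Python sketch is an added example, not part of the H3C manual and not how the device implements these features. It runs the three attack patterns from the Overview, plus a comparison of the Ethernet source MAC against the ARP sender MAC, over constructed event records. The event format, the trusted binding table, the window and the limits are all assumptions made for illustration.

```python
from collections import defaultdict

# Event formats (all sample data below is constructed; addresses are documentation ranges):
#   ("arp", t, eth_src_mac, sender_mac, sender_ip)  a received ARP packet
#   ("unresolved", t, src_ip, dst_ip)               an IP packet whose destination ARP could not resolve
GATEWAY_IP = "192.0.2.1"
TRUSTED = {GATEWAY_IP: "00:00:5e:00:53:01"}  # assumed known-good IP-to-MAC binding

def analyze(events, window=5.0, arp_limit=20, unresolved_limit=10):
    """Return a set of (finding, source) pairs; limits are illustrative, not device defaults."""
    findings = set()
    arp_times = defaultdict(list)         # source MAC -> recent ARP timestamps
    unresolved_times = defaultdict(list)  # source IP -> recent unresolved-packet timestamps
    for ev in sorted(events, key=lambda e: e[1]):
        kind, t = ev[0], ev[1]
        if kind == "arp":
            eth_src, sender_mac, sender_ip = ev[2:]
            # Spoofing: the claimed binding contradicts a trusted entry.
            if TRUSTED.get(sender_ip, sender_mac) != sender_mac:
                findings.add(("spoofed-binding", eth_src))
            # Consistency: Ethernet header and ARP body disagree about the sender MAC.
            if eth_src != sender_mac:
                findings.add(("mac-mismatch", eth_src))
            times, key, limit, name = arp_times[eth_src], eth_src, arp_limit, "arp-flood"
        else:
            src_ip = ev[2]
            times, key, limit, name = unresolved_times[src_ip], src_ip, unresolved_limit, "unresolvable-flood"
        times.append(t)
        while times[0] <= t - window:  # drop timestamps that left the sliding window
            times.pop(0)
        if len(times) > limit:
            findings.add((name, key))
    return findings

def sample_events():
    mac = "00:00:5e:00:53:{}".format
    events = [("arp", 0.0, mac("01"), mac("01"), GATEWAY_IP)]           # genuine gateway
    events.append(("arp", 1.0, mac("aa"), mac("aa"), GATEWAY_IP))       # aa claims the gateway IP
    events.append(("arp", 1.5, mac("cc"), mac("dd"), "192.0.2.60"))     # header/body mismatch
    events += [("arp", 2.0 + i * 0.1, mac("bb"), mac("bb"), "192.0.2.50") for i in range(30)]
    events += [("unresolved", 3.0 + i * 0.1, "192.0.2.77", f"192.0.2.{200 + i}") for i in range(15)]
    return events

if __name__ == "__main__":
    for finding in sorted(analyze(sample_events())):
        print(finding)
```

Each finding names the source to act on: a MAC address for the spoofing, mismatch and ARP flood cases, and a source IP address for the unresolvable IP case.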