
Configuring unresolvable ip attack protection, Introduction, Configuring arp source suppression – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Task                                  Remarks
Configuring ARP detection             Optional. Configure this function on access devices (recommended).
Configuring ARP gateway protection    Optional. Configure this function on access devices (recommended).
Configuring ARP filtering             Optional. Configure this function on access devices (recommended).

Configuring unresolvable IP attack protection

Introduction

If a device receives a large number of unresolvable IP packets (packets whose next-hop IP address cannot be resolved to a MAC address) from a host, the following situations can occur:

- The device sends a large number of ARP requests, overloading the target subnets.
- The device keeps trying to resolve the target IP addresses, overloading its CPU.

To protect the device from such IP packet attacks, you can configure the following features:

- ARP source suppression: If the attack packets have the same source address, enable the ARP source suppression function and set the maximum number of unresolvable IP packets that a host can send within five seconds. When the threshold is reached, the device stops resolving packets from that host until the five seconds elapse. Packets from other hosts, and packets to destinations that can be resolved, are not affected.
- ARP black hole routing: You can enable the ARP black hole routing function regardless of whether the attack packets have the same source address. After receiving an unresolvable IP packet, the device creates a black hole route destined for that IP address and drops all matching packets until the black hole route ages out. Because the route is keyed by destination, this feature is effective against floods from many sources to one unresolvable address, but not against a scan of many distinct unresolvable addresses.

Configuring ARP source suppression

Step                                              Command                                    Remarks
1. Enter system view.                             system-view                                N/A
2. Enable ARP source suppression.                 arp source-suppression enable              Disabled by default.
3. Set the maximum number of unresolvable         arp source-suppression limit limit-value   Optional. 10 by default.
   packets that the device can receive from a
   host in five seconds.
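The following model, added here as an illustration and not part of the H3C manual or of Comware, shows how the two mechanisms from the Introduction interact with the defaults from the table above (source suppression disabled by default, limit 10 per five-second window). The source-suppression semantics (the first limit packets in a window are resolved, the rest are dropped until the window elapses), the ordering of the black hole route lookup before the suppression counter, the 25-second black hole aging time, and all addresses and packet sequences are assumptions made for the example; check the actual behaviour against the command reference for your release.

```python
"""Model of unresolvable IP attack protection: ARP source suppression and
ARP black hole routing, as described in the Introduction.  Example code,
not Comware: window semantics, aging time and traffic are assumptions."""
from collections import Counter

WINDOW_SECONDS = 5  # fixed suppression window stated in the manual


class ArpSourceSuppression:
    """Per-source count of unresolvable packets within a 5-second window."""

    def __init__(self, limit=10, enabled=False):
        self.limit = limit        # arp source-suppression limit (10 by default)
        self.enabled = enabled    # arp source-suppression enable (off by default)
        self._windows = {}        # src -> [window_start, packets_seen]

    def allow(self, src, now):
        """True if the device should still try to resolve for this source."""
        if not self.enabled:
            return True
        window = self._windows.get(src)
        if window is None or now - window[0] >= WINDOW_SECONDS:
            window = [now, 0]     # start a fresh window for this host
            self._windows[src] = window
        window[1] += 1
        # Assumption: the first `limit` packets in a window are resolved,
        # everything beyond the limit is not, until the window elapses.
        return window[1] <= self.limit


class ArpBlackHole:
    """Black hole routes keyed by destination, aged out after age_seconds."""

    def __init__(self, age_seconds=25, enabled=True):
        self.age_seconds = age_seconds  # aging time is an assumption
        self.enabled = enabled
        self._routes = {}               # dst -> expiry time

    def matches(self, dst, now):
        expiry = self._routes.get(dst)
        if expiry is None:
            return False
        if now >= expiry:
            del self._routes[dst]       # route has aged out
            return False
        return True

    def install(self, dst, now):
        if self.enabled:
            self._routes[dst] = now + self.age_seconds


class Device:
    def __init__(self, resolvable, suppression, blackhole):
        self.resolvable = set(resolvable)   # destinations with ARP entries
        self.suppression = suppression
        self.blackhole = blackhole
        self.arp_requests = 0               # ARP requests the device sent

    def receive(self, src, dst, now):
        if dst in self.resolvable:
            return "forwarded"
        # Route lookup precedes ARP resolution, so an existing black hole
        # route drops the packet without touching the suppression counter.
        if self.blackhole.matches(dst, now):
            return "dropped-blackhole"
        if not self.suppression.allow(src, now):
            return "dropped-suppressed"
        self.arp_requests += 1              # ARP request goes out, unanswered
        self.blackhole.install(dst, now)    # so a black hole route is created
        return "arp-request"


def run(device, packets):
    """Feed (time, src, dst) tuples; return a Counter of outcomes."""
    return Counter(device.receive(src, dst, t) for t, src, dst in packets)


def scan_from_one_host(limit=10):
    """One host sweeps 30 unresolvable addresses in 3 s, then 5 more at t=6,
    then sends one packet to a resolvable host.  Constructed traffic."""
    dev = Device({"10.1.1.1"}, ArpSourceSuppression(limit, enabled=True),
                 ArpBlackHole(enabled=False))
    pkts = [(i * 0.1, "10.1.1.100", f"10.2.0.{i + 1}") for i in range(30)]
    pkts += [(6 + i * 0.1, "10.1.1.100", f"10.2.0.{i + 31}") for i in range(5)]
    pkts.append((7.0, "10.1.1.100", "10.1.1.1"))
    return run(dev, pkts), dev.arp_requests


def flood_to_one_destination():
    """40 hosts hit one unresolvable address over 20 s, one more at t=30,
    after the black hole route has aged out.  Constructed traffic."""
    dev = Device({"10.1.1.1"}, ArpSourceSuppression(enabled=False),
                 ArpBlackHole(age_seconds=25))
    pkts = [(i * 0.5, f"10.1.1.{i + 2}", "10.2.0.9") for i in range(40)]
    pkts.append((30.0, "10.1.1.50", "10.2.0.9"))
    return run(dev, pkts), dev.arp_requests


if __name__ == "__main__":
    print("scan from one host:", *scan_from_one_host())
    print("flood to one destination:", *flood_to_one_destination())
```

In the first scenario source suppression caps the attacker at 10 ARP requests per window (15 in total across the two windows) and leaves the packet to a resolvable destination untouched, whereas black hole routing would not have helped because every destination is different. In the second scenario the opposite holds: suppression is off and every source is different, but a single black hole route absorbs the flood after one ARP request until the route ages out.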