Arp attack protection configuration, Arp detection, Source mac address based arp attack detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

148

ARP attack protection configuration

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network

attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple

features to detect and prevent such attacks. This chapter mainly introduces these features.

ARP detection

The ARP detection feature enables access devices to block ARP packets from unauthorized clients to

prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:

•

User validity check—The device compares the sender IP and MAC addresses of a received ARP
packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security

entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.

•

ARP packet validity check—The device does not check ARP packets received from an ARP trusted
port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet

based on source MAC address, destination MAC address, or source and destination IP addresses.
ARP packets that fail the check are discarded.

For more information about ARP detection, see H3C WX Series Access Controllers Security

Configuration Guide.

Source MAC address based ARP attack detection

This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If

the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the

device considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates a log message upon receiving an ARP packet sourced

from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),

or only generates a log message upon receiving an ARP packet sourced from that MAC address (in

monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from

being discarded, you can specify the MAC address of the gateway or server as a protected MAC

address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.

ARP active acknowledgement

The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP

packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry.