beautypg.com

Configuring arp attack protection, Overview, Arp detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 195: Source mac address based arp attack detection, Arp active acknowledgement

background image

174

Configuring ARP attack protection

Overview

Although ARP is easy to implement, it does not provide any security mechanism and is prone to network

attacks and viruses, which threaten LAN security. This chapter describes features that a device can use to
detect and prevent attacks.

ARP detection

The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:

User validity check—The device compares the sender IP and MAC addresses of a received ARP
packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security

entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.

ARP packet validity check—The device does not check ARP packets received from an ARP trusted

port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet
based on source MAC address, destination MAC address, or source and destination IP addresses.

ARP packets that fail the check are discarded.

For more information about ARP detection, see "

About the H3C Access Controllers Web-Based

Configuration Guide

."

Source MAC address based ARP attack detection

This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address exceeds the specified threshold within 5 seconds, the

device considers this an attack and adds the MAC address to the attack detection table. Before the attack

detection entry is aged out, the device generates a log message when it receives an ARP packet sourced

from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),

or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server might send a large number of ARP packets. To prevent these ARP packets

from being discarded, you can specify the MAC address of the gateway or server as a protected MAC

address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.

ARP active acknowledgement

The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid

generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack

Protection Technology White Paper.