Configuring arp attack protection, Overview, Arp detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring ARP attack protection
Overview
Although ARP is easy to implement, it does not provide any security mechanism and is prone to network
attacks and viruses, which threaten LAN security. This chapter describes features that a device can use to
detect and prevent attacks.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
• User validity check—The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
• ARP packet validity check—The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet based on source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.
For more information about ARP detection, see "
Source MAC address based ARP attack detection
This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If the number of ARP packets from a MAC address exceeds the specified threshold within 5 seconds, the device considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry is aged out, the device handles every ARP packet sourced from that MAC address according to the detection mode: in filter mode it generates a log message and filters out the packet; in monitor mode it only generates a log message.
A gateway or critical server might send a large number of ARP packets. To prevent these ARP packets
from being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
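The following Python model, added here as an illustration and not part of the H3C manual or firmware, walks through the source MAC based detection described above: a per-MAC packet count over the 5-second window, an attack detection table whose entries age out, filter versus monitor mode, and a protected gateway MAC that is never counted. The sliding window, the 60-second aging time, the MAC addresses and the packet trace are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque

WINDOW = 5.0  # detection window in seconds, as stated in the manual


class ArpSourceMacDetector:
    """Source MAC address based ARP attack detection, modelled as a sliding window."""

    def __init__(self, threshold, mode="filter", aging=60.0, protected=()):
        self.threshold = threshold          # max ARP packets per MAC within WINDOW
        self.mode = mode                    # "filter" or "monitor"
        self.aging = aging                  # assumed aging time (s) of an attack entry
        self.protected = {m.lower() for m in protected}
        self.recent = defaultdict(deque)    # MAC -> timestamps inside the window
        self.attack_table = {}              # MAC -> time the entry ages out
        self.logs = []

    def handle(self, ts, src_mac):
        """Return True if the ARP packet is accepted, False if filtered out."""
        mac = src_mac.lower()
        if mac in self.protected:           # protected MACs are never checked
            return True
        for m in [m for m, exp in self.attack_table.items() if exp <= ts]:
            del self.attack_table[m]        # age out stale attack entries
        if mac not in self.attack_table:
            q = self.recent[mac]
            q.append(ts)
            while ts - q[0] > WINDOW:       # forget packets older than the window
                q.popleft()
            if len(q) <= self.threshold:
                return True                 # rate is within the threshold
            self.attack_table[mac] = ts + self.aging
            q.clear()
        # An attack entry exists: log every packet, drop it only in filter mode
        self.logs.append(f"{ts:.1f}s ARP attack detected, source MAC {mac}")
        return self.mode == "monitor"


def run_demo(mode):
    """Replay a constructed ARP trace; return per-packet decisions and the detector."""
    gw, atk, host = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    det = ArpSourceMacDetector(threshold=3, mode=mode, protected=[gw])
    trace = [(0.0, atk), (0.2, gw), (0.4, gw), (0.5, atk), (0.6, gw), (0.8, gw),
             (1.0, atk), (1.2, gw), (1.5, atk), (2.0, atk),   # atk: 5 packets in 2 s
             (3.0, host), (7.5, host),                        # host: normal rate
             (70.0, atk)]                                     # after the entry ages out
    return [det.handle(ts, mac) for ts, mac in trace], det


if __name__ == "__main__":
    decisions, det = run_demo("filter")
    print(decisions, *det.logs, sep="\n")
```

In filter mode the fourth and fifth packets of the burst are logged and dropped, the busy gateway is never counted, and the attacker's packet at 70 s is accepted again because its entry has aged out; in monitor mode the same two log messages appear but nothing is dropped.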
ARP active acknowledgement
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack
Protection Technology White Paper.