ARP Attack Protection, Periodic Sending of Gratuitous ARP Packets – H3C Technologies H3C SecPath F1000-E User Manual

Page 503

ARP Attack Protection

The Address Resolution Protocol (ARP) is easy to use, but because it has no built-in security mechanism it is often exploited by attackers. ARP attacks and ARP viruses currently pose a serious threat to LANs. To counter them, the device provides multiple techniques for detecting and preventing such attacks. The following sections describe the principles and configuration of these techniques.

Periodic Sending of Gratuitous ARP Packets

Introduction to Periodic Sending of Gratuitous ARP Packets

By sending gratuitous ARP packets periodically, a device can notify its downlink devices of updates to its ARP entries or MAC address entries, so as to:

1. Prevent ARP spoofing

A spoofed gratuitous ARP packet can cause hosts on a network segment to update their ARP entries incorrectly, so that traffic the hosts intend to send to the gateway is redirected to an incorrect MAC address instead. As a result, the hosts cannot reach external networks.

To prevent such ARP attacks, you can configure the gateway's interfaces to regularly send gratuitous ARP packets for the primary IP address and the manually configured secondary IP addresses of the interface. In this way, the hosts on the network segment learn the correct gateway address information and can access the network normally.

2. Prevent aging of the gateway ARP entry

In practice, if the network load is heavy or the CPU usage of hosts on the network is high, ARP packets may be dropped or the hosts may be unable to process them in time. In such cases, the hosts' dynamic ARP entries may be aged out, and traffic between the hosts and the gateway may be interrupted until the ARP entry of the gateway is learned again.

To solve this problem, you can enable the gateway interface to regularly send gratuitous ARP packets that contain the primary IP address or a manually configured secondary IP address. This helps the hosts update their ARP entries in time and prevents such traffic interruption as far as possible.

3. Prevent the virtual IP address of a VRRP group from being used by a host

When a network has a VRRP group, the master router in the VRRP group must regularly send gratuitous ARP packets to the hosts on the network so that the hosts update their local ARP entries in time, ensuring that no device on the network uses the virtual IP address of the VRRP group.

Because the virtual IP address of the VRRP group may be mapped to either the virtual MAC address or the actual MAC address, the gratuitous ARP packets carry the virtual MAC address or the actual MAC address accordingly.

4. Update MAC entries of devices in VLANs with ambiguous VLAN termination configured

In a VRRP configuration, if ambiguous VLAN termination is configured for many VLANs and VRRP groups, the interfaces configured with VLAN termination must be prevented from transmitting broadcast/multicast packets, and a VRRP control VLAN must be configured so that VRRP advertisements are transmitted within the control VLAN only. In such cases, you can enable periodic sending of gratuitous ARP packets containing the VRRP virtual IP address, and the primary IP
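The following is an added example, not code from the manual or from H3C: it builds the gratuitous ARP frames described above (sender IP equal to target IP, broadcast destination) and shows how a monitoring host could validate such an announcement against a static gateway IP-to-MAC mapping. The gateway addresses and the mismatched MAC are constructed sample values.

```python
import struct

# Constructed sample values (not from the manual): the gateway's real
# MAC/IP and a second MAC that does not belong to the gateway.
GATEWAY_MAC = bytes.fromhex("001122334455")
GATEWAY_IP = "192.0.2.1"
OTHER_MAC = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def build_gratuitous_arp(sender_mac: bytes, ip: str, reply: bool = False) -> bytes:
    """Build an Ethernet/ARP frame announcing `ip` at `sender_mac`.

    A gratuitous ARP sets sender IP == target IP. In request form the
    target MAC is zero-filled; in reply form it carries the sender's MAC.
    """
    ip_bytes = bytes(int(o) for o in ip.split("."))
    opcode = 2 if reply else 1
    target_mac = sender_mac if reply else b"\x00" * 6
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      sender_mac, ip_bytes, target_mac, ip_bytes)
    return BROADCAST + sender_mac + b"\x08\x06" + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet-framed ARP packet and flag gratuitous ones."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": smac, "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac, "target_ip": ".".join(map(str, tip)),
            "gratuitous": sip == tip}


def check_gateway_announcement(frame: bytes, trusted: dict) -> str:
    """Classify a gratuitous ARP against a static gateway IP -> MAC map.

    Returns 'ok' when the announced MAC matches the trusted entry,
    'spoofed' when it does not, and 'ignore' for frames that are not
    gratuitous or announce an IP we do not track.
    """
    p = parse_arp(frame)
    if not p["gratuitous"] or p["sender_ip"] not in trusted:
        return "ignore"
    return "ok" if p["sender_mac"] == trusted[p["sender_ip"]] else "spoofed"
```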
