03-Security Configuration Guide

HomeSupportSecurityH3C SecPath F5000 FirewallConfigure & DeployConfiguration GuidesH3C SecPath F50X0-D[F5000-AK] Firewalls Series Configuration Guides (V7) (R9620)-6W40103-Security Configuration Guide
21-ARP attack protection configuration
Title Size Download
21-ARP attack protection configuration 120.43 KB

Configuring ARP attack protection

About ARP attack protection

The device can provide multiple features to detect and prevent ARP attacks and viruses in the LAN. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:

·     Sends a large number of unresolvable IP packets to have the receiving device busy with resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets for which ARP cannot find corresponding MAC addresses.

·     Sends a large number of ARP packets to overload the CPU of the receiving device.

·     Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.

ARP attack protection tasks at a glance

All ARP attack protection tasks are optional.

·     Preventing flood attacks

¡     Configuring unresolvable IP attack protection

¡     Configuring source MAC-based ARP attack detection

·     Preventing user and gateway spoofing attacks

¡     Configuring ARP packet source MAC consistency check

¡     Configuring ARP active acknowledgement

¡     Configuring authorized ARP

¡     Configuring ARP attack detection

¡     Configuring ARP scanning and fixed ARP

¡     Configuring ARP gateway protection

¡     Configuring ARP filtering

Configuring unresolvable IP attack protection

About unresolvable IP attack protection

If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:

·     The device sends a large number of ARP requests, overloading the target subnets.

·     The device keeps trying to resolve the destination IP addresses, overloading its CPU.

To protect the device from such IP attacks, you can configure the following features:

·     ARP source suppression—Stops resolving packets from an IP address if the number of unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.

·     ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer is reached or the route becomes reachable.

After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.

This feature is applicable regardless of whether the attack packets have the same source addresses.

Configuring ARP source suppression

1.     Enter system view.

system-view

2.     Enable ARP source suppression.

arp source-suppression enable

By default, ARP source suppression is disabled.

3.     Set the maximum number of unresolvable packets that the device can process per source IP address within 5 seconds.

arp source-suppression limit limit-value

By default, the maximum number is 10.

Display and maintenance commands for unresolvable IP attack protection

Execute display commands in any view.

 

Task

Command

Display ARP source suppression configuration information.

display arp source-suppression

Configuring source MAC-based ARP attack detection

About source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address. If the ARP logging feature is enabled, the device handles the attack by using either of the following methods before the ARP attack entry ages out:

·     Monitor—Only generates log messages.

·     Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.

To enable the ARP logging feature, use the arp check log enable command. For information about the ARP logging feature, see ARP configuration in Layer 3—IP Services Configuration Guide.

When an ARP attack entry ages out, ARP packets sourced from the MAC address in the entry can be processed correctly.

Restrictions and guidelines

When you change the handling method from monitor to filter, the configuration takes effect immediately. When you change the handling method from filter to monitor, the device continues filtering packets that match existing attack entries.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.

Procedure

1.     Enter system view.

system-view

2.     Enable source MAC-based ARP attack detection and specify the handling method.

arp source-mac { filter | monitor }

By default, this feature is disabled.

3.     Set the threshold.

arp source-mac threshold threshold-value

By default, the threshold for source MAC-based ARP attack detection is 30.

4.     Set the aging timer for ARP attack entries.

arp source-mac aging-time time

By default, the lifetime is 300 seconds.

5.     (Optional.) Exclude specific MAC addresses from this detection.

arp source-mac exclude-mac mac-address&<1-10>

By default, no MAC address is excluded.

Display and maintenance commands for source MAC-based ARP attack detection

Execute display commands in any view.

 

Task

Command

Display ARP attack entries detected by source MAC-based ARP attack detection.

display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }

Configuring ARP packet source MAC consistency check

About this task

This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.

Procedure

1.     Enter system view.

system-view

2.     Enable ARP packet source MAC address consistency check.

arp valid-check enable

By default, ARP packet source MAC address consistency check is disabled.

Configuring ARP active acknowledgement

About this task

Use the ARP active acknowledgement feature on gateways to prevent user spoofing.

This feature enables the device to perform active acknowledgement before creating an ARP entry.

·     Upon receiving an ARP request that requests the MAC address of the device, the device sends an ARP reply. Then, it sends an ARP request for the sender IP address in the received ARP request to determine whether to create an ARP entry for the sender IP address.

¡     If the device receives an ARP reply within the probe interval, it creates the ARP entry.

¡     If the device does not receive an ARP reply within the probe interval, it does not create the ARP entry.

·     Upon receiving an ARP reply, the device examines whether it was the reply to the request that the device has sent.

¡     If it was, the device creates an ARP entry for the sender IP address in the ARP reply.

¡     If it was not, the device sends an ARP request for the sender IP address to determine whether to create an ARP entry for the sender IP address.

-     If the device receives an ARP reply within the probe interval, it creates the ARP entry.

-     If the device does not receive an ARP reply within the probe interval, it does not create the ARP entry.

To improve validity and reliability of ARP entries, you can enable ARP active acknowledgement in strict mode. In this mode, the device creates ARP entries only for the IP addresses that the device actively initiates the ARP resolution.

Procedure

1.     Enter system view.

system-view

2.     Enable ARP active acknowledgement.

arp active-ack [ strict ]  enable

By default, ARP active acknowledgement is disabled.

For ARP active acknowledgement to take effect in strict mode, make sure ARP blackhole routing is enabled.

Configuring authorized ARP

About authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.

Use this feature to prevent user spoofing and to allow only authorized clients to access network resources.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

Supported interface types include Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, Layer 3 aggregate subinterface, and VLAN interface.

3.     Enable authorized ARP on the interface.

arp authorized enable

By default, authorized ARP is disabled.

Configuring ARP attack detection

About ARP attack detection

ARP attack detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.

ARP attack detection provides the following features:

·     User validity check.

·     ARP packet validity check.

·     ARP restricted forwarding.

·     ARP attack detection logging.

If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies.

Do not configure ARP attack detection together with ARP snooping. Otherwise, ARP snooping entries cannot be generated.

Configuring user validity check

About this task

User validity check does not check ARP packets received on ARP trusted interfaces. This feature compares the sender IP and sender MAC in the ARP packet received on an ARP untrusted interface with the matching criteria in the following order:

1.     User validity check rules.

¡     If a match is found, the device processes the ARP packet according to the rule.

¡     If no match is found or no user validity check rule is configured, proceeds to step 2.

2.     Static IPSG bindings, 802.1X security entries, and DHCP snooping entries.

¡     If a match is found, the device determines that the ARP packet is valid. Then, the device forwards the packet by searching for an entry that contains the target IP address.

-     If a match is found and the receiving interface is the same as the interface in the entry with a matching sender IP address, the device performs Layer 3 forwarding.

-     If a match is found but the receiviwith a matching sender IP addressng interface is different from the interface in the entry , the device performs Layer 2 forwarding.

-     If no match is found, the device performs Layer 2 forwarding.

¡     If no match is found, the device determines that the ARP packets is invalid and discards the ARP packet.

Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."

Restrictions and guidelines

When you configure user validity check, make sure one or more of the following items are configured:

·     User validity check rules.

·     Static IP source guard bindings.

If neither of the items is configured, all incoming ARP packets on ARP untrusted interfaces are discarded.

Specify an IP address, a MAC address, and a VLAN where ARP attack detection is enabled for an IP source guard binding. Otherwise, no ARP packets can match the IP source guard binding.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Configure a user validity check rule.

arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]

By default, no user validity check rules are configured.

3.     Enter VLAN view.

vlan vlan-id

4.     Enable ARP attack detection.

arp detection enable

By default, ARP attack detection is disabled. The device does not perform user validity check.

5.     (Optional.) Configure an interface that does not require ARP user validity check as a trusted interface.

a.     Return to system view.

quit

b.     Enter interface view.

interface interface-type interface-number

Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.

c.     Configure the interface as a trusted interface excluded from ARP attack detection.

arp detection trust

By default, an interface is untrusted.

Configuring ARP packet validity check

About this task

ARP packet validity check does not check ARP packets received on ARP trusted interfaces. To check ARP packets received on untrusted interfaces, you can specify the following objects to be checked:

·     src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

·     dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

·     ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.

Prerequisites

Before you configure ARP packet validity check, you must first configure user validity check. For more information about user validity check configuration, see "Configuring user validity check."

Procedure

1.     Enter system view.

system-view

2.     Enter VLAN view.

vlan vlan-id

3.     Enable ARP attack detection.

arp detection enable

By default, ARP attack detection is disabled.

4.     Enable ARP packet validity check.

a.     Return to system view.

quit

b.     Enable ARP packet validity check and specify the objects to be checked.

arp detection validate { dst-mac | ip | src-mac } *

By default, ARP packet validity check is disabled.

5.     (Optional.) Configure the interface that does not require ARP packet validity check as a trusted interface.

a.     Enter interface view.

interface interface-type interface-number

Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.

b.     Configure the interface as a trusted interface excluded from ARP attack detection.

arp detection trust

By default, an interface is untrusted.

Configuring ARP restricted forwarding

About this task

ARP restricted forwarding does not take effect on ARP packets received on ARP trusted interfaces and forwards the ARP packets correctly. This feature controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:

·     If the packets are ARP requests, they are forwarded through the trusted interface.

·     If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.

Restrictions and guidelines

ARP restricted forwarding does not apply to ARP packets that use multiport destination MAC addresses.

Prerequisites

Configure user validity check before you configure ARP restricted forwarding. For information about user validity check configuration, see "Configuring user validity check."

Procedure

1.     Enter system view.

system-view

2.     Enter VLAN view.

vlan vlan-id

3.     Enable ARP restricted forwarding.

arp restricted-forwarding enable

By default, ARP restricted forwarding is disabled.

Display and maintenance commands for ARP attack detection

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the VLANs enabled with ARP attack detection.

display arp detection

Display statistics for packets dropped by ARP attack detection.

display arp detection statistics [ interface interface-type interface-number ]

Clear statistics for packets dropped by ARP attack detection.

reset arp detection statistics [ interface interface-type interface-number ]

Configuring ARP scanning and fixed ARP

About this task

ARP scanning is typically used together with the fixed ARP feature in small-scale and stable networks.

ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:

1.     Sends ARP requests for each IP address in the address range.

2.     Obtains their MAC addresses through received ARP replies.

3.     Creates dynamic ARP entries.

Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. These static ARP entries are of the same attributes as the ARP entries that are manually configured. This feature prevents ARP entries from being modified by attackers.

Restrictions and guidelines

IP addresses in existing ARP entries are not scanned.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Trigger an ARP scanning.

arp scan [ start-ip-address to end-ip-address ]

4.     Return to system view.

quit

5.     Convert existing dynamic ARP entries to static ARP entries.

arp fixup

Configuring ARP gateway protection

About ARP gateway protection

Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.

When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.

Restrictions and guidelines

You can enable ARP gateway protection for a maximum of eight gateways on an interface.

Do not configure both the arp filter source and arp filter binding commands on an interface.

If ARP gateway protection works with ARP attack detection, ARP snooping, and ARP fast-reply, ARP gateway protection applies first.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.

3.     Enable ARP gateway protection for the specified gateway.

arp filter source ip-address

By default, ARP gateway protection is disabled.

Configuring ARP filtering

ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.

An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.

Restrictions and guidelines

You can configure a maximum of eight permitted entries on an interface.

Do not configure both the arp filter source and arp filter binding commands on an interface.

If ARP filtering works with ARP attack detection, ARP snooping, and ARP fast-reply, ARP filtering applies first.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

Supported interface types include Ethernet interface and Layer 2 aggregate interface.

3.     Enable ARP filtering and configure a permitted entry.

arp filter binding ip-address mac-address

By default, ARP filtering is disabled.

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网