How to determine whether an S series switch suffers an ARP attack

Created Apr 14, 2017 08:45:29 | Latest reply Jun 25, 2018 21:04:42
ms.america  Created Apr 14, 2017 19:26:56

On an S series switch:
If a network suffers an ARP attack, the following symptoms may occur:
Users are frequently disconnected, network access speed is low, or services are interrupted.
The switch has high CPU usage and cannot be managed, connected clients go offline, active/standby switchovers occur frequently, and the port indicator blinks fast in red.
The ping operation has a long delay, lost packets, or fails.

When locating an ARP attack, determine whether the problem occurred on the link, in a loop, or on a route, and then perform the following operations. Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei.
1. Run the display cpu-defend statistics all command on the gateway to view the statistics about ARP request, ARP reply, and ARP Miss packets. Check whether the Drop count increases.
If the Drop count is 0, no ARP packet is lost. Go to step 2.
If the Drop count is not 0, the rate of ARP request packets exceeds the CPCAR settings and the excess ARP requests are discarded.
If many ARP Miss packets are discarded, the switch may suffer an ARP Miss attack.
If many ARP request or reply packets are discarded, the switch may suffer an ARP request or reply attack.
2. Run the display arp all command on the gateway to view ARP entries of users.
If the ARP entries exist, check the entries again to determine whether the ARP entry of any user or gateway is modified.
If the user ARP entries on the gateway are modified, the switch is suffering an ARP gateway spoofing attack.
If the gateway ARP entry on clients is modified, the switch is suffering an ARP bogus gateway attack.
If ARP entries of other users on a client are modified, perform the following operations:
     Capture packets on the user-side interface, and find the attacker according to the source addresses of ARP packets.
     Find the attacker and scan it for viruses or uninstall the attack tool. Alternatively, you can configure attack defense on the access switch.
If there is no user ARP entry, perform the following operations:
Run the debugging arp packet interface <interface-type> <interface-number> command in the user view to enable ARP packet debugging. Check whether the switch has sent ARP request packets and received ARP reply packets.
3. Collect the following information and contact Huawei technical support personnel.
Results of the preceding troubleshooting procedure
Configuration file, logs, and alarms of the switch
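The procedure above compares counter values and ARP entries by eye across two `display` runs. As an added example (not code from the original post or from Huawei), the script below does those two checks offline: it takes two samples of `display cpu-defend statistics all`, reports ARP-related counters whose Drop count rose (normalised to drops per minute), and diffs two `display arp all` snapshots for entries whose MAC binding changed. The sample outputs embedded in it are constructed approximations of VRP output, not captures from a real switch; the exact column layout on your device may differ, so adjust the two regular expressions to match your output before use.

```python
"""Offline checks for the two ARP diagnostics described in the post.

Added example, not Huawei code. The text samples below are CONSTRUCTED
approximations of 'display cpu-defend statistics all' and 'display arp all'
output (assumed layout); adjust the regexes if your device prints differently.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: CPU-defend counters taken 60 s apart. Only arp-miss
# drops rise, which the post maps to a suspected ARP Miss attack.
CPU_DEFEND_T0 = """\
Packet Type           Pass(Packet/Byte)   Drop(Packet/Byte)
--------------------------------------------------------------
arp-request           120340/7220400      0/0
arp-reply              98211/5892660      0/0
arp-miss                4410/264600       0/0
"""
CPU_DEFEND_T1 = """\
Packet Type           Pass(Packet/Byte)   Drop(Packet/Byte)
--------------------------------------------------------------
arp-request           121100/7266000      0/0
arp-reply              98900/5934000      0/0
arp-miss                6010/360600       18240/1094400
"""

# Constructed sample: ARP table before and after. The entry for 10.3.58.21
# changes MAC and interface, i.e. a user entry on the gateway was modified.
ARP_T0 = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE
10.3.58.1       00e0-fc12-3456            I -         Vlanif1101
10.3.58.21      0011-2233-4455  18        D-0         GE0/0/1
10.3.58.22      0011-2233-6677  20        D-0         GE0/0/2
"""
ARP_T1 = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE
10.3.58.1       00e0-fc12-3456            I -         Vlanif1101
10.3.58.21      aaaa-bbbb-cccc  19        D-0         GE0/0/5
10.3.58.22      0011-2233-6677  20        D-0         GE0/0/2
"""

# "<type>  <pass>/<bytes>  <drop>/<bytes>" counter line (assumed layout).
CPU_DEFEND_RE = re.compile(r"^(\S+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")
# "<ip>  <xxxx-xxxx-xxxx MAC> ..." ARP entry line (assumed layout).
ARP_ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\b", re.I)
ARP_TYPES = ("arp-request", "arp-reply", "arp-miss")


def parse_cpu_defend(text: str) -> Dict[str, int]:
    """Return {packet_type: dropped_packets} for every counter line."""
    drops: Dict[str, int] = {}
    for line in text.splitlines():
        m = CPU_DEFEND_RE.match(line.strip())
        if m:
            drops[m.group(1)] = int(m.group(4))
    return drops


def arp_drop_rate(before: str, after: str, interval_s: float) -> Dict[str, float]:
    """Drops per minute for ARP-related counters that increased between samples."""
    d0, d1 = parse_cpu_defend(before), parse_cpu_defend(after)
    rates: Dict[str, float] = {}
    for ptype in ARP_TYPES:
        delta = d1.get(ptype, 0) - d0.get(ptype, 0)
        if delta > 0:
            rates[ptype] = delta * 60.0 / interval_s
    return rates


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every ARP entry line (MAC lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ENTRY_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def changed_bindings(before: str, after: str) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for entries whose MAC changed between snapshots."""
    t0, t1 = parse_arp_table(before), parse_arp_table(after)
    return sorted((ip, t0[ip], t1[ip]) for ip in t0 if ip in t1 and t0[ip] != t1[ip])


if __name__ == "__main__":
    for ptype, rate in arp_drop_rate(CPU_DEFEND_T0, CPU_DEFEND_T1, 60).items():
        print(f"{ptype}: {rate:.0f} drops/min rising -> suspect {ptype} attack")
    for ip, old, new in changed_bindings(ARP_T0, ARP_T1):
        print(f"{ip}: MAC changed {old} -> {new}; capture on its user-side port")
```

A changed binding alone is not proof of spoofing (a host may have been replaced or moved ports), so treat the output as the list of IPs worth capturing on, as step 2 of the post says, rather than as a verdict.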
Skay  Adept  Created May 25, 2018 16:04:53

If the device receives an ARP probe packet whose sender IP is 0.0.0.0, it raises the alarm ARP/4/ARP_DUPLICATE_IPADDR(l)[6]: Received an ARP packet with a duplicate IP address from the interface. (IPAddress=10.3.58.1, InterfaceName=Vlanif1101, MACAddress=xxxx-ssss-935f). How do I troubleshoot this?
StarOfWest  Moderator  Created May 30, 2018 14:24:54

Check the source MAC address to see which host is generating this kind of ARP probe packet. It could be an NMS that is probing the network.

You can try to capture packets; flow mirroring is probably best for this scenario. You can define an ACL to match that specific traffic and then output it to a monitoring port. Then you can use Wireshark to analyze the packets in depth.
andsta  Moderator  Created Jun 25, 2018 21:04:42

Hello, the following link provides an NMS log message example for an ARP attack and the handling procedure: http://support.huawei.com/hedex/hdx.do?docid=EDOC1000161579&id=asece_arpmiss&text=SECE%252525252F4%252525252F%252525253Cb%252525253EARPMISS%252525253C%252525252Fb%252525253E&lang=en
Basically, measure the number of packets discarded in one minute to classify the severity and the source of the attack.