Address Resolution Protocol (ARP) poisoning (also known as ARP spoofing):
Address Resolution Protocol (ARP) poisoning is when an attacker sends falsified ARP messages over a local area network (LAN) to link the attacker's MAC address with the IP address of a legitimate computer or server on the network. ARP carries no authentication, so a host caches whatever binding the reply claims. Once the attacker's MAC address is linked to an authentic IP address, the attacker receives any traffic that other hosts send to that IP address. As a result, the attacker can intercept, modify or block communications intended for the legitimate host.
The term address resolution refers to the process of finding the MAC address that belongs to the IP address assigned to a computer in a network.
The Address Resolution Protocol (ARP) is used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. The protocol operates below the network layer, as part of the interface between the OSI network layer and the OSI link layer. It is used when IPv4 is implemented over Ethernet.
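As an added illustration (not part of the original post, and not Huawei code), the following Python script parses raw Ethernet/ARP frames and keeps a first-seen IP-to-MAC binding table, reporting the events an ARP poisoning attempt produces: a second MAC claiming an IP that is already bound to another MAC, a gratuitous ARP announcement, and a mismatch between the Ethernet source and the ARP sender MAC. Keeping the first binding rather than overwriting it is the same idea as the switch's `arp anti-attack entry-check fixed-mac` setting. All frames, MAC addresses and IP addresses are constructed for the demonstration.

```python
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ffff-ffff-ffff"

def mac_to_str(b):
    """Render 6 bytes in Huawei's xxxx-xxxx-xxxx notation."""
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"

def mac_to_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def ip_to_str(b):
    return ".".join(str(x) for x in b)

def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP frame (used here only to construct sample traffic)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH.pack(mac_to_bytes(eth_dst), mac_to_bytes(sha), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa)))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_to_str(src), "eth_dst": mac_to_str(dst), "op": op,
            "sha": mac_to_str(sha), "spa": ip_to_str(spa),
            "tha": mac_to_str(tha), "tpa": ip_to_str(tpa)}

class ArpWatch:
    """Learn IP->MAC bindings from ARP and report the signs of poisoning.

    The first binding seen for an IP is kept (the fixed-MAC policy); a later sender
    claiming the same IP with a different MAC is reported, not learned.
    """
    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        if pkt["sha"] != pkt["eth_src"]:
            alerts.append(f"ARP sender MAC {pkt['sha']} differs from frame source {pkt['eth_src']}")
        if pkt["spa"] == pkt["tpa"]:
            alerts.append(f"gratuitous ARP announcing {pkt['spa']} as {pkt['sha']}")
        known = self.bindings.get(pkt["spa"])
        if known is None:
            self.bindings[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            alerts.append(f"{pkt['spa']} is bound to {known} but {pkt['sha']} now claims it")
        return alerts

def run_demo():
    """Constructed traffic: gateway 10.8.8.4 answers a host, then an attacker claims its IP."""
    gateway, host, attacker = "0001-0001-0001", "00e0-fc12-3456", "0002-0002-0002"
    frames = [
        build_arp(ARP_REQUEST, host, "10.8.8.10", "0000-0000-0000", "10.8.8.4"),
        build_arp(ARP_REPLY, gateway, "10.8.8.4", host, "10.8.8.10"),
        build_arp(ARP_REPLY, attacker, "10.8.8.4", host, "10.8.8.10"),     # spoofed reply
        build_arp(ARP_REPLY, attacker, "10.8.8.4", attacker, "10.8.8.4"),  # gratuitous ARP
    ]
    watch = ArpWatch()
    return [a for f in frames for a in watch.observe(f)]

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the script prints three alerts: one for the spoofed reply and two for the gratuitous announcement (the announcement itself, plus the conflicting binding it carries). A detector fed from a real capture would apply `observe()` to each frame as it arrives.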
Configuring ARP Security:
Configuring defense against ARP flood attacks prevents ARP entries from being exhausted
and the CPU from being overloaded.
Before configuring defense against ARP flood attacks, connect the interfaces and set their physical
parameters so that the physical status of the interfaces is Up.
Configuring Rate Limiting on ARP Packets based on Source MAC Addresses:
A large number of ARP packets with a fixed source MAC address and variable IP addresses
will cause the CPU of a device to be overloaded and exhaust ARP entries.
To prevent this problem, configure the gateway to limit the rate of ARP packets based on
MAC addresses. The gateway then collects statistics on ARP packets sent from certain MAC
addresses to the CPU. If the number of ARP packets received in one second from the
specified MAC address exceeds the threshold, the device discards the excess ARP packets.
Step 1
Run:
system-view
The system view is displayed.
Step 2
Configure rate limit on ARP packets based on source MAC addresses.
Run:
arp anti-attack rate-limit source-mac maximum maximum
The maximum rate of ARP packets from any source MAC address is set.
Run:
arp anti-attack rate-limit source-mac mac-address maximum maximum
The maximum rate of ARP packets from the specified source MAC address is set.
Step 3
Run:
commit
The configuration is committed.
Configuring Rate Limiting on ARP Packets based on Source IP Addresses:
When a device processes a large number of ARP packets from a fixed source IP address (for
example, when the MAC address or outbound interface matched to that source IP address changes
frequently), the CPU is overloaded and cannot process other services.
To prevent this problem, configure the gateway to limit the rate of ARP packets based on
source IP addresses. The gateway collects statistics on ARP packets from a specified source
IP address. If the number of ARP packets received in one second from the specified IP
address exceeds the threshold, the device discards the excess ARP packets.
Step 1
Run:
system-view
The system view is displayed.
Step 2
Configure rate limit on ARP packets based on source IP addresses.
Run:
arp anti-attack rate-limit source-ip maximum maximum
The maximum rate of ARP packets from any source IP address is set.
Run:
arp anti-attack rate-limit source-ip ip-address maximum maximum
The maximum rate of ARP packets from the specified source IP address is set.
Step 3
Run:
commit
The configuration is committed.
Configuring Rate Limit on ARP Packets based on the Destination IP Address:
When processing a large number of ARP packets with the same destination IP address, the
CPU is overloaded and cannot process other services.
To prevent this problem, limit the rate of ARP packets based on the destination IP address.
The device collects statistics on ARP packets with a specified destination IP address. If the
number of received ARP packets with the specified destination IP address per second exceeds
the threshold, the device discards the excess ARP packets.
Step 1
Run:
system-view
The system view is displayed.
Step 2
Run:
arp anti-attack rate-limit destination-ip maximum maximum
Rate limit on ARP packets based on the destination IP address is configured.
Step 3
Run:
commit
The configuration is committed.
Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an
Interface:
When processing a large number of ARP packets, a device consumes many CPU resources
and cannot process other services. To protect CPU resources of the device, limit the rate of
ARP packets.
After rate limiting on ARP packets is enabled, set the maximum rate of ARP packets globally,
in a VLAN, or on an interface. If the number of ARP packets received each second exceeds
the limit, the device discards excess ARP packets.
-->Limiting the rate of ARP packets globally: limits the number of ARP packets processed
on the entire device.
-->Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets to be
processed on all interfaces in a VLAN. The configuration in a VLAN does not affect
ARP entry learning on interfaces in other VLANs.
-->Limiting the rate of ARP packets on an interface: limits the number of ARP packets
processed on an interface. The configuration on an interface does not affect ARP entry
learning on other interfaces.
If the maximum rate is configured in the system view, VLAN view, and interface view at the
same time, the device applies them in order of precedence: the interface view configuration
first, then the VLAN view configuration, then the system view configuration.
Step 1
Run:
system-view
The system view is displayed.
Step 2 (Optional)
Run:
interface interface-type interface-number
or,
vlan vlan-id
The interface or VLAN view is displayed.
If you configure rate limiting on ARP packets in the system view, skip the preceding step.
Step 3
Run:
arp anti-attack rate-limit limit
The maximum rate of ARP packets in the current view is set.
Step 4
Run:
commit
The configuration is committed.
Configuring ARP Rate Limiting on All Interfaces:
When a device processes a large number of ARP packets, the CPU may be overloaded and
unable to process other services. Therefore, the device needs to limit the rate of ARP packets to
protect CPU resources.
After the function of limiting ARP packet rate is enabled, you can run the commands in the
system view to set an ARP rate limit for all interfaces. If the number of ARP packets received
by an interface within one second exceeds the limit, the device discards the excess ARP
packets.
If the arp anti-attack rate-limit command has been executed in the system view, the rate
limit specified in the command is the upper limit for the total number of ARP packets on all
interfaces. If the arp anti-attack rate-limit interface command has been executed in the
system view, the rate limit specified in the command is the upper limit for the number of ARP
packets on each interface.
Step 1
Run:
system-view
The system view is displayed.
Step 2
Run:
arp anti-attack rate-limit interface limit
The rate limit for ARP packets is set.
By default, the ARP rate limit on all interfaces is 0. That is, the ARP packet rate on all interfaces is
not limited.
Step 3
Run:
commit
The configuration is committed.
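The procedures above all describe one mechanism: count ARP packets per second under some key (source MAC, source IP, destination IP, or the interface/VLAN/global scope) and discard the excess. The following Python model is an added example, not Huawei code, that reproduces that behaviour so the effect of each limit can be seen on constructed traffic. The per-MAC and per-IP limits (10/s for MAC 0001-0001-0001 and for IP 10.9.9.2) are taken from the example switch configuration later in this post; the destination-IP (25/s), interface 10GE1/0/1 (20/s) and global (100/s) limits are assumed for the demonstration. Because the page does not say how the device accounts for a discarded packet, the model assumes a discarded packet is not counted against any limit, and it applies the interface-before-VLAN-before-system precedence stated above.

```python
from collections import Counter, defaultdict

UNLIMITED = 0   # as on the device, a limit of 0 means the rate is not limited

class ArpRateLimiter:
    """Per-second ARP rate limits modelled on the 'arp anti-attack rate-limit' commands."""

    def __init__(self, source_mac=None, source_mac_default=UNLIMITED,
                 source_ip=None, source_ip_default=UNLIMITED,
                 destination_ip=UNLIMITED, global_limit=UNLIMITED,
                 vlan_limit=None, interface_limit=None):
        self.source_mac = source_mac or {}            # specific MAC -> limit
        self.source_mac_default = source_mac_default  # 'source-mac maximum' for any MAC
        self.source_ip = source_ip or {}              # specific IP -> limit
        self.source_ip_default = source_ip_default    # 'source-ip maximum' for any IP
        self.destination_ip = destination_ip          # 'destination-ip maximum'
        self.global_limit = global_limit              # system view 'rate-limit'
        self.vlan_limit = vlan_limit or {}            # VLAN view 'rate-limit'
        self.interface_limit = interface_limit or {}  # interface view 'rate-limit'
        self.counts = defaultdict(int)   # (kind, key, second) -> packets already admitted
        self.dropped = Counter()         # kind -> packets discarded as excess

    def _scope(self, interface, vlan):
        """Interface view beats VLAN view beats system view; only one scope limit applies."""
        if interface in self.interface_limit:
            return ("interface", interface, self.interface_limit[interface])
        if vlan in self.vlan_limit:
            return ("vlan", vlan, self.vlan_limit[vlan])
        return ("global", "*", self.global_limit)

    def admit(self, pkt, second):
        """True if the packet is handed to the CPU, False if discarded as excess."""
        checks = [
            ("source-mac", pkt["sha"], self.source_mac.get(pkt["sha"], self.source_mac_default)),
            ("source-ip", pkt["spa"], self.source_ip.get(pkt["spa"], self.source_ip_default)),
            ("destination-ip", pkt["tpa"], self.destination_ip),
            self._scope(pkt["interface"], pkt["vlan"]),
        ]
        for kind, key, limit in checks:
            if limit != UNLIMITED and self.counts[(kind, key, second)] >= limit:
                self.dropped[kind] += 1
                return False   # assumption: a discarded packet counts against no limit
        for kind, key, _ in checks:
            self.counts[(kind, key, second)] += 1
        return True

def run_demo():
    """Constructed bursts; returns how many packets were admitted and why the rest were dropped."""
    rl = ArpRateLimiter(source_mac={"0001-0001-0001": 10}, source_ip={"10.9.9.2": 10},
                        destination_ip=25, global_limit=100, interface_limit={"10GE1/0/1": 20})
    admitted = 0

    def burst(n, second, **fields):
        nonlocal admitted
        for i in range(n):
            pkt = {k: (v(i) if callable(v) else v) for k, v in fields.items()}
            if rl.admit(pkt, second):
                admitted += 1

    # 1. one MAC hammering the gateway: the per-MAC limit (10/s) bites first
    burst(30, 0, sha="0001-0001-0001", spa="10.8.8.5", tpa="10.8.8.4",
          interface="10GE1/0/1", vlan=10)
    # 2. many MACs all claiming 10.9.9.2 (fixed IP, changing MAC): the per-IP limit (10/s)
    burst(25, 0, sha=lambda i: f"00e0-fc00-{i:04x}", spa="10.9.9.2", tpa="10.9.9.4",
          interface="10GE1/0/2", vlan=20)
    # 3. many hosts resolving the same target 10.10.10.3: the destination-IP limit (25/s)
    burst(30, 1, sha=lambda i: f"00e0-fc01-{i:04x}", spa=lambda i: f"10.10.10.{10 + i}",
          tpa="10.10.10.3", interface="10GE1/0/3", vlan=30)
    # 4. varied traffic on 10GE1/0/1: the interface limit (20/s) applies, not the global one
    burst(30, 1, sha=lambda i: f"00e0-fc02-{i:04x}", spa=lambda i: f"10.8.8.{10 + i}",
          tpa=lambda i: f"10.8.8.{100 + i}", interface="10GE1/0/1", vlan=10)
    return {"admitted": admitted, "dropped": dict(rl.dropped)}

if __name__ == "__main__":
    print(run_demo())
```

Of the 115 constructed packets, 65 are admitted and 50 are discarded: 20 by the source-MAC limit, 15 by the source-IP limit, 5 by the destination-IP limit and 10 by the interface limit. Note that bursts 1 and 2 both fall in the same second, yet the global counter never trips, because burst 1 is accounted against the interface scope only; that is the practical consequence of the precedence rule.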
Monitoring ARP Running Status:
-->Run the display arp packet statistics [ interface [ interface-type interface-number ] ]
command to display ARP packet statistics.
-->Run the display arp anti-attack record command to display details about ARP packets
discarded when the number of ARP packets exceeds the limit.
-->Run the display arp miss anti-attack record command to display details about excess
ARP Miss messages discarded when the number of ARP Miss messages exceeds the
limit.
Clearing ARP Security Statistics:
-->Run the reset arp packet statistics [ interface [ interface-type interface-number ] ]
command to clear ARP packet statistics.
-->Run the reset arp anti-attack record command to clear details about excess ARP
packets discarded when the number of ARP packets exceeds the limit.
-->Run the reset arp miss anti-attack record command to clear details about excess ARP
Miss messages discarded when the number of ARP Miss messages exceeds the limit.
Example configuration from switch:
#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 10.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack gratuitous-arp drop
#
interface Vlanif10
ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
arp limit vlan 10 20
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return
Sources: Huawei CE6800 SW Reference guide