
ARP Security

Latest reply: Jun 26, 2021 19:15:37

ARP security is a feature based on ARP. It provides the filtering of untrusted ARP messages and suppression on ARP messages to guarantee the security and robustness of network devices.

The ARP security feature defends not only against attacks on the ARP protocol itself but also against ARP-based attacks such as ARP entry attacks and network scanning attacks.

Attack methods and the corresponding attack defense functions:

Attack method: An attacker sends a large number of pseudo ARP Request messages, so the switch keeps learning ARP entries. This overflows the ARP cache on the switch and prevents the switch from caching real ARP entries and forwarding messages normally.
Attack defense function: Strict ARP entry learning

Attack method: By exploiting the ARP cache space limitation, an attacker sends a large number of pseudo ARP Request and Response messages to a switch. The switch keeps learning ARP entries and the ARP cache may overflow, which prevents the switch from caching real ARP entries and forwarding messages normally.
Attack defense function: Interface-based ARP entry limit

Attack method: By exploiting the limited computing capability of the switch, an attacker sends a large number of pseudo ARP Request and Response messages, or other messages that trigger ARP processing on the switch. The switch is occupied with ARP processing for a long period, which affects the processing of other services and message forwarding.
Attack defense function: Timestamp suppression on ARP messages

Attack method: An attacker sends IP packets with changing source IP addresses, which constitutes a network scanning attack. As a result, a great number of ARP Miss messages are generated. In addition, processing each ARP Miss message requires sending an ARP Request message, which consumes a great deal of CPU resources.
Attack defense function: Timestamp suppression on ARP Miss messages

Attack defense function (applies to both of the above): Generating alarms for potential attack behaviors. When the rate of ARP or ARP Miss messages exceeds the threshold, trap messages are reported at certain intervals.

Strict ARP Entry Learning

Strict ARP entry learning allows a switch to learn ARP entries only from the ARP Response messages that answer ARP Request messages sent by the switch itself, not from Responses to Requests sent by other devices. In this way, most ARP Request and Response message attacks are prevented.

Interface-based ARP Entry Limit

Limiting the number of ARP entries that an interface can learn effectively prevents ARP cache overflow and ensures the security of ARP entries.

Timestamp Suppression on ARP Messages

After timestamp suppression on ARP messages is configured, the switch collects statistics on the number of ARP messages. If the number of ARP messages exceeds the configured threshold within a certain time period, the switch ignores the excess ARP messages. Currently, only destination IP address-based timestamp suppression is supported.

Timestamp Suppression on ARP Miss Messages

ARP Miss messages are the messages a switch reports when it finds no matching ARP entry while forwarding a packet.

After receiving the ARP Miss message, the upper-layer software generates a fake ARP entry and sends it to the device to prevent repeated reporting of the same ARP Miss message. Then, the upper-layer software sends an ARP Request. After receiving a reply, the upper-layer software replaces the fake entry with the learnt ARP entry and sends the learnt entry to the device. Then, traffic can be forwarded normally.

Dynamic fake ARP entries have an aging period. During the aging time, the device does not send ARP Miss messages to the upper-layer software. After the aging time expires, the fake dynamic ARP entry is cleared. When the device then forwards a packet to that address, no ARP entry matches, so an ARP Miss message is generated and sent to the upper-layer software again.

By setting the aging time of dynamic fake ARP entries, you can control the frequency of sending ARP Miss messages to the upper-layer software and minimize the impact of attacks to the system.

Fake ARP entries defend against ARP Miss attacks in which many packets are sent to the same destination IP address. For the ARP Miss messages generated by large-scale scanning, the switch collects statistics on ARP Miss messages. If the number of ARP Miss messages exceeds the configured threshold within a certain time period, the switch ignores the subsequent ARP Miss messages.

Currently, only source IP address-based timestamp suppression on ARP Miss messages is supported. This feature prevents the switch from wasting resources on processing the ARP Miss messages generated by network segment scanning.

Generating Alarms for Potential Attack Behaviors

This mechanism is an enhancement of timestamp suppression on ARP messages and ARP Miss messages.

When this mechanism is used together with timestamp suppression, a switch can generate alarms for the ARP messages discarded because of timestamp suppression. Contents of alarms include the source and destination IP addresses of the discarded messages, VPN instance, and interface number (the interfaces that receive such messages).

The switch generates alarms for only the ARP messages discarded because of timestamp suppression. For the ARP messages that are not processed because of strict ARP entry learning and interface-based ARP entry limit, the switch does not generate alarms.
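The following is an added toy model, not Huawei's code, of the ARP Miss handling and alarm behaviour described above: a packet with no ARP entry triggers an ARP Miss, the upper-layer software installs a fake entry that suppresses repeat misses until it ages out, ARP Miss messages from one source IP beyond a threshold per time window are dropped, and a trap is recorded for dropped messages at most once per alarm interval. The class name, thresholds, interface names and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

class ArpMissSuppressor:
    """Toy model (not Huawei's implementation) of ARP Miss handling:
    fake entries with aging, source-IP timestamp suppression and alarms."""
    def __init__(self, threshold, window, fake_aging, alarm_interval):
        self.threshold = threshold            # ARP Miss messages allowed per source IP per window
        self.window = window                  # suppression window in seconds
        self.fake_aging = fake_aging          # aging time of a dynamic fake ARP entry (seconds)
        self.alarm_interval = alarm_interval  # minimum seconds between traps for one source IP
        self.arp_table = {}                   # dst_ip -> ("real", mac) or ("fake", expiry_time)
        self.miss_times = defaultdict(deque)  # src_ip -> times of ARP Miss messages accepted
        self.last_alarm = {}                  # src_ip -> time of the last trap
        self.alarms = []                      # trap contents: src, dst, vpn, interface, time

    def forward(self, now, src_ip, dst_ip, vpn="default", iface="GE0/0/1"):
        """Return 'forwarded', 'miss' (ARP Request sent), 'fake' (miss suppressed by
        a fake entry) or 'dropped' (ARP Miss discarded by timestamp suppression)."""
        entry = self.arp_table.get(dst_ip)
        if entry is not None:
            kind, value = entry
            if kind == "real":
                return "forwarded"
            if now < value:              # fake entry still within its aging period
                return "fake"
            del self.arp_table[dst_ip]   # aged out: the next packet triggers ARP Miss again
        times = self.miss_times[src_ip]
        while times and now - times[0] >= self.window:
            times.popleft()              # forget ARP Miss events outside the window
        if len(times) >= self.threshold:
            if now - self.last_alarm.get(src_ip, -self.alarm_interval) >= self.alarm_interval:
                self.last_alarm[src_ip] = now
                self.alarms.append({"src": src_ip, "dst": dst_ip, "vpn": vpn, "iface": iface, "time": now})
            return "dropped"
        times.append(now)
        # upper-layer software installs a fake entry and sends an ARP Request
        self.arp_table[dst_ip] = ("fake", now + self.fake_aging)
        return "miss"

    def arp_reply(self, ip, mac):
        """Reply received: the fake entry is replaced by the learnt one."""
        self.arp_table[ip] = ("real", mac)

def simulate_scan(n_hosts=50, threshold=5, window=1.0, fake_aging=10.0, alarm_interval=60.0):
    """Constructed scan: one source probes n_hosts destinations 10 ms apart."""
    s = ArpMissSuppressor(threshold, window, fake_aging, alarm_interval)
    outcomes = [s.forward(i * 0.01, "10.0.0.99", f"10.0.1.{i + 1}", iface="GE0/0/2") for i in range(n_hosts)]
    return {"miss": outcomes.count("miss"), "dropped": outcomes.count("dropped"), "alarms": len(s.alarms)}
```

With the defaults, only the first 5 misses in the window cause ARP Requests, the remaining 45 are dropped and a single trap is recorded, which is the effect of the source-IP-based suppression described above.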

Good
lucian2003 Created Mar 30, 2021 22:17:01

Thanks
Good job my friend. Thanks for sharing
lucian2003 Created Mar 30, 2021 01:11:23

Thanks
great!
lucian2003 Created Mar 30, 2021 01:11:02

andersoncf1
MVE Author Created Jun 26, 2021 19:15:37

Thanks for sharing knowledge.
lucian2003 Created Jun 27, 2021 00:58:20