Phenomenon of intermittent Internet access failure on AR2240 caused by ARP attack

8

Possible causes:
Sources of ARP attacks exist in the intranet and occupy the Internet access resources of normal users, causing intermittent Internet access failure.
Recommended solution:
Intranet attacks are mainly attacks from some Layer 2 packets using the ARP protocol. The attacks affect Internet access of users. The main anti-attack means is ARP anti-attack.
Strictly learn ARP entries, which means that the router learns only the response packets corresponding to the ARP request packets the router sends. Run the arp learning strict command in the system view to configure ARP entry learning globally.
Configure ARP gateway conflict to prevent users from faking a gateway and causing other users to fail to access the Internet. Run the arp anti-attack gateway-duplicate enable command in the system view to enable the ARP gateway conflict anti-attack function globally.
To protect user packets to be normally forwarded to a gateway and not be intercepted, configure the router to send free ARP packets and refresh the gateway MAC address in an ARP entry periodically. Run the arp gratuitous-arp send enable command in the system view to configure the free ARP packet transmission function globally. By default, the free ARP packets are sent at an interval of 90s.

For details, see the URL ARP attacks lead to AR2240 under the intermittent users can not access the phenomenon of external network
.

Other related questions:
A user successfully initiates L2TP dialup, but cannot access the private network. Why?
A user successfully initiates L2TP dialup, but cannot access the private network. The possible causes are as follows: - The firewall is enabled on the intranet host. - The local and remote devices are on the same network segment. - The access address through L2TP dialup and LAN users are on the same network segment, and proxy ARP is not enabled. - The MTU on the virtual interface is incorrect. It is recommended that the MTU of the virtual interface plus all the header lengths should not exceed the MTU of the interface. Otherwise, packets will be discarded if some devices do not support fragmentation. - The MSS on the virtual interface is incorrect. Ensure that the MSS plus all the header lengths does not exceed the MTU. - LCP re-negotiation is not configured. - There are unreachable routes. - Tunnel authentication is not configured. - IPSec encryption is not configured and data flows do not match ACLs.

How to rapidly locate the cause of a failure to establish a tunnel between the LAC and LNS
During L2TP configuration, the LAC cannot set up a tunnel with the LNS. Perform the following operations to quickly locate the fault.
1. Run the start l2tp command on the LAC to check whether there is a reachable route to the LNS. If the route is unreachable, ensure route reachability.
2. Check the L2TP configuration on the LNS and delete the remote parameter specified in the allow l2tp command. If an L2TP tunnel can be established successfully, the LAC cannot set up a tunnel with the LNS because the tunnel name on the LAC is incorrect or the tunnel name specified by the LNS is incorrect. Use the following methods:
 - Run the tunnel name command on the LAC to set the local tunnel name to the value of remote specified by the allow l2tp command on the LNS.
 - Run the allow l2tp command on the LNS to change the value of remote to the tunnel name configured on the LAC. If no local tunnel name is configured using the tunnel name command on the LAC, the value of remote is the device name of the LAC.

What are the causes for ARP request packet attacks on S series
For S series switcheses (except S1700 switches): This problem may be caused by intranet computer viruses or special software. If services are normal, no action is required. If services are faulty, locate faults based on symptoms. For example, you can configure attack source tracing on the switch to search for the attack source before implementing further operations.

Can the device prevent ARP attacks after the ARP anti-attack function is configured
After the ARP anti-attack function is configured, the device can only reduce the impact of the ARP attacks. For example: --ARP Miss message limiting can only reduce the impact of ARP Miss attacks, but cannot prevent ARP Miss attacks or defend against ARP packet attacks or ARP spoofing attacks. --ARP gateway anti-collision can only prevent bogus gateway attacks, but cannot prevent ARP flood attacks or ARP spoofing gateway attacks.

For S series switches, how to handle the failure to learn ARP entries caused by ARP Miss packets
For S series switches, the reasons for the failure to learn ARP entries caused by ARP Miss messages are as follows: - The rate limit on ARP Miss messages is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network depending on ARP Miss messages. - The CPCAR value of the ARP Miss packet is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network. - The attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Perform the following steps to locate the fault. Save the results of each troubleshooting step so that you can provide collected information for Huawei technical support engineers if the fault fails to be rectified. 1. Run the display arp all command in the user view to check statistics about ARP entries. If the MAC address field is in Incomplete state, the device fails to learn the ARP entry. IP address and interface information can be obtained through the ARP entry. 2. Capture the packet header on the interface used to connect to a user and check the source IP address of the ARP packet. 3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the number of the dropped ARP Miss packets is increasing. - If the number of dropped ARP Miss packets is 0, no ARP Miss packets are discarded by the switch. ARP entry learning fails because the rate limit on ARP Miss messages is too small. Go to step 5. Increase the ARP Miss message rate limit according to the actual network environment. - If the number of dropped ARP Miss packets is not 0, the rate of ARP Request packets exceeds the CPCAR rate limit and excessive ARP request packets are discarded. Check whether the CPCAR value of ARP Miss messages is configured correctly. -- If not, go to step 4. Increase the CPCAR value of ARP Miss messages. -- If so, ARP entry learning fails because the attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Find the attacker based on the source IP address, and check whether the user is infected with viruses. Alternatively, add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP Request packets sent by the attacker. 4. Run the car command in the attack defense policy view to increase the CIR value for ARP Miss messages. Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. After the configuration is complete, the attack defense policy takes effect only after it is applied. After the preceding steps are performed, if the fault persists or has been rectified but the CPU usage is high, go to step 5. Decrease the rate limit on ARP Miss messages. 5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command to view the ARP rate limit configuration. 6. If the fault persists, collect the following information and contact Huawei technical support. Results of the preceding troubleshooting procedure Configuration file, logs, and alarms of the switch

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top