After ARP attack defense is configured on S series switches, whether the device can defend against ARP attacks


For S series switches, the ARP attack defense function can only defend against appropriate ARP attacks after it is configured. For example:
The rate limit on ARP Miss messages can only mitigate the impact of ARP Miss attacks, but cannot shield them. Also, ARP packet attacks and ARP spoofing attacks cannot be prevented.
ARP gateway anti-collision can only defend against attacks from bogus gateways, but cannot shield ARP flood attacks and ARP gateway spoofing attacks.

Other related questions:
How to configure ARP attack defense on S series switches
For S series switches (except S1700 switches), you can configure ARP security to prevent ARP attacks. A switch may receive a large number of ARP packets when acting as a gateway. In this case, configure ARP security on the switch to protect the gateway. For example, configure the rate limit on ARP packets and ARP Miss messages to prevent ARP flood attacks. E series switches do not support the rate limit on ARP Miss messages. Common ARP attacks include: ARP flood attack is also called Denial of Service (DoS) attack. ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The devices then modify ARP entries, causing communication failures. ARP security protects network devices against ARP attacks by learning ARP entries, limiting the ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.

Can the device prevent ARP attacks after the ARP anti-attack function is configured
After the ARP anti-attack function is configured, the device can only reduce the impact of the ARP attacks. For example: --ARP Miss message limiting can only reduce the impact of ARP Miss attacks, but cannot prevent ARP Miss attacks or defend against ARP packet attacks or ARP spoofing attacks. --ARP gateway anti-collision can only prevent bogus gateway attacks, but cannot prevent ARP flood attacks or ARP spoofing gateway attacks.

How to determine whether an S series switch suffers an ARP attack
On an S series switch: If a network suffers an ARP attack, the following symptoms may occur: Users are frequently disconnected, network access speed is low, or services are interrupted. The switch has a high CPU usage and is out of management, the connected clients go offline, the active/standby switchover frequently occurs, and the port indicator blinks fast in red. The ping operation has a long delay, lost packets, or fails. When locating an ARP attack, determine whether the problem occurred on the link, loop, or route, and then perform the following operations:Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei. 1. Run the display cpu-defend statistics all command on the gateway to view the statistics about ARP request, ARP reply, and ARP Miss packets. Check whether the Drop count increases. If the Drop count is 0, no ARP packet is lost. Go to step 2. If the drop count is not 0, the rate of ARP request packets exceeds the CPCAR settings and excess ARP requests are discarded. If many ARP Miss packets are discarded, the switch may suffer an ARP Miss attack. If many ARP request or reply packets are discarded, the switch may suffer an ARP request or reply attack. 2. Run the display arp all command on the gateway to view ARP entries of users. If the ARP entries exist, check the entries again to determine whether the ARP entry of any user or gateway is modified. If the user ARP entries on the gateway are modified, the switch is suffering an ARP gateway spoofing attack. If the gateway ARP entry on clients is modified, the switch is suffering an ARP bogus gateway attack. If ARP entries of other users on a client are modified, perform the following operations: Capture packets on the user-side interface, and find the attacker according to the source addresses of ARP packets. Find out the attacker and scan virus or uninstall the attack tool. Alternatively, you can configure attack defense on the access switch. If there is no user ARP entry, perform the following operations: Run the debugging arp packet interface command in the user view to enable ARP packet debugging. Check whether the switch has sent ARP request packets and received ARP reply packets. 3. Collect the following information and contact Huawei technical support personnel. Results of the preceding troubleshooting procedure Configuration file, logs, and alarms of the switch

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top