What are the causes for ARP request packet attacks on S series

1

For S series switcheses (except S1700 switches): This problem may be caused by intranet computer viruses or special software.
If services are normal, no action is required.
If services are faulty, locate faults based on symptoms. For example, you can configure attack source tracing on the switch to search for the attack source before implementing further operations.

Other related questions:
Handling of many ARP request or replay packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur: -Users get offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network. -The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline. -Ping delay, packet loss, or failure occurs. You can perform the following steps to troubleshoot the preceding problems: Saving the results of each step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel. 1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of the dropped ARP Request or ARP Reply packets is increasing. -If the count is 0, the switches do not drop any ARP Request or Reply packets. Then go to step 6. If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Then go to step 2. 2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU. - If the CPU usage is in the normal range, go to step 3. - If the CPU usage is higher than 70%, go to step 5. 3. Run the car command in the attack defense policy view to properly increase the CPCAP rate limit for ARP Request or ARP Reply packets. Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. The car command takes effect after you apply the attack defense policy. If the fault persists or the fault is removed but the CPU usage is still high, go to step 4. 4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source MAC or IP address, the switches consider the source address as an attack source. Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address or run the arp speed-limit source-mac [ ] maximum command to configure ARP packet rate limit based on the source MAC address to adapt to actual network situations. By default, the function of ARP packet rate limit based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second. After the rate of ARP packets reaches this limit, the switches discard subsequent ARP packets. The rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s), --If the fault persists, go to step 5. -- If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6. 5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source address, the switches consider the source address as an attack source. You can configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6. 6. Collect the following information and contact Huawei technical support personnel: Results of the preceding troubleshooting procedure Configuration files, logs, and alarms of the switches

For S series switches, how to handle the failure to learn ARP entries caused by ARP Miss packets
For S series switches, the reasons for the failure to learn ARP entries caused by ARP Miss messages are as follows: - The rate limit on ARP Miss messages is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network depending on ARP Miss messages. - The CPCAR value of the ARP Miss packet is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network. - The attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Perform the following steps to locate the fault. Save the results of each troubleshooting step so that you can provide collected information for Huawei technical support engineers if the fault fails to be rectified. 1. Run the display arp all command in the user view to check statistics about ARP entries. If the MAC address field is in Incomplete state, the device fails to learn the ARP entry. IP address and interface information can be obtained through the ARP entry. 2. Capture the packet header on the interface used to connect to a user and check the source IP address of the ARP packet. 3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the number of the dropped ARP Miss packets is increasing. - If the number of dropped ARP Miss packets is 0, no ARP Miss packets are discarded by the switch. ARP entry learning fails because the rate limit on ARP Miss messages is too small. Go to step 5. Increase the ARP Miss message rate limit according to the actual network environment. - If the number of dropped ARP Miss packets is not 0, the rate of ARP Request packets exceeds the CPCAR rate limit and excessive ARP request packets are discarded. Check whether the CPCAR value of ARP Miss messages is configured correctly. -- If not, go to step 4. Increase the CPCAR value of ARP Miss messages. -- If so, ARP entry learning fails because the attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Find the attacker based on the source IP address, and check whether the user is infected with viruses. Alternatively, add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP Request packets sent by the attacker. 4. Run the car command in the attack defense policy view to increase the CIR value for ARP Miss messages. Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. After the configuration is complete, the attack defense policy takes effect only after it is applied. After the preceding steps are performed, if the fault persists or has been rectified but the CPU usage is high, go to step 5. Decrease the rate limit on ARP Miss messages. 5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command to view the ARP rate limit configuration. 6. If the fault persists, collect the following information and contact Huawei technical support. Results of the preceding troubleshooting procedure Configuration file, logs, and alarms of the switch

Function of DHCP Request packets on S series switch
For S series switches, DHCP Request messages are sent in the following conditions: - Respond to the DHCP Offer message sent by DHCP servers. - Notify the selected DHCP server using the server identifier option. - Check the allocated network addresses. - Apply for the valid period of addresses. - Extend the existing lease and prolong the lease period.

How to configure ARP attack defense on S series switches
For S series switches (except S1700 switches), you can configure ARP security to prevent ARP attacks. A switch may receive a large number of ARP packets when acting as a gateway. In this case, configure ARP security on the switch to protect the gateway. For example, configure the rate limit on ARP packets and ARP Miss messages to prevent ARP flood attacks. E series switches do not support the rate limit on ARP Miss messages. Common ARP attacks include: ARP flood attack is also called Denial of Service (DoS) attack. ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The devices then modify ARP entries, causing communication failures. ARP security protects network devices against ARP attacks by learning ARP entries, limiting the ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top