How to prevent ARP attacks targeted at static users

25

Static users (for example, dumb terminals such as printers and servers) are allocated static IP addresses. Attackers usually steal authorized users' IP addresses to connect to networks and initiate ARP attacks to interrupt network communication.

To defend against ARP attacks, a static user binding table and dynamic ARP inspection (DAI) can be configured for static users. DAI checks ARP packets based on binding entries.

Run the user-bind static command to configure the static user binding table, and run the arp anti-attack check user-bind enable command to enable DAI.

After the configuration, when a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the ARP packet with static binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet does not match a binding entry, the device considers the ARP packet invalid and discards the packet.

Other related questions:
How Can I Prevent ARP Attacks Targeted at Static Users?
To defend against ARP attacks, a static user binding table and dynamic ARP inspection (DAI) can be configured for static users. DAI checks ARP packets based on binding entries. Run the user-bind static command to configure the static user binding table, and run the arp anti-attack check user-bind enable command to enable DAI.

Can the device prevent ARP attacks after the ARP anti-attack function is configured
After the ARP anti-attack function is configured, the device can only reduce the impact of the ARP attacks. For example: --ARP Miss message limiting can only reduce the impact of ARP Miss attacks, but cannot prevent ARP Miss attacks or defend against ARP packet attacks or ARP spoofing attacks. --ARP gateway anti-collision can only prevent bogus gateway attacks, but cannot prevent ARP flood attacks or ARP spoofing gateway attacks.

How do S series switches perform ARP attack defense for static users
For S series switches: Static users are users configured with static IP addresses, for example, static IP addresses are assigned to dumb terminals such as printers and servers. Attackers usually use the IP address of an authenticated user to connect to the network and initiate ARP attacks, damaging network communications. To defend against ARP attacks, static users can be configured with a static binding table and the DAI function to enable the switch check the ARP packets against the binding table. The static user binding table can be configured using the user-bind static command. The DAI function can be enabled using the arp anti-attack check user-bind enable command. When a switch receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with static binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and relays the packet. If the ARP packet does not match any binding entry, the device considers the ARP packet invalid and discards the packet.

How to prevent intranet attack by configuration
Intranet attacks are mainly attacks from some Layer 2 packets using the ARP protocol. The attacks affect Internet access of users. The main anti-attack means is ARP anti-attack. 1. Strictly learn ARP entries, which means that the router learns only the response packets corresponding to the ARP request packets the router sends. Run the arp learning strict command in the system view to configure ARP entry learning globally. 2. Configure ARP gateway conflict to prevent users from faking a gateway and causing other users to fail to access the Internet. Run the arp anti-attack gateway-duplicate enable command in the system view to enable the ARP gateway conflict anti-attack function globally. 3. To protect user packets to be normally forwarded to a gateway and not be intercepted, configure the router to send free ARP packets and refresh the gateway MAC address in an ARP entry periodically. Run the arp gratuitous-arp send enable command in the system view to configure the free ARP packet transmission function globally. By default, the free ARP packets are sent at an interval of 90s.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top