How to configure defense against ARP flood attacks

Latest reply: Aug 23, 2019 01:10:55

This post describes several ARP anti-attack functions that can be deployed on gateway switches to mitigate ARP flood attacks.

 

1.  Rate limit on ARP packets

Limits the rate at which ARP packets are sent to the CPU, so that the device retains enough CPU resources to process other services while it is receiving a large number of ARP packets.

a.  Configuring Rate Limiting on ARP Packets based on Source IP Addresses

# Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 100 pps, and the maximum rate of ARP packets from any other IP address to 50 pps.

[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 100

[HUAWEI] arp speed-limit source-ip maximum 50

 

b. Configuring Rate Limiting on ARP Packets based on Source MAC Addresses

# Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 100 pps, and the maximum rate of ARP packets from any other MAC address to 50 pps.

[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 100

[HUAWEI] arp speed-limit source-mac maximum 50

 

If both a and b are configured, ARP packets from a given source are rate-limited according to the maximum set by the arp speed-limit source-mac command; the source-IP limit is not applied to them.

 

c. Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface

# Configure interface GE0/0/1 to allow 200 ARP packets in any 10-second interval and, once that limit is exceeded, to discard all ARP packets on the interface for 60 seconds.

[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable

[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60


2.  Rate limit on ARP Miss messages

Limits the rate of ARP Miss messages. An IP packet whose destination IP address has no ARP entry triggers an ARP Miss message, which makes the device send an ARP Request; a flood of IP packets to unresolvable destination addresses therefore consumes CPU and ARP resources, and this limit defends against that.

a.  Configuring Rate Limiting on ARP Miss Messages based on Source IP Addresses

# Set the maximum number of ARP Miss messages triggered per second by the IP address 10.0.0.1 to 100, and the maximum number triggered per second by any other source IP address to 60.

[HUAWEI] arp-miss speed-limit source-ip maximum 60

[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100

 

b. Configuring Rate Limiting on ARP Miss Messages Globally, in a VLAN, or on an Interface

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from interface GE0/0/1 in 10 seconds.

[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit enable

[HUAWEI-GigabitEthernet0/0/1] arp-miss anti-attack rate-limit packet 200 interval 10
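The two limiter shapes used in sections 1 and 2 are easy to misread from the command syntax alone, so here is a small model of both, run over a constructed packet trace. This is an added example and not part of the original post or of Huawei's implementation: it reproduces (a) a per-source limit in packets per second with an override for one address and a default for all others, the shape of both arp speed-limit source-ip and arp-miss speed-limit source-ip, and (b) the interface limit of N packets per interval that, once exceeded, drops everything for block-timer seconds. The bucket and window details are assumptions; the page does not document the device's internal counters.

```python
"""Model of the ARP / ARP Miss rate limiters described in sections 1 and 2.

Added example, not part of the original post and not Huawei code.  The
one-second buckets and the fixed window are assumptions about how such
limits behave; the trace below is constructed.
"""
from collections import defaultdict


class PerSourceLimiter:
    """Packets per second per source address (IP or MAC), with overrides.

    Models: arp speed-limit source-ip 10.0.0.1 maximum 100
            arp speed-limit source-ip maximum 50
    """

    def __init__(self, default_pps, overrides=None):
        self.default_pps = default_pps
        self.overrides = dict(overrides or {})   # address -> pps
        self._bucket = None                       # integer second in use
        self._counts = defaultdict(int)

    def allow(self, src, t):
        sec = int(t)
        if sec != self._bucket:                   # new second: reset counters
            self._bucket = sec
            self._counts.clear()
        if self._counts[src] >= self.overrides.get(src, self.default_pps):
            return False
        self._counts[src] += 1
        return True


class IntervalBlockLimiter:
    """N packets per interval; exceeding it blocks the interface for block_timer s.

    Models: arp anti-attack rate-limit packet 200 interval 10 block-timer 60
    """

    def __init__(self, packets, interval, block_timer):
        self.packets, self.interval, self.block_timer = packets, interval, block_timer
        self._win_start = None
        self._count = 0
        self.blocked_until = None

    def allow(self, t):
        if self.blocked_until is not None:
            if t < self.blocked_until:
                return False                      # block-timer still running
            self.blocked_until = None             # timer expired: fresh window
            self._win_start = None
        if self._win_start is None or t - self._win_start >= self.interval:
            self._win_start, self._count = t, 0
        self._count += 1
        if self._count > self.packets:
            self.blocked_until = t + self.block_timer
            return False
        return True


def run_trace(trace, per_source, interface):
    """Return ({src: accepted}, interface_accepted, interface_dropped) for (t, src) pairs."""
    accepted = defaultdict(int)
    if_accepted = if_dropped = 0
    for t, src in trace:
        if per_source.allow(src, t):
            accepted[src] += 1
        if interface.allow(t):
            if_accepted += 1
        else:
            if_dropped += 1
    return dict(accepted), if_accepted, if_dropped


def demo():
    # Constructed trace: 300 ARP packets inside one second, alternating
    # between the privileged host 10.0.0.1 and 10.0.0.9, then one packet
    # while the block timer runs (t=30) and one after it expires (t=61).
    trace = [(i / 1000.0, "10.0.0.1" if i % 2 else "10.0.0.9") for i in range(300)]
    trace += [(30.0, "10.0.0.9"), (61.0, "10.0.0.9")]
    per_source = PerSourceLimiter(default_pps=50, overrides={"10.0.0.1": 100})
    interface = IntervalBlockLimiter(packets=200, interval=10, block_timer=60)
    return run_trace(trace, per_source, interface)


if __name__ == "__main__":
    per_src, ok, dropped = demo()
    print("per-source accepted:", per_src)
    print("interface accepted/dropped:", ok, dropped)
```

Running it shows the practical difference between the two knobs: the per-source limit lets 10.0.0.1 through at 100 pps while capping the other host at 50 pps, whereas the interface limit blocks the whole interface, including the well-behaved host, for the full block-timer once the 200-packet budget is spent.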

 

3.  Strict ARP learning

This function allows the device to learn ARP entries only from ARP Reply packets that answer ARP Request packets the device itself sent. Unsolicited ARP packets (for example gratuitous ARP announcements) no longer create entries, which prevents the ARP table from being exhausted by invalid ARP packets.

The configuration on an interface takes precedence over the global configuration.

[HUAWEI] arp learning strict

[HUAWEI-Vlanif100] arp learning strict force-enable

 

4.  ARP entry limitation

This function limits the maximum number of dynamic ARP entries that the device can learn on an interface, preventing the ARP table from being exhausted when a host connected to the interface attacks the device. Set the limit above the number of hosts the interface legitimately serves; once it is reached, no further hosts can be resolved through that interface until existing entries age out.

# Configure VLANIF 10 to learn a maximum of 20 dynamic ARP entries.

[HUAWEI-Vlanif10] arp-limit maximum 20

 

5.  Disabling ARP learning on interfaces

Disables dynamic ARP learning on an interface, preventing the ARP table from being exhausted when a host connected to the interface attacks the device. Hosts reached through such an interface must then be covered by static ARP entries.

# Disable VLANIF10 from learning dynamic ARP entries.

[HUAWEI-Vlanif10] arp learning disable
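To make the difference between sections 3, 4 and 5 concrete, the following model replays a flood of unsolicited ARP Replies with forged sender addresses against four ARP caches: default learning, strict learning, a 20-entry limit, and learning disabled. This is an added example, not part of the original post and not Huawei code; the cache is a deliberate simplification (in non-strict mode it learns from any ARP packet, in strict mode only from a Reply that answers a Request the device sent), and the packets are constructed.

```python
"""Model of strict ARP learning, the dynamic entry limit and disabled
learning (sections 3 to 5 above).

Added example, not part of the original post and not Huawei code.
strict=True   models  arp learning strict
max_entries   models  arp-limit maximum <n>
learning=False models arp learning disable
"""


class ArpCache:
    def __init__(self, strict=False, max_entries=None, learning=True):
        self.strict = strict
        self.max_entries = max_entries
        self.learning = learning
        self.pending = set()      # IPs this device has sent an ARP Request for
        self.table = {}           # ip -> mac (dynamic entries)

    def send_request(self, ip):
        """The device resolves ip itself; in strict mode only these replies count."""
        self.pending.add(ip)

    def receive(self, op, sender_ip, sender_mac):
        """Return True if the packet created or refreshed a dynamic entry."""
        if not self.learning:
            return False
        if self.strict:
            # Only a Reply answering our own outstanding Request is accepted.
            if op != "reply" or sender_ip not in self.pending:
                return False
            self.pending.discard(sender_ip)
        is_new = sender_ip not in self.table
        if is_new and self.max_entries is not None and len(self.table) >= self.max_entries:
            return False          # table full: the new entry is not learned
        self.table[sender_ip] = sender_mac
        return True


def flood(cache, n):
    """Constructed attack: n unsolicited Replies from distinct forged sender addresses."""
    learned = 0
    for i in range(n):
        ip = "10.0.%d.%d" % (i // 256, i % 256)
        mac = "0000-0000-%04x" % i
        if cache.receive("reply", ip, mac):
            learned += 1
    return learned


def demo():
    results = {
        "default": flood(ArpCache(), 1000),
        "strict": flood(ArpCache(strict=True), 1000),
        "limit20": flood(ArpCache(max_entries=20), 1000),
        "disabled": flood(ArpCache(learning=False), 1000),
    }
    # Strict mode still learns the one Reply that answers the device's own Request,
    # and (in this model) rejects a later unsolicited Reply for the same address.
    c = ArpCache(strict=True)
    c.send_request("10.0.0.5")
    results["strict_legit"] = c.receive("reply", "10.0.0.5", "0000-0000-0005")
    results["strict_repeat"] = c.receive("reply", "10.0.0.5", "0000-0000-00ff")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-14s %s" % (name, value))
```

The output makes the trade-off visible: the default cache absorbs all 1000 forged entries, the 20-entry limit caps the damage but fills the table with attacker entries (so a legitimate new host behind that interface is also refused), strict learning learns nothing unsolicited while still resolving addresses the device asks for, and disabled learning accepts nothing at all.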

 

chenhui (Admin), Aug 23, 2019 01:10:55

This is great. It helps us save hardware resources and protect the switch from ARP attacks.