Configuring unresolvable IP attack protection
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called
unresolvable IP packets), the following situations can occur:
The device sends a large number of ARP requests, overloading the target subnets.
•
The device keeps trying to resolve target IP addresses, overloading its CPU.
•
To protect the device from such IP packet attacks, you can configure the following features:
ARP source suppression—If the attack packets have the same source address, you can enable the
•
ARP source suppression function, and set the maximum number of unresolvable IP packets that a
host can send within five seconds. If the threshold is reached, the device stops resolving packets
from the host until the five seconds elapse.
ARP black hole routing—You can enable the ARP black hole routing function regardless of whether
•
the attack packets have the same source address. After receiving an unresolvable IP packet, the
device creates a black hole route destined for that IP address and drops all the matching packets
until the black hole route ages out.
Configuring ARP source suppression
To configure ARP source suppression:
Step
1.
Enter system view.
2.
Enable ARP source suppression.
3.
Set the maximum number of unresolvable
packets that the device can receive from a
device in five seconds.
Enabling ARP black hole routing
To configure ARP black hole routing:
Step
1.
Enter system view.
2.
Enable ARP black hole
routing.
Displaying and maintaining ARP source suppression
Task
Display the ARP source suppression
configuration information.
Command
system-view
arp source-suppression enable
arp source-suppression limit
limit-value
Command
system-view
arp resolving-route enable
Command
display arp source-suppression [ |
{ begin | exclude | include }
regular-expression ]
252
Remarks
N/A
Disabled by default.
Optional.
10 by default.
Remarks
N/A
Optional.
Enabled by default.
Remarks
Available in any view.