Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can
occur.
•
The device sends a large number of ARP requests, overloading the target subnets.
The device keeps trying to resolve target IP addresses, overloading its CPU.
•
To protect the device from such unresolvable IP attacks, you can configure the following features:
ARP source suppression—If the attack packets have the same source address, you can enable the
•
ARP source suppression function, and set the maximum number of unresolvable IP packets that the
device can receive from a host within 5 seconds. If the threshold is reached, the device stops
resolving packets from the host until the 5 seconds elapse.
ARP blackhole routing—You can enable the ARP blackhole routing function regardless of whether
•
the attack packets have the same source address. After receiving an unresolvable IP packet, the
device creates a blackhole route destined for that IP address and drops all the matching packets
until the blackhole route ages out.
Configuring ARP source suppression
Step
1.
Enter system view.
2.
Enable ARP source suppression.
3.
Set the maximum number of
unresolvable packets that the
device can receive from a host
within 5 seconds.
Enabling ARP blackhole routing
Step
1.
Enter system view.
2.
Enable ARP blackhole routing.
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
Task
Display ARP source suppression configuration information.
Command
system-view
arp source-suppression
enable
arp source-suppression
limit limit-value
Command
system-view
arp resolving-route enable
Command
display arp source-suppression
273
Remarks
N/A
By default, ARP source suppression is
disabled.
By default, the maximum number is 10.
Remarks
N/A
By default, ARP blackhole routing
is enabled.