Configuring Arp Attack Protection; Arp Attack Protection Configuration Task List; Configuring Unresolvable Ip Attack Protection - HPE FlexNetwork 7500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (506 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used
to detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
•
Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain
incorrect ARP entries.
•
Sends a large number of unresolvable IP packets to have the receiving device busy with
resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets
for which ARP cannot find corresponding MAC addresses.
•
Sends a large number of ARP packets to overload the CPU of the receiving device.
ARP attack protection configuration task list
Tasks at a glance
Flood prevention:
•
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
•
Configuring ARP packet rate limit
•
Configuring source MAC-based ARP attack detection
User and gateway spoofing prevention:
•
Configuring ARP packet source MAC consistency check
•
Configuring ARP active acknowledgement
•
Configuring authorized ARP
•
Configuring ARP attack detection
•
Configuring ARP scanning and fixed ARP
•
Configuring ARP gateway protection
•
Configuring ARP filtering
•
Configuring ARP sender IP address checking
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations
can occur:
•
The device sends a large number of ARP requests, overloading the target subnets.
•
The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
•
ARP source suppression—Stops resolving packets from an IP address if the number of
unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The
device continues ARP resolution when the interval elapses. This feature is applicable if the
attack packets have the same source addresses.
•
ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address.
The device drops all matching packets until the blackhole route is deleted. A blackhole route is
deleted when its aging timer is reached or the route becomes reachable.
(configured on gateways)
(configured on access devices)
(configured on gateways)
(configured on gateways)
(configured on access devices)
(configured on gateways)
(configured on access devices)
(configured on access devices)
(configured on gateways)
415
(configured on gateways)
(configured on gateways)
Advertisement
Table of Contents
Troubleshooting
