Introduction To Arp Security; Arp Security Supported By The S9300 - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

4 ARP Security Configuration

4.1 Introduction to ARP Security

This section describes the principle of ARP security.
ARP Attack
On a network, ARP entries are easily attacked. Attackers send a large number of ARP Request and Response packets to attack network devices. Attacks are classified into ARP buffer overflow attacks and ARP Denial of Service (DoS) attacks.
- ARP buffer overflow attacks: Attackers send a large number of bogus ARP request packets and gratuitous ARP packets, which results in ARP buffer overflow. Therefore, normal ARP entries cannot be cached and packet forwarding is interrupted.
- ARP DoS attacks: Attackers send a large number of ARP request and response packets or other packets that can trigger ARP processing. The device is then busy with ARP processing for a long period and ignores other services. Normal packet forwarding is thus interrupted.
Attackers scan hosts on the local network segment or hosts on other network segments using tools. Before returning response packets, the S9300 searches for ARP entries. If the MAC address corresponding to the destination IP address does not exist, the ARP module on the S9300 sends ARP Miss messages to the upper-layer software and requires the upper-layer software to send ARP request packets to obtain the destination MAC address. A large number of scanning packets generate a large number of ARP Miss packets. The resources of the system are then wasted in processing ARP Miss packets. This affects the processing of other services and is therefore called a scanning attack.
ARP Security
ARP security is used to filter out untrusted ARP packets and to enable timestamp suppression for certain ARP packets, guaranteeing the security and robustness of network devices.

4.2 ARP Security Supported by the S9300

This section describes the ARP security features supported by the S9300.
The S9300 supports the following ARP security features.
Limitation on ARP Entry Learning
You can configure strict ARP entry learning so that the S9300 learns only the responses to the ARP requests it sent itself.
You can set the maximum number of ARP entries that can be dynamically learned by an interface. This prevents malicious consumption of ARP entries and ensures that the S9300 can learn the ARP entries of authorized users.
ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP packets and modify ARP entries on the gateway. As a result, the authorized users are disconnected from the network.
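The following Python model is an added example, not code from the manual or from Huawei: it reproduces in a toy ARP table the behaviours that sections 4.1 and 4.2 describe in prose, so the effect of each protection can be observed on constructed traffic. Strict learning accepts only replies to requests the device itself sent, a per-interface cap bounds dynamically learned entries, an anti-spoofing check refuses to rebind the gateway or an already-learned host, and ARP Miss events are rate-limited per source IP so that a scanner cannot exhaust the control plane. All addresses, interface names, thresholds and the drop-reason strings are constructed for the example; the real S9300 implementation and its limits are not shown on this page.

```python
from collections import defaultdict, deque


class ArpSecurityTable:
    """Toy ARP table applying strict learning, a per-interface dynamic-entry
    limit, an anti-spoofing binding check and per-source ARP Miss limiting."""

    def __init__(self, max_dynamic_per_if=2, miss_limit=3, miss_window=1.0, strict=True):
        self.table = {}                       # ip -> (mac, ifname, is_dynamic)
        self.pending = set()                  # IPs this device has sent ARP Requests for
        self.max_dynamic_per_if = max_dynamic_per_if
        self.strict = strict
        self.miss_limit = miss_limit          # ARP Miss events allowed per source per window
        self.miss_window = miss_window        # window length in seconds
        self.miss_times = defaultdict(deque)  # src_ip -> timestamps of recent misses
        self.log = []                         # (reason, ip, mac, ifname) of dropped replies

    def add_static(self, ip, mac, ifname):
        """Static binding (e.g. the gateway); never overwritten by learning."""
        self.table[ip] = (mac, ifname, False)

    def send_request(self, ip):
        """Record that the device itself asked for this IP (strict learning)."""
        self.pending.add(ip)

    def _dynamic_count(self, ifname):
        return sum(1 for _, i, dyn in self.table.values() if dyn and i == ifname)

    def _drop(self, reason, ip, mac, ifname):
        self.log.append((reason, ip, mac, ifname))
        return "drop:" + reason

    def learn_reply(self, ip, mac, ifname):
        """Process an ARP Reply; returns 'learned' or 'drop:<reason>'."""
        # Anti-spoofing: refuse to rebind an IP that already maps to a MAC.
        if ip in self.table:
            old_mac, _, dyn = self.table[ip]
            if not dyn:
                return self._drop("static-conflict", ip, mac, ifname)
            if old_mac != mac:
                return self._drop("mac-change", ip, mac, ifname)
        # Strict learning: only replies to requests this device sent are accepted.
        if self.strict and ip not in self.pending:
            return self._drop("unsolicited-reply", ip, mac, ifname)
        # Per-interface cap on dynamically learned entries.
        if ip not in self.table and self._dynamic_count(ifname) >= self.max_dynamic_per_if:
            return self._drop("interface-limit", ip, mac, ifname)
        self.table[ip] = (mac, ifname, True)
        self.pending.discard(ip)
        return "learned"

    def forward(self, src_ip, dst_ip, now):
        """Forwarding lookup. An unknown next hop raises an ARP Miss, which is
        rate-limited per source IP so a scanner cannot flood the upper layer."""
        if dst_ip in self.table:
            return "forward"
        recent = self.miss_times[src_ip]
        while recent and now - recent[0] > self.miss_window:
            recent.popleft()            # expire misses outside the window
        if len(recent) >= self.miss_limit:
            return "miss-suppressed"    # scanner exceeded its miss budget
        recent.append(now)
        self.send_request(dst_ip)       # upper layer resolves the address
        return "arp-miss"


def run_demo():
    """Constructed traffic exercising each protection; returns the outcomes."""
    t = ArpSecurityTable(max_dynamic_per_if=2, miss_limit=3, miss_window=1.0)
    t.add_static("10.0.0.1", "00:00:5e:00:01:01", "GE1/0/1")   # constructed gateway binding
    out = {}
    # 1. An unsolicited reply is ignored under strict learning.
    out["unsolicited"] = t.learn_reply("10.0.0.20", "02:00:00:00:00:20", "GE1/0/2")
    # 2. Replies to the device's own requests are learned, up to the interface limit.
    for host in ("10.0.0.20", "10.0.0.21", "10.0.0.22"):
        t.send_request(host)
        out[host] = t.learn_reply(host, "02:00:00:00:00:" + host[-2:], "GE1/0/2")
    # 3. Attempts to rebind the gateway or an existing host are rejected.
    out["gateway_spoof"] = t.learn_reply("10.0.0.1", "02:ba:d0:00:00:01", "GE1/0/2")
    out["host_spoof"] = t.learn_reply("10.0.0.20", "02:ba:d0:00:00:02", "GE1/0/2")
    # 4. A scanner probing many unknown addresses is throttled after miss_limit.
    scan = [t.forward("10.0.0.20", "10.0.0.%d" % n, now=0.1 * i)
            for i, n in enumerate(range(100, 110))]
    out["scan_misses"] = scan.count("arp-miss")
    out["scan_suppressed"] = scan.count("miss-suppressed")
    # 5. A normal host is unaffected: known targets forward, and its miss budget is separate.
    out["normal_known"] = t.forward("10.0.0.21", "10.0.0.1", now=0.5)
    out["normal_unknown"] = t.forward("10.0.0.21", "10.0.0.200", now=0.5)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The order of checks in learn_reply is a deliberate choice: the binding check runs before the strict-learning check so that a bogus reply for the gateway address is logged as a spoofing attempt rather than merely as an unsolicited reply, which is the more useful signal for an operator reviewing the drop log.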
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)
