Arp Security Overview - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security

4.1 ARP Security Overview

ARP attacks are common and have great impact on networks. The S3700 defends against ARP
attacks on the interface that is nearest to the attack source.
Ethernet is the most common access technology. ARP, an open protocol running on Ethernet,
gives attackers an opening because of its simplicity, openness, and lack of built-in
security measures.
ARP Attack Type
There are many types of ARP attack:
l ARP attacks may target user hosts or the S3700.
l Attacks can be launched by viruses or unauthorized software.
l Depending on their impact, ARP attacks are classified into address spoofing attacks and
Denial of Service (DoS) attacks.
– Address spoofing attack
  – The attacker sends incorrect MAC addresses to the gateway. The gateway updates its
  ARP entries. As a result, user hosts cannot go online.
  – The attacker sends an incorrect ARP reply to a user host. After learning the incorrect
  gateway address, the user host cannot go online.
– DoS attack
  – The attacker sends a large number of bogus ARP request and reply packets to the device.
  The ARP table of the device overflows and the device cannot cache valid ARP entries.
  As a result, the device cannot forward valid packets.
  – The attacker sends a large number of bogus ARP request and reply packets to the device
  or triggers ARP Miss packets on the device. The device is busy processing these ARP
  packets and cannot process valid service packets.
  A typical scenario in which ARP Miss packets are triggered is as follows: an attacker
  uses tools to scan the devices on the local network segment or on other network
  segments. The S3700 searches for the corresponding ARP entries before responding to the
  attacker. The MAC addresses corresponding to the destination IP addresses of the packets
  do not exist; therefore, the ARP module of the S3700 sends ARP Miss packets to the
  upper-layer software, requesting it to send ARP request packets to obtain the destination
  MAC addresses of the packets. If the attacker sends a large number of scanning packets, a
  large number of ARP Miss packets are generated.
ARP anti-spoofing can block unauthorized users; however, ARP DoS attacks have a greater
impact on networks.
ARP Attack Impact
If a user undergoes an ARP attack, the gateway information on the user host is modified or
stolen, and the user cannot go online.
If an access switch undergoes an ARP attack, many users in the LAN cannot go online.
If a router undergoes an ARP attack, even more users cannot go online because multiple
switches are connected to the router.
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
135
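The two attack classes above (address spoofing against the gateway binding, and floods or scans that exhaust the ARP table or trigger ARP Miss processing) are each visible in the ARP traffic itself. The following monitor is an added example written for this page, not Huawei code and not a feature of the S3700: it reads a stream of ARP packets with their ingress port, compares claimed sender bindings against a static table of trusted IP-to-MAC pairs, watches for binding changes, and counts per-port rates and per-sender unresolved targets. All addresses, port names, thresholds and the packet stream are constructed for the demonstration.

```python
"""ARP monitor that flags the attack patterns described in the S3700 guide:
gateway spoofing, binding changes, per-port ARP floods, and subnet scans
(the traffic that makes a switch generate ARP Miss packets).
Added educational example; the packet source is a constructed list."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # arrival time in seconds
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    port: str          # ingress switch port (assumed capture metadata)


class ArpMonitor:
    """Stateful checks over a stream of ArpPacket objects."""

    def __init__(self, trusted, rate_limit=50, window=1.0, scan_threshold=20):
        self.trusted = dict(trusted)             # static IP -> MAC (gateway etc.)
        self.learned = {}                        # IP -> MAC learned from traffic
        self.recent = defaultdict(deque)         # port -> timestamps in the window
        self.unknown_targets = defaultdict(set)  # sender MAC -> unresolved target IPs
        self.rate_limit, self.window, self.scan_threshold = rate_limit, window, scan_threshold

    def process(self, pkt):
        """Return a list of (alert_kind, detail) tuples for one packet."""
        alerts = []
        # (1) Per-port rate: a burst of ARP on one port is the DoS pattern.
        q = self.recent[pkt.port]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            alerts.append(("arp-flood", pkt.port))
        # (2) Gateway spoofing: a trusted IP claimed with the wrong MAC.
        if pkt.sender_ip in self.trusted and self.trusted[pkt.sender_ip] != pkt.sender_mac:
            alerts.append(("gateway-spoof", pkt.sender_mac))
            return alerts  # never learn a binding that contradicts a static one
        # (3) Binding change on a learned IP (may be DHCP churn: alert, do not drop).
        prev = self.learned.get(pkt.sender_ip)
        if prev is not None and prev != pkt.sender_mac:
            alerts.append(("binding-change", pkt.sender_ip))
        self.learned[pkt.sender_ip] = pkt.sender_mac
        # (4) Requests for many IPs nobody has claimed: the scan that causes ARP Miss.
        if pkt.op == "request" and pkt.target_ip not in self.trusted \
                and pkt.target_ip not in self.learned:
            targets = self.unknown_targets[pkt.sender_mac]
            targets.add(pkt.target_ip)
            if len(targets) >= self.scan_threshold:
                alerts.append(("arp-miss-scan", pkt.sender_mac))
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"  # constructed values


def constructed_traffic():
    """Constructed stream: normal exchange, a spoofed gateway reply,
    a 25-address scan from one host, then a 60-packet burst on one port."""
    pkts = [ArpPacket(1.0, "request", "192.0.2.10", "00:00:5e:00:53:10", GATEWAY_IP, "GE0/0/1"),
            ArpPacket(1.1, "reply", GATEWAY_IP, GATEWAY_MAC, "192.0.2.10", "GE0/0/24"),
            ArpPacket(5.0, "reply", GATEWAY_IP, "00:00:5e:00:53:66", "192.0.2.10", "GE0/0/3")]
    pkts += [ArpPacket(10.0 + i * 0.01, "request", "192.0.2.66", "00:00:5e:00:53:66",
                       f"192.0.2.{100 + i}", "GE0/0/3") for i in range(25)]
    pkts += [ArpPacket(20.0 + i * 0.005, "reply", "192.0.2.50", "00:00:5e:00:53:50",
                       GATEWAY_IP, "GE0/0/4") for i in range(60)]
    return pkts


def run_monitor(packets):
    """Feed packets through a monitor and count alerts by kind."""
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    counts = Counter()
    for p in packets:
        for kind, _ in mon.process(p):
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    print(run_monitor(constructed_traffic()))
```

With the constructed stream the monitor raises one gateway-spoof alert (the reply claiming the gateway IP with a foreign MAC), arp-miss-scan alerts from the 20th unresolved target onward, and arp-flood alerts once the port exceeds 50 packets in a one-second window. The thresholds are illustrative; on a real segment they should be set from a baseline of normal ARP rates, and a binding change should be correlated with DHCP lease data before it is treated as spoofing.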
