Checking Source MAC Addresses of ARP Packets - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
Suppression of ARP Miss Packets Based on the Source Address
When a host attacks the device by sending a large number of IP packets whose destination IP
address cannot be resolved, the S3700 suppresses the ARP Miss packets triggered by the specified
source IP address.
If a large number of IP packets whose destination IP address cannot be resolved are sent to the
S3700 from one source IP address, ARP Miss packets are triggered. The S3700 collects statistics
on the ARP Miss packets. If a source IP address triggers ARP Miss packets continuously over a
period and the triggering rate exceeds the threshold, the S3700 considers that an attack is occurring.
The S3700 delivers ACL rules for the first 16 such source addresses and discards IP packets from
these source addresses for a certain period of time (50s by default). For IP packets from other
source addresses, the S3700 controls the packet rate according to the configured rate limit.
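The following is an added illustration of the suppression logic described above, written for this page and not taken from Huawei's software. It models the behaviour as a sliding-window counter per source IP: once a source exceeds the threshold, it receives a deny rule if one of the 16 ACL slots is free (held for the default 50 s), otherwise its packets fall through to the rate limit. The threshold (5 events per second), the window length, the sample IP addresses and the packet timings are all constructed for the example.

```python
from collections import defaultdict, deque


class ArpMissSuppressor:
    """Constructed model of per-source ARP Miss suppression (not Huawei code).

    Assumed parameters: a source is treated as an attacker once it triggers
    more than `threshold` ARP Miss events inside a sliding window of `window`
    seconds; the first `max_acl` such sources get a deny rule for `block_time`
    seconds (the page's defaults are 16 sources and 50 s); later offenders are
    only rate-limited instead of blocked outright.
    """

    def __init__(self, threshold=5, window=1.0, max_acl=16, block_time=50.0):
        self.threshold = threshold
        self.window = window
        self.max_acl = max_acl
        self.block_time = block_time
        self.events = defaultdict(deque)   # src_ip -> timestamps of ARP Miss events
        self.blocked = {}                  # src_ip -> time at which its deny rule expires

    def _expire_rules(self, now):
        """Remove deny rules whose block period has elapsed."""
        for ip in [ip for ip, exp in self.blocked.items() if now >= exp]:
            del self.blocked[ip]

    def handle(self, src_ip, now):
        """Process one IP packet from src_ip whose destination could not be resolved.

        Returns the action taken: "drop" (matched a deny rule), "rate-limit"
        (ACL slots exhausted, packet is subject to the global rate limit) or
        "arp-miss" (normal ARP Miss handling).
        """
        self._expire_rules(now)
        if src_ip in self.blocked:
            return "drop"
        q = self.events[src_ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # keep only events inside the window
            q.popleft()
        if len(q) > self.threshold:
            q.clear()
            if len(self.blocked) < self.max_acl:
                self.blocked[src_ip] = now + self.block_time
                return "drop"
            return "rate-limit"
        return "arp-miss"


def replay(suppressor, src_ip, times):
    """Feed a constructed burst of ARP-Miss-triggering packets and collect the actions."""
    return [suppressor.handle(src_ip, t) for t in times]


if __name__ == "__main__":
    s = ArpMissSuppressor()
    # constructed: one source probing unresolvable addresses at 10 packets/s
    print(replay(s, "10.0.0.9", [0.0, 0.1, 0.2, 0.3, 0.4, 0.5]))
    # still inside the 50 s block, then just after it expires
    print(s.handle("10.0.0.9", 30.0), s.handle("10.0.0.9", 50.5))
    # constructed: a normal host resolving one address every two seconds
    print(replay(s, "10.0.0.2", [0.0, 2.0, 4.0, 6.0]))
```

The burst source is dropped from its sixth packet onward and stays dropped until the deny rule expires, while the slow host never accumulates enough events in one window to be affected; with `max_acl` set low you can see the third offender receive "rate-limit" rather than a deny rule.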
Defense Against ARP Man-in-the-Middle Attacks
A man-in-the-middle on the network may send the client a packet carrying its own MAC address
and the IP address of the server. The client learns the MAC address and IP address contained in
the packet and treats the man-in-the-middle as the server. The man-in-the-middle then sends the
server a packet carrying its own MAC address and the IP address of the client. The server learns
the IP address and MAC address of the man-in-the-middle and treats the man-in-the-middle as
the client. In this way, the man-in-the-middle obtains the data exchanged between the server
and the client.
To prevent man-in-the-middle attacks, you can configure the S3700 to check ARP packets
against the binding table. Only packets that match entries in the binding table are forwarded;
all other packets are discarded.
Rate Limit on ARP Packets and ARP Miss Packets
The S3700 limits the rate of ARP packets or ARP Miss packets globally, per interface, or per
VLAN ID. This prevents a large number of ARP packets or ARP Miss packets from being sent to
the security module, so system performance is not degraded.

4.3 Checking Source MAC Addresses of ARP Packets

If the source MAC address in the ARP packet header is inconsistent with the source MAC address
in the Ethernet frame header, the ARP packet is considered an attack packet. Such attack packets
can be prevented by checking the source MAC addresses of received ARP packets.
Applicable Environment
After receiving an ARP packet, the S3700 checks validity of the ARP packet, including:
- Packet length
- Source MAC address in the Ethernet frame header
- ARP request type and ARP reply type
- Hardware address length
- Protocol address length
- Whether the ARP packet is an Ethernet frame
The S3700 discards invalid packets. The packet with different source MAC addresses in the
ARP packet header and Ethernet frame header is possibly an attack packet although it is allowed
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
138
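As an added worked example for this section and for the binding-table check described under "Defense Against ARP Man-in-the-Middle Attacks" above (example code written for this page, not Huawei's implementation), the following Python parses an Ethernet frame carrying an IPv4 ARP packet, applies the six validity checks listed, compares the ARP sender MAC with the Ethernet source MAC, and optionally verifies the sender IP/MAC pair against a binding table. Assumptions not stated on the page: the source MAC check is implemented as rejecting a group (multicast/broadcast) or all-zero source address, and all MAC addresses, IP addresses and the binding-table contents are constructed sample data.

```python
import struct

ETH_HDR_LEN = 14
ARP_LEN = 28                 # fixed size of an Ethernet/IPv4 ARP packet
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2

# Constructed sample addresses and binding table (not from the manual).
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
ATTACKER_MAC = bytes.fromhex("0a0b0c0d0e0f")
CLIENT_IP = bytes([192, 168, 1, 10])
SERVER_IP = bytes([192, 168, 1, 1])
BINDING_TABLE = {CLIENT_IP: CLIENT_MAC, SERVER_IP: SERVER_MAC}   # IP -> bound MAC


def build_arp_frame(eth_src, sha, spa, tha, tpa, op=OP_REQUEST,
                    eth_dst=b"\xff" * 6):
    """Constructed helper: build an Ethernet II frame carrying an IPv4 ARP packet.

    eth_src (Ethernet header) and sha (ARP sender hardware address) are passed
    separately so that a frame in which the two disagree can be produced as a
    test input for the check."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      sha, spa, tha, tpa)
    frame = eth + arp
    return frame + b"\x00" * max(0, 60 - len(frame))   # pad to minimum Ethernet size


def check_arp_frame(frame):
    """Apply the section 4.3 validity checks to one received frame.

    Returns (accepted, reason); an accepted frame yields (True, "ok")."""
    # 1. Packet length: the full Ethernet header and ARP body must be present.
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return False, "packet too short for Ethernet + ARP"
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return False, "ethertype is not ARP"
    # 2. Source MAC in the Ethernet header (assumed rule: no group or zero address).
    if eth_src[0] & 0x01 or eth_src == b"\x00" * 6:
        return False, "Ethernet source MAC is multicast/broadcast or zero"
    htype, _ptype, hlen, plen, op, sha, _spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    # 3. ARP request type and ARP reply type.
    if op not in (OP_REQUEST, OP_REPLY):
        return False, "ARP opcode is neither request nor reply"
    # 4. Hardware address length.
    if hlen != 6:
        return False, "hardware address length is not 6"
    # 5. Protocol address length.
    if plen != 4:
        return False, "protocol address length is not 4"
    # 6. Whether the ARP packet is an Ethernet frame (hardware type field).
    if htype != HTYPE_ETHERNET:
        return False, "ARP hardware type is not Ethernet"
    # Section 4.3: sender MAC in the ARP header must equal the Ethernet source MAC.
    if sha != eth_src:
        return False, "ARP sender MAC does not match Ethernet source MAC"
    return True, "ok"


def check_binding(frame, binding_table):
    """Man-in-the-middle defence: forward only if the sender IP/MAC pair is bound.

    A frame that is well-formed and internally consistent can still carry a
    forged (IP, MAC) claim; the binding table is what catches that case."""
    ok, reason = check_arp_frame(frame)
    if not ok:
        return False, reason
    sha = frame[ETH_HDR_LEN + 8:ETH_HDR_LEN + 14]    # sender hardware address
    spa = frame[ETH_HDR_LEN + 14:ETH_HDR_LEN + 18]   # sender protocol address
    if binding_table.get(spa) != sha:
        return False, "sender IP/MAC pair not in binding table"
    return True, "ok"


if __name__ == "__main__":
    good = build_arp_frame(CLIENT_MAC, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, SERVER_IP)
    # constructed attack sample: Ethernet source and ARP sender MAC disagree
    inconsistent = build_arp_frame(ATTACKER_MAC, SERVER_MAC, SERVER_IP,
                                   CLIENT_MAC, CLIENT_IP, op=OP_REPLY)
    # constructed attack sample: consistent headers but a forged IP/MAC binding
    forged = build_arp_frame(ATTACKER_MAC, ATTACKER_MAC, SERVER_IP,
                             CLIENT_MAC, CLIENT_IP, op=OP_REPLY)
    for name, f in [("good", good), ("inconsistent", inconsistent), ("forged", forged)]:
        print(name, check_arp_frame(f), check_binding(f, BINDING_TABLE))
```

The two detection layers are deliberately separate: the header-consistency check needs no state and catches the malformed packets this section describes, while the binding-table check is what stops the man-in-the-middle case, where every field of the packet is internally consistent but the claimed IP/MAC pair belongs to someone else.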
