Huawei Quidway S3700 Series Configuration Manual page 153

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
4 ARP Security Configuration

Table 4-1 ARP DoS attack defense scenarios and methods

Packet Type: ARP request packet
Scenario: An attacker sends a lot of ARP request packets to the S3700. As a result, the CPU usage of the S3700 is high and the ARP entry table overflows.
Measures Taken by S3700: The general idea is to suppress the ARP packets:
- Limit the ARP packet rate based on source MAC addresses and source IP addresses.
- Limit the rate of ARP packets in the system, in a VLAN, or on an interface.
- Limit the number of dynamic ARP entries learned by an interface and limit the number of ARP request and reply packets received by the attacked interface.

Packet Type: ARP Miss packet
Scenario: An attacker sends a lot of IP sweeping packets with invalid destination MAC addresses to the S3700. As a result, the S3700 generates a lot of ARP Miss packets and temporary ARP entries.
Measures Taken by S3700: The S3700 prevents such attacks as follows:
- Limit the ARP Miss packet rate based on source MAC addresses and source IP addresses.
- Limit the rate of ARP Miss packets in the system, in a VLAN, or on an interface.

Packet Type: Gratuitous ARP packet
Scenario: The S3700 functions as the gateway and sends gratuitous ARP packets to the hosts in a VLAN, requesting the hosts to update the gateway MAC address. This prevents malicious modification of the gateway MAC address. If an attacker sends a lot of fake gratuitous ARP packets, the CPU of the S3700 will be overloaded.
Measures Taken by S3700: After identifying an attack, the S3700 discards gratuitous ARP packets.

Pre-configuration Tasks
Before configuring ARP DoS attack defense, complete the following task:
- Setting the parameters of the link layer protocol and the IP addresses for interfaces so that the link layer protocol is Up

Data Preparation
To configure ARP DoS attack defense, you need the following data.

Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
140
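The three rows of Table 4-1 describe one defensive pattern: count ARP, ARP Miss and gratuitous ARP packets per source MAC address, source IP address, interface, VLAN and system, drop what exceeds a threshold, cap the dynamic entries an interface may learn, and discard gratuitous ARP from a source once it has been identified as an attacker. The Python simulation below is an added example and is not Huawei code or the S3700's actual implementation; the thresholds (5 packets per second per source, 20 per interface, 50 per VLAN, 100 system-wide, 10 dynamic entries per interface), the sliding-window counting and the traffic it processes are all constructed for illustration, since this page states no commands or default values.

```python
"""Simulation of the ARP DoS defenses listed in Table 4-1 (added example, not Huawei code).
All thresholds and all traffic below are constructed for the demo."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    t: float          # arrival time in seconds
    kind: str         # "request", "reply", "miss" or "gratuitous"
    src_mac: str
    src_ip: str
    interface: str
    vlan: int


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)

    def allow(self, key, t):
        q = self.history[key]
        while q and t - q[0] >= self.window:   # forget timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


class ArpDosDefense:
    """Rate limits per source MAC, source IP, interface, VLAN and system for ARP and ARP Miss
    packets, a cap on dynamic entries learned per interface, and discarding of gratuitous ARP
    from a source once it is identified as an attacker (thresholds are assumed values)."""

    def __init__(self, per_source=5, per_interface=20, per_vlan=50, system=100, max_entries=10):
        def limiter_set():  # order matters: the first dimension that trips is reported
            return {"src-mac": SlidingWindowLimiter(per_source), "src-ip": SlidingWindowLimiter(per_source),
                    "interface": SlidingWindowLimiter(per_interface), "vlan": SlidingWindowLimiter(per_vlan),
                    "system": SlidingWindowLimiter(system)}
        self.limits = {"arp": limiter_set(), "miss": limiter_set()}
        self.garp_limit = SlidingWindowLimiter(per_source)
        self.max_entries = max_entries
        self.entries = defaultdict(dict)   # interface -> {ip: mac}: the dynamic ARP table
        self.flagged = set()               # sources identified as gratuitous ARP attackers
        self.stats = Counter()

    def _rate_check(self, cls, ev):
        keys = {"src-mac": ev.src_mac, "src-ip": ev.src_ip, "interface": ev.interface,
                "vlan": ev.vlan, "system": "all"}
        for dim, lim in self.limits[cls].items():
            if not lim.allow(keys[dim], ev.t):
                return dim                 # name of the limit that dropped the packet
        return None

    def process(self, ev):
        if ev.kind in ("request", "reply"):
            dim = self._rate_check("arp", ev)
            if dim:
                self.stats[f"dropped:arp:{dim}"] += 1
                return
            self.stats["accepted:arp"] += 1
            table = self.entries[ev.interface]
            if ev.src_ip in table or len(table) < self.max_entries:
                if ev.src_ip not in table:
                    self.stats["learned"] += 1
                table[ev.src_ip] = ev.src_mac
            else:                          # interface already holds max_entries dynamic entries
                self.stats["not-learned:entry-cap"] += 1
        elif ev.kind == "miss":
            dim = self._rate_check("miss", ev)
            self.stats[f"dropped:miss:{dim}" if dim else "accepted:miss"] += 1
        elif ev.kind == "gratuitous":
            if ev.src_mac in self.flagged or not self.garp_limit.allow(ev.src_mac, ev.t):
                self.flagged.add(ev.src_mac)   # identified as an attack: discard from now on
                self.stats["dropped:gratuitous:flagged"] += 1
            else:
                self.stats["accepted:gratuitous"] += 1


def build_traffic():
    """Constructed sample traffic covering the three scenarios of Table 4-1."""
    ev = []
    for i in range(3):   # legitimate host: three ARP requests spread over a second
        ev.append(ArpEvent(0.15 + 0.3 * i, "request", "00:00:5e:00:53:01", "192.0.2.10", "GE0/0/1", 10))
    for i in range(40):  # flood from one MAC with 40 spoofed source IPs within 0.8 s
        ev.append(ArpEvent(0.5 + 0.02 * i, "request", "00:00:5e:00:53:aa", f"192.0.2.{100 + i}", "GE0/0/2", 10))
    for i in range(30):  # flood with a fresh MAC and IP per packet, 30 within 0.6 s
        ev.append(ArpEvent(1.5 + 0.02 * i, "request", f"02:00:00:00:00:{i:02x}", f"198.51.100.{i + 1}", "GE0/0/4", 30))
    for i in range(30):  # IP sweep: 30 ARP Miss events from one source within 0.9 s
        ev.append(ArpEvent(2.5 + 0.03 * i, "miss", "00:00:5e:00:53:bb", "192.0.2.200", "GE0/0/3", 20))
    for i in range(12):  # 12 fake gratuitous ARP packets claiming the gateway IP
        ev.append(ArpEvent(3.5 + 0.05 * i, "gratuitous", "00:00:5e:00:53:cc", "192.0.2.1", "GE0/0/2", 10))
    return sorted(ev, key=lambda e: e.t)


def run_demo():
    defense = ArpDosDefense()
    for ev in build_traffic():
        defense.process(ev)
    return defense


if __name__ == "__main__":
    d = run_demo()
    for k, v in sorted(d.stats.items()):
        print(f"{k:30} {v}")
    print("flagged gratuitous ARP sources:", sorted(d.flagged))
```

Each drop counter names the limit that fired, which is the information an operator needs when deciding which threshold to tune: the single-MAC flood is stopped by the per-source limit while the many-MAC flood only trips the per-interface limit and the entry cap, and the legitimate host's three requests pass every check.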
