Huawei Quidway S3700 Series Configuration Manual page 163
Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
4 ARP Security Configuration

Applicable Environment

As shown in Table 4-2, the S3700 provides various methods to prevent ARP spoofing attacks.

Table 4-2 ARP anti-spoofing scenarios and methods

Scenario: Self-protection
Description: An ARP spoofing attack is initiated by modifying ARP entries.
Measures Taken by S3700: The S3700 enhances the ARP self-protection capability, including:
- Strict ARP entry learning: The S3700 learns only the reply packets of the ARP request packets it sent itself.
- Defense against address spoofing: The S3700 maintains fixed ARP entries and checks packets against the fixed MAC addresses, interfaces, and VLAN IDs. In addition, the S3700 can prevent address spoofing attacks by using the acknowledgment mechanism.
- ARP learning triggered by DHCP: When the DHCP server assigns an IP address to a user, the S3700 sends a DHCP ACK packet to the user. In addition, the S3700 obtains the MAC address of the user and generates the ARP entry corresponding to the IP address. The S3700 does not need to learn ARP entries from ARP packets; therefore, the attacker cannot initiate ARP attacks.

Scenario: ARP gateway anti-collision
Description: The attacker sends the host an ARP packet in which the source IP address in the ARP packet header is the gateway address. The host changes the gateway MAC address to the MAC address of the attacker. The host then sends ARP packets to the attacker.
Measures Taken by S3700: The S3700 functions as the gateway and discards any ARP packet in which the source IP address is its own IP address. This method is applicable only when the ARP packets of all hosts are forwarded by the gateway.

Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
150
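The following is an added example, not Huawei code: a small model of the defences listed in Table 4-2 (strict learning, fixed-entry checks, DHCP-triggered learning, gateway anti-collision) run over constructed ARP packets. The class and field names, the interface names and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    op: str        # "request" or "reply"
    src_ip: str
    src_mac: str
    iface: str     # ingress interface (constructed names)
    vlan: int

@dataclass
class ArpDefender:
    gateway_ip: str
    fixed: dict = field(default_factory=dict)   # ip -> (mac, iface, vlan)
    pending: set = field(default_factory=set)   # IPs this device itself asked for
    table: dict = field(default_factory=dict)   # learned ip -> mac

    def send_request(self, ip):
        self.pending.add(ip)        # only the reply to this request may be learned

    def dhcp_ack(self, ip, mac, iface, vlan):
        # DHCP-triggered learning: the DHCP ACK, not an ARP packet, creates a fixed entry
        self.fixed[ip] = (mac, iface, vlan)
        self.table[ip] = mac

    def receive(self, p):
        # Gateway anti-collision: drop packets whose source IP is our own address
        if p.src_ip == self.gateway_ip:
            return "drop: gateway anti-collision"
        # Fixed-entry check against MAC address, interface and VLAN ID
        if p.src_ip in self.fixed:
            if self.fixed[p.src_ip] == (p.src_mac, p.iface, p.vlan):
                return "verified"
            return "drop: fixed entry mismatch"
        # Strict learning: accept only replies to requests we sent ourselves
        if p.op != "reply" or p.src_ip not in self.pending:
            return "drop: unsolicited"
        self.pending.discard(p.src_ip)
        self.table[p.src_ip] = p.src_mac
        return "learned"

def demo():
    # Constructed traffic exercising each defence; returns the four verdicts
    sw = ArpDefender(gateway_ip="10.0.0.1")
    sw.dhcp_ack("10.0.0.7", "00:11:22:33:44:07", "GE0/0/7", 10)
    sw.send_request("10.0.0.5")
    pkts = [ArpPacket("reply", "10.0.0.1", "de:ad:be:ef:00:01", "GE0/0/2", 10),
            ArpPacket("reply", "10.0.0.9", "de:ad:be:ef:00:09", "GE0/0/2", 10),
            ArpPacket("reply", "10.0.0.5", "00:11:22:33:44:05", "GE0/0/5", 10),
            ArpPacket("reply", "10.0.0.7", "de:ad:be:ef:00:07", "GE0/0/2", 10)]
    return [sw.receive(p) for p in pkts]
```

The four packets are, in order: a claim to the gateway's own address, an unsolicited reply, the reply to the switch's own request, and a reply that contradicts the DHCP-created fixed entry.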