Arp Attack Defense Configuration; Introduction To Maximum Number Of Dynamic Arp Entries A Vlan Interface Can Learn; Introduction To Arp Attack Detection - 3Com 4500 PWR 26-Port Configuration Manual

ARP Attack Defense Configuration

Although ARP is easy to implement, it provides no security mechanism and is therefore prone to network attacks. ARP attacks and ARP-based viruses currently threaten LAN security. The device provides multiple features to detect and prevent such attacks. This chapter introduces these features.

Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn

To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on S4500 series Ethernet switches (operating as gateways). That is, you can set the maximum number of dynamic ARP entries that a VLAN interface can learn. Once the number of dynamic ARP entries learned by the VLAN interface reaches the specified upper limit, the VLAN interface stops learning new ARP entries, so an ARP flood cannot exhaust the ARP table. Note that while the limit is in effect, legitimate hosts that are not yet in the table cannot be learned either, so size the limit to the number of hosts the VLAN is expected to carry.

Introduction to ARP Source MAC Address Consistency Check

An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP packets. These ARP packets can cause other network devices to update the corresponding ARP entries incorrectly, thus interrupting network traffic.

To prevent such attacks, you can configure ARP source MAC address consistency check on S4500 series Ethernet switches (operating as gateways). With this function, the device verifies whether an ARP packet is valid by checking the sender MAC address in the ARP packet against the source MAC address in the Ethernet header. If they are consistent, the packet passes the check and the switch learns the ARP entry. If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. This check catches packets whose two MAC fields disagree; an attacker who forges the Ethernet source MAC and the ARP sender MAC to the same value still passes it, so it does not by itself authenticate the IP-to-MAC binding.
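The two features described above, the per-VLAN-interface learning limit and the source MAC consistency check, as an added Python model (example code written for this page, not 3Com's code and not the switch's implementation). It parses Ethernet/IPv4 ARP frames, drops frames whose ARP sender MAC differs from the Ethernet source MAC, and stops learning new entries once the configured limit is reached. The addresses, the limit of 3 and every frame in `demo()` are constructed for the demonstration.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def build_arp_frame(eth_src, eth_dst, opcode, sender_mac, sender_ip,
                    target_mac, target_ip) -> bytes:
    """Serialise a 42-byte Ethernet II + ARP frame (used to construct sample input)."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + struct.pack("!6s4s6s4s", sender_mac, sender_ip, target_mac, target_ip))


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse the Ethernet header and ARP body; reject anything but Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_dst, eth_src, opcode, sha, spa, tha, tpa)


def source_mac_consistent(arp: ArpFrame) -> bool:
    """ARP source MAC consistency check: the sender MAC inside the ARP packet
    must equal the source MAC of the Ethernet header that carried it."""
    return arp.sender_mac == arp.eth_src


class VlanInterfaceArpTable:
    """Dynamic ARP table of one VLAN interface with a cap on learned entries."""

    def __init__(self, max_dynamic_entries: int):
        self.max_dynamic_entries = max_dynamic_entries
        self.entries = {}                 # sender IP (4 bytes) -> sender MAC (6 bytes)
        self.dropped_inconsistent = 0
        self.dropped_over_limit = 0

    def learn(self, frame: bytes) -> bool:
        """Apply both checks to one frame; True if an entry was learned or refreshed."""
        arp = parse_arp_frame(frame)
        if not source_mac_consistent(arp):
            self.dropped_inconsistent += 1            # invalid packet: entry not learned
            return False
        if arp.sender_ip in self.entries:
            self.entries[arp.sender_ip] = arp.sender_mac   # refresh an existing entry
            return True
        if len(self.entries) >= self.max_dynamic_entries:
            self.dropped_over_limit += 1              # limit reached: stop learning
            return False
        self.entries[arp.sender_ip] = arp.sender_mac
        return True


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def demo() -> VlanInterfaceArpTable:
    """Constructed traffic: 3 legitimate hosts, 1 spoofed frame, then a flood of 20 senders."""
    gw_mac, gw_ip = mac("00:11:22:33:44:ff"), ip("10.0.0.254")
    table = VlanInterfaceArpTable(max_dynamic_entries=3)
    for i in range(1, 4):                             # legitimate replies to the gateway
        h_mac, h_ip = mac(f"00:00:00:00:00:0{i}"), ip(f"10.0.0.{i}")
        table.learn(build_arp_frame(h_mac, gw_mac, ARP_REPLY, h_mac, h_ip, gw_mac, gw_ip))
    # Spoof: Ethernet source is the attacker, but the ARP body claims host 1's IP and MAC.
    attacker = mac("de:ad:be:ef:00:01")
    table.learn(build_arp_frame(attacker, gw_mac, ARP_REPLY,
                                mac("00:00:00:00:00:01"), ip("10.0.0.1"), gw_mac, gw_ip))
    # Flood: 20 distinct, internally consistent senders beyond the limit of 3.
    for i in range(10, 30):
        f_mac, f_ip = mac(f"00:00:00:00:00:{i:02x}"), ip(f"10.0.0.{i}")
        table.learn(build_arp_frame(f_mac, gw_mac, ARP_REQUEST, f_mac, f_ip, b"\x00" * 6, gw_ip))
    return table
```

After `demo()` the table holds exactly the three legitimate entries, the spoofed frame is counted as inconsistent and leaves host 1's mapping untouched, and all twenty flood frames are refused. A frame that forges both MAC fields to the same value would pass `source_mac_consistent`, which is the caveat noted above.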

Introduction to ARP Attack Detection

Man-in-the-middle attack

According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table even if the MAC address is not the real one. This reduces ARP traffic in the network, but it also makes ARP spoofing possible.

Figure 37-1 Man-in-the-middle attack

In Figure 37-1, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the attacker (Host B) sends forged ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. The traffic between Host A and Host C then passes through Host B, which acts as a "man-in-the-middle" that can intercept and modify the communication. Such an attack is called a man-in-the-middle attack.
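The Figure 37-1 scenario replayed in Python, as an added example (written for this page, not 3Com's code). `NaiveArpCache` models the host behaviour the text describes, accepting any reply and overwriting the mapping; `ArpSpoofMonitor` is a hypothetical detector placed at the switch that flags replies contradicting known IP-to-MAC bindings and a single MAC answering for several IP addresses. It is not the switch's own ARP attack detection feature, and all addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for cache poisoning."""
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class NaiveArpCache:
    """Host behaviour described in the text: accept any reply and overwrite the mapping."""

    def __init__(self):
        self.table = {}                              # IP -> MAC

    def update(self, reply: ArpReply) -> None:
        self.table[reply.sender_ip] = reply.sender_mac


class ArpSpoofMonitor:
    """Hypothetical detector for this example: watches ARP replies crossing the
    switch and flags ones that contradict known bindings or let one MAC
    claim several IPs. Not the switch's own ARP attack detection."""

    def __init__(self, trusted_bindings: dict):
        self.bindings = dict(trusted_bindings)       # IP -> MAC, e.g. statically configured
        self.ips_per_mac = defaultdict(set)
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Return an alert string for a suspicious reply, or None if it is consistent."""
        self.ips_per_mac[reply.sender_mac].add(reply.sender_ip)
        expected = self.bindings.get(reply.sender_ip)
        if expected is None:
            self.bindings[reply.sender_ip] = reply.sender_mac   # first sighting: record it
            return None
        if expected != reply.sender_mac:
            alert = (f"reply to {reply.target_ip} rebinds {reply.sender_ip} "
                     f"from {expected} to {reply.sender_mac}")
            self.alerts.append(alert)
            return alert
        return None

    def macs_claiming_multiple_ips(self) -> set:
        """A MAC answering for more than one IP is the signature of Host B in Figure 37-1."""
        return {m for m, ips in self.ips_per_mac.items() if len(ips) > 1}


def simulate_mitm():
    """Replay Figure 37-1 with constructed addresses; returns (host A cache, host C cache, monitor)."""
    a_ip, a_mac = "192.168.1.1", "00:00:00:00:00:0a"
    b_mac = "00:00:00:00:00:0b"                      # attacker (Host B)
    c_ip, c_mac = "192.168.1.3", "00:00:00:00:00:0c"
    host_a, host_c = NaiveArpCache(), NaiveArpCache()
    monitor = ArpSpoofMonitor({a_ip: a_mac, c_ip: c_mac})
    replies = [
        ArpReply(c_ip, c_mac, a_ip, a_mac),          # legitimate: C answers A
        ArpReply(a_ip, a_mac, c_ip, c_mac),          # legitimate: A answers C
        ArpReply(c_ip, b_mac, a_ip, a_mac),          # forged: B tells A that C is at B's MAC
        ArpReply(a_ip, b_mac, c_ip, c_mac),          # forged: B tells C that A is at B's MAC
    ]
    for r in replies:
        monitor.observe(r)
        (host_a if r.target_ip == a_ip else host_c).update(r)
    return host_a, host_c, monitor
```

After the run both hosts' caches point the peer's IP at Host B's MAC, which is exactly the poisoned state the text describes, while the monitor has raised one alert per forged reply and identifies Host B's MAC as the only one answering for two different IP addresses. The binding table is the important input: without a trusted source for it (static configuration or an equivalent) the monitor can only detect changes after the first sighting.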

This manual is also suitable for: 4500 26-port, 4500 50-port.