SECE/4/ARPMISS

Message

SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=[STRING], SourceIP=[STRING], AttackPackets=[ULONG] packets per second)

Description

The rate exceeds the global ARP Miss rate limit.

Parameters

| Parameter Name | Parameter Meaning |
|---|---|
| SourceInterface | Indicates the name of an interface. |
| SourceIP | Indicates the source IP address of attack packets. |
| AttackPackets | Indicates the rate of attack packets, in pps. |

Possible Causes

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. When the rate of ARP Miss messages exceeds the global ARP Miss rate limit, the device generates the alarm.

Procedure

  1. Run the reset cpu-defend statistics command to clear statistics on the ARP Miss messages sent to the CPU.
  2. Wait for 1 minute, and run the display cpu-defend statistics all command to check the number of ARP Miss messages sent to the CPU within 1 minute. Check whether a large number of packets are discarded:

    • If so, go to step 3.

    • If not, verify that the network is secure and run the info-center source SECE channel 4 log state off command to disable the device from sending SECE log information.

  3. Locate the attack source based on the IP address in the log information.

    Check whether the attacker is infected with viruses.

    • If so, you are advised to remove viruses from the user host. You can also add the address of the user to the blacklist or configure a blackhole MAC address entry to discard ARP request packets sent by the attacker.

    • If not, go to step 4.

  4. Run the display arp-miss speed-limit source-ip command to display the configured rate limit on ARP Miss messages based on the source IP address.
  5. Run the arp-miss speed-limit source-ip [ ip-address ] maximum 0 command to configure the device not to limit the rate of ARP Miss messages based on the source IP address.
  6. If the log is frequently generated, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.
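
Added example (not part of the original documentation): a Python sketch for step 3 that parses collected SECE/4/ARPMISS lines in the message layout shown above and ranks SourceIP values by alarm count and peak rate, so the most active source is investigated first. The function names are hypothetical, and the sample lines (timestamp and host-name prefix, interface names, addresses) are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout taken from the Message section of this page.
ARPMISS_RE = re.compile(
    r"SECE/4/ARPMISS:\s*Attack occurred\.\s*\(AttackType=Arp Miss Attack,\s*"
    r"SourceInterface=(?P<interface>[^,]+),\s*SourceIP=(?P<ip>[^,]+),\s*"
    r"AttackPackets=(?P<pps>\d+) packets per second\)"
)

# Constructed sample input: timestamps, host name, interfaces and addresses are made up.
# The last two lines are deliberately bad (invalid SourceIP, truncated message).
SAMPLE_LOG = """\
2024-05-01 10:00:01 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, SourceIP=192.0.2.10, AttackPackets=600 packets per second)
2024-05-01 10:00:31 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, SourceIP=192.0.2.10, AttackPackets=900 packets per second)
2024-05-01 10:01:02 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/7, SourceIP=198.51.100.23, AttackPackets=550 packets per second)
2024-05-01 10:01:30 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, SourceIP=192.0.2.10, AttackPackets=750 packets per second)
2024-05-01 10:01:45 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/2, SourceIP=not-an-ip, AttackPackets=500 packets per second)
2024-05-01 10:02:00 SW1 SECE/4/ARPMISS: Attack occurred. (AttackType=Arp Miss Attack, SourceInterface=Gig
"""

def parse_arpmiss(line):
    """Return the three documented fields as a dict, or None if the line does not match."""
    m = ARPMISS_RE.search(line)
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip").strip()))
    except ValueError:
        return None  # reject a malformed SourceIP rather than carry it into a blacklist
    return {"interface": m.group("interface").strip(), "ip": ip, "pps": int(m.group("pps"))}

def summarize_sources(lines):
    """Group alarms by SourceIP; most frequent (then highest peak rate) first."""
    stats = defaultdict(lambda: {"alarms": 0, "peak_pps": 0, "interfaces": set()})
    for line in lines:
        rec = parse_arpmiss(line)
        if rec is None:
            continue
        entry = stats[rec["ip"]]
        entry["alarms"] += 1
        entry["peak_pps"] = max(entry["peak_pps"], rec["pps"])
        entry["interfaces"].add(rec["interface"])
    return sorted(stats.items(), key=lambda kv: (-kv[1]["alarms"], -kv[1]["peak_pps"]))

if __name__ == "__main__":
    for ip, s in summarize_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} alarms={s['alarms']} peak={s['peak_pps']}pps via {sorted(s['interfaces'])}")
```

A source that keeps appearing on the same SourceInterface is the host to check for infection before deciding between a blacklist entry and a blackhole MAC address entry.
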
Copyright © Huawei Technologies Co., Ltd.