How Can I Detect Whether ARP Attacks Are Occurring on the Device?

An ARP attack may have the following symptoms:

Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
The device has a high CPU usage or is disconnected from the NMS, the attached devices are disconnected from the network, the device frequently alternates between master and slave states, or its interface indicators blink fast red.
Ping responses are delayed, packets are lost, or the ping operation fails.

When you locate an ARP attack, first check the links, loops, and routes. After confirming that they are not the cause, perform the following steps. Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, record your actions and provide the record to technical support personnel.

Run the display cpu-defend statistics all command on the gateway to check the count of dropped ARP Request, ARP Reply, or ARP Miss messages.
- If the count of dropped ARP packets is 0, go to step 2.
- If the count of dropped ARP packets is not 0, the rate of ARP packets has exceeded the CPCAR rate limit and excess ARP packets are being discarded.
  - If a lot of ARP Miss messages are discarded, ARP Miss attacks may occur on the device. For the detailed troubleshooting procedure, see How Can I Handle an ARP Learning Failure Caused by ARP Miss Messages?.
  - If a lot of ARP Request or Reply packets are discarded, ARP Request or Reply packet attacks may occur on the device. For the detailed troubleshooting procedure, see What Do I Do If the Device Receives a Large Number of ARP Request or Reply Packets?.

Run the display arp all command on the gateway to check the user's ARP entry.

If the ARP entry exists, check whether the ARP entry of the user or gateway has been modified.

If the user's ARP entry on the gateway has been modified, ARP spoofing gateway attacks are occurring on the device.

Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of ARP Request packets.

Remove viruses or uninstall the attack tool after finding the attacker. Configure the anti-attack function on the gateway based on the site requirements.

Options	Remarks
Run the arp static command in the system view to configure static ARP entries.	If a few users are connected to the device, you can configure static ARP entries and bind the static ARP entry to the MAC address and IP address to prevent the IP addresses from being used by unauthorized users.
Run the arp anti-attack entry-check { fixed-mac \| fixed-all \| send-ack } enable command in the system view or interface view to configure fixed ARP.	fixed-mac: applies to the scenario where a user has a fixed MAC address but the user's access location frequently changes. When the user connects to the device from different interfaces, the interface information in the user's ARP entry on the device can be updated in real time. fixed-all: applies to the scenario where a user has a fixed MAC address and relatively unchanged access location. send-ack: applies to the scenario where a user's MAC address and access location frequently change.
Configure the blacklist or a blackhole MAC address entry so that packets from the attack source will be discarded.	-

Options

Remarks

Run the arp static command in the system view to configure static ARP entries.

If a few users are connected to the device, you can configure static ARP entries and bind the static ARP entry to the MAC address and IP address to prevent the IP addresses from being used by unauthorized users.

Run the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command in the system view or interface view to configure fixed ARP.

fixed-mac: applies to the scenario where a user has a fixed MAC address but the user's access location frequently changes. When the user connects to the device from different interfaces, the interface information in the user's ARP entry on the device can be updated in real time.

fixed-all: applies to the scenario where a user has a fixed MAC address and relatively unchanged access location.

send-ack: applies to the scenario where a user's MAC address and access location frequently change.

Configure the blacklist or a blackhole MAC address entry so that packets from the attack source will be discarded.

If the gateway ARP entry of the user is modified, ARP bogus gateway attacks occur on the device.

Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of ARP Request packets.

Remove viruses or uninstall the attack tool after finding the attacker. Configure the anti-attack function on the gateway based on the site requirements.

Options	Remarks
Configure interface isolation on the downlink interfaces of the gateway to prevent users in the same VLAN from receiving ARP attack packets.	-
Run the arp anti-attack gateway-duplicate enable command in the system view to enable the ARP gateway anti-collision function, and run the arp gratuitous-arp send enable command to enable the device to send gratuitous ARP packets so that the correct gateway address can be sent to users.	-
Configure the blacklist or a blackhole MAC address entry so that packets from the attack source will be discarded.	-

If other users' ARP entries of the user are modified, go to the next step.

Obtain packet headers on the interface connecting the device to the user, and locate the attack source according to the source addresses of the ARP Request packets.

Remove viruses or uninstall the attack tool after finding the attacker. Configure the anti-attack function on the access device based on site requirements.

Options	Remarks
Run the arp anti-attack check user-bind enable command in the interface or VLAN view to enable dynamic ARP inspection. (The device matches ARP packets against the binding table.)	Dynamic ARP inspection is used to prevent man-in-the-middle attacks and theft on authorized user information. NOTE: This function is applicable only when a binding table is configured. The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user.
Run the arp anti-attack packet-check { ip \| dst-mac \| sender-mac } ^* command in the system view to enable ARP packet validity check and specify check items.	-
Configure the blacklist or a blackhole MAC address entry so that packets from the attack source will be discarded.	-

If no ARP entry is displayed, perform the following step:

Run the debugging arp packet interface interface-type interface-number command in the user view to enable the ARP packet debugging function and check whether the device sends ARP Request packets and receives ARP Reply packets.

In the debugging information, the operation field indicates the protocol type (1: ARP Request; 2: ARP Reply).

If the device does not send an ARP Request packet, rectify the fault according to How Can I Handle an ARP Learning Failure Caused by ARP Miss Messages?.

If the device does not receive any ARP Reply packet, the ARP Reply packets sent by the remote device may be discarded by the CPCAR mechanism.

Options	Remarks
Run the display cpu-defend statistics packet-type arp-reply all command in the user view to check whether the Drop value of ARP Reply packets increases. If the Drop value keeps increasing, run the car command in the attack defense policy view to increase the CPCAR value for ARP Reply packets.	NOTICE: Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help. The attack defense policy can take effect only after it is applied.
Run the display arp anti-attack configuration arp-speed-limit command in the user view to check that the ARP packet rate limit is configured.	Run the arp speed-limit source-ip [ ip-address ] maximum maximum command in the system view to adjust the maximum rate of ARP packets based on source IP addresses. Run the arp speed-limit source-mac [ mac-address ] maximum maximum command in the system view to adjust the maximum rate of ARP packets based on source MAC addresses. Run the arp anti-attack rate-limit packet packet-number command in the system view, VLAN view, or interface view to adjust the maximum rate of ARP packets. In versions earlier than V200R003C00, the packet parameter is not supported on the device and does not need to be configured.

Options

Remarks

Run the display cpu-defend statistics packet-type arp-reply all command in the user view to check whether the Drop value of ARP Reply packets increases.

If the Drop value keeps increasing, run the car command in the attack defense policy view to increase the CPCAR value for ARP Reply packets.

NOTICE:

Improper CPCAR settings will affect services on your network. If you need to adjust CPCAR settings, you are advised to contact technical support personnel for help.

The attack defense policy can take effect only after it is applied.

Run the display arp anti-attack configuration arp-speed-limit command in the user view to check that the ARP packet rate limit is configured.

Run the arp speed-limit source-ip [ ip-address ] maximum maximum command in the system view to adjust the maximum rate of ARP packets based on source IP addresses.

Run the arp speed-limit source-mac [ mac-address ] maximum maximum command in the system view to adjust the maximum rate of ARP packets based on source MAC addresses.

Run the arp anti-attack rate-limit packet packet-number command in the system view, VLAN view, or interface view to adjust the maximum rate of ARP packets.

In versions earlier than V200R003C00, the packet parameter is not supported on the device and does not need to be configured.

If the device receives ARP Reply packets, go to step 3.

Check that the remote device receives the ARP Request packet and sends an ARP Reply packet.

If the remote device is a Huawei device, perform the preceding operations on the device. If the remote device is a non-Huawei device, see the manual for the device.

If the fault persists, collect the following information and contact technical support personnel:
- Result of the preceding procedure
- Configuration file, logs, and alarms of the device