
Defense Against ARP Spoofing Attacks

Attack Behavior

In an ARP spoofing attack, an attacker sends forged ARP packets to modify the ARP entries of gateways or legitimate hosts. As a result, traffic for the spoofed IP address no longer reaches its legitimate owner: it is delivered to the attacker's MAC address (interception or modification) or to a nonexistent one (denial of service).
  • Attackers send forged ARP packets to gateways so that gateways learn incorrect user ARP entries.

  • Attackers send forged ARP packets to other users so that the users learn incorrect ARP entries.

  • Attackers send malformed ARP packets to switches so that the switches learn incorrect ARP entries.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • ARP entry fixing

    The switch supports the following ARP entry fixing modes. They are mutually exclusive, so choose the one that matches how users are attached:

    • The fixed-mac mode is applicable when user MAC addresses are fixed but user access locations change frequently. Once an ARP entry is learned, the switch discards any ARP packet for that IP address whose source MAC address differs from the entry. If the MAC address matches but the inbound interface or VLAN differs (the user has moved to another interface), the switch updates the interface and VLAN information in the entry.
    • The fixed-all mode is applicable when user MAC addresses and access locations are both fixed. The switch updates an existing entry only if the MAC address, interface, and VLAN of the ARP packet all match it; otherwise the packet is discarded.
    • The send-ack mode is applicable when user MAC addresses and access locations both change frequently. When an ARP packet would change the MAC address, interface, or VLAN of an existing entry, the switch does not update the entry immediately. It first sends a unicast ARP Request to the IP address using the MAC address recorded in the entry. If the original host answers, the entry is kept and the new packet is discarded; if there is no answer, the entry is updated. An attacker therefore cannot overwrite the entry of a host that is still reachable.
  • Dynamic ARP Inspection (DAI)

    A DAI-enabled switch matches the source IP address, source MAC address, interface number, and VLAN ID of a received ARP packet against a binding database. If the ARP packet matches an entry in the binding database, the switch considers the ARP packet valid and allows it to pass through. If the ARP packet does not match any entry, the switch considers the ARP packet as an attack packet and discards it. A binding database is dynamically generated using DHCP snooping or manually configured.

  • ARP gateway anti-collision

    To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway switch when user hosts connect directly to it. The switch treats a received ARP packet as conflicting with the gateway address if it meets either of the following conditions:

    • The source IP address of the ARP packet is the same as the IP address of the VLANIF interface matching the inbound interface of the packet.
    • The source IP address of the ARP packet is the virtual IP address of the inbound interface, but the source MAC address of the ARP packet is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group.

    In that case the switch generates an ARP anti-collision entry and discards ARP packets with the same source MAC address and VLAN ID for a specified period. This prevents ARP packets carrying the bogus gateway address from being broadcast in the VLAN.

  • Gratuitous ARP packet discarding

    After confirming that an attack is launched using gratuitous ARP packets, configure the gateway switch to discard gratuitous ARP packets. Gratuitous ARP is also used legitimately, for example for duplicate address detection and by VRRP after a master switchover, so enable this only once such an attack has actually been confirmed.

  • Gratuitous ARP packet sending

    Configure the gateway switch to send gratuitous ARP packets to periodically update the ARP entries of authorized users so that the ARP entries contain the correct gateway switch address.

  • MAC address consistency check in an ARP packet

    The switch checks whether the source and destination MAC addresses in a received ARP packet are the same as those in the Ethernet frame header. If the source or destination MAC address in the ARP packet is different from that in the Ethernet frame header, the switch considers the ARP packet as an attack packet and discards it. If the MAC addresses are the same, the switch performs ARP learning. This effectively protects the network or switch against malformed ARP packet attacks.

  • ARP packet validity check

    To prevent attacks by invalid ARP packets, enable ARP packet validity check on an access or gateway switch to filter out ARP packets with invalid IP or MAC addresses. The switch checks the validity of an ARP packet based on the following items that can be combined freely:

    • IP address: The switch checks the source and destination IP addresses in the ARP packet. If the source or destination IP address is all 0s, all 1s, or a multicast IP address, the switch discards the packet as an invalid packet. The switch checks both the source and destination IP addresses in an ARP Reply packet but checks only the source IP address in an ARP Request packet.
    • Source MAC address: The switch compares the source MAC address in the ARP packet with that in the Ethernet frame header. If they are the same, the switch considers the packet valid. If they are different, the switch discards the packet.
    • Destination MAC address: The switch compares the destination MAC address in the ARP packet with that in the Ethernet frame header. If they are the same, the switch considers the packet valid. If they are different, the switch discards the packet.
  • ARP gateway protection

    Configure ARP gateway protection on the user-facing interfaces of the switch so that those interfaces discard ARP packets whose source IP address is the protected gateway address. This prevents attackers from forging the gateway. Do not configure it on the interface that connects to the real gateway, because that interface would then discard the legitimate gateway's ARP packets.

  • Strict ARP learning

    Configure strict ARP learning so that the switch learns ARP entries only from ARP Reply packets that answer ARP Request packets the switch itself sent. Unsolicited ARP packets, including gratuitous ARP and unsolicited replies, then no longer create or update entries, which blocks most spoofing attacks against the switch's own ARP table.

  • ARP learning triggered by DHCP

    When many DHCP users connect to a gateway switch, the switch needs to learn and age many ARP entries, affecting switch performance. To address this issue, configure ARP learning triggered by DHCP on the gateway switch. When the DHCP server allocates an IP address for a user, the gateway switch generates an ARP entry for the user based on the DHCP ACK packet received on the VLANIF interface.

  • ARP proxy on a Virtual Private LAN Service (VPLS) network

    To prevent bogus ARP packets at the Pseudo Wire (PW) side from being broadcast to the Attachment Circuit (AC) side on a VPLS network, enable ARP proxy over VPLS on a Provider Edge (PE).
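
The per-packet checks described above (MAC address consistency check, ARP packet validity check, DAI, and ARP gateway anti-collision) modelled in Python. This is an added example, not Huawei's implementation: the addresses, the binding table and the sample frames are constructed for it, the order in which the checks run is the example's own choice, and the rule that the target MAC is compared only on ARP Reply packets is an assumption made so that broadcast Requests (all-zero target MAC) are not rejected.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes  # destination MAC in the Ethernet header
    eth_src: bytes  # source MAC in the Ethernet header
    op: int         # ARP opcode: 1 = Request, 2 = Reply
    sha: bytes      # sender hardware address inside the ARP payload
    spa: str        # sender protocol (IPv4) address
    tha: bytes      # target hardware address
    tpa: str        # target protocol (IPv4) address

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet II + ARP frame; used here only to construct sample input."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", sha, ipaddress.IPv4Address(spa).packed,
                          tha, ipaddress.IPv4Address(tpa).packed))

def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_dst, eth_src, op, sha, str(ipaddress.IPv4Address(spa)),
                    tha, str(ipaddress.IPv4Address(tpa)))

def mac_consistency_ok(p: ArpFrame) -> bool:
    """MAC address consistency check: MACs in the ARP payload must equal the Ethernet
    header. Assumption: the target MAC is compared only on Replies, because a Request
    is broadcast with an all-zero target MAC."""
    if p.sha != p.eth_src:
        return False
    return not (p.op == 2 and p.tha != p.eth_dst)

def _bad_ip(ip: str) -> bool:
    """All 0s, all 1s or multicast: never a valid ARP sender/target address."""
    a = ipaddress.IPv4Address(ip)
    return int(a) in (0, 0xFFFFFFFF) or a.is_multicast

def ip_validity_ok(p: ArpFrame) -> bool:
    """Validity check on IP addresses: sender on every packet, target on Replies only."""
    return not (_bad_ip(p.spa) or (p.op == 2 and _bad_ip(p.tpa)))

def dai_ok(p: ArpFrame, iface: str, vlan: int, bindings: set) -> bool:
    """Dynamic ARP Inspection: (IP, MAC, interface, VLAN) must exist in the binding table."""
    return (p.spa, p.sha, iface, vlan) in bindings

def gateway_collision(p: ArpFrame, vlanif_ip: str,
                      vrrp_vip: Optional[str] = None, vrrp_vmac: Optional[bytes] = None) -> bool:
    """ARP gateway anti-collision: the sender claims the VLANIF address, or the VRRP
    virtual address without using the VRRP virtual MAC."""
    if p.spa == vlanif_ip:
        return True
    return vrrp_vip is not None and p.spa == vrrp_vip and p.sha != vrrp_vmac

def inspect(frame: bytes, iface: str, vlan: int, bindings: set, vlanif_ip: str) -> str:
    """Run the checks in sequence and return the verdict for one received frame."""
    p = parse_arp(frame)
    if not mac_consistency_ok(p):
        return "drop:mac-mismatch"
    if not ip_validity_ok(p):
        return "drop:invalid-ip"
    if gateway_collision(p, vlanif_ip):
        return "drop:gateway-collision"
    if not dai_ok(p, iface, vlan, bindings):
        return "drop:no-binding"
    return "forward"

# Constructed sample traffic on VLAN 100 behind GE1/0/1 (addresses assumed, not from the page)
GW_IP, HOST_IP = "10.10.10.1", "10.10.10.2"
HOST_MAC, ATTACKER_MAC = mac("aa:bb:cc:00:00:02"), mac("de:ad:be:ef:00:01")
BINDINGS = {(HOST_IP, HOST_MAC, "GE1/0/1", 100)}  # e.g. populated by DHCP snooping
SAMPLES = {
    "legit_request": build_arp(BROADCAST, HOST_MAC, 1, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP),
    "bogus_gateway": build_arp(BROADCAST, ATTACKER_MAC, 1, ATTACKER_MAC, GW_IP, ZERO_MAC, HOST_IP),
    "malformed": build_arp(BROADCAST, ATTACKER_MAC, 1, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP),
    "unbound_host": build_arp(BROADCAST, ATTACKER_MAC, 1, ATTACKER_MAC, "10.10.10.9", ZERO_MAC, GW_IP),
    "zero_sender": build_arp(BROADCAST, HOST_MAC, 1, HOST_MAC, "0.0.0.0", ZERO_MAC, GW_IP),
}

def verdicts() -> dict:
    return {name: inspect(f, "GE1/0/1", 100, BINDINGS, GW_IP) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:14s} {v}")
```

Only `legit_request` is forwarded; the other four frames are dropped by the check named in the verdict. One caveat the page does not spell out: a sender IP address of 0.0.0.0 is also what an RFC 5227 ARP probe uses for duplicate address detection, so the IP validity check drops those probes as well, which is worth knowing before enabling it on an access VLAN.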

Configuration Method

  • Configure ARP entry fixing.

    Enable ARP entry fixing and specify the fixed-mac mode.

    <HUAWEI> system-view
    [HUAWEI] arp anti-attack entry-check fixed-mac enable  //Configure ARP entry fixing globally or on a VLANIF interface as required.
  • Configure DAI.

    Enable DAI on the GE1/0/1 interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable  //Configure DAI in the interface or VLAN view as required.
    
  • Configure ARP gateway anti-collision.

    Enable ARP gateway anti-collision.

    <HUAWEI> system-view
    [HUAWEI] arp anti-attack gateway-duplicate enable  
  • Configure gratuitous ARP packet discarding.

    Enable the switch to actively discard gratuitous ARP packets globally.

    <HUAWEI> system-view
    [HUAWEI] arp anti-attack gratuitous-arp drop  //Configure gratuitous ARP packet discarding globally or on a VLANIF interface as required.
  • Configure gratuitous ARP packet sending.

    Enable the switch to send gratuitous ARP packets on VLANIF 10.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 10  
    [HUAWEI-Vlanif10] arp gratuitous-arp send enable  //Configure gratuitous ARP packet sending globally or on a VLANIF interface as required.
  • Configure MAC address consistency check in an ARP packet.

    Enable MAC address consistency check in an ARP packet on the GE1/0/1 interface.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] arp validate source-mac destination-mac
  • Configure ARP packet validity check.

    Enable ARP packet validity check and configure the switch to check the source MAC address in an ARP packet.

    <HUAWEI> system-view
    [HUAWEI] arp anti-attack packet-check sender-mac  
    
  • Configure ARP gateway protection.

    Enable ARP gateway protection on the user-facing interface GE1/0/1 so that it discards ARP packets whose source IP address is the gateway address 10.10.10.1.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] arp filter source 10.10.10.1
  • Configure strict ARP learning.

    Enable strict ARP learning on VLANIF 100.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] arp learning strict force-enable  //Configure strict ARP learning globally or on a VLANIF interface as required.
  • Configure ARP learning triggered by DHCP.

    Enable ARP learning triggered by DHCP on VLANIF 100.

    <HUAWEI> system-view
    [HUAWEI] vlan batch 100
    [HUAWEI] dhcp enable
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] arp learning dhcp-trigger
  • Configure ARP proxy on a VPLS network.

    Enable ARP proxy over VPLS on the PE. DHCP snooping and DHCP snooping over VPLS must be enabled first.

    <HUAWEI> system-view
    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] dhcp snooping over-vpls enable
    [HUAWEI] arp over-vpls enable
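
The decision logic of the three ARP entry fixing modes described under Security Policy and enabled in the first configuration step, as an added Python example (not Huawei code). The host, interface and MAC values are constructed, and the `confirm` callback stands in for the unicast ARP Request a send-ack switch sends to the MAC address already recorded in the entry.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, Dict, List

class Mode(Enum):
    FIXED_MAC = "fixed-mac"
    FIXED_ALL = "fixed-all"
    SEND_ACK = "send-ack"

@dataclass(frozen=True)
class ArpEntry:
    """An ARP entry, or the same four fields taken from a received ARP packet
    (sender IP and MAC from the payload, inbound interface and VLAN from the switch)."""
    ip: str
    mac: str
    iface: str
    vlan: int

def apply_entry_fixing(table: Dict[str, ArpEntry], pkt: ArpEntry, mode: Mode,
                       confirm: Callable[[ArpEntry], bool]) -> str:
    """Decide what an entry-fixing switch does with one received ARP packet.

    `confirm` models the unicast ARP Request that send-ack mode sends to the MAC
    address already in the entry; it returns True if that host still answers.
    Returns 'learn', 'keep', 'update' or 'discard'."""
    cur = table.get(pkt.ip)
    if cur is None:                      # first packet for this IP: normal learning
        table[pkt.ip] = pkt
        return "learn"
    if cur == pkt:                       # nothing changed; only the aging timer is refreshed
        return "keep"
    if mode is Mode.FIXED_MAC:
        if pkt.mac != cur.mac:           # different MAC for a known IP: spoofing attempt
            return "discard"
        table[pkt.ip] = pkt              # same MAC on a new interface/VLAN: user has moved
        return "update"
    if mode is Mode.FIXED_ALL:
        return "discard"                 # any change of MAC, interface or VLAN is rejected
    # send-ack: ask the current owner before trusting the change
    if confirm(cur):
        return "discard"                 # original host still answers; newcomer is bogus
    table[pkt.ip] = pkt
    return "update"

def run_scenario(mode: Mode, owner_answers: bool) -> List[str]:
    """Feed three constructed packets for 10.10.10.2 through one mode: the legitimate
    host, the same host after moving to GE1/0/3, then an attacker on GE1/0/9 claiming
    the same IP address with its own MAC."""
    table: Dict[str, ArpEntry] = {}
    owner = ArpEntry("10.10.10.2", "aa:bb:cc:00:00:02", "GE1/0/2", 100)
    roamed = replace(owner, iface="GE1/0/3")
    attacker = replace(owner, mac="de:ad:be:ef:00:01", iface="GE1/0/9")
    return [apply_entry_fixing(table, p, mode, lambda _cur: owner_answers)
            for p in (owner, roamed, attacker)]

if __name__ == "__main__":
    for mode in Mode:
        print(f"{mode.value:10s} owner online : {run_scenario(mode, True)}")
        print(f"{mode.value:10s} owner offline: {run_scenario(mode, False)}")
```

Running it shows the trade-off between the modes: fixed-mac follows the roaming host but rejects the attacker, fixed-all rejects both, and send-ack rejects both while the original host answers but accepts the attacker's entry once that host stops responding. Send-ack therefore protects only hosts that are still reachable; a host that is powered off can still be impersonated.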
    
Copyright © Huawei Technologies Co., Ltd.