
Defense Against ARP Flood Attacks

Attack Behavior

If a large number of ARP packets are broadcast on the network, the gateway's CPU is overloaded processing them and cannot handle other services. Processing so many ARP packets also occupies considerable bandwidth, leading to network congestion and affecting network communication.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:
  • ARP entry limit

    The switch limits the number of ARP entries that an interface can learn to prevent ARP entry overflow and improve ARP entry security.

  • ARP packet rate limit

    The switch counts ARP packets received in a specified period. If the number of ARP packets exceeds the limit, the switch does not process excess ARP packets to prevent ARP entry overflow.

  • Strict ARP learning

    The switch learns only ARP entries from ARP Reply packets that answer ARP Request packets it sent itself. This prevents attacks that use ARP Reply packets answering ARP Request packets sent by other devices.

  • ARP port-level protection

    The switch monitors the ARP packet rate per port. When the rate of ARP packets sent from one port to the control plane exceeds the specified threshold, the switch sends that port's ARP packets to the control plane through an independent channel, so the attack does not affect valid ARP packets. Alternatively, the switch can block the ARP packets on the attacked port for a certain period of time instead of sending them through an independent channel.

  • ARP user-level protection

    The switch monitors the rate of ARP packets sent to the control plane based on users (MAC or IP addresses). When the rate of ARP packets from a user exceeds the specified threshold, the switch discards the packets for a certain period of time.

Some low-end fixed switches do not support ARP port-level or user-level protection.
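As an added illustration of the strict ARP learning rule above (a constructed Python model, not Huawei's implementation), the following table installs an entry only when a Reply answers a Request the switch itself sent; all addresses and packets are made up:

```python
"""Model of strict ARP learning: an ARP table installs an entry only for a
Reply that answers a Request the switch itself sent.  Added example, not
Huawei code; addresses and packets are constructed."""
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class StrictArpTable:
    my_ip: str
    pending: set = field(default_factory=set)   # IPs we have a Request out for
    entries: dict = field(default_factory=dict) # learned ip -> mac
    dropped: list = field(default_factory=list) # Replies refused in strict mode

    def send_request(self, target_ip):
        """Record an outstanding Request so that its Reply may be learned."""
        self.pending.add(target_ip)
        return ArpPacket("request", self.my_ip, "00:00:5e:00:53:01", target_ip)

    def receive(self, pkt):
        """Strict mode: learn only from a Reply addressed to us that answers
        an IP we asked for. Other Replies are refused and Requests are never
        used to learn an entry. Returns True if an entry was installed."""
        if pkt.op != "reply":
            return False
        if pkt.target_ip != self.my_ip or pkt.sender_ip not in self.pending:
            self.dropped.append(pkt)
            return False
        self.entries[pkt.sender_ip] = pkt.sender_mac
        self.pending.discard(pkt.sender_ip)
        return True

def demo():
    """Constructed exchange: one solicited Reply, two Replies we never asked
    for (one answering another host's Request), and a plain Request."""
    table = StrictArpTable(my_ip="192.0.2.1")
    table.send_request("192.0.2.10")
    results = [
        table.receive(ArpPacket("reply", "192.0.2.10", "00:00:5e:00:53:10", "192.0.2.1")),
        table.receive(ArpPacket("reply", "192.0.2.20", "00:00:5e:00:53:20", "192.0.2.1")),
        table.receive(ArpPacket("reply", "192.0.2.30", "00:00:5e:00:53:30", "192.0.2.99")),
        table.receive(ArpPacket("request", "192.0.2.40", "00:00:5e:00:53:40", "192.0.2.1")),
    ]
    return results, dict(table.entries), len(table.dropped)
```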

Configuration Method

  • Configure the ARP entry limit.

    Set the maximum number of ARP entries that a specified interface can learn.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] arp-limit maximum 20
  • Configure the ARP packet rate limit.

    Set the rate of source IP address-based timestamp suppression for ARP packets to 50 pps.

    <HUAWEI> system-view
    [HUAWEI] arp speed-limit source-ip maximum 50
  • Configure strict ARP learning.

    Strict ARP learning can be configured globally or on a specified interface.
    • If strict ARP learning is configured both globally and on a specified interface, only the settings on the interface take effect.

    • If strict ARP learning is not configured on any interface, the global settings take effect.

    Enable strict ARP learning globally.

    <HUAWEI> system-view
    [HUAWEI] arp learning strict

    Enable strict ARP learning on a specified interface.

    <HUAWEI> system-view
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] arp learning strict force-enable
  • Configure ARP port-level protection.

    ARP port-level protection is enabled by default and does not need to be manually configured. In addition, you can configure an ARP packet rate limit on an interface.

    Configure the GE0/0/1 interface to allow a maximum of 50 ARP packets to pass through within 1 second. When the rate of ARP packets exceeds this limit, the interface discards ARP packets for 60 seconds.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 0/0/1
    [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
    [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 50 block-timer 60
  • Configure ARP user-level protection.

    ARP user-level protection is implemented based on users' MAC or IP addresses. To prevent valid addresses from being filtered out, add valid interfaces (generally upstream or network-side interfaces) to the attack source tracing whitelist so that traffic from them is not traced or denied.

    <HUAWEI> system-view
    [HUAWEI] cpu-defend policy antiatk
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend enable
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend threshold 30
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend attack-packet sample 5
    [HUAWEI-cpu-defend-policy-antiatk] undo auto-defend trace-type source-portvlan
    [HUAWEI-cpu-defend-policy-antiatk] undo auto-defend protocol tcp telnet ttl-expired igmp icmp dhcpv6 mld nd
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend action deny timer 300
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 1 interface gigabitethernet 1/0/1  //Add the uplink or network-side interface to the whitelist.
    [HUAWEI-cpu-defend-policy-antiatk] auto-defend whitelist 2 interface gigabitethernet 2/0/0  //Add the uplink or network-side interface to the whitelist.
    [HUAWEI-cpu-defend-policy-antiatk] quit
    [HUAWEI] cpu-defend-policy antiatk  //Apply the attack defense policy to the main control board.
    [HUAWEI] cpu-defend-policy antiatk global  //Apply the attack defense policy to all interface boards or the switch.
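To make the port-level rate limit and block timer concrete, here is an added Python model (not Huawei code) of the behaviour configured above: at most 50 ARP packets per second per port, after which that port's ARP packets are discarded for 60 seconds while other ports are unaffected; the port names, timestamps and traffic are constructed.

```python
"""Model of ARP port-level rate limiting with a block timer, the behaviour
configured by "arp anti-attack rate-limit packet 50 block-timer 60".
Added example, not Huawei code; ports, times and traffic are constructed."""
from collections import defaultdict

class ArpPortRateLimiter:
    def __init__(self, max_pps=50, block_timer=60):
        self.max_pps = max_pps          # ARP packets allowed per 1 s window
        self.block_timer = block_timer  # seconds a port is blocked after exceeding it
        self.window_start = {}          # port -> start time of its current window
        self.count = defaultdict(int)   # port -> ARP packets seen in that window
        self.blocked_until = {}         # port -> time at which the block expires
        self.dropped = defaultdict(int) # port -> ARP packets discarded

    def accept(self, port, now):
        """True if an ARP packet arriving on port at time now goes to the
        control plane, False if it is discarded."""
        if now < self.blocked_until.get(port, 0.0):
            self.dropped[port] += 1
            return False
        if now - self.window_start.get(port, -1.0) >= 1.0:  # new 1 s window
            self.window_start[port] = now
            self.count[port] = 0
        self.count[port] += 1
        if self.count[port] > self.max_pps:
            # Limit exceeded: discard and block only this port for block_timer s
            self.blocked_until[port] = now + self.block_timer
            self.dropped[port] += 1
            return False
        return True

def simulate():
    """Constructed traffic: GE0/0/1 floods 200 ARP packets within one second
    while GE0/0/2 sends a normal trickle and must not be affected."""
    lim = ArpPortRateLimiter(max_pps=50, block_timer=60)
    passed = defaultdict(int)
    for i in range(200):                      # flood, t in [0, 1)
        if lim.accept("GE0/0/1", i / 200):
            passed["GE0/0/1"] += 1
    for t in (0.1, 0.5, 0.9, 30.0, 61.0):     # legitimate rate on GE0/0/2
        if lim.accept("GE0/0/2", t):
            passed["GE0/0/2"] += 1
    late = lim.accept("GE0/0/1", 30.0)        # still inside the 60 s block
    recovered = lim.accept("GE0/0/1", 61.5)   # block expired, counting restarts
    return dict(passed), late, recovered, lim.dropped["GE0/0/1"]
```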
Copyright © Huawei Technologies Co., Ltd.