Defense Against IP Address Spoofing Attacks

Attack Behavior

As networks continue to grow in scale, many attackers forge source IP addresses to launch network attacks. Such attacks are called IP address spoofing attacks. Some attackers use the IP addresses of authorized users to obtain network access rights and access the network; as a result, the authorized users are unable to access the network, or their information is leaked.

Security Policy

IP Source Guard (IPSG) filters source IP addresses based on Layer 2 interfaces to prevent network access of malicious hosts that use stolen IP addresses. In addition, IPSG prevents unauthorized hosts from accessing or attacking networks using forged IP addresses.

IPSG checks IP packets on Layer 2 interfaces against a binding table that contains the binding relationships of source IP addresses, source MAC addresses, VLANs, and inbound interfaces. Packets matching the binding table are forwarded, and other packets are discarded.

Static and dynamic binding tables are available.
  • Static binding table-based IPSG is applicable to a LAN with only a few hosts using static IP addresses.
  • Dynamic binding table-based IPSG is applicable when a large number of hosts reside on a LAN or hosts obtain IP addresses through DHCP.

Configuration Method

  • Configure static binding table-based IPSG.

    Static binding entries can be IPv4 or IPv6 entries; choose the type that matches your network. IPv4 is used as an example here.

    <HUAWEI> system-view
    [HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001  //Create a static binding entry.
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable  //Enable IPSG on an interface or VLAN as required.
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm enable  //Enable the IP packet check alarm function.
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm threshold 200  //An alarm is generated when the packet discarding threshold reaches 200.
    [HUAWEI-GigabitEthernet1/0/1] quit
  • Configure dynamic binding table-based IPSG.

    Dynamic binding entries can be IPv4 or IPv6 entries; choose the type that matches your network. This example assumes that IPv4 hosts obtain IP addresses through DHCP, so DHCP snooping can be configured to generate DHCP snooping dynamic binding entries.

    <HUAWEI> system-view
    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] interface gigabitethernet 1/0/1
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
    [HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable  //Enable IPSG on an interface or VLAN as required.
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm enable  //Enable the IP packet check alarm function.
    [HUAWEI-GigabitEthernet1/0/1] ip source check user-bind alarm threshold 200  //An alarm is generated when the packet discarding threshold reaches 200.
    [HUAWEI-GigabitEthernet1/0/1] quit
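The following Python model, added here as an illustration and not code from Huawei or from this page, shows what the two procedures above configure: a binding table of (source IP, source MAC, VLAN, inbound interface) populated by static user-bind entries and by entries learned from DHCP snooping, a per-interface check that forwards only packets matching an entry, and a discard counter that raises an alarm once the configured threshold is reached. The static entry reuses the page's 10.0.0.1 / 0001-0001-0001 pair; the VLAN, interface names, the dynamic entry, the lease time and the small alarm threshold are constructed for the demo.

```python
"""Toy model of IP Source Guard (IPSG): every packet arriving on an
IPSG-enabled Layer 2 interface is checked against a binding table of
(source IP, source MAC, VLAN, inbound interface). Added example; not
the switch's real implementation."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    expires_at: Optional[float] = None  # None: static entry, never ages out


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str


@dataclass
class IfState:
    """Per-interface IPSG state (mirrors 'ip source check user-bind ...')."""
    alarm_threshold: int = 200
    discarded: int = 0
    alarm_raised: bool = False


class IPSG:
    def __init__(self) -> None:
        self.bindings: Set[Binding] = set()
        self.enabled: Dict[str, IfState] = {}

    # 'user-bind static ip-address ... mac-address ...' (VLAN/port assumed)
    def user_bind_static(self, ip: str, mac: str, vlan: int, interface: str) -> None:
        self.bindings.add(Binding(ip, mac, vlan, interface))

    # Entry as DHCP snooping would learn it from a completed DHCP exchange;
    # it carries the lease end so it ages out together with the lease.
    def dhcp_snooping_learn(self, ip: str, mac: str, vlan: int,
                            interface: str, lease_end: float) -> None:
        self.bindings.add(Binding(ip, mac, vlan, interface, lease_end))

    # 'ip source check user-bind enable' plus 'alarm threshold N'
    def enable(self, interface: str, alarm_threshold: int = 200) -> None:
        self.enabled[interface] = IfState(alarm_threshold)

    def _matches(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.interface)
        for b in self.bindings:
            if b.expires_at is not None and b.expires_at <= now:
                continue  # dynamic entry whose lease has expired
            if (b.ip, b.mac, b.vlan, b.interface) == key:
                return True
        return False

    def check(self, pkt: Packet, now: float = 0.0) -> bool:
        """Return True if the packet is forwarded, False if it is discarded."""
        state = self.enabled.get(pkt.interface)
        if state is None:
            return True  # IPSG not enabled on this interface: no check
        if self._matches(pkt, now):
            return True
        state.discarded += 1
        if state.discarded >= state.alarm_threshold:
            state.alarm_raised = True  # the switch would emit the alarm here
        return False


def run_demo() -> dict:
    """Constructed scenario: one static host, one DHCP host, one unguarded port."""
    sw = IPSG()
    sw.user_bind_static("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")
    sw.dhcp_snooping_learn("10.0.0.50", "0002-0002-0002", 10, "GE1/0/2", lease_end=3600.0)
    sw.enable("GE1/0/1", alarm_threshold=3)  # small threshold for the demo
    sw.enable("GE1/0/2", alarm_threshold=3)

    legit_static = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/1")
    spoofed_ip = Packet("10.0.0.1", "0003-0003-0003", 10, "GE1/0/1")   # right IP, wrong MAC
    moved_port = Packet("10.0.0.1", "0001-0001-0001", 10, "GE1/0/2")   # right host, wrong port
    legit_dyn = Packet("10.0.0.50", "0002-0002-0002", 10, "GE1/0/2")
    unguarded = Packet("192.0.2.9", "0004-0004-0004", 20, "GE1/0/3")   # IPSG not enabled here

    results = {
        "legit_static": sw.check(legit_static),
        "spoofed_ip": sw.check(spoofed_ip),
        "moved_port": sw.check(moved_port),
        "dyn_in_lease": sw.check(legit_dyn, now=100.0),
        "dyn_after_lease": sw.check(legit_dyn, now=4000.0),
        "unguarded_port": sw.check(unguarded),
    }
    # Two more spoofed packets bring GE1/0/1's discard count to the threshold of 3.
    sw.check(spoofed_ip)
    sw.check(spoofed_ip)
    results["ge1_discarded"] = sw.enabled["GE1/0/1"].discarded
    results["ge1_alarm"] = sw.enabled["GE1/0/1"].alarm_raised
    results["ge2_alarm"] = sw.enabled["GE1/0/2"].alarm_raised
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: a packet with the correct IP but the wrong MAC or the wrong inbound port is discarded even though the IP itself is bound, so a stolen address alone does not get through, and a DHCP-learned entry stops matching once its lease ends, which is why a host that keeps an address past its lease is dropped until it renews. The interface without IPSG enabled is not checked at all, so the feature only protects ports where it is switched on.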
Copyright © Huawei Technologies Co., Ltd.