Overview of ARP Security

Definition

Address Resolution Protocol (ARP) security is a feature that protects devices from attacks that tamper with or forge ARP messages. ARP security implementation enhances device and network security.

Purpose

ARP is easy to use but lacks security protection mechanisms. Attackers may use ARP to attack network devices. The following ARP attacks exist on networks:
  • ARP spoofing attack

    Attackers send bogus ARP messages to modify ARP entries on gateways or valid hosts, interrupting the transmission of valid ARP messages.

  • ARP flooding attack

    Attackers forge a large number of ARP Request messages and gratuitous ARP messages whose IP addresses cannot be mapped to MAC addresses and send them to a device. As a result, the device's ARP table overflows and it can no longer cache valid ARP entries, so valid ARP messages cannot be transmitted.

These ARP attacks pose a serious threat to network security. ARP security offers various technologies to detect and protect against them. Table 1 describes how ARP security is implemented to defend against ARP attacks.
Table 1 ARP security solutions

| Attack Type | ARP Defense | Function Description | Benefits |
|---|---|---|---|
| ARP spoofing | Validity Check of ARP Packets | After receiving an ARP message, the device checks whether the source and destination MAC addresses in the Ethernet header are the same as those in the data field of the ARP message. If they differ, the device discards the ARP message; otherwise, the ARP message is allowed to pass through. | The ARP anti-spoofing function effectively defends against attacks initiated using ARP messages, ensuring the security and reliability of network communication. |
| ARP flooding | Strict ARP Learning | The device learns ARP entries only from ARP Reply messages that answer ARP Request messages it sent itself. This prevents attacks based on ARP Request messages and on ARP Reply messages that answer requests sent by other devices. | The ARP anti-flooding function effectively reduces the CPU load and prevents ARP entry overflow, ensuring the normal running of network devices. |
| ARP flooding | ARP Entry Limit | The device limits the maximum number of ARP entries that an interface can learn, preventing ARP entry overflow and keeping ARP entries secure. | (as above) |
| ARP flooding | ARP Message Rate Limiting | The device counts the ARP messages received within a specified period. If the count exceeds the threshold, the device ignores the excess ARP messages and does not process them, preventing ARP entry overflow. | (as above) |
| ARP flooding | ARP Miss Message Rate Limit | The device counts the ARP Miss messages received within a specified period. If the count exceeds the configured threshold, the device ignores the excess ARP Miss messages. This reduces the CPU load. | (as above) |
| ARP flooding | Gratuitous ARP Packet Discarding | After the function of discarding gratuitous ARP messages is enabled, the device directly discards gratuitous ARP messages to prevent ARP entry overflow. | (as above) |
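The validity check in Table 1, written out as an added example (not Huawei code): the frame parser compares the Ethernet header MACs with the sender and target hardware addresses in the ARP data field. The destination-MAC comparison is applied only to ARP Reply messages here, because a request carries a broadcast Ethernet destination and an unfilled target address; that narrowing is an assumption about the intended behaviour, not something the page states. The frames are constructed sample data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    """'192.0.2.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet/ARP frame (sample data for the check below, not a capture)."""
    payload = ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + payload


def arp_packet_check(frame: bytes) -> tuple:
    """Validity check from Table 1: header MACs must match the MACs in the ARP data field.

    Returns (accepted, reason) so a caller can log why a frame was discarded.
    """
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return False, "truncated frame"
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return False, "not an ARP frame"
    _, _, hlen, plen, oper, sha, _, tha, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (hlen, plen) != (6, 4):
        return False, "unexpected hardware/protocol address lengths"
    # Source side: the sender hardware address must be the MAC the frame really came from.
    if sha != eth_src:
        return False, "sender MAC in ARP data differs from Ethernet source MAC"
    # Destination side (assumption: replies only, since a request is broadcast with
    # an unfilled target MAC and would otherwise always be dropped).
    if oper == OP_REPLY and tha != eth_dst:
        return False, "target MAC in ARP data differs from Ethernet destination MAC"
    return True, "ok"
```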

Benefits

  • Deploying ARP security effectively reduces the maintenance cost of keeping the network running normally and its information secure.
  • ARP security provides users with a more secure network environment and more stable network services.
Copyright © Huawei Technologies Co., Ltd.