Welcome to IE-LAB!

Generic filters
Generic filters

HCIE Basic protection against ARP attacks

In order to avoid the various hazards caused by the above ARP attacks, ARP security features are provided for different attack types

A variety of solutions.

For ARP flood attacks, the following methods can be used for basic protection:

1. By limiting the rate of ARP packets, it is recommended to deploy it on the gateway device to prevent the CPU from being overloaded due to a large number of ARP packets and other services cannot be processed.

2. By deploying ARP Miss message speed limit on the gateway device, it prevents IP packets from being parsed normally due to receiving a large number of destination IPs, triggering a large number of ARPMiss messages and causing excessive CPU load.

3. By deploying unsolicited ARP messages on the gateway device and actively discarding them, it prevents the device from overloading the CPU due to processing a large number of free ARP messages.

4. Deploy strict learning control of ARP entries on the gateway device, and set that only the response message of the ARP request message actively sent by the local device can trigger the device to perform ARP learning. This can effectively prevent the device from receiving a large number of ARP attack packets, causing the ARP table to be filled with invalid ARP entries.

5. Deploy ARP entry restrictions on the gateway device, setting the device interface can only learn not to exceed the maximum number of dynamic ARP entries. It can prevent the ARP table resources of the entire device from being exhausted when a user host connected to an interface initiates an ARP attack.

6. Deploy the function of prohibiting the interface from learning ARP entries on the gateway device. By prohibiting an interface from learning ARP entries, it prevents the ARP attacks initiated by users connected to the interface from causing the entire device’s ARP table resources to be exhausted .

For ARP table spoofing attacks, the following methods can be used:

1. By deploying the ARP entry solidification function on the gateway device, after the device learns ARP for the first time, it will adopt the following methods to restrict entry update: users are no longer allowed to update this ARP entry, only this ARP Part of the information of the entry, or confirm it by sending an ARP request message, to prevent the attacker from forging the ARP message to modify the content of the normal user’s ARP entry. The ARP entry curing mode is generally divided into three modes: fixed-all mode, fixed-mac mode and send-ack mode.

2. Deploy dynamic ARP detection on the access device. After receiving the ARP packet, the device compares the source IP and source MAC of the ARP packet, the interface and VLAN information of the received ARP packet with the binding information If the information matches, it is considered a legitimate user and the user’s ARP packets are allowed to pass, otherwise it is considered as an attack packet, and the ARP packet is discarded. This method is only applicable when DHCP Snooping has been deployed.

3. Deploy the unsolicited ARP packet active discarding function on the gateway device. By actively discarding the gratuitous ARP packet, the device can prevent the device from receiving a large number of forged gratuitous ARP packets, resulting in incorrect update of ARP entries and legitimate users’ communication traffic. Interrupt.

4. Deploy the MAC address consistency check of ARP packets on the gateway device. Through the MAC address consistency check function of ARP packets, you can prevent the source and destination MAC addresses in the Ethernet data frame and the source and destination in the ARP packet data area. ARP spoofing attack where the destination MAC address is inconsistent.

5. The strict learning function of this ARP entry is deployed on the gateway device. After this function is turned on, only the response message of the ARP request message actively sent by the device can trigger the learning of the local device, while the ARP message sent by other devices The device cannot be triggered to learn ARP. It is used to prevent the device from receiving fake ARP packets, causing ARP entry update errors, and interrupting the communication traffic of legitimate users.

Get 100% accurate CCIE/ CCNP/CCNA/HCIE dumps in IELAB .

Please follow us if you like our articles.

visit us: http://ielab.network

Facebook : https://www.facebook.com/ielab.network/

Linkedin: https://www.linkedin.com/company/ielabnetwork/

WhatsApp: +8617782638871


error: Content is protected !!
× How can I help you?