Updated: Dec 30, 2020
ARP (Address Resolution Protocol) security is a set of device features that protect against ARP attacks. It applies restrictions and checks to ARP entry learning and ARP packet processing in order to keep network devices secure. The ARP security feature not only prevents attacks against the ARP protocol itself but also prevents attacks that are carried out through ARP, such as network segment scanning.
1. ARP attacks:
ARP is simple and easy to use, but because it has no security mechanism of any kind it is easily abused by attackers. Common ARP attacks on a network include:
(1) ARP flood attack:
This is also called a denial of service (DoS) attack. There are two main scenarios:
① Processing ARP packets and maintaining ARP entries consumes system resources on the device. At the same time, to keep ARP table lookups efficient, a device generally imposes an upper limit on the size of its ARP table. Attackers exploit this by forging a large number of ARP packets with constantly changing source IP addresses, so that the device's ARP table resources are exhausted by invalid entries, ARP packets from legitimate users can no longer create entries, and normal communication is interrupted.
② When an attacker uses tools to scan hosts on the local network segment or across network segments, the attacker sends the device a large number of IP packets whose destination IP addresses cannot be resolved. The device then generates a large number of ARP Miss messages, creates and delivers a large number of temporary ARP entries, and broadcasts a large number of ARP request packets to resolve the destination IP addresses, which overloads the CPU (Central Processing Unit).
(2) ARP spoofing attack:
The attacker sends forged ARP packets to maliciously modify the ARP entries of the device or of other user hosts on the network, causing abnormal packet exchange between users or between users and the network.
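As an added illustration (not part of the original article), the following Python checks a constructed set of ARP records for the two patterns just described: one source MAC cycling through many source IP addresses (the table-exhaustion flood in ①) and one IP address claimed by more than one MAC (the forged-entry pattern of ARP spoofing). The record format, the thresholds and all sample values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample ARP records (not from the article): (time_s, src_mac, src_ip, opcode)
SAMPLE_ARP = [
    (0.0, "aa:aa:aa:aa:aa:01", "10.0.0.11", "reply"),
    (0.1, "aa:aa:aa:aa:aa:02", "10.0.0.12", "request"),
    # one MAC cycling through 40 source IPs in under a second: table-exhaustion flood
    *[(0.2 + i * 0.01, "bb:bb:bb:bb:bb:01", f"10.0.0.{100 + i}", "request") for i in range(40)],
    # a second MAC claiming the IP already announced by aa:..:01: spoofing indicator
    (1.0, "cc:cc:cc:cc:cc:01", "10.0.0.11", "reply"),
]

def detect_arp_flood(records, window_s=1.0, max_ips_per_mac=20):
    """Return the set of source MACs that announced more than max_ips_per_mac
    distinct source IPs within any window_s-second window (assumed threshold)."""
    history = defaultdict(list)   # src_mac -> [(time, src_ip), ...]
    flagged = set()
    for t, mac, ip, _ in records:
        history[mac].append((t, ip))
        recent_ips = {ip_ for ts, ip_ in history[mac] if t - ts <= window_s}
        if len(recent_ips) > max_ips_per_mac:
            flagged.add(mac)
    return flagged

def detect_arp_spoof(records):
    """Return {src_ip: {src_mac, ...}} for every IP claimed by more than one MAC."""
    owners = defaultdict(set)
    for _, mac, ip, _ in records:
        owners[ip].add(mac)
    return {ip: macs for ip, macs in owners.items() if len(macs) > 1}
```

On the constructed records, `detect_arp_flood` flags only the MAC that cycles through source IPs and `detect_arp_spoof` reports the one IP with two claimants.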
2. Harm caused by ARP attacks:
ARP attacks cause the following harm:
① They make the network connection unstable and interrupt user communication, causing serious economic loss.
② ARP spoofing is used to intercept user packets and then illegally obtain account names and passwords for systems such as games, online banking and file services, causing significant losses for the victims.
3. ARP security methods:
(1) Solutions to ARP flood attacks:
Part 1: ARP packet rate limiting:
If the device processed every one of a large number of received ARP packets, the CPU could be overloaded and unable to handle other services. Therefore the device rate-limits ARP packets before processing them, in order to protect CPU resources.
The device provides the following types of ARP packet rate limiting:
A) ARP packet rate limiting based on source MAC address or source IP address
B) ARP packet rate limiting globally, per VLAN and per interface
① ARP packet rate limiting based on source MAC address or source IP address:
When the device detects that a user is sending a large number of ARP packets in a short period of time, ARP packet rate limiting based on the source MAC address or source IP address can be configured for that user. If the number of ARP packets from that user within 1 second exceeds the configured threshold (the ARP packet rate limit), the ARP packets beyond the threshold are discarded.
② Rate limiting ARP packets by source MAC address:
If a MAC address is specified, ARP packets with that source MAC address are rate-limited according to the configured limit; if no MAC address is specified, ARP packets from each source MAC address are rate-limited individually according to the configured limit.
③ Rate limiting ARP packets by source IP address:
If an IP address is specified, ARP packets with that source IP address are rate-limited according to the configured limit; if no IP address is specified, ARP packets from each source IP address are rate-limited individually according to the configured limit.
④ Rate limiting ARP packets globally, per VLAN and per interface:
The device supports configuring an ARP packet rate limit value and a rate limit duration globally, per VLAN and per interface. When rate limit values and durations are configured at the global, VLAN and interface levels at the same time, the device applies the interface limit first, then the VLAN limit, and finally the global limit.
In addition, an ARP packet blocking period can be specified on an interface. If the number of ARP packets received on an interface within the rate limit duration exceeds the configured threshold (the ARP packet rate limit value), the ARP packets beyond the threshold are discarded, and during the following period (the ARP packet blocking period) all ARP packets received on that interface are discarded.
① Global ARP packet rate limiting: when an ARP attack occurs on the device, the number of ARP packets processed globally is limited.
② ARP packet rate limiting in a VLAN: when an ARP attack occurs on all interfaces in a VLAN, the number of ARP packets received in that VLAN is limited. Configuring this function ensures that ARP learning on interfaces in other VLANs is not affected.
③ ARP packet rate limiting on an interface: when an ARP attack occurs on an interface, the number of ARP packets received on that interface is limited. Configuring this function ensures that ARP learning on other interfaces is not affected.
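To make the interaction of these limits concrete, here is an added Python model (illustrative, not the device's implementation) of the checks described in Part 1: per-source limits over a 1 second window, then the interface, VLAN and global limits in that order, with an interface blocking period once the interface threshold is exceeded. The scope keys, the interface name `GE0/0/1` and all numeric values are constructed assumptions.

```python
from collections import defaultdict, deque

class ArpRateLimiter:
    """Illustrative model of the ARP rate limits described in the text (not device code).
    limits maps a scope key to (max_packets, limit_window_s); scope keys are
    ("iface", name), ("vlan", id) or ("global",). block_s is the interface blocking period."""

    def __init__(self, limits, per_source_max=None, block_s=0.0):
        self.limits = limits
        self.per_source_max = per_source_max  # packets per 1 s per source MAC and per source IP
        self.block_s = block_s
        self.counted = defaultdict(deque)     # key -> timestamps counted in the current window
        self.blocked_until = {}               # interface -> time until which all ARP is dropped

    def _exceeds(self, key, t, max_pkts, window_s):
        """Count a packet at time t against key; True if it lies beyond the threshold."""
        q = self.counted[key]
        while q and t - q[0] > window_s:      # forget timestamps that left the window
            q.popleft()
        if len(q) >= max_pkts:
            return True
        q.append(t)
        return False

    def accept(self, t, iface, vlan, src_mac, src_ip):
        """True if the device would go on to process this ARP packet, False if it is discarded."""
        if t < self.blocked_until.get(iface, 0.0):
            return False                      # interface is inside its blocking period
        if self.per_source_max is not None:
            for src_key in (("mac", src_mac), ("ip", src_ip)):
                if self._exceeds(src_key, t, self.per_source_max, 1.0):
                    return False
        # interface limit first, then VLAN, then global, in the order the text describes
        for scope in (("iface", iface), ("vlan", vlan), ("global",)):
            if scope in self.limits:
                max_pkts, window_s = self.limits[scope]
                if self._exceeds(scope, t, max_pkts, window_s):
                    if scope[0] == "iface" and self.block_s > 0:
                        self.blocked_until[iface] = t + self.block_s
                    return False
        return True

def simulate_interface_burst():
    """Constructed scenario: 20 ARP packets in 2 s on GE0/0/1 with an interface limit of
    5 per second and a 10 s blocking period. Returns (accepted, discarded)."""
    lim = ArpRateLimiter({("iface", "GE0/0/1"): (5, 1.0), ("global",): (100, 1.0)}, block_s=10.0)
    results = [lim.accept(i * 0.1, "GE0/0/1", 10, "aa:aa:aa:aa:aa:01", f"10.0.0.{i}")
               for i in range(20)]
    return results.count(True), results.count(False)
```

In the burst scenario the first five packets pass, the sixth trips the interface limit and starts the blocking period, and every later packet is discarded even though the global limit was never reached.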