Updated: Dec 30, 2020
Strict learning of ARP entries
If many users send large numbers of ARP packets to the device in the same period, or an attacker sends the device forged ARP packets that impersonate normal users, the following harm results:
●The device processes a large number of ARP packets, overloading the CPU. It also learns a large number of ARP entries, which can exhaust the device's ARP table with invalid entries so that legitimate users' ARP packets no longer produce entries and those users cannot communicate normally.
●Forged ARP packets overwrite the device's ARP entries with incorrect information, so the affected users cannot communicate normally.
To avoid these hazards, deploy strict ARP entry learning on the gateway device. With strict learning, only an ARP reply to an ARP request that the device itself sent can trigger ARP learning; ARP packets that other devices send to the device on their own initiative do not trigger learning, so most ARP packet attacks are rejected.
Normally, when UserA sends an ARP request to Gateway, Gateway responds to UserA with an ARP reply and adds or updates the ARP entry for UserA. After strict ARP entry learning is configured on Gateway:
●When Gateway receives an ARP request from UserA, it does not add or update the ARP entry for UserA. If the request asks for Gateway's MAC address, Gateway still answers UserA with an ARP reply.
●If Gateway itself sends an ARP request to UserB, then on receiving the ARP reply to that request it adds or updates the ARP entry for UserB.
ARP table entry restriction
The ARP entry restriction function is applied on the gateway device to limit the number of dynamic ARP entries that one interface can learn. By default, the number of dynamic ARP entries an interface can learn equals the device's global ARP entry specification. Once the restriction is deployed and the dynamic ARP entries on the specified interface reach the configured maximum, the interface learns no further dynamic entries, so an ARP attack launched by a host behind one interface cannot exhaust the ARP table of the whole device.
Forbid the interface to learn ARP entries
When an interface is learning a large number of dynamic ARP entries, you can, for security reasons, disable dynamic ARP entry learning on that interface. An ARP attack launched by a host connected to the interface then cannot exhaust the ARP table resources of the whole device.
Combining per-interface learning disable with strict ARP entry learning gives the device finer-grained control over dynamic ARP learning on each interface.
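The three learning controls described above (strict learning, the per-interface entry limit, and per-interface learning disable), modelled in Python as an added illustration for these notes. It is not vendor code: the Gateway and Interface classes, the interface names and the addresses are my own assumptions. On Huawei VRP the corresponding commands are, to my recollection, arp learning strict (system view) and arp learning disable (interface view); verify them against your platform's command reference.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "00:00:00:00:00:00"


@dataclass
class Interface:
    name: str                        # hypothetical interface name, e.g. "GE0/0/1"
    limit: Optional[int] = None      # ARP entry restriction: cap on dynamic entries learned here
    learning_disabled: bool = False  # "forbid the interface to learn ARP entries"


class Gateway:
    """Toy model of a gateway's dynamic ARP table and its learning controls (not vendor code)."""

    def __init__(self, ip: str, mac: str, interfaces: Iterable[Interface], strict: bool = False):
        self.ip, self.mac, self.strict = ip, mac, strict
        self.table: Dict[str, Tuple[str, str]] = {}  # ip -> (mac, learning interface)
        self.pending: Set[str] = set()                # IPs the gateway itself has requested
        self.interfaces = {i.name: i for i in interfaces}

    def dynamic_count(self, iface_name: str) -> int:
        return sum(1 for _, name in self.table.values() if name == iface_name)

    def send_request(self, target_ip: str) -> ArpPacket:
        """Resolve target_ip ourselves; under strict learning only the reply to this is learned."""
        self.pending.add(target_ip)
        return ArpPacket(ARP_REQUEST, self.ip, self.mac, target_ip)

    def _try_learn(self, pkt: ArpPacket, iface_name: str) -> bool:
        iface = self.interfaces[iface_name]
        if iface.learning_disabled:
            return False
        if self.strict and pkt.sender_ip not in self.pending:
            return False  # strict mode: unsolicited packets never create or update entries
        is_new = pkt.sender_ip not in self.table
        if is_new and iface.limit is not None and self.dynamic_count(iface_name) >= iface.limit:
            return False  # interface at its cap: no new entries (existing ones may still refresh)
        self.table[pkt.sender_ip] = (pkt.sender_mac, iface_name)
        self.pending.discard(pkt.sender_ip)
        return True

    def receive(self, pkt: ArpPacket, iface_name: str) -> Tuple[bool, Optional[ArpPacket]]:
        """Handle one inbound ARP packet; returns (entry added/updated?, reply sent or None)."""
        learned, reply = False, None
        if pkt.op == ARP_REQUEST:
            if pkt.target_ip == self.ip:  # a request for our MAC is answered in every mode
                reply = ArpPacket(ARP_REPLY, self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)
            if not self.strict:           # normal mode also learns from requests; strict mode never does
                learned = self._try_learn(pkt, iface_name)
        elif pkt.op == ARP_REPLY and pkt.target_ip == self.ip:
            learned = self._try_learn(pkt, iface_name)
        return learned, reply


def demo() -> Dict[str, bool]:
    """Walk the UserA/attacker scenarios from the text; every value should come out True."""
    gw_ip, gw_mac = "10.0.0.1", "02:00:00:00:00:01"
    a_ip, a_mac, attacker_mac = "10.0.0.10", "02:00:00:00:00:0a", "02:00:00:00:00:ee"
    r: Dict[str, bool] = {}

    # Normal learning: UserA's request is answered and learned, then a forged reply overwrites it.
    gw = Gateway(gw_ip, gw_mac, [Interface("GE0/0/1")])
    learned, reply = gw.receive(ArpPacket(ARP_REQUEST, a_ip, a_mac, gw_ip), "GE0/0/1")
    r["normal_learns_from_request"] = learned and reply is not None
    gw.receive(ArpPacket(ARP_REPLY, a_ip, attacker_mac, gw_ip, gw_mac), "GE0/0/1")
    r["normal_poisoned_by_forged_reply"] = gw.table[a_ip][0] == attacker_mac

    # Strict learning: request answered but not learned, forged reply ignored, own request's reply learned.
    gw = Gateway(gw_ip, gw_mac, [Interface("GE0/0/1")], strict=True)
    learned, reply = gw.receive(ArpPacket(ARP_REQUEST, a_ip, a_mac, gw_ip), "GE0/0/1")
    r["strict_answers_without_learning"] = (not learned) and reply is not None
    learned, _ = gw.receive(ArpPacket(ARP_REPLY, a_ip, attacker_mac, gw_ip, gw_mac), "GE0/0/1")
    r["strict_rejects_forged_reply"] = (not learned) and a_ip not in gw.table
    gw.send_request(a_ip)
    learned, _ = gw.receive(ArpPacket(ARP_REPLY, a_ip, a_mac, gw_ip, gw_mac), "GE0/0/1")
    r["strict_learns_solicited_reply"] = learned and gw.table[a_ip][0] == a_mac

    # Entry limit and learning disable: a flood from one interface cannot fill the table.
    gw = Gateway(gw_ip, gw_mac, [Interface("GE0/0/2", limit=2), Interface("GE0/0/3", learning_disabled=True)])
    flood = [gw.receive(ArpPacket(ARP_REQUEST, f"10.0.0.{n}", f"02:00:00:00:00:{n:02x}", gw_ip),
                        "GE0/0/2")[0] for n in range(100, 110)]
    r["limit_caps_interface"] = flood.count(True) == 2 and gw.dynamic_count("GE0/0/2") == 2
    learned, reply = gw.receive(ArpPacket(ARP_REQUEST, "10.0.0.50", "02:00:00:00:00:50", gw_ip), "GE0/0/3")
    r["disabled_interface_still_replies"] = (not learned) and reply is not None
    return r
```

Two things the model makes visible that the prose does not. First, strict learning restricts which packets may trigger learning but does not authenticate them: if the gateway has an outstanding request for UserA's IP, a forged reply that arrives before the real one is accepted, so the control narrows the attack window rather than closing it. Second, the entry limit only blocks new entries; a host already in the table can still refresh its own entry, which is why the limit is a resource-exhaustion control and not a spoofing control.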
Solutions to ARP spoofing attacks
There are many defenses against ARP spoofing; one of them, the ARP packet validity check, is introduced here. It can be deployed on access devices or gateway devices to filter ARP packets that carry illegal MAC or IP addresses. The device supports the following three checks, which can be enabled in any combination.
● Source MAC address check:
The device checks whether the source (sender) MAC address carried in the ARP packet body matches the source MAC address in the Ethernet frame header. If they match, the packet is considered legal; otherwise it is discarded.
● Destination MAC address check:
The device checks whether the destination (target) MAC address carried in an ARP reply matches the destination MAC address in the Ethernet frame header. If they match, the packet is considered legal; otherwise it is discarded. ARP requests are not subject to this check, since they are broadcast with an all-zero target MAC.
● IP address check:
The device checks the source and destination IP addresses in the ARP packet: all-zeros, all-ones and multicast addresses are illegal and the packet is discarded. For ARP replies both the source and destination IP addresses are checked; for ARP requests only the source IP address is checked.
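The three checks above, implemented over raw Ethernet/ARP frames in Python as an added example for these notes, not vendor code. It parses the frame with struct, applies whichever checks are enabled, and exercises them on constructed frames: a legitimate request and reply, a reply whose Ethernet source differs from its ARP sender MAC, a unicast reply whose ARP target MAC is the broadcast address, a request with a multicast sender IP, and an RFC 5227 ARP probe. The addresses and function names are my own; on Huawei VRP the feature is, as I recall it, configured with arp anti-attack packet-check { dst-mac | ip | sender-mac } in system view, which should be verified in your command reference.

```python
import ipaddress
import struct
from typing import Dict, Tuple

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II + ARP-over-IPv4 frame from readable fields (used only to build test data)."""
    return ETH.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP over Ethernet/IPv4")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def ip_is_illegal(packed: bytes) -> bool:
    """All-zeros, all-ones or multicast: the three cases the text treats as illegal."""
    return packed in (b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") or ipaddress.IPv4Address(packed).is_multicast


def check_arp_frame(frame: bytes, sender_mac: bool = True, dst_mac: bool = True,
                    ip_check: bool = True) -> Tuple[bool, str]:
    """Apply the enabled checks in order; returns (accepted, reason). Any combination may be on."""
    p = parse_arp_frame(frame)
    if sender_mac and p["sha"] != p["eth_src"]:
        return False, "sender-mac: ARP sender MAC differs from Ethernet source MAC"
    # Requests are broadcast with an all-zero target MAC, so the dst-mac check is reply-only.
    if dst_mac and p["op"] == ARP_REPLY and p["tha"] != p["eth_dst"]:
        return False, "dst-mac: ARP target MAC differs from Ethernet destination MAC"
    if ip_check:
        if ip_is_illegal(p["spa"]):
            return False, "ip: illegal sender IP"
        if p["op"] == ARP_REPLY and ip_is_illegal(p["tpa"]):  # target IP is checked on replies only
            return False, "ip: illegal target IP"
    return True, "ok"


# Constructed sample frames (hypothetical addresses).
GW_MAC, GW_IP = "02:00:00:00:00:01", "10.0.0.1"
A_MAC, A_IP = "02:00:00:00:00:0a", "10.0.0.10"
ATTACKER_MAC = "02:00:00:00:00:ee"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

FRAMES = {
    "good_request": build_arp_frame(BCAST, A_MAC, ARP_REQUEST, A_MAC, A_IP, ZERO, GW_IP),
    "good_reply": build_arp_frame(A_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, A_MAC, A_IP),
    # The attacker's NIC sends the frame, but the ARP body claims to be the gateway.
    "spoofed_sender": build_arp_frame(A_MAC, ATTACKER_MAC, ARP_REPLY, GW_MAC, GW_IP, A_MAC, A_IP),
    # Unicast frame whose ARP body names the broadcast MAC as target.
    "bad_target_mac": build_arp_frame(A_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, BCAST, A_IP),
    "multicast_sender_ip": build_arp_frame(BCAST, A_MAC, ARP_REQUEST, A_MAC, "224.0.0.1", ZERO, GW_IP),
    # RFC 5227 address-conflict probe: sender IP 0.0.0.0, legitimate but fails the IP check.
    "arp_probe": build_arp_frame(BCAST, A_MAC, ARP_REQUEST, A_MAC, "0.0.0.0", ZERO, A_IP),
}


def run_all() -> Dict[str, Tuple[bool, str]]:
    return {name: check_arp_frame(frame) for name, frame in FRAMES.items()}
```

The probe case is the caveat to keep in mind: RFC 5227 address-conflict probes use sender IP 0.0.0.0, so with the IP check enabled the device also discards them, and hosts behind it lose duplicate-address detection. That is usually acceptable on a gateway, but is worth checking before enabling the IP check on access ports. The sender-MAC check is the one that catches the classic spoof, where a host injects a reply whose body carries another station's MAC while its own NIC necessarily writes its real MAC into the Ethernet header.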
Check out part 1, part 2, and part 3 of this article: Study Notes for HCIE Exam on "Security Features" Part-1