Having covered the basic working principle of ARP, let's look at how ARP security is ensured. The common ARP attacks seen in a network are mainly the following:
ARP flooding attacks, a form of denial-of-service (DoS) attack, mainly occur in two scenarios:
A device consumes system resources to process ARP packets and maintain ARP entries. At the same time, to keep ARP lookups efficient, a device generally has a fixed specification for the size of its ARP table. Attackers take advantage of this by forging a large number of ARP packets with constantly changing source IP addresses, so that the device's ARP table resources are exhausted by invalid entries; ARP packets from legitimate users can then no longer create ARP entries, and normal communication is interrupted.
When attackers use tools to scan the hosts on the local network segment or scan across network segments, they send the device a large number of IP packets whose destination IP addresses cannot be resolved. This causes the device to trigger a large number of ARP Miss messages, generate and deliver a large number of temporary ARP entries, and broadcast a large number of ARP request packets to resolve the destination IP addresses, overloading the CPU (Central Processing Unit).
In an ARP spoofing attack, an attacker sends forged ARP packets to maliciously modify the ARP entries of the gateway device or of other user hosts on the network, causing abnormal communication between users or between users and the network.
ARP security application scenarios
Prevent ARP flooding attacks: Users on the LAN connect to the Gateway through SwitchA and SwitchB to access the Internet.
When too many ARP packets appear on the network, the CPU load of the gateway device increases, which affects the device's normal processing of users' other services. At the same time, the large number of ARP packets occupies a lot of network bandwidth, causing congestion and affecting communication across the entire network, as shown below:
To avoid these hazards, anti-ARP-flooding functions can be deployed on the gateway device: the ARP packet rate limit function, the ARP Miss message rate limit function, the ARP entry strict learning function, and the ARP entry limit function.
• After the ARP packet rate limit function is deployed, the Gateway counts the ARP packets it receives. If the number of ARP packets received within a given period exceeds the configured threshold (the ARP packet rate limit), the ARP packets above the threshold are discarded. This prevents the device from processing a large number of ARP packets and overloading its CPU.
• After the ARP Miss message rate limit function is deployed, the Gateway counts ARP Miss messages. If the number of ARP Miss messages within a given period exceeds the configured threshold (the ARP Miss message rate limit), the excess ARP Miss messages are ignored and the Gateway discards the IP packets that triggered them. This prevents the Gateway from processing a large number of IP packets whose destination IP addresses cannot be resolved and overloading its CPU.
• After the ARP entry strict learning function is deployed, the Gateway learns only the replies to ARP requests it sent itself and does not learn ARP packets that other devices actively send to it. This prevents the Gateway from learning a large number of unsolicited ARP packets and having its ARP entry resources exhausted by invalid entries.
• After the ARP entry limit function is deployed, the Gateway limits the number of dynamic ARP entries learned on each interface. Once the number of dynamic ARP entries on an interface reaches the configured maximum, no new dynamic ARP entries are created on that interface. This prevents a user host attached to one interface from launching an ARP attack that exhausts the ARP table resources of the entire device.
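The three counting-based flood controls above (ARP packet rate limit, ARP Miss rate limit, per-interface dynamic entry limit) can be modelled together. The following Python simulation is an added example, not code from the original page or from any vendor; the interface name, thresholds and addresses are constructed sample values, and it shows how a burst of forged ARP packets and an unresolvable-host scan are cut off at each control.

```python
"""Constructed simulation of the gateway's anti-ARP-flooding controls:
ARP packet rate limit, ARP Miss message rate limit, and a per-interface
dynamic ARP entry limit. Thresholds and packets are sample values."""
from collections import defaultdict

class FloodGuard:
    def __init__(self, arp_rate_limit, arp_miss_rate_limit, per_intf_limit, window=1.0):
        self.arp_rate_limit = arp_rate_limit        # ARP packets accepted per window
        self.miss_rate_limit = arp_miss_rate_limit  # ARP Miss messages accepted per window
        self.per_intf_limit = per_intf_limit        # dynamic ARP entries allowed per interface
        self.window = window                        # counting period in seconds
        self.arp_count = defaultdict(int)   # window index -> ARP packets seen
        self.miss_count = defaultdict(int)  # window index -> ARP Miss messages seen
        self.table = defaultdict(dict)      # interface -> {ip: mac}

    def _win(self, t):
        return int(t // self.window)

    def arp_packet(self, t, intf, ip, mac):
        """Return 'dropped', 'limit' or 'learned' for an inbound ARP packet at time t."""
        w = self._win(t)
        self.arp_count[w] += 1
        if self.arp_count[w] > self.arp_rate_limit:
            return "dropped"            # rate limit: packets above the threshold are discarded
        entries = self.table[intf]
        if ip in entries:
            entries[ip] = mac           # refresh of an existing entry uses no new slot
            return "learned"
        if len(entries) >= self.per_intf_limit:
            return "limit"              # entry limit: no new dynamic entry on this interface
        entries[ip] = mac
        return "learned"

    def ip_packet_unresolved(self, t, dst_ip):
        """IP packet with no ARP entry for its next hop: triggers ARP Miss unless over limit."""
        w = self._win(t)
        self.miss_count[w] += 1
        if self.miss_count[w] > self.miss_rate_limit:
            return "ip-dropped"         # excess ARP Miss ignored; triggering IP packet discarded
        return "arp-request-sent"       # temporary entry created, ARP request broadcast

def simulate_scan_and_flood():
    g = FloodGuard(arp_rate_limit=5, arp_miss_rate_limit=3, per_intf_limit=4)
    # attacker on GE0/0/1 forges 8 ARP packets with changing source IPs within one second
    results = [g.arp_packet(0.1 * i, "GE0/0/1", f"10.0.0.{i}", "aa:bb:cc:00:00:01") for i in range(1, 9)]
    # a scanner sends IP packets to 6 unresolvable hosts within the same second
    misses = [g.ip_packet_unresolved(0.5, f"10.0.1.{i}") for i in range(1, 7)]
    return results, misses
```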
Prevent ARP spoofing attacks
Users UserA, UserB, and UserC on the LAN connect to the Gateway through the Switch to access the Internet. Under normal circumstances, after UserA, UserB, and UserC go online, the corresponding ARP entries are created on UserA, UserB, UserC, and the Gateway through the ARP messages they exchange. If an attacker in the broadcast domain then tampers with the ARP entries on the Gateway or on UserA, UserB, and UserC by sending forged ARP messages, the attacker can easily steal information from UserA, UserB, and UserC or block their normal access to the network.
To avoid these hazards, anti-ARP-spoofing functions can be deployed on the gateway device, including the ARP entry fixing (curing) function, the ARP entry strict learning function, and the gratuitous ARP sending function.
• After the ARP entry fixing function is deployed, once the Gateway has learned an ARP entry for the first time, it either no longer allows users to update that entry, allows only part of the entry's information to be updated, or verifies an update by sending a unicast ARP request before accepting it. In this way the legitimacy of the packet that updates an ARP entry is confirmed, which prevents attackers from forging ARP packets to modify other users' ARP entries on the gateway.
• After the ARP entry strict learning function is deployed, the Gateway learns only the replies to the ARP requests it sends to UserA, UserB, or UserC, and does not learn ARP packets that an attacker actively sends to it. In addition, ARP packets sent by the attacker are not allowed to update existing ARP entries on the Gateway, which prevents the attacker from impersonating other users to modify their ARP entries on the gateway.
• After the gratuitous ARP sending function is deployed, the Gateway periodically sends users an ARP request packet whose target IP address is its own IP address, thereby regularly refreshing the gateway MAC address in the users' ARP entries. This ensures that users' packets are forwarded to the gateway normally and are not eavesdropped on by malicious attackers.
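The spoofing defences above come down to a few decisions the gateway's ARP cache makes per inbound frame. The following Python simulation is an added example, not code from the original page or from any vendor: it implements strict learning and entry fixing as switchable flags so the vulnerable cache can be compared with the hardened one, plus the gratuitous ARP refresh on the user side. Addresses, frame layout and the host refresh behaviour are constructed assumptions.

```python
"""Constructed simulation of the gateway's anti-ARP-spoofing controls:
strict learning (only replies to the gateway's own requests are learned),
entry fixing (an unsolicited frame may not overwrite an existing entry),
and the gratuitous ARP that refreshes the gateway MAC on user hosts."""

GW_IP, GW_MAC = "10.0.0.1", "00:00:5e:00:01:01"   # constructed gateway addresses

class GatewayArp:
    def __init__(self, strict=True, fixed=True):
        self.strict, self.fixed = strict, fixed
        self.table = {}                 # ip -> mac learned on the gateway
        self.pending = set()            # IPs the gateway itself has requested

    def request(self, ip):
        self.pending.add(ip)            # gateway sends its own ARP request for ip

    def receive(self, frame):
        """Decide whether an inbound ARP frame may create or update an entry."""
        ip, mac = frame["sender"]
        solicited = frame["op"] == "reply" and ip in self.pending
        if self.strict and not solicited:
            return "ignored"            # strict learning: unsolicited ARP is not learned
        if ip in self.table and self.table[ip] != mac:
            if self.fixed and not solicited:
                return "rejected"       # entry fixing: forged change to an existing entry refused
        self.table[ip] = mac
        self.pending.discard(ip)
        return "learned"

    def gratuitous_arp(self):
        """ARP request with the gateway's own IP as target IP, sent to refresh users' entry."""
        return {"op": "request", "sender": (GW_IP, GW_MAC), "target_ip": GW_IP}

def user_table_after_gratuitous(user_table, frame):
    """Constructed host behaviour: a gratuitous ARP (sender IP == target IP) refreshes that entry."""
    ip, mac = frame["sender"]
    if frame["target_ip"] == ip:
        user_table[ip] = mac
    return user_table

def simulate_spoof(strict, fixed):
    """Legitimate reply to the gateway's request, then a forged reply claiming the same IP."""
    gw = GatewayArp(strict, fixed)
    gw.request("10.0.0.10")
    legit = gw.receive({"op": "reply", "sender": ("10.0.0.10", "aa:aa:aa:00:00:10")})
    forged = gw.receive({"op": "reply", "sender": ("10.0.0.10", "de:ad:be:ef:00:01")})
    return legit, forged, gw.table["10.0.0.10"]
```

With both controls off the forged reply overwrites the entry; with either control on the original MAC survives, which is the whole point of the two functions.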