2 ARP Attack Defense Configuration
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide
multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn
To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on
S4500 series Ethernet switches (operating as gateways). That is, you can set the maximum number of
dynamic ARP entries that a VLAN interface can learn. If the number of ARP entries learned by the
VLAN interface exceeds the specified upper limit, the VLAN interface stops learning ARP entries, thus
mitigating ARP flood attacks.
Introduction to ARP Source MAC Address Consistency Check
An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP
packets. These ARP packets can cause other network devices to update the corresponding ARP
entries incorrectly, thus interrupting network traffic.
To prevent such attacks, you can configure ARP source MAC address consistency check on S4500
series Ethernet switches (operating as gateways). With this function, the device can verify whether an
ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC
address in the Ethernet header.
- If they are consistent, the packet passes the check and the switch learns the ARP entry.
- If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is
not learned.
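The two features described above, the per-VLAN-interface cap on dynamic ARP entries and the source MAC consistency check, modelled in Python as an added example; this is not the switch's own code, and the frame layout, the function names (parse_eth_arp, source_mac_consistent, VlanArpTable) and the constructed sample frames are the example's own assumptions.

```python
import struct

ETHERTYPE_ARP = 0x0806  # Ethernet II type field for ARP

def parse_eth_arp(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet II frame
    carrying IPv4-over-Ethernet ARP, or None if it is not such a frame."""
    if len(frame) < 42:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    _htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    return eth_src, frame[22:28], frame[28:32]

def source_mac_consistent(frame: bytes) -> bool:
    """The consistency check: ARP sender MAC must equal the Ethernet source MAC."""
    parsed = parse_eth_arp(frame)
    return parsed is not None and parsed[0] == parsed[1]

class VlanArpTable:
    """Dynamic ARP entries of one VLAN interface, capped at max_dynamic."""
    def __init__(self, max_dynamic: int):
        self.max_dynamic = max_dynamic
        self.entries = {}  # sender IP (bytes) -> MAC (bytes)

    def learn(self, frame: bytes) -> bool:
        """Learn from an ARP frame; True if an entry was added or refreshed."""
        if not source_mac_consistent(frame):
            return False  # invalid packet: entry not learned
        _, mac, ip = parse_eth_arp(frame)
        if ip in self.entries:
            self.entries[ip] = mac  # refresh an existing entry
            return True
        if len(self.entries) >= self.max_dynamic:
            return False  # upper limit reached: stop learning new entries
        self.entries[ip] = mac
        return True

def build_arp_frame(eth_src: bytes, sha: bytes, spa: bytes, tpa: bytes, oper: int = 2) -> bytes:
    """Constructed sample frame for the demo (not captured traffic)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp
```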
Introduction to ARP Attack Detection
Man-in-the-middle attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of
the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the
ARP traffic in the network, but it also makes ARP spoofing possible.
In Figure 2-1, Host A communicates with Host C through a switch. To intercept the traffic between Host
A and Host C, the attacker (Host B) sends forged ARP reply messages to Host A and Host C
respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in
their ARP tables with the MAC address of Host B. The traffic between Host A and Host C then passes
through Host B, which acts as a “man-in-the-middle” that may intercept and modify the communication.
Such an attack is called a man-in-the-middle attack.