Common attacks and prevention measures in access switches

Source: Internet
Author: User

There is still much worth learning about access switches. This page introduces the common attacks on access switches and the corresponding prevention measures. In a real network, the uplink port of an access switch receives ARP requests and replies from other devices, and the source IP address and source MAC address of these ARP packets are not in the DHCP Snooping table or the static binding table.

To handle the ARP requests and replies received on the uplink port under ARP intrusion detection, the access switch supports configuring ARP trusted ports, which gives flexible control over ARP packet inspection. ARP packets from trusted ports are not inspected at all; ARP packets from all other ports are checked against the DHCP Snooping table or the manually configured static IP binding table.

IP address filtering

The IP address filtering function lets the switch discard illegal IP packets using the DHCP Snooping table and the manually configured static IP address binding table. After this function is enabled on a port, the access switch first issues an ACL rule that discards all IP packets except DHCP packets. It also checks whether the DHCP Snooping trusted-port function is enabled on the port: if it is not, DHCP response packets are discarded; otherwise, DHCP response packets are allowed through. Next, it issues an ACL rule that allows packets whose source IP address matches a DHCP Snooping table entry or a configured static IP binding entry to pass.

The switch can filter IP packets in either of two ways.

Filtering based on the source IP address. If the source IP address of the packet and the access switch port number on which it was received match a DHCP Snooping dynamic entry or a manually configured IP static binding entry, the packet is regarded as valid and allowed through; otherwise, the packet is regarded as illegal and discarded directly.

Filtering based on the source IP address and source MAC address. If the source IP address, source MAC address, and switch port number of the received packet match a DHCP Snooping dynamic entry or a manually configured IP static binding entry, the packet is regarded as valid and allowed through; otherwise, the packet is regarded as invalid and discarded directly.

DHCP/ARP packet speed limit function

To prevent DHCP packet flood attacks, the access switch supports a speed limit function for DHCP/ARP packets on a port. Once this function is enabled, the access switch counts the DHCP/ARP packets the port receives per second. If the number of packets received per second exceeds the configured value, the port is considered to be under attack (it is in the speeding state). The switch then shuts the port so that it receives no further packets, which protects the device from being flooded with a large number of packets.

The device also supports automatic port status recovery. A port configured with the packet speed limit function that the access switch has shut down because of speeding can be automatically re-enabled after a set period of time.
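The following is an added model of the three mechanisms described above (ARP trusted-port inspection, the two IP filtering modes, and the per-port DHCP/ARP speed limit with automatic recovery); it is not switch code from the original article. The binding tables, port names (Gi1/0/24 as the uplink) and the limit values are constructed sample data, and the per-second counting and recovery timer are an assumed simplification of how a real switch implements the feature.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Binding:          # one IP/MAC/port binding, from DHCP Snooping or static config
    ip: str
    mac: str
    port: str

# Constructed sample tables (not from a real device); Gi1/0/24 is the assumed uplink.
DHCP_SNOOPING = {Binding("10.0.0.11", "aa:bb:cc:00:00:11", "Gi1/0/1"),
                 Binding("10.0.0.12", "aa:bb:cc:00:00:12", "Gi1/0/2")}
STATIC_BINDINGS = {Binding("10.0.0.50", "aa:bb:cc:00:00:50", "Gi1/0/5")}
TRUSTED_PORTS = {"Gi1/0/24"}  # ARP packets from trusted ports are not inspected

def _bound(src_ip, src_mac=None, port=None):
    """True if some binding has this IP and, when given, this MAC and this port."""
    return any(b.ip == src_ip and (src_mac is None or b.mac == src_mac)
               and (port is None or b.port == port)
               for b in DHCP_SNOOPING | STATIC_BINDINGS)

def arp_allowed(port, src_ip, src_mac):
    """ARP intrusion detection: trusted ports bypass the check; elsewhere the sender
    IP/MAC pair must appear in the DHCP Snooping table or the static binding table."""
    return port in TRUSTED_PORTS or _bound(src_ip, src_mac)

def ip_allowed(port, src_ip, src_mac, is_dhcp=False, mode="ip"):
    """IP address filtering. DHCP packets always pass (the first ACL rule); mode 'ip'
    checks source IP + port, mode 'ip+mac' also checks the source MAC."""
    if is_dhcp:
        return True
    return _bound(src_ip, src_mac if mode == "ip+mac" else None, port)

class PortRateLimiter:
    """DHCP/ARP speed limit: shut a port exceeding limit_pps, re-enable after recover_after s."""
    def __init__(self, limit_pps, recover_after):
        self.limit, self.recover_after = limit_pps, recover_after
        self.counts = {}      # (port, whole second) -> packets seen
        self.shut_until = {}  # port -> time at which the port is re-enabled

    def receive(self, port, now):
        """Return True if a packet arriving on `port` at time `now` (seconds) is accepted."""
        if port in self.shut_until:
            if now < self.shut_until[port]:
                return False
            del self.shut_until[port]  # recovery period elapsed: port enabled again
        key = (port, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.limit:      # speeding: port considered under attack
            self.shut_until[port] = now + self.recover_after
            return False
        return True
```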