Access Network Switch FAQs

Source: Internet
Author: User

With the development of access network technology, the related devices are widely used in many fields, and many problems have appeared along with them, ARP attacks among them. This article analyzes solutions to access network switch security problems. Mature carrier-grade IP technology makes the convergence of voice, data, video, mobile and other applications inevitable, and unified communication has become a development trend.

Network transformation with IP technology at its core, carrying a variety of new services to enhance competitiveness, is the development direction of fixed-network operators. Because of its high degree of standardization, wide application, strong bandwidth capability, good scalability, mature technology and cost-effective equipment, Ethernet provides good support for IP and has become the development trend for metropolitan area network (MAN) and access network switches. However, the openness and wide application of Ethernet also bring security issues. Especially when the network shifts from carrying a single service to carrying multiple services, the impact of security issues becomes more and more obvious and increasingly affects service development and deployment. Common attacks on access network switches include ARP man-in-the-middle attacks, IP/MAC spoofing attacks, and DHCP/ARP packet flood attacks.

ARP "man-in-the-middle" attack

By design of the ARP protocol, a host adds the IP-to-MAC correspondence from any ARP response it receives to its ARP mapping table, even when the response was not solicited by its own request. This reduces the amount of ARP traffic on the network, but also creates the conditions for ARP spoofing.

Host A communicates with Host C through a switch. If an attacker on Host B wants to eavesdrop on the communication between Host A and Host C, it can send forged ARP response packets to the two hosts, causing Host A and Host C to update the entries for each other's IP address in their ARP mapping tables with MAC_B. From then on, the seemingly "direct" communication between Host A and Host C actually passes through Host B, which acts as the intermediary and can steal or tamper with the information. This attack method is called a man-in-the-middle attack.

IP/MAC spoofing attacks

Common spoofing types include MAC spoofing, IP spoofing, and IP/MAC spoofing. Attackers forge the source address of a packet to launch attacks. Generally, the goal is to forge an identity or obtain privileges through IP/MAC spoofing; this method is also used in Denial of Service (DoS) attacks and seriously endangers network security. To prevent IP/MAC spoofing attacks, H3C low-end Ethernet switches provide the IP Filter feature: the switch can force the source address of packets passing through a port to comply with the dynamically obtained DHCP Snooping entries or the static IP/MAC binding entries, preventing attackers from launching attacks by forging the source address. This feature also prevents address conflicts caused by arbitrarily assigned IP addresses.

DHCP flood attacks

In a DHCP flood attack, a malicious user uses tools to forge a large number of DHCP packets and send them to the server. On the one hand, the malicious consumption of IP resources leaves legitimate users unable to obtain addresses. On the other hand, if DHCP Snooping is enabled on the switch, every received DHCP packet is sent to the CPU, so a large number of DHCP packets puts the DHCP server and the switch under high load and can even paralyze the devices.

ARP flood attacks

ARP flood is similar to DHCP flood: malicious users send a large number of ARP packets, causing ARP table overflow on the Layer 3 device and affecting forwarding for normal users.

Security Protection

For the preceding attack methods, the H3C access network switch solution uses DHCP Snooping on the user access side to provide the corresponding preventive measures.

DHCP Snooping Table Entry Creation

After DHCP Snooping is enabled, the H3C access network switch listens to DHCP-REQUEST broadcast packets and DHCP-ACK unicast packets to record the IP address obtained by each user. Currently, the DHCP Snooping table of the switch records the following information: the IP address assigned to the client, the client's MAC address, VLAN information, port information, and lease information.

Working Mechanism of ARP Intrusion Detection

To prevent ARP man-in-the-middle attacks, the access network switch can redirect received ARP requests and responses to the CPU. Combined with the security features of DHCP Snooping, it determines the legitimacy of each ARP packet and processes it as follows. When the binding between the source IP address and the source MAC address in the ARP packet matches a DHCP Snooping entry or a manually configured static IP binding entry, and the inbound port of the ARP packet and its VLAN are also the same as in that entry, the ARP packet is forwarded normally.

When the binding between the source IP address and the source MAC address in the ARP packet does not match any DHCP Snooping entry or manually configured static IP binding entry, or when the inbound port of the ARP packet or the VLAN to which that port belongs is inconsistent with the matched entry, the ARP packet is invalid and is discarded directly, and the discard information is printed through Debug to prompt the user.

Manually Configuring Static IP Binding Entries

The DHCP Snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a host is manually configured with a fixed IP address, its IP address, MAC address and other information are not recorded in the DHCP Snooping table, so ARP Intrusion Detection based on DHCP Snooping entries cannot be applied to it and the host fails to access the external network. To allow users with valid fixed IP addresses to access the network, the switch supports manual configuration of static IP binding entries, namely the binding between the user's IP address, MAC address and the port connecting the user, so that the user's packets can be processed normally.
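The following added example (not H3C's code) models the three mechanisms described above in one place: building the DHCP Snooping table from DHCP-ACK packets, adding static IP binding entries, and the ARP Intrusion Detection check that forwards an ARP packet only when its sender IP, sender MAC, VLAN and inbound port all match a binding. The class, field and port names are assumptions, and the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical model of the binding-table logic described above; not H3C's
# implementation. Field names (ip, mac, vlan, port, lease_end) are assumptions.

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    lease_end: Optional[int] = None  # None for static entries (no lease)

class AccessSwitch:
    def __init__(self) -> None:
        self.snooping: Dict[str, Binding] = {}  # learned from DHCP-ACK
        self.static: Dict[str, Binding] = {}    # configured manually

    def snoop_dhcp_ack(self, client_mac, ip, vlan, port, now, lease) -> None:
        """DHCP Snooping: record client IP, MAC, VLAN, port and lease expiry."""
        self.snooping[ip] = Binding(ip, client_mac.lower(), vlan, port, now + lease)

    def add_static_binding(self, ip, mac, vlan, port) -> None:
        """Static IP binding entry for a host with a fixed (non-DHCP) address."""
        self.static[ip] = Binding(ip, mac.lower(), vlan, port)

    def lookup(self, ip, now) -> Optional[Binding]:
        b = self.snooping.get(ip)
        if b is not None and b.lease_end is not None and b.lease_end <= now:
            del self.snooping[ip]  # expired lease: dynamic entry no longer valid
            b = None
        return b or self.static.get(ip)

    def arp_allowed(self, sender_ip, sender_mac, vlan, port, now) -> bool:
        """ARP Intrusion Detection: forward only when IP/MAC match a binding
        and the packet arrived on that binding's VLAN and port; else discard."""
        b = self.lookup(sender_ip, now)
        if b is None:
            return False  # no binding at all: invalid, discarded
        return b.mac == sender_mac.lower() and b.vlan == vlan and b.port == port

def demo() -> dict:
    """Constructed scenario: A and C hold DHCP leases; B (port 2) forges C's IP."""
    sw = AccessSwitch()
    sw.snoop_dhcp_ack("00:00:00:00:00:0a", "10.0.0.1", 10, "Eth1/0/1", 0, 3600)
    sw.snoop_dhcp_ack("00:00:00:00:00:0c", "10.0.0.3", 10, "Eth1/0/3", 0, 3600)
    sw.add_static_binding("10.0.0.100", "00:00:00:00:00:64", 10, "Eth1/0/9")
    return {
        "legit_A": sw.arp_allowed("10.0.0.1", "00:00:00:00:00:0a", 10, "Eth1/0/1", 100),
        "forged_C_from_B": sw.arp_allowed("10.0.0.3", "00:00:00:00:00:0b", 10, "Eth1/0/2", 100),
        "static_host": sw.arp_allowed("10.0.0.100", "00:00:00:00:00:64", 10, "Eth1/0/9", 100),
        "wrong_port": sw.arp_allowed("10.0.0.1", "00:00:00:00:00:0a", 10, "Eth1/0/2", 100),
        "expired": sw.arp_allowed("10.0.0.1", "00:00:00:00:00:0a", 10, "Eth1/0/1", 4000),
    }
```

The forged reply from Host B claiming Host C's IP is dropped because the learned binding for 10.0.0.3 carries MAC_C on port Eth1/0/3; the same check also rejects a legitimate host's MAC seen on the wrong port or after its lease has expired.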
 
