Effectively blocks ARP man-in-the-middle attacks

Source: Internet
Author: User

Mature carrier-grade IP technology makes the convergence of voice, data, video, mobile and other applications inevitable, and unified communication has become a development trend. Network transformation with IP technology at its core, carrying a variety of new services to enhance competitiveness, is the development direction of fixed-network operators. Because of its high degree of standardization, wide application, strong bandwidth provisioning, good scalability, mature technology, cost-effective equipment and good support for IP, Ethernet has become the technology of choice for MAN and access networks. However, the openness and wide application of Ethernet also bring security problems. When a network moves from carrying a single service to carrying multiple services, the impact of these security problems becomes more and more obvious, and service development and deployment are increasingly affected.

Common attacks on access networks include ARP "man-in-the-middle" attacks, IP/MAC spoofing attacks, and DHCP/ARP packet flood attacks.

Network Attacks

ARP "man-in-the-middle" attack

By design, an ARP host adds the IP-to-MAC correspondence from any ARP reply it receives to its ARP mapping table, even when the reply was not solicited by a request of its own. This reduces the amount of ARP traffic on the network, but it also creates the conditions for ARP spoofing.

As shown in the figure, Host A and Host C communicate through a switch. If an attacker (Host B) wants to eavesdrop on the communication between Host A and Host C, it can send forged ARP reply packets to each of the two hosts, causing Host A and Host C to update the entries for each other's IP address in their ARP mapping tables with MAC_B. From then on, the seemingly "direct" communication between Host A and Host C actually passes through the attacker's host, that is, Host B acts as the "intermediary" and can steal and tamper with the information. This attack is called a man-in-the-middle attack.


IP/MAC spoofing attacks

Common spoofing attacks include MAC spoofing, IP spoofing, and combined IP/MAC spoofing. An attacker forges the source address of packets, generally to impersonate an identity or obtain privileges tied to a particular IP/MAC address. The same method is also used in DoS (Denial of Service) attacks, seriously endangering network security.

To prevent IP/MAC spoofing attacks, H3C low-end Ethernet switches provide the IP Filter feature. The switch can force the source addresses of packets passing through a port to match either the dynamically learned DHCP Snooping table items or the statically configured IP/MAC binding table items, so that attackers cannot launch attacks with forged source addresses. This function also prevents address conflicts caused by users assigning themselves arbitrary IP addresses.

DHCP flood attacks

In a DHCP flood attack, a malicious user uses tools to forge a large number of DHCP packets and send them to the server. On the one hand, the attacker exhausts the server's IP address pool so that legitimate users cannot obtain addresses. On the other hand, if DHCP Snooping is enabled on the switch, every received DHCP packet is sent to the CPU, so a large volume of DHCP packets can drive the DHCP server to high load and even bring the devices down.

ARP flood attacks are similar to DHCP flood attacks. A malicious user sends a large number of ARP packets, causing the ARP table on L3 devices to overflow and affecting forwarding for normal users.

Security Protection

Against the preceding attack methods, the H3C Access Network Solution uses DHCP Snooping on the user access side to provide the corresponding preventive measures.

DHCP Snooping Table Item Creation

After DHCP Snooping is enabled, the H3C access switch listens to DHCP-REQUEST broadcast packets and DHCP-ACK unicast packets and records the IP address obtained by each user together with the characteristics of the user's device. Currently, the DHCP Snooping table of the switch records the following information: the IP address assigned to the client, the client's MAC address, VLAN information, port information, and lease information.

ARP Intrusion Detection

Working Mechanism of ARP Intrusion Detection

To prevent ARP man-in-the-middle attacks, the access switch can redirect received ARP packets (requests and replies) to the CPU. Combined with the security information gathered by DHCP Snooping, it determines whether each ARP packet is legitimate and processes it as follows.

When the source IP address and source MAC address in the ARP packet match a binding in the DHCP Snooping table or the manually configured static IP binding table, and the inbound port of the ARP packet and the VLAN of that port also match that DHCP Snooping table item or static IP binding table item, the ARP packet is forwarded normally.

When the source IP address and source MAC address in the ARP packet do not match any DHCP Snooping table item or manually configured static IP binding table item, or when the inbound port of the ARP packet or the VLAN to which that port belongs is inconsistent with the matching DHCP Snooping table item or static IP binding table item, the ARP packet is invalid and is discarded directly, and the discard is reported through debugging output to alert the user.

[Figure: ARP Intrusion Detection]

Manually configure static IP binding table items

The DHCP Snooping table records only clients that obtain their IP addresses dynamically through DHCP. If a user manually configures a fixed IP address, its IP address and MAC address are not recorded in the DHCP Snooping table, so ARP intrusion detection based on DHCP Snooping table items cannot validate that user's ARP packets, and the user is unable to reach the external network.

To allow users with valid fixed IP addresses to access the network, the switch supports manual configuration of static IP binding table items, namely the binding between the user's IP address, MAC address, and the port to which the user connects, so that the user's packets can be processed normally.

ARP trusted port settings

In a real network, the uplink port of the switch receives ARP packets from other devices, and the source IP and source MAC addresses of those packets appear neither in the DHCP Snooping table nor in the static binding table. To let the ARP requests and replies received on the uplink port pass ARP intrusion detection, the switch supports configuring an ARP trusted port, which gives flexible control over the ARP detection function. ARP packets from trusted ports are not checked at all; ARP packets from all other ports are checked against the DHCP Snooping table or the manually configured static IP binding table.

IP address filtering

The IP address filtering function lets the switch filter illegal IP packets using the DHCP Snooping table and the manually configured static IP binding table.

After this function is enabled on a port, the switch first installs an ACL rule that discards all IP packets except DHCP packets. (It also checks whether the DHCP Snooping trusted port function is enabled on the port: if it is not, DHCP response packets are discarded; otherwise, DHCP response packets are allowed through.) Next, it installs an ACL rule that allows packets whose source IP address matches a DHCP Snooping table item or a configured static IP binding table item to pass.

The switch can filter IP packets in two ways:

Filtering by source IP address. If the source IP address of the packet and the switch port on which it was received are consistent with the DHCP Snooping dynamic table or the manually configured static IP binding table, the packet is regarded as valid and allowed to pass; otherwise, it is regarded as illegal and discarded directly.

Filtering by source IP address and source MAC address. If the source IP address, source MAC address, and receiving switch port of the packet are consistent with the DHCP Snooping dynamic table or the manually configured static IP binding table, the packet is regarded as valid and allowed to pass; otherwise, it is regarded as invalid and discarded directly.
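The decision logic of ARP intrusion detection (binding, port and VLAN check, with trusted ports exempt) and of the two IP filtering modes, written as an added Python example; this is not H3C code, and the binding tables, port names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# One DHCP Snooping table item or static binding: IP, MAC, port, VLAN.
@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int

# Constructed sample tables (not from the article).
SNOOPING_TABLE = [Binding("10.1.1.10", "00:11:22:33:44:aa", "Eth1/0/1", 100)]
STATIC_BINDINGS = [Binding("10.1.1.20", "00:11:22:33:44:cc", "Eth1/0/2", 100)]
ARP_TRUSTED_PORTS = {"Eth1/0/24"}   # assumed uplink toward the gateway

def find_binding(ip: str) -> Optional[Binding]:
    """Look up an IP in the dynamic table first, then the static table."""
    for b in SNOOPING_TABLE + STATIC_BINDINGS:
        if b.ip == ip:
            return b
    return None

def arp_check(src_ip: str, src_mac: str, in_port: str, in_vlan: int) -> str:
    """ARP intrusion detection: returns 'forward' or 'discard'."""
    if in_port in ARP_TRUSTED_PORTS:
        return "forward"            # trusted port: no detection at all
    b = find_binding(src_ip)
    if b is None or b.mac != src_mac.lower():
        return "discard"            # IP/MAC pair not in either table
    if b.port != in_port or b.vlan != in_vlan:
        return "discard"            # right pair, but wrong port or VLAN
    return "forward"

def ip_filter(src_ip: str, src_mac: str, in_port: str,
              check_mac: bool = False, is_dhcp: bool = False) -> str:
    """IP address filtering: by source IP, or by source IP and MAC."""
    if is_dhcp:
        return "forward"            # DHCP is always let through by the first ACL
    b = find_binding(src_ip)
    if b is None or b.port != in_port:
        return "discard"
    if check_mac and b.mac != src_mac.lower():
        return "discard"
    return "forward"
```

A forged ARP reply claiming the gateway's IP from an access port is discarded because the gateway's address is in neither table, which is exactly how the man-in-the-middle attack described earlier is stopped.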

DHCP/ARP Packet Rate Limit Function

To prevent DHCP packet flood attacks, the access switch supports configuring a rate limit for DHCP/ARP packets on a port. After this function is enabled, the switch counts the number of DHCP/ARP packets received on the port per second. If the number received per second exceeds the configured value, the port is considered to be exceeding its rate (that is, under attack). In this case, the switch shuts the port down so that it no longer receives any packets, which protects the device from being overwhelmed by a large number of packets.

The device also supports an automatic port recovery function. A port configured with the packet rate limit that has been shut down for exceeding its rate can be automatically re-enabled after a configurable period of time.
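The per-port counting, shutdown and timed recovery described above, as an added Python example that is not H3C code; the threshold, recovery period and the injectable clock are assumptions so the behaviour can be exercised without waiting in real time.

```python
import time
from collections import defaultdict

class ManualClock:
    """Constructed clock for testing: time only advances when set."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

class PortRateLimiter:
    """Per-port DHCP/ARP packet rate limit with shutdown and auto recovery.

    threshold: packets per second allowed on a port (assumed configurable).
    recovery_secs: delay before a shut-down port is re-enabled; None keeps
    the port down until an operator re-enables it (recovery disabled).
    """
    def __init__(self, threshold, recovery_secs=None, clock=time.monotonic):
        self.threshold = threshold
        self.recovery_secs = recovery_secs
        self.clock = clock
        self.counts = defaultdict(int)   # port -> packets in current window
        self.window_start = {}           # port -> start of 1-second window
        self.shut_at = {}                # port -> time the port was closed

    def port_is_up(self, port):
        shut = self.shut_at.get(port)
        if shut is None:
            return True
        if self.recovery_secs is not None and self.clock() - shut >= self.recovery_secs:
            del self.shut_at[port]       # automatic recovery after the delay
            self.counts[port] = 0
            return True
        return False

    def receive(self, port):
        """Called for each DHCP/ARP packet; returns 'accept' or 'drop'."""
        if not self.port_is_up(port):
            return "drop"                # closed port receives nothing
        now = self.clock()
        start = self.window_start.get(port)
        if start is None or now - start >= 1.0:
            self.window_start[port] = now   # open a new 1-second window
            self.counts[port] = 0
        self.counts[port] += 1
        if self.counts[port] > self.threshold:
            self.shut_at[port] = now     # rate exceeded: shut the port
            return "drop"
        return "accept"
```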

User isolation

In operator networks, user isolation can effectively prevent users from affecting one another. It also prevents ARP "man-in-the-middle" attacks and rogue DHCP server attacks.

Using these technologies can effectively reduce common security risks in the access network and ensure the normal operation of operators' services.
