Preventing ARP attacks within the same network segment

Source: Internet
Author: User

ARP attacks are a common network problem, so the switches in the segment must be configured appropriately. The following uses H3C devices as an example to describe typical configurations.

I. Preventing ARP attacks that forge the gateway IP address

1. Layer-2 switch anti-attack configuration example

The 3552P is a layer-3 device whose IP address 100.1.1.1 is the gateway for all PCs; the gateway MAC address on the 3552P is 000f-e200-3999. PC-B is running ARP attack software, so the 3026C_A needs some special configuration to filter out ARP packets that forge the gateway IP address.

On L2 switches such as the 3026C, this can be done with an ACL.

(1) Globally configure a user-defined ACL that denies all ARP packets whose source IP address is the gateway's address:

acl num 5000
rule 0 deny 0806 ffff 24 64010101 ffffffff 40
rule 1 permit 0806 ffff 24 000fe2003999 ffffffffffff 34

Rule 0 objective: to block ARP packets impersonating the gateway on all ports of 3026C_A. The rule string 64010101 is the hexadecimal representation of the gateway IP address 100.1.1.1 (100 = 0x64, 1 = 0x01).

Rule 1 objective: to permit the ARP packets of the upstream gateway. The rule string 000fe2003999 is the MAC address 000f-e200-3999 of the gateway 3552.

Apply the ACL in system view on S3026C-A:

[S3026C-A] packet-filter user-group 5000

In this way, only the gateway device connected to 3026C_A can send ARP packets carrying the gateway's address, and the PCs cannot send ARP replies that impersonate the gateway.

2. Layer-3 switch anti-attack configuration example

For a layer-3 device, configure an ACL rule that filters ARP packets whose source IP address is the gateway's address. Configure the following ACL:

acl num 5000
rule 0 deny 0806 ffff 24 64010105 ffffffff 40

Rule 0 objective: to block all ARP packets impersonating the gateway on the ports of the 3526E. The rule string 64010105 is the hexadecimal representation of the gateway IP address 100.1.1.5.
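The following Python model is an added example, not part of the original article or of H3C's own tooling: it encodes ACL 5000 from section 1 as (rule-string, rule-mask, offset) triples, evaluates them over constructed ARP reply frames, and also converts the section 2 gateway address 100.1.1.5 into its 64010105 rule string. It assumes that the page's offsets are 12 bytes beyond the field positions of an untagged Ethernet frame (which the page's values 24/34/40 imply) and that a permit match overrides a deny match (which the page's stated outcome for the real gateway requires).

```python
import struct

# Assumption from the page's own numbers: its offsets 24/34/40 sit 12 bytes past the
# field positions in an untagged Ethernet frame (ethertype 12, sender MAC 22, sender IP 28).
OFFSET_BASE = 12

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", ""))      # '000f-e200-3999' -> 6 raw bytes

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def ip_to_hex(ip: str) -> str:
    return ip_bytes(ip).hex()                       # rule-string form: 100.1.1.1 -> '64010101'

def build_arp_reply(src_mac: str, sender_ip: str, dst_mac: str, target_ip: str) -> bytes:
    """Constructed untagged Ethernet frame carrying an ARP reply (opcode 2)."""
    ethernet = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # hw type, proto type, hlen, plen, opcode
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip) + mac_bytes(dst_mac) + ip_bytes(target_ip)
    return ethernet + arp

def triple_matches(frame: bytes, rule_string: str, rule_mask: str, offset: int) -> bool:
    """One 'rule-string rule-mask offset' triple: masked compare at the given offset."""
    value, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    start = offset - OFFSET_BASE
    field = frame[start:start + len(value)]
    return len(field) == len(value) and all((f & m) == (v & m) for f, v, m in zip(field, value, mask))

# ACL 5000 as written on the page; a rule matches only when all of its triples match.
ACL_5000 = [
    ("deny",   [("0806", "ffff", 24), (ip_to_hex("100.1.1.1"), "ffffffff", 40)]),
    ("permit", [("0806", "ffff", 24), ("000fe2003999", "ffffffffffff", 34)]),
]

def matching_rules(frame: bytes) -> list:
    return [i for i, (_, triples) in enumerate(ACL_5000)
            if all(triple_matches(frame, *t) for t in triples)]

def packet_filter(frame: bytes) -> str:
    """Assumption: a permit match overrides a deny match; the page's stated result
    (the real gateway's ARP passes, forged gateway ARP is dropped) requires this."""
    actions = {ACL_5000[i][0] for i in matching_rules(frame)}
    if "permit" in actions:
        return "permit"
    return "deny" if "deny" in actions else "permit"

# Constructed frames: PC-B forging the gateway, the real gateway, and an ordinary PC.
FORGED_GATEWAY = build_arp_reply("000d-88f8-09fa", "100.1.1.1", "000f-3d81-45b4", "100.1.1.3")
REAL_GATEWAY = build_arp_reply("000f-e200-3999", "100.1.1.1", "000f-3d81-45b4", "100.1.1.3")
ORDINARY_PC = build_arp_reply("000d-88f8-09fa", "100.1.1.4", "000f-e200-3999", "100.1.1.1")
```

Running packet_filter over the three frames shows the forged gateway reply denied by rule 0, the real gateway's reply permitted via rule 1, and an ordinary PC's reply untouched by either rule.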

II. ARP attacks that forge other hosts' IP addresses

The gateway device itself can also learn incorrect ARP entries, so ARP attack packets with forged IP addresses also need to be filtered on the gateway device.

When PC-B sends ARP reply attack packets to PC-D, the source MAC is PC-B's MAC (000d-88f8-09fa), the source IP is PC-D's IP (100.1.1.3), and the destination IP and MAC addresses are the gateway's (3552P). The 3552 then learns incorrect ARP entries, as shown below:

------------------- Incorrect ARP table entries --------------------------------
IP Address      MAC Address       VLAN ID   Port Name     Aging   Type
100.1.1.4       000d-88f8-09fa    1         Ethernet0/2   20      Dynamic
100.1.1.3       000f-3d81-45b4    1         Ethernet0/2   20      Dynamic

The ARP entry for PC-D should be learned on port e0/8, not on port e0/2.

① Configuring a static ARP entry on the 3552 prevents this:

arp static 100.1.1.3 000f-3d81-45b4 1 e0/8

② Likewise, in Figure 2, static ARP entries can be configured to prevent devices from learning incorrect ARP entries.

③ On L2 devices (3050 and 3026 series), in addition to static ARP entries, you can also configure IP + MAC + port binding. For example, on port e0/4 of the 3026C:

am user-bind ip-addr 100.1.1.4 mac-addr 000d-88f8-09fa int e0/4

Only ARP packets with IP address 100.1.1.4 and MAC address 000d-88f8-09fa can then pass through port e0/4; ARP packets from other hosts are dropped, so no incorrect ARP entries are created.
