ARP and IP Attack Defense Configuration, ARP Packet Filtering Based on Gateway’s Address, Introduction – H3C Technologies H3C S3100 Series Switches User Manual


ARP and IP Attack Defense Configuration

ARP Packet Filtering Based on Gateway’s Address

Introduction

According to the ARP design, after receiving an ARP packet whose target IP address is that of the receiving interface, a device adds the sender’s IP-to-MAC mapping to its ARP mapping table even if it did not request that mapping itself. This reduces ARP traffic in the network, but it also makes ARP spoofing possible.

The most common ARP attack on campus networks is the gateway spoofing attack. An attacker sends an ARP packet with the gateway’s IP address and a fake MAC address, and a receiving host then updates its IP-to-MAC binding for the gateway. As a result, the traffic sent from the host to the gateway is redirected to the fake MAC address, and the client is unable to access the external network.

Figure 1-1 Gateway spoofing attack

To prevent gateway spoofing attacks, S3100-EI series Ethernet switches can filter ARP packets based on the gateway’s address.

1) You can bind the gateway’s IP address to the downstream port (directly connected to hosts) of the switch. After that, the port will discard ARP packets with the gateway’s IP address as the sender IP address, and permit other ARP packets to pass.

2) You can also bind the IP and MAC addresses of the gateway to the cascaded port or upstream port of the access switch. After that, the port will discard ARP packets with the gateway’s IP address as the sender IP address but with a sender MAC address different from the gateway’s MAC address, and permit other ARP packets to pass.
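The two filter rules above, modelled in Python as an added example (not code from the H3C manual or the switch): raw Ethernet/ARP frames are parsed and judged by the role of the port they arrive on. The port roles, the gateway, host and attacker addresses, and the rule names are assumptions constructed for the demonstration.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

# Constructed addresses for the demo (not from the manual).
GW_IP = bytes([192, 168, 1, 1])
GW_MAC = bytes.fromhex("001122334455")
HOST_IP = bytes([192, 168, 1, 10])
HOST_MAC = bytes.fromhex("66778899aabb")
FAKE_MAC = bytes.fromhex("deadbeefcafe")

def parse_arp(frame):
    """Return (sender MAC, sender IP) of an Ethernet/ARP frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_ARP:
        return None
    _htype, _ptype, hlen, plen, _op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if hlen != 6 or plen != 4:
        return None  # not Ethernet/IPv4 ARP; outside this filter's scope
    return sha, spa

def filter_arp(frame, port_role, gw_ip, gw_mac=None):
    """Return 'permit' or 'discard' for a frame arriving on a port of the given role.
    downstream (host-facing): discard ARP whose sender IP is the gateway IP (rule 1).
    upstream/cascaded: discard ARP whose sender IP is the gateway IP but whose
    sender MAC is not the gateway MAC (rule 2). Everything else is permitted."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "permit"
    sha, spa = parsed
    if spa != gw_ip:
        return "permit"
    if port_role == "downstream":
        return "discard"
    if port_role == "upstream" and sha != gw_mac:
        return "discard"
    return "permit"

def build_arp(sha, spa, tha, tpa, op=2):
    """Build a constructed Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    dst = b"\xff" * 6 if op == 1 else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def gateway_spoof_outcomes():
    """Spoofed reply claiming the gateway IP with a fake MAC, checked on both port types."""
    spoof = build_arp(FAKE_MAC, GW_IP, HOST_MAC, HOST_IP)
    return filter_arp(spoof, "downstream", GW_IP), filter_arp(spoof, "upstream", GW_IP, GW_MAC)
```

Note that rule 1 discards even a genuine gateway ARP packet on a downstream port, which is exactly why it is only bound to host-facing ports, while the upstream port relies on the MAC check of rule 2.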

Configuring ARP Packet Filtering
