Configuring arp attack protection, Introduction, Gratuitous arp packet learning – H3C Technologies H3C SecPath F1000-E User Manual


Configuring ARP attack protection

The Address Resolution Protocol (ARP) is easy to use, but it is often exploited by attackers because it has no built-in security mechanism. Typical ARP attacks involve sending:

• ARP packets by acting as a trusted user or gateway, so that the receiving devices obtain incorrect ARP entries.
• A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves destination IP addresses and its CPU is overloaded.
• A large number of ARP packets to overload the CPU of the receiving device.

Currently, ARP attacks and ARP viruses pose serious threats to LANs. To defend against them, the firewall provides multiple techniques to detect and prevent such attacks and viruses. The following describes the principles and configuration of these techniques.

Configuring periodic sending of gratuitous ARP packet

Introduction

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the sending device.
A device sends a gratuitous ARP packet for either of the following purposes:

• Determine whether its IP address is already used by another device. If the IP address is already used, the device will be informed of the conflict by an ARP reply.
• Inform other devices of the change of its MAC address.

Gratuitous ARP packet learning

With this feature enabled, the firewall, upon receiving a gratuitous ARP packet, adds an ARP entry that contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry already exists, the device updates the ARP entry.
With this feature disabled, the firewall uses the received gratuitous ARP packets to update existing ARP entries, but not to create new ARP entries.
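As an added example (not from the H3C manual), the following Python parses an IPv4-over-Ethernet ARP frame, checks the gratuitous condition defined above (sender IP equals target IP), and applies the two learning behaviours described in this section to a simple ARP table. The frame builder produces constructed sample input and the dict-based table is an assumption for illustration, not the firewall's actual data structure.

```python
import struct
from ipaddress import IPv4Address

# ARP payload layout for IPv4 over Ethernet (28 bytes after the 14-byte Ethernet header).
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet/ARP frame into a dict of its fields (IPv4 over Ethernet only)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: sender IP and target IP both carry the sending device's own IP."""
    return arp["sender_ip"] == arp["target_ip"]

def apply_gratuitous_arp(table: dict, arp: dict, learning_enabled: bool) -> bool:
    """Update an ARP table (ip -> mac) as the section describes; return True if it changed.
    Learning enabled: create a new entry or update an existing one.
    Learning disabled: update an existing entry only; never create one."""
    if not is_gratuitous(arp):
        return False
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    if ip not in table and not learning_enabled:
        return False
    changed = table.get(ip) != mac
    table[ip] = mac
    return changed

def build_gratuitous_arp(mac: bytes, ip: str, op: int = 1) -> bytes:
    """Construct a gratuitous ARP request frame as sample input (constructed, not captured)."""
    ip_b = IPv4Address(ip).packed
    eth = b"\xff" * 6 + mac + b"\x08\x06"  # broadcast dst, sender src, EtherType ARP
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac, ip_b, b"\x00" * 6, ip_b)
```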

Periodic sending of gratuitous ARP packet

By sending gratuitous ARP packets periodically, the firewall can notify its downlink devices of updates to its ARP entries or MAC address entries, so as to:

1. Prevent ARP spoofing.
A spoofed gratuitous ARP packet can cause hosts on a network segment to update their ARP entries incorrectly, and thereby redirect traffic that the hosts want to send to the gateway to an incorrect MAC address instead. As a result, the hosts cannot access external networks.
To prevent such ARP attacks, you can configure the gateway's interfaces to send gratuitous ARP packets for the primary IP address and manually configured secondary IP addresses of the