Other arp attack defense functions, Overview, Source mac address based arp attack detection – H3C Technologies H3C WX6000 Series Access Controllers User Manual

23-4

Table 23-1 ARP Detection configuration items

Item

Description

VLAN Settings

Select VLANs on which ARP detection is to be enabled.

To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the
Disabled VLANs list box and click the << button.

To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the
list box and click the >> button.

Trusted Ports

Select trusted ports and untrusted ports.

To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted
Ports list box and click the << button.

To remove ports from the Trusted Ports list box, select one or multiple ports from the list
box and click the >> button.

ARP Packet
Validity Check

Select ARP packet validity check modes, including:

Discard the ARP packet whose sender MAC address is different from the source MAC
address in the Ethernet header

Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with
the destination MAC address in the Ethernet header

Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast
address, and discard the ARP reply whose source and destination IP addresses are all
0s, all 1s, or multicast addresses

If none of the above is selected, the system does not check the validity of ARP packets.

Other ARP Attack Defense Functions

Overview

Source MAC address based ARP attack detection

This feature allows the device to check the source MAC address of ARP packets. If the number of ARP

packets received from a MAC address within five seconds exceeds the specified value, the device

considers this an attack, thus generates an alarm, and blocks traffic from that source MAC address.

Only the ARP packets delivered to the CPU are detected.

ARP active acknowledgement

Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid

ARP packets. With this feature enabled, the gateway, upon receiving an ARP packet with a sender MAC

address different from that in the corresponding ARP entry, checks whether the ARP entry has been

updated within the last minute:

If yes, the gateway does not update the ARP entry;

If not, the gateway unicasts an ARP request to the MAC address in the ARP entry.

Then,

If an ARP reply is received within five seconds, the ARP packet is ignored;

If not, the gateway unicasts an ARP request to the sender MAC address of the ARP packet.

Then,

If an ARP reply is received within five seconds, the gateway updates the ARP entry;

If not, the ARP entry is not updated.