Netis ST3326(ST-3302) [80/118] Introduction to arp attack detection

ARP entries in the switch can either be static entries or dynamic entries, as described in.
Introduction to ARP Source MAC Address Consistency Check
An attacker may use the IP or MAC address of another host as the sender IP or MAC address of
ARP packets. These ARP packets can cause other network devices to update the corresponding
ARP entries incorrectly, thus interrupting network traffic.
To prevent such attacks, you can configure ARP source MAC address consistency check on the
switches (operating as gateways). With this function, the device can verify whether an ARP
packet is valid by checking the sender MAC address of the ARP packet against the source MAC
address in the Ethernet header.
Introduction to ARP Attack Detection
Man-in-the-middle attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC
mapping of the sender into its ARP mapping table even if the MAC address is not the real one.
This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.
ARP attack detection
To guard against the man-in-the-middle attacks launched by hackers or attackers, the switches
support the ARP attack detection function. All ARP (both request and response) packets passing
through the switch are redirected to the CPU, which checks the validity of all the ARP packets
by using the DHCP snooping table or the manually configured IP binding table. For description
of DHCP snooping table and the manually configured IP binding table, refer to the DHCP
snooping section in the part discussing DHCP in this manual.
After you enable the ARP attack detection function, the switch checks the following items of
an ARP packet: the source MAC address, the source IP address, the number of the port that received
the ARP packet, and the ID of the VLAN the port resides in. If these items match an entry in the
DHCP snooping table or the manually configured IP binding table, the switch forwards the ARP
packet; if not, the switch discards the ARP packet.
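The two checks described above (the source MAC consistency check and the binding-table lookup performed by ARP attack detection), as an added Python example that is not part of the Netis manual; the binding table contents, port names and addresses are constructed for the demonstration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    eth_src_mac: str   # source MAC address in the Ethernet header
    sender_mac: str    # sender hardware address inside the ARP payload
    sender_ip: str     # sender protocol address inside the ARP payload
    in_port: str       # port on which the switch received the frame
    vlan_id: int       # VLAN the receiving port resides in


# Constructed binding table standing in for the DHCP snooping table or the
# manually configured IP binding table: (IP, MAC, port, VLAN) tuples.
BINDINGS = {
    ("10.0.0.11", "00:11:22:33:44:11", "Gi0/1", 10),
    ("10.0.0.12", "00:11:22:33:44:12", "Gi0/2", 10),
}


def source_mac_consistent(pkt: ArpPacket) -> bool:
    """ARP source MAC consistency check: the sender MAC in the ARP payload
    must equal the source MAC in the Ethernet header."""
    return pkt.sender_mac.lower() == pkt.eth_src_mac.lower()


def matches_binding(pkt: ArpPacket, bindings=BINDINGS) -> bool:
    """ARP attack detection: source IP, source MAC, ingress port and VLAN
    must all match a single entry of the binding table."""
    key = (pkt.sender_ip, pkt.sender_mac.lower(), pkt.in_port, pkt.vlan_id)
    return key in bindings


def inspect_arp(pkt: ArpPacket, bindings=BINDINGS) -> str:
    """Return 'forward' when both checks pass, otherwise the drop reason."""
    if not source_mac_consistent(pkt):
        return "drop: sender MAC differs from Ethernet source MAC"
    if not matches_binding(pkt, bindings):
        return "drop: no matching DHCP snooping / IP binding entry"
    return "forward"


# Constructed sample packets: one valid, one claiming an IP that is bound to
# a different port/MAC, one whose two MAC fields disagree.
LEGIT = ArpPacket("00:11:22:33:44:11", "00:11:22:33:44:11", "10.0.0.11", "Gi0/1", 10)
WRONG_BINDING = ArpPacket("00:11:22:33:44:12", "00:11:22:33:44:12", "10.0.0.11", "Gi0/2", 10)
INCONSISTENT = ArpPacket("00:11:22:33:44:11", "00:11:22:33:44:12", "10.0.0.12", "Gi0/2", 10)

if __name__ == "__main__":
    for pkt in (LEGIT, WRONG_BINDING, INCONSISTENT):
        print(pkt.sender_ip, pkt.in_port, "->", inspect_arp(pkt))
```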
Introduction to ARP Packet Rate Limit
To prevent the man-in-the-middle attack, a switch enabled with the ARP attack detection
function delivers ARP packets to the CPU to check the validity of the packets. However, this
causes a new problem: If an attacker sends a large number of ARP packets to a port of a switch,
the CPU will get overloaded, causing other functions to fail, and even the whole device to break
down. To guard against such attacks, the switches support the ARP packet rate limit function,
which shuts down the attacked port, thus preventing serious impact on the CPU.
With this function enabled on a port, the switch will count the ARP packets received on the port
within each second. If the number of ARP packets received on the port per second exceeds the
preconfigured value, the switch considers that the port is attacked by ARP packets. In this case,
