R3303-HP HSR6800 Routers Security Configuration Guide

Configuring ARP attack protection
ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and
prevent such attacks.
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
- Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
- Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those packets) to keep the receiving device busy with resolving destination IP addresses until the CPU is overloaded.
- Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
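
The three behaviors listed above leave recognizable traces in captured ARP traffic. The following Python code is an added example, not part of the HP guide or the router software; the event tuple format, the addresses, and both thresholds are constructed assumptions, not device defaults.

```python
from collections import Counter, defaultdict

# Constructed sample gateway (IP, MAC); not taken from the guide.
GATEWAY = ("10.0.0.1", "00:11:22:00:00:01")

def sample_events():
    """Constructed ARP events: (time_s, op, sender_ip, sender_mac, target_ip)."""
    ev = [(0.0, "request", "10.0.0.5", "00:11:22:00:00:05", "10.0.0.1"),
          (0.1, "reply", *GATEWAY, "10.0.0.5"),
          # A second MAC answers for the gateway IP (gateway spoofing symptom).
          (0.5, "reply", "10.0.0.1", "00:11:22:00:00:66", "10.0.0.5")]
    # Gateway keeps resolving destinations that never answer (unresolvable IPs).
    ev += [(1.0 + i * 0.01, "request", *GATEWAY, f"10.0.0.{200 + i}")
           for i in range(20)]
    # One host sends a burst of ARP requests (ARP packet flood).
    ev += [(2.0 + i * 0.005, "request", "10.0.0.9", "00:11:22:00:00:09",
            "10.0.0.1") for i in range(60)]
    return ev

def analyze(events, pps_limit=50, unresolved_limit=10):
    """Flag the three symptoms; both limits are assumed values for the demo."""
    macs_by_ip = defaultdict(set)   # sender IP -> MACs that claimed it
    per_second = Counter()          # (sender MAC, second) -> packet count
    answered = set()                # IPs that sent at least one reply
    for t, op, sip, smac, tip in events:
        macs_by_ip[sip].add(smac)
        per_second[(smac, int(t))] += 1
        if op == "reply":
            answered.add(sip)
    unanswered = Counter()          # requester IP -> requests never answered
    for t, op, sip, smac, tip in events:
        if op == "request" and tip not in answered:
            unanswered[sip] += 1
    return {
        # More than one MAC for an IP is a heuristic: failover or address
        # reassignment can also cause it, so treat it as a lead to verify.
        "conflicting_bindings": {ip: sorted(m) for ip, m in macs_by_ip.items()
                                 if len(m) > 1},
        "unresolved_targets": {ip: n for ip, n in unanswered.items()
                               if n >= unresolved_limit},
        "flooding_senders": sorted({mac for (mac, _), n in per_second.items()
                                    if n > pps_limit}),
    }

if __name__ == "__main__":
    for finding, detail in analyze(sample_events()).items():
        print(finding, detail)
```
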
ARP attack protection configuration task list
| Category | Task | Remarks |
|---|---|---|
| Flood prevention | Configuring unresolvable IP attack protection: Configuring ARP source suppression | Optional. Configure this function on gateways (recommended). |
| Flood prevention | Configuring unresolvable IP attack protection: Enabling ARP blackhole routing | Optional. Configure this function on gateways (recommended). |
| Flood prevention | Configuring ARP packet rate limit | Optional. Configure this function on access devices (recommended). |
| User and gateway spoofing prevention | Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention | Configuring authorized ARP | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention | Configuring ARP detection | Optional. Configure this function on access devices (recommended). |
| User and gateway spoofing prevention | Configuring ARP automatic scanning and fixed ARP | Optional. Configure this function on gateways (recommended). |