R2511-HP MSR Router Series Security Configuration Guide(V5)
406
Configuring ARP attack protection
ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and
prevent such attacks.
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP
entries.
• Sends a large number of unresolvable IP packets (ARP cannot find MAC addresses for those
packets) to keep the receiving device busy with resolving destination IP addresses until the CPU is
overloaded.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attack protection configuration task list
Task Remarks
Flood
prevention
Configuring
unresolvable
IP attack
protection
Configuring ARP
source
suppression
Optional.
Configure this function on gateways (recommended).
Configuring source MAC-based
ARP attack detection
Optional.
Configure this function on gateways (recommended).
User and
gateway
spoofing
prevention
Configuring ARP packet source
MAC consistency check
Optional.
Configure this function on gateways (recommended).
Configuring ARP active
acknowledgement
Optional.
Configure this function on gateways (recommended).
Configuring ARP automatic
scanning and fixed ARP
Optional.
Configure this function on gateways (recommended).
Configuring unresolvable IP attack protection
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called
unresolvable IP packets), the following situations can occur:
• The device sends a large number of ARP requests, overloading the target subnets.