HP MSR2000/3000/4000 Router Series Security Configuration Guide
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can
occur.
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such unresolvable IP attacks, you can configure the following features:
• ARP source suppression—If the attack packets have the same source address, you can enable the
ARP source suppression function, and set the maximum number of unresolvable IP packets that the
device can receive from a host within 5 seconds. If the threshold is reached, the device stops
resolving packets from the host until the 5 seconds elapse.
• ARP blackhole routing—You can enable the ARP blackhole routing function regardless of whether
the attack packets have the same source address. After receiving an unresolvable IP packet, the
device creates a blackhole route destined for that IP address and drops all the matching packets
until the blackhole route ages out.
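To make the two mechanisms concrete, the following Python model (an added example, not Comware code or HP's implementation) replays a constructed flood of unresolvable IP packets through a per-source 5-second counter with the default limit of 10 and a blackhole-route table. The 25-second route aging time and the sample addresses are assumptions; the page does not state an aging time.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 5   # fixed 5-second window of ARP source suppression
DEFAULT_LIMIT = 10   # default value of "arp source-suppression limit"


@dataclass
class UnresolvableIpProtection:
    """Simulation of the two protections; not the router's implementation."""
    limit: int = DEFAULT_LIMIT
    blackhole_aging: float = 25.0  # assumed aging time of a blackhole route (seconds)
    _window_start: dict = field(default_factory=dict)  # source -> start of its window
    _count: dict = field(default_factory=dict)         # source -> packets seen in window
    _blackhole: dict = field(default_factory=dict)     # destination -> route expiry time

    def handle(self, now: float, src: str, dst: str) -> str:
        """Process one unresolvable IP packet and return the modelled action."""
        # ARP blackhole routing: a live route for the destination drops the packet
        # before any resolution attempt, whatever the source address is.
        expiry = self._blackhole.get(dst)
        if expiry is not None and now < expiry:
            return "drop-blackhole"
        self._blackhole.pop(dst, None)  # route (if any) has aged out
        # ARP source suppression: count packets per source within a 5 s window;
        # once the limit is reached, stop resolving for that source until it ends.
        start = self._window_start.get(src)
        if start is None or now - start >= WINDOW_SECONDS:
            self._window_start[src] = now
            self._count[src] = 0
        if self._count[src] >= self.limit:
            return "drop-suppressed"
        self._count[src] += 1
        # Resolution is attempted (ARP request sent); as it fails, a blackhole
        # route for the destination is installed until it ages out.
        self._blackhole[dst] = now + self.blackhole_aging
        return "arp-request"


def simulate(limit: int = DEFAULT_LIMIT, packets: int = 80, rate_hz: int = 10,
             same_destination: bool = False) -> dict:
    """Constructed flood: one host (10.1.1.100) sends `packets` unresolvable packets
    at `rate_hz`, all to one destination or each to a new one. Returns action counts."""
    prot = UnresolvableIpProtection(limit=limit)
    counts = {"arp-request": 0, "drop-suppressed": 0, "drop-blackhole": 0}
    for i in range(packets):
        dst = "10.1.2.1" if same_destination else f"10.1.2.{i + 1}"
        counts[prot.handle(i / rate_hz, "10.1.1.100", dst)] += 1
    return counts


if __name__ == "__main__":
    print("scan of distinct hosts:", simulate())
    print("flood to one host:     ", simulate(same_destination=True))
```

With distinct destinations only source suppression acts (10 ARP requests per 5-second window, the rest dropped); with one repeated destination the first packet installs a blackhole route and every later packet is dropped by it, so the CPU never resolves the address again until the route ages out.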
Configuring ARP source suppression
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable ARP source suppression.
  Command: arp source-suppression enable
  Remarks: By default, ARP source suppression is disabled.
Step 3: Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds.
  Command: arp source-suppression limit limit-value
  Remarks: By default, the maximum number is 10.
Enabling ARP blackhole routing
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable ARP blackhole routing.
  Command: arp resolving-route enable
  Remarks: By default, ARP blackhole routing is enabled.
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
Task: Display ARP source suppression configuration information.
  Command: display arp source-suppression