R0106-HP MSR Router Series Security Configuration Guide(V7)
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such unresolvable IP attacks, you can configure the following features:
• ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP
packets from the host is reached within an interval of 5 seconds. The device continues ARP
resolution when the interval elapses. This feature is applicable if the attack packets have the same
source addresses.
• ARP blackhole routing—Creates a blackhole route destined for an unresolvable IP address. The
device drops all matching packets until the blackhole route ages out. This feature is applicable
regardless of whether the attack packets have the same source addresses.
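The following Python model is an added illustration, not HP code or part of the original guide. It shows why ARP source suppression only helps when attack packets share a source address, while ARP blackhole routing works regardless. The fixed 5-second windows, the 25-second route aging time, and all addresses are assumptions made for the example.

```python
# Simplified model of the two features described above (not Comware code).
from collections import defaultdict

WINDOW = 5.0          # seconds; interval stated in the guide
LIMIT = 10            # default limit stated in the guide
BLACKHOLE_AGE = 25.0  # assumed aging time; the page does not state one


class Gateway:
    def __init__(self, limit=LIMIT, suppression=True, blackhole=True):
        self.limit, self.suppression, self.blackhole = limit, suppression, blackhole
        self.counts = defaultdict(int)  # (source, window index) -> unresolvable packets
        self.routes = {}                # destination -> blackhole route expiry time
        self.arp_requests = 0           # resolution attempts, i.e. the CPU cost

    def receive(self, now, src, dst):
        """Handle one packet whose destination has no ARP entry; return the action."""
        if self.blackhole and self.routes.get(dst, 0) > now:
            return "dropped-blackhole"          # route has not aged out yet
        if self.suppression:
            key = (src, int(now // WINDOW))     # assumption: fixed 5-second windows
            if self.counts[key] >= self.limit:
                return "dropped-suppressed"     # this source reached its limit
            self.counts[key] += 1
        self.arp_requests += 1
        if self.blackhole:
            self.routes[dst] = now + BLACKHOLE_AGE
        return "arp-sent"


def replay(gw, packets):
    """Feed (time, src, dst) tuples to the gateway; return the ARP request count."""
    for now, src, dst in packets:
        gw.receive(now, src, dst)
    return gw.arp_requests


# Constructed traffic: 200 packets in 2 seconds aimed at unresolvable addresses.
# one_source: a single host sweeping 50 destinations.
# many_sources: 200 different source addresses, one destination.
one_source = [(i * 0.01, "10.1.1.5", f"10.1.2.{i % 50 + 100}") for i in range(200)]
many_sources = [(i * 0.01, f"10.1.1.{i % 200 + 1}", "10.1.2.99") for i in range(200)]
```

With suppression alone, replay() caps the single-source flood at the limit but lets every packet of the many-source flood trigger resolution; with blackhole routing alone, the many-source flood costs one resolution per destination until the route ages out.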
Configuring ARP source suppression
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP source suppression. | arp source-suppression enable | By default, ARP source suppression is disabled. |
| 3. Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds. | arp source-suppression limit limit-value | By default, the maximum number is 10. |
Enabling ARP blackhole routing
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP blackhole routing. | arp resolving-route enable | By default, ARP blackhole routing is enabled. |
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
| Task | Command |
|---|---|
| Display ARP source suppression configuration information. | display arp source-suppression |
Configuration example
Network requirements
As shown in Figure 120, a LAN contains two areas: an R&D area in VLAN 10 and an office area in
VLAN 20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered to be the result
of an unresolvable IP attack. To prevent the attack, configure ARP source suppression and ARP blackhole
routing.