HP VPN Firewall Appliances Attack Protection Configuration Guide
Task: Configuring ARP detection
  Remarks: Optional. Configure this function on gateways (recommended).
Task: Configuring ARP automatic scanning and fixed ARP
  Remarks: Optional. Configure this function on gateways (recommended).
Configuring unresolvable IP attack protection
Unresolvable IP attack protection can be configured only at the CLI.
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called
unresolvable IP packets), the following situations can occur:
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such IP packet attacks, you can configure the following features:
• ARP source suppression—If the attack packets have the same source address, you can enable the
ARP source suppression function, and set the maximum number of unresolvable IP packets that a
host can send within 5 seconds. If the threshold is reached, the device stops resolving packets from
the host until the 5 seconds elapse.
• ARP blackhole routing—You can enable the ARP blackhole routing function regardless of whether
the attack packets have the same source address. After receiving an unresolvable IP packet, the
device creates a blackhole route destined for that IP address and drops all the matching packets
until the blackhole route ages out.
Configuring ARP source suppression
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable ARP source suppression.
  Command: arp source-suppression enable
  Remarks: Disabled by default.
Step 3. Set the maximum number of unresolvable packets that the device can receive from a host in 5 seconds.
  Command: arp source-suppression limit limit-value
  Remarks: Optional. 10 by default.
Enabling ARP blackhole routing
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable ARP blackhole routing.
  Command: arp resolving-route enable
  Remarks: Optional. Disabled by default.
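As an added illustration (not HP code and not the firewall's implementation), the following Python models the two behaviours the sections above describe, so the effect of the suppression limit and the blackhole route on a stream of unresolvable packets can be reasoned about offline. The 25-second blackhole aging time is an assumed value, since the guide does not state one.

```python
"""Model of the two unresolvable-IP protections described in this guide.

Constructed illustration only: per-source suppression over a fixed
5-second window (arp source-suppression), and blackhole routes that
drop traffic to a destination until they age out (arp resolving-route).
"""

WINDOW_SECONDS = 5          # suppression window stated in the guide
DEFAULT_LIMIT = 10          # default value of 'arp source-suppression limit'
BLACKHOLE_AGE_SECONDS = 25  # ASSUMED aging time; the guide gives no value


class UnresolvableIpGuard:
    """Decides what the device does with an IP packet ARP cannot resolve."""

    def __init__(self, source_suppression=False, limit=DEFAULT_LIMIT,
                 blackhole_routing=False):
        self.source_suppression = source_suppression
        self.limit = limit
        self.blackhole_routing = blackhole_routing
        self._window = {}      # source IP -> (window start time, packet count)
        self._blackholes = {}  # destination IP -> time the route ages out

    def handle(self, now, src, dst):
        """Return 'resolve' (send an ARP request), 'suppressed' (source is
        over its limit for this window) or 'blackholed' (route drops it)."""
        if self.blackhole_routing:
            expiry = self._blackholes.get(dst)
            if expiry is not None and now < expiry:
                return "blackholed"      # existing route still drops traffic
        if self.source_suppression:
            start, count = self._window.get(src, (now, 0))
            if now - start >= WINDOW_SECONDS:
                start, count = now, 0    # 5 seconds elapsed: count afresh
            count += 1
            self._window[src] = (start, count)
            if count > self.limit:
                return "suppressed"      # stop resolving for this host
        if self.blackhole_routing:
            # First unresolvable packet to dst: resolve it once, then install
            # a blackhole route that drops later packets until it ages out.
            self._blackholes[dst] = now + BLACKHOLE_AGE_SECONDS
        return "resolve"
```

With source suppression alone, a host that sends eleven unresolvable packets in one second still triggers ten ARP requests; with blackhole routing, repeated packets to the same unreachable destination trigger only one request per aging period regardless of source.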