Today we will learn basic protection against ARP attacks.
In order to avoid the various harms caused by the above-mentioned ARP attacks, ARP security features provide for different types of attacks
A variety of solutions.
For ARP flooding attacks, the following methods can be used for basic protection:
1. By limiting the rate of ARP messages, it is recommended to deploy on the gateway device to prevent the overload of the CPU caused by a large number of ARP messages and other services cannot be processed.
2. By deploying ARP Miss message rate limiting on the gateway device, it prevents the failure to parse IP messages due to receiving a large number of destination IPs, triggering a large number of ARPMiss messages, and causing excessive CPU load.
3. By deploying gratuitous ARP messages to be actively discarded on the gateway device, it prevents the device from processing a large number of gratuitous ARP messages, which may cause excessive CPU load.
4. Deploy strict learning control of ARP entries on the gateway device. Only the response message of the ARP request message actively sent by the local device can trigger the device to perform ARP learning. This can effectively prevent the device from receiving a large number of ARP attack packets, causing the ARP table to be filled with invalid ARP entries.
5. Deploy the ARP entry limit on the gateway device, and set the device interface to learn only the maximum number of dynamic ARP entries. It can prevent the ARP table resources of the entire device from being exhausted when a user host connected to a certain interface initiates an ARP attack.
6. Deploy the function of prohibiting interface learning ARP entries on the gateway device. By prohibiting an interface from learning ARP entries, prevent ARP attacks initiated by users connected to the interface from causing the ARP table resources of the entire device to be exhausted .
For ARP table spoofing attacks, the following methods can be adopted:
1. By deploying the ARP table entry curing function on the gateway device, after the device learns ARP for the first time, it will take the following methods to restrict table entry updates: users are no longer allowed to update this ARP entry, only this ARP can be updated Part of the table entry information can be confirmed by sending ARP request packets to prevent attackers from forging ARP packets to modify the contents of normal users' ARP table entries. The ARP entry curing mode is generally divided into three modes: fixed-all mode, fixed-mac mode and send-ack.
2. Deploy dynamic ARP inspection on the access device. After the device receives an ARP packet, it will compare the source IP, source MAC, interface and VLAN information of the received ARP packet with the bound information. If the information matches, it is considered a legitimate user and the ARP packet of this user is allowed to pass, otherwise it is considered an attack packet and the ARP packet is discarded. This method is only applicable when DHCP Snooping has been deployed.
3. Deploy the gratuitous ARP packet active discard function on the gateway device. By actively discarding gratuitous ARP packets, it prevents the device from receiving a large number of forged gratuitous ARP packets, causing ARP entries to update incorrectly, and legitimate users' communication traffic from being corrupted. Interrupted.
4. Deploy ARP message MAC address consistency check on the gateway device. Through the ARP message MAC address consistency check function, you can prevent the source and destination MAC addresses in the Ethernet data frame and the source and destination MAC addresses in the ARP message data area. ARP spoofing attacks with inconsistent destination MAC addresses.
5. Deploy the strict learning function of this ARP table entry on the gateway device. After this function is enabled, only the response message of the ARP request message sent by the device can trigger the learning of the local device, while the ARP message sent by other devices Cannot trigger this device to learn ARP. It is used to prevent the device from receiving forged ARP packets, causing ARP entries to update incorrectly and interrupting the communication traffic of legitimate users.