How to protect Huawei switches against ARP flood attack?
DoS attack is an attempt to make a network resources unavailable to its intended users. There are several different types of DoS attacks, but most of them rely on spoofing and flooding techniques. Some of these attacks can be hard to defend against, because DoS packets may look exactly like normal packets.
One common method of attack involves saturating the target device with a flood of request packets, so that this device cannot respond to a legitimate traffic or responds so slowly, as to be unavailable.
Attackers often use ARP protocol to attack network devices, because it is easy to use and has no security mechanisms built in. Flooding a network device with ARP request packets can lead to insufficient CPU resources to process other services, when processing a large number of ARP packets. To protect the device, ARP rate limiting mechanism can be used. On Huawei switches this feature can be implemented in the following ways:
- Limiting the rate of ARP packets globally, in a VLAN or on an interface
- Limiting the rate of ARP packets based on the source MAC address
- Limiting the rate of ARP packets based on the source IP address
limiting the rate of ARP packets globally, in a VLAN or on an interface
To enable ARP packets rate limiter globally (all ARP request packets processed by the system will be limited), the following command has to be configured:
<labnarioSW>arp anti-attack rate-limit enable
By default this feature is disabled. Let’s see if it is enabled now:
[labnarioSW]dis arp anti-attack config arp-rate-limit
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
arp anti-attack rate-limit enable
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
When enabled, packets will be rate limited to 100 per second, by default. To change this value, use the command:
[labnarioSW]arp anti-attack rate-limit 90 ?
INTEGER Set interval value (second)
[labnarioSW]arp anti-attack rate-limit 90 1
As you see, a time interval of rate limit can also be changed in the range of 1-86400 seconds.
To enable the alarm function for discarded ARP packets, use the command:
[labnarioSW]arp anti-attack rate-limit alarm enable
To enable ARP packets rate limiter in a VLAN or on an interface, use the same commands as above, in a VLAN or an interface view respectively:
[labnarioSW]vlan 10
[labnarioSW-vlan10]arp anti-attack rate-limit enable
[labnarioSW-vlan10]arp anti-attack rate-limit 20 1
[labnarioSW]int g0/0/1
[labnarioSW-GigabitEthernet0/0/1]arp anti-attack rate-limit enable
[labnarioSW-GigabitEthernet0/0/1]arp anti-attack rate-limit 10 1 block timer 60
In the interface view, it is possible to block all the traffic, coming from the specific source, when defined rate limit is exceeded. Block timer can be set in the range of 5-864000 seconds. Alarm function of discarded ARP packets can be enabled in VLAN and interface views as well.
Let’s see our final configuration:
[labnarioSW-vlan10]dis arp anti-attack config arp-rate-limit
ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
arp anti-attack rate-limit enable
arp anti-attack rate-limit 90 1
arp anti-attack rate-limit alarm enable
Interface configuration:
GigabitEthernet0/0/1 :
arp anti-attack rate-limit enable
arp arp anti-attack rate-limit 10 1 block timer 60
Vlan configuration:
Vlan10 :
arp anti-attack rate-limit enable
arp anti-attack rate-limit 20 1
-------------------------------------------------------------------------------
limiting the rate of ARP packets based on the source MAC address
<labnario>system-view
[labnarioSW]arp speed-limit source-mac ?
H-H-H The source Mac address
maximum Input the speed-limit value
There are two options, let’s choose the first one. This option limits the number of ARP packets with specific source MAC address. The range of this values can be set as packets per second.
Let’s configure limiter to allow no more than 50 ARP packet per second, sourced from MAC address aaaa-bbbb-cccc:
[labnarioSW]arp speed-limit source-mac aaaa-bbbb-cccc maximum 50
If no MAC address is specified (second option), then limiter is applied to all ARP packets:
[labnarioSW]arp speed-limit source-mac maximum ?
INTEGER The range of speed-limit value(in packets/second)
[labnarioSW]arp speed-limit source-mac maximum 100
[labnarioSW]
By default, the rate limit of ARP packets is set to 0, which means that ARP packets are not limited.
To display ARP rate limit configuration, use the command as below:
[labnarioSW]display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-MAC configuration:
MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 50
Others 100
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec is 512.
As you see, the rate limiter is now configured to limit all ARP packets, sourced from any MAC address, to no more than 100 packets per second, and to limit ARP packets, sourced from MAC of aaaa-bbbb-cccc, to no more than 50 packets per second.
limiting the rate of ARP packets based on the source IP address
To configure ARP packet rate limiter to limit packets, based on the source IP address, use the command as below:
[labnarioSW]arp speed-limit source-ip 10.11.12.100 maximum 5
To limit all ARP packets, use the following command:
[labnarioSW]arp speed-limit source-ip maximum 50
Let’s check our configuration:
[labnarioSW]dis arp anti-attack config arp-speed-limit
ARP speed-limit for source-MAC configuration:
MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
aaaa-bbbb-cccc 50
Others 100
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec is 512.
ARP speed-limit for source-IP configuration:
IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.11.12.100 5
Others 50
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 2, spec is 512.
When both commands are configured, ARP packets sourced from host 10.11.12.100 will be rate limited by our switch to no more than 5 packets per second, all the other packets sourced from any IP address will be limited to no more than 50 packets per second at the same time.
By default, the rate limit of ARP packets with the same source IP address is set to 0, which means that ARP packets are not limited by the switch.
Rate limiting of ARP packets is not a perfect solution against ARP flood attack. When configured, both malicious and legitimate ARP packets will be affected by this feature. Nonetheless we have to remember, that this feature can help our switch to survive attack, while still forwarding traffic in a network.
Read More »