If the source IP or MAC address of the attack source can be determined in the log (display logbuffer), eliminate the attack source.
Aug 1 2014 18:09:48+08:00 HUAWEI %%01SECE/4/ARPMISS(l)[0]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet0/0/1, SourceIP=10.0.0.250, AttackPackets=19 packets per second)
Check the type of ARP packets of which the drop count keeps increasing.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-fake expire-time 30
While the switch is under attack, increase the aging time of temporary ARP entries to reduce the frequency of ARP Miss messages and so reduce the impact on the switch.
Before a temporary ARP entry ages out, the switch discards IP packets that match it without generating a further ARP Miss message. When an ARP reply for that address arrives, the switch replaces the temporary entry with the correct ARP entry.
Run the display arp all command on the switch to check ARP entries. If the MAC address field is displayed as Incomplete, note the IP address and interface of that entry, then analyze the packets captured on this interface to find the source IP address that is accessing the IP address in the Incomplete entry.
After determining the attack source, configure a blackhole MAC entry or blacklist to discard the packets from the attack source, or limit the rate of ARP packets from the attack source.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0000-0023
<HUAWEI> display arp anti-attack configuration arpmiss-speed-limit
ARP miss speed-limit for source-IP configuration:
IP-address      suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All             500    //The switch can process a maximum of 500 ARP Miss messages per second triggered by one source IP address.
-------------------------------------------------------------------------------
0 specified IP addresses are configured, spec is 256 items.
<HUAWEI> system-view
[HUAWEI] arp-miss speed-limit source-ip 10.0.0.1 maximum 100    //The switch can process a maximum of 100 ARP Miss messages per second triggered by IP address 10.0.0.1.
Use either of the following methods:
Method 1: Configure attack source tracing to find out the attack source.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test    //Create a policy named test.
[HUAWEI-cpu-defend-policy-test] auto-defend enable    //Enable attack source tracing.
[HUAWEI-cpu-defend-policy-test] auto-defend attack-packet sample 5    //Set the sampling rate of attack source tracing to 5.
[HUAWEI-cpu-defend-policy-test] auto-defend threshold 30    //The switch considers that an attack occurs when the rate of ARP packets sent by one IP address reaches 30 pps.
[HUAWEI-cpu-defend-policy-test] auto-defend trace-type source-ip    //Configure attack source identification based on source IP address.
[HUAWEI-cpu-defend-policy-test] auto-defend protocol arp    //Configure attack source identification based on ARP packet type.
[HUAWEI-cpu-defend-policy-test] quit
[HUAWEI] cpu-defend-policy test global    //Apply the attack defense policy.
Run the following command instead on modular switches:
[HUAWEI] cpu-defend-policy test    //(modular switch)
<HUAWEI> display auto-defend attack-source detail
 Attack Source User Table (MPU):
 ----------------------------------------------------
 MAC Address        0000-0000-0023    //Exclude the gateway MAC address from the attack source MAC address list.
 Interface          GigabitEthernet0/0/1
 VLAN: Outer/Inner  199
 ARP:               256
 Total              256
 ----------------------------------------------------

 Attack Source IP Table (MPU):
 ----------------------------------------------------
 IP address         10.10.10.2    //Exclude the gateway IP address from the attack source IP address list.
 ARP:               256
 Total              256
 ----------------------------------------------------
 Total: 1
Method 2: Configure port mirroring to obtain packet information.
Analyze the sender addresses in the headers of the mirrored ARP request and reply packets.
If the same MAC or IP address appears in a large number of ARP request or reply packets, treat that address as the attack source.
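The two analysis steps above, the Incomplete-entry check on display arp all output and the per-sender count over mirrored ARP packets, as an added Python example that is not part of the original page; the table excerpt, the packet samples and the thresholds are constructed, and the pps thresholds are assumptions you would tune to your network.

```python
from collections import Counter

# Constructed excerpt of "display arp all" output (sample data, not from a real switch).
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE
10.0.0.1        0011-2233-4455  20        D-0  GE0/0/1
10.0.0.77       Incomplete      1         D-0  GE0/0/1
10.0.0.78       Incomplete      1         D-0  GE0/0/1
"""

# Constructed one-second sample of IP packets captured on GE0/0/1: (src_ip, dst_ip).
IP_PACKETS = ([("10.0.0.250", "10.0.0.77")] * 12 + [("10.0.0.250", "10.0.0.78")] * 7
              + [("10.0.0.5", "10.0.0.1")] * 3)

# Constructed one-second sample of mirrored ARP packets: (sender_mac, sender_ip).
ARP_PACKETS = ([("0000-0000-0023", "10.10.10.2")] * 40
               + [("0011-2233-4455", "10.10.10.1")] * 2)


def incomplete_entries(table):
    """IPs whose MAC field reads Incomplete: temporary entries created by ARP Miss."""
    rows = (line.split() for line in table.splitlines())
    return {f[0] for f in rows if len(f) >= 2 and f[1].lower() == "incomplete"}


def arp_miss_sources(ip_packets, incomplete, threshold_pps):
    """Source IPs sending at least threshold_pps packets/s to Incomplete destinations.

    Each such packet makes the switch generate an ARP Miss, so these sources are
    the candidates for the arp-miss speed-limit source-ip command.
    """
    hits = Counter(src for src, dst in ip_packets if dst in incomplete)
    return {src: n for src, n in hits.items() if n >= threshold_pps}


def arp_flood_sources(arp_packets, threshold_pps):
    """Sender MAC/IP pairs that appear in at least threshold_pps ARP packets/s.

    Candidates for a blackhole MAC entry or the arp speed-limit source-ip command.
    """
    hits = Counter(arp_packets)
    return {pair: n for pair, n in hits.items() if n >= threshold_pps}


if __name__ == "__main__":
    unresolved = incomplete_entries(ARP_TABLE)
    print("Incomplete entries:", sorted(unresolved))
    print("ARP Miss sources (>=10 pps):", arp_miss_sources(IP_PACKETS, unresolved, 10))
    print("ARP flood sources (>=30 pps):", arp_flood_sources(ARP_PACKETS, 30))
```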
After determining the attack source, configure a blackhole MAC entry or blacklist to discard the packets from the attack source, or limit the rate of ARP packets from the attack source.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0000-0000-0023
Method 2: Limit the rate of ARP packets sent from the attack source.
Reduce the rate of ARP packets from the source IP or MAC address gradually.
<HUAWEI> display arp anti-attack configuration arp-speed-limit
ARP speed-limit for source-IP configuration:
IP-address      suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
All             0    //Set the ARP rate limit for each source IP address to 0. That is, the switch does not limit the ARP rate based on source IP address.
-------------------------------------------------------------------------------
0 specified IP addresses are configured, spec is 256 items.
<HUAWEI> system-view
[HUAWEI] arp speed-limit source-ip 10.10.10.2 maximum 50    //Set the ARP rate limit for IP address 10.10.10.2 to 50 pps.