Configuring Source Mac Address Based Arp Attack Detection; Introduction; Configuration Procedure - HP 3600 v2 Series Security Configuration Manual

Configuring source MAC address based ARP
attack detection

Introduction

With this feature enabled, the device checks the source MAC address of ARP packets delivered to the
CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the
specified threshold. The device adds the MAC address to the attack detection table.
Before the attack detection entry is aged out, the device uses either of the following detection modes to
respond to the detected attack:
Monitor mode: Generates a log message.
•
Filter mode: Generates a log message and filters out subsequent ARP packets from the attacking
•
MAC address.
You can also configure protected MAC addresses to exclude a gateway or server from detection. A
protected MAC address is excluded from ARP attack detection even if it is an attacker.

Configuration procedure

Follow these steps to configure source MAC address based ARP attack detection:
To do...
Enter system view
Enable source MAC address
based ARP attack detection and
specify the detection mode
Configure the threshold
Configure the age timer for ARP
attack detection entries
Configure protected MAC
addresses
NOTE:
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
Use the command...
system-view
arp anti-attack source-mac { filter |
monitor }
arp anti-attack source-mac
threshold threshold-value
arp anti-attack source-mac
aging-time time
arp anti-attack source-mac
exclude-mac mac-address&<1-10>
335
Remarks
—
Required
Disabled by default.
Optional
50 by default.
Optional
300 seconds by default.
Optional
Not configured by default.