ALM-303046945 ARP Entry Attack
Description
SECE/4/ARP_ENTRY_CHECK:OID=[OID] Arp entry attack.(SourceInterface=[OCTET], SourceIP=[OCTET], SourceMAC=[OCTET], PVLAN=[INTEGER], CVLAN=[INTEGER])
The system detects attack packets used to modify ARP entries.
Attribute
|
Alarm ID |
Alarm Severity |
Alarm Type |
|---|---|---|
|
303046945 |
Warning |
equipmentAlarm |
Parameters
|
Name |
Meaning |
|---|---|
|
OID |
Indicates the MIB object ID of the alarm. |
|
SourceInterface |
Indicates the source interface of packets. |
|
SourceIP |
Indicates the source IP address of packets. |
|
SourceMAC |
Indicates the source MAC address of packets. |
|
PVLAN |
Indicates the outer VLAN ID of packets. |
|
CVLAN |
Indicates the inner VLAN ID of packets. |
Impact on the System
If this alarm is generated, ARP entries on the AC may be changed to ARP entries of attackers. As a result, user traffic is intercepted by attackers and user services are interrupted.
Possible Causes
The AC is attacked by packets used to modify ARP entries.
Procedure
- Find the interface where attacks occur according to SourceInterface.
- Check whether users who are not in the DHCP snooping binding table range are connected to the interface.
- If new users are connected, run related DHCP snooping commands to generate the DHCP snooping binding table. Then find the interface where the gateway conflict occurs according to the value of SourceInterface.
Related Information
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
