Configuring ARP defense against IP packet attacks
If the device receives a large number of IP packets from a host addressed to unreachable destinations:
The device sends a large number of ARP requests to the destination subnets, and thus the load of the destination subnets increases.
The device keeps trying to resolve destination IP addresses, which increases the load on the CPU.
To protect the device from IP packet attacks, you can enable the ARP source suppression function or ARP black hole routing function.
If the packets have the same source address, you can enable the ARP source suppression function. With the function enabled, you can set a threshold for the number of ARP requests that a sending host can trigger in 5 seconds with packets whose destination IP addresses cannot be resolved. When the number of ARP requests exceeds that threshold, the device suppresses the host from triggering any ARP requests in the following 5 seconds.
If the packets have various source addresses, you can enable the ARP black hole routing function. After receiving an IP packet whose destination IP address cannot be resolved by ARP, the device with this function enabled immediately creates a black hole route and simply drops all packets matching the route during the aging time of the black hole route.
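The following Python model of the two functions is an added illustration, not code from the device or its vendor: it reproduces the 5-second counting and suppression periods described above for ARP source suppression, and the per-destination black hole route with an assumed, configurable aging time; the class and method names, the set of resolvable destinations and the sample addresses are all constructed for the example.

```python
WINDOW = 5  # seconds: the fixed counting and suppression period described above


class ArpSourceSuppression:
    """Per-source limit on ARP requests triggered by unresolvable destinations."""

    def __init__(self, threshold):
        self.threshold = threshold
        # source IP -> (window start, ARP requests in window, suppressed-until or None)
        self.state = {}

    def packet(self, src, now):
        """Return True if the device may send an ARP request for this packet."""
        win_start, count, until = self.state.get(src, (now, 0, None))
        if until is not None:
            if now < until:
                return False                            # inside the suppression period
            win_start, count, until = now, 0, None      # suppression over, fresh window
        if now - win_start >= WINDOW:
            win_start, count = now, 0                   # start a new 5-second window
        count += 1
        if count > self.threshold:
            until = now + WINDOW                        # exceeded: suppress next 5 s
        self.state[src] = (win_start, count, until)
        return until is None


class ArpBlackHole:
    """Black hole route for a destination that ARP could not resolve."""

    def __init__(self, aging_time, resolvable):
        self.aging_time = aging_time    # assumed configurable aging time in seconds
        self.resolvable = resolvable    # destinations ARP can resolve (constructed set)
        self.routes = {}                # destination IP -> expiry time of black hole route

    def packet(self, dst, now):
        """Return 'forward', 'arp' (one resolution attempt) or 'drop'."""
        expiry = self.routes.get(dst)
        if expiry is not None and now < expiry:
            return "drop"               # matches a black hole route that has not aged out
        if dst in self.resolvable:
            return "forward"
        self.routes[dst] = now + self.aging_time   # resolution fails: install black hole
        return "arp"
```

With a threshold of 3, a source sending a fourth unresolvable packet within 5 seconds is suppressed until the following 5 seconds have passed; a black-holed destination is retried by ARP only after the route ages out.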