ARP is one of the lower-layer protocols in the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. ARP is designed to translate an IP address into an Ethernet physical address, namely, a Media Access Control (MAC) address.
Communications between Ethernet devices use MAC addresses for addressing, while the various TCP/IP applications use IP addresses for addressing. All data packets ultimately need to be encapsulated into Ethernet frames for transmission. Therefore, before IP communication can take place, the MAC address of the other side needs to be obtained by resolving the IP address of the other side. The protocol responsible for this resolution process is ARP.
To speed up address translation, a network device implementing ARP uses an ARP cache: a table structure that locally caches a certain quantity of address mapping relations. The table is generally known as an ARP table.
In existing networks, however, ARP-based network attacks are common. From the perspective of the attack principle, ARP attacks fall into the following two types:
1. Address spoofing: The attacker sends an ARP request or an ARP response that carries an erroneous address mapping relation in order to alter the ARP table of the host or the gateway. Consequently, the gateway or host sends its packets to an erroneous physical address, and the attack succeeds.
2. ARP Denial of Service (DoS) attack: The ARP DoS attack is generally targeted at gateway devices (such as a router or a switch). ARP packets are generally processed on the control plane of the device, and the control plane generally uses a general-purpose CPU as its processing engine. Such a CPU is characterized by flexible processing but limited throughput; when given too many processing tasks, the CPU on the control plane tends to become overloaded or to crash. Exploiting this weakness, the ARP DoS attacker sends ARP packets to the gateway device at a high rate so that the control plane of the device becomes extremely busy and unable to process normal ARP packets, and the attack succeeds.
An ARP packet processing method in the prior art is as follows:
First, the IP addresses of each ARP packet are checked on the forwarding plane, and illegal ARP packets are discarded.
The IP address check includes:
1. Checking the destination IP address: check whether the destination IP address is the IP address in the network segment of the gateway; if not, discard the packet; and
2. Checking the source IP address: check whether the source IP address is a "legal" IP address, where "legal" means that the IP address is already present in the entries of the ARP table. Packets passing this check are sent to the control plane with high priority; all other ARP packets are sent with low priority.
However, the foregoing technology is unable to prevent attacks that use legal IP addresses.
To overcome the defect of the foregoing solution, another ARP packet processing method in the prior art is:
responding to the ARP request on the forwarding plane directly by using the high-speed processing capability of the network processor on the forwarding plane.
ARP packets are categorized into ARP requests and ARP responses. The foregoing solution deals only with ARP requests, and is therefore unable to solve the problem of high-traffic attacks that use ARP responses.
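The two prior-art methods described above (the destination/source IP checks with their high/low sending priorities, and the direct forwarding-plane reply to ARP requests) can be modelled with a small reference implementation. The following Python code is an added example written for this page; it is not the original document's code and not any vendor's implementation. It assumes a constructed gateway (IP 192.0.2.1, network segment 192.0.2.0/24) with a constructed ARP table holding one host, and it parses and builds the 28-byte IPv4-over-Ethernet ARP body that follows the Ethernet header. It also exercises the two limitations the text names: an ARP packet from an IP already in the ARP table is classified as high priority even when it carries a different MAC, and the forwarding-plane responder never handles ARP responses.

```python
import ipaddress
import struct
from collections import namedtuple

# IPv4-over-Ethernet ARP body: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa (28 bytes).
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2

ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse the ARP body following the Ethernet header; raise ValueError on malformed input."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = ARP_HDR.unpack_from(payload)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not IPv4-over-Ethernet ARP")
    return ArpPacket(opcode, sha, ipaddress.IPv4Address(spa), tha, ipaddress.IPv4Address(tpa))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialize an ARP body; IPs may be strings or IPv4Address objects."""
    return ARP_HDR.pack(1, 0x0800, 6, 4, opcode,
                        sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                        target_mac, ipaddress.IPv4Address(target_ip).packed)


class GatewayArpFilter:
    """Model of the two prior-art ARP processing methods on a gateway's forwarding plane."""

    def __init__(self, gateway_ip, gateway_mac, segment, arp_table):
        self.gateway_ip = ipaddress.IPv4Address(gateway_ip)
        self.gateway_mac = gateway_mac
        self.segment = ipaddress.IPv4Network(segment)
        # ARP table: IP -> MAC, the "legal" source addresses for check 2.
        self.arp_table = {ipaddress.IPv4Address(ip): mac for ip, mac in arp_table.items()}

    def classify(self, payload: bytes) -> str:
        """Method 1: return 'discard', 'high' or 'low' according to the IP address checks."""
        try:
            pkt = parse_arp(payload)
        except ValueError:
            return "discard"
        # Check 1: the destination IP must lie in the gateway's network segment.
        if pkt.target_ip not in self.segment:
            return "discard"
        # Check 2: a source IP already in the ARP table is "legal" and gets high priority.
        # Note that only the IP is checked, so a packet carrying a legal IP with a
        # different MAC still reaches the control plane with high priority.
        if pkt.sender_ip in self.arp_table:
            return "high"
        return "low"

    def answer_on_forwarding_plane(self, payload: bytes):
        """Method 2: reply to ARP requests for the gateway's own IP without the control plane.

        Returns the serialized ARP reply, or None when the packet is not such a request
        (in particular, every ARP response falls through to the control plane).
        """
        pkt = parse_arp(payload)
        if pkt.opcode != ARP_REQUEST or pkt.target_ip != self.gateway_ip:
            return None
        return build_arp(ARP_REPLY, self.gateway_mac, self.gateway_ip,
                         pkt.sender_mac, pkt.sender_ip)


# Constructed sample data (assumptions for this example, not values from the page).
GW_MAC = bytes.fromhex("001122334455")
HOST_MAC = bytes.fromhex("66778899aabb")
OTHER_MAC = bytes.fromhex("ccddeeff0011")
ZERO_MAC = bytes(6)
gateway = GatewayArpFilter("192.0.2.1", GW_MAC, "192.0.2.0/24", {"192.0.2.10": HOST_MAC})

REQ_FROM_KNOWN = build_arp(ARP_REQUEST, HOST_MAC, "192.0.2.10", ZERO_MAC, "192.0.2.1")
REQ_FROM_UNKNOWN = build_arp(ARP_REQUEST, OTHER_MAC, "192.0.2.77", ZERO_MAC, "192.0.2.1")
REQ_OFF_SEGMENT = build_arp(ARP_REQUEST, HOST_MAC, "192.0.2.10", ZERO_MAC, "198.51.100.9")
# An ARP response whose sender IP is in the table but whose MAC is not the table's MAC.
REPLY_LEGAL_IP_OTHER_MAC = build_arp(ARP_REPLY, OTHER_MAC, "192.0.2.10", GW_MAC, "192.0.2.1")

if __name__ == "__main__":
    for name, pkt in [("request from known host", REQ_FROM_KNOWN),
                      ("request from unknown host", REQ_FROM_UNKNOWN),
                      ("request off segment", REQ_OFF_SEGMENT),
                      ("response with legal IP, other MAC", REPLY_LEGAL_IP_OTHER_MAC)]:
        reply = gateway.answer_on_forwarding_plane(pkt)
        print(f"{name}: priority={gateway.classify(pkt)}, "
              f"answered on forwarding plane={reply is not None}")
```

Running the block shows that the off-segment request is discarded by check 1, the unknown host's request is queued with low priority, and only the request for the gateway's IP is answered on the forwarding plane; the constructed ARP response with a legal source IP is still classified as high priority and is not handled by the forwarding-plane responder, which is exactly the pair of gaps the text attributes to the two prior-art methods.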