
Mechanisms of ARP Flood Attack and Defense

This section describes ARP flood attack and defense mechanisms.

The designers of the TCP/IP protocol suite built ARP on the broadcast capability of Ethernet. When a host knows only the IP address of a destination on the same physical network, it broadcasts an ARP request and learns the destination's MAC address from the reply. ARP entries are updated dynamically as hosts are added to or removed from the network or as network adapters are changed.

In ARP flood attacks, an attacker sends a large number of forged ARP packets with false source IP addresses and MAC addresses.

Generally, the FW uses rate limiting to defend against ARP flood attacks. The FW counts ARP packets per destination IP address. When the rate of ARP traffic destined for one destination IP address reaches the alarm threshold, the FW limits traffic to that address and discards the excess ARP packets.
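The following is an added example written for this page, not Huawei FW code. It models the per-destination-IP rate limit described above: raw Ethernet II + ARP frames (RFC 826 layout) are parsed, packets are counted per target IP within a one-second window, and once the count for an IP reaches the alarm threshold the excess packets for that IP are dropped and an alarm is recorded. The frame builder, the flood traffic, the threshold value and the window size are constructed assumptions for the demonstration.

```python
"""Per-destination-IP rate limiting of ARP traffic (illustrative example).

Not FW code. Frame layout follows Ethernet II + ARP (RFC 826); threshold,
window size and the sample traffic below are assumptions for the demo.
"""
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_frame(src_mac, src_ip, target_ip, opcode=ARP_REQUEST,
                    dst_mac="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00"):
    """Build a 42-byte Ethernet II + ARP frame (constructed test input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(src_mac) + ip(src_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])   # key used for rate limiting
    return opcode, sender_mac, sender_ip, target_ip


class ArpRateLimiter:
    """Count ARP packets per (1-second window, target IP); drop the excess above threshold."""

    def __init__(self, threshold):
        self.threshold = threshold          # packets per target IP per second (assumed value)
        self.counts = defaultdict(int)      # (window, target_ip) -> packet count
        self.alarms = set()                 # target IPs that crossed the threshold

    def process(self, ts, frame):
        """Return "pass" or "drop" for one frame seen at time ts (seconds)."""
        info = parse_arp(frame)
        if info is None:
            return "pass"                   # non-ARP traffic is outside this limit
        target_ip = info[3]
        key = (int(ts), target_ip)          # fixed 1-second window
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.alarms.add(target_ip)
            return "drop"                   # excess packet for a flooded destination
        return "pass"


def simulate(threshold=10):
    """Constructed traffic: 30 forged requests with rotating fake sender MAC/IP,
    all aimed at 10.0.0.1 within one second, plus 3 legitimate requests for
    10.0.0.2 and one non-ARP frame. Returns (passed, dropped, alarmed_ips)."""
    limiter = ArpRateLimiter(threshold)
    passed = dropped = 0
    for i in range(30):                     # the flood: spoofed sender on every packet
        frame = build_arp_frame(src_mac=f"02:00:00:00:00:{i:02x}",
                                src_ip=f"192.168.1.{i + 1}",
                                target_ip="10.0.0.1")
        if limiter.process(0.01 * i, frame) == "pass":
            passed += 1
        else:
            dropped += 1
    for i in range(3):                      # legitimate lookups for another host
        frame = build_arp_frame("02:aa:bb:cc:dd:ee", "10.0.0.9", "10.0.0.2")
        if limiter.process(0.5 + 0.01 * i, frame) == "pass":
            passed += 1
        else:
            dropped += 1
    ipv4_frame = b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x00" * 28
    if limiter.process(0.9, ipv4_frame) == "pass":
        passed += 1
    return passed, dropped, limiter.alarms


if __name__ == "__main__":
    print(simulate())   # (14, 20, {'10.0.0.1'}) under the assumed threshold of 10
```

Keying the counter on the target IP rather than the forged sender addresses is what makes the limit effective: the attacker rotates source MAC and IP on every packet, so per-source counting would never cross a threshold. The trade-off is that legitimate ARP requests for the flooded address are discarded in the same window, while resolution for other hosts (10.0.0.2 here) is unaffected.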

Copyright © Huawei Technologies Co., Ltd.