Published by Millicent Potter
Network Security Part II: Attacks
Layer 2 / 3 Attacks
Overview
- Layer 2 attack landscape
- MAC attacks
- VLAN hopping attacks
- ARP attacks
- Spanning Tree attacks
- Layer 2 port authentication
- Other attacks
SECURITY INNOVATION ©2003
The redundant rat's nest! (diagram)
Preliminaries
- All attacks and associated mitigation techniques assume a switched Ethernet network running IP.
- If shared Ethernet is used (WLAN, hub, etc.), the majority of these attack scenarios get much easier.
- Obviously, if you aren't using Ethernet as your L2 protocol, some of these attacks may not apply. However, you may be vulnerable to different ones.
- Rapid deployment: attacks that are theoretical can move to the practical in a matter of days and become widely distributed in weeks.
- Focus will be on L2 attacks and potential solutions.
MAC Attacks
What is the CAM Table?
- Basically a really efficient lookup table
- Present on all modern switches
- CAM == Content Addressable Memory
- For more information on the CAM table and how it is updated, check out the two references linked from the original slide (URLs not captured).
What is the CAM Table?
This internal table looks something like this:

Port | Ethernet Addresses                        | Host or Uplink
-----+-------------------------------------------+---------------
1    | 01:00:af:34:53:62                         | Single host
2    | 01:e4:5f:2a:63:35, 00:c1:24:ee:62:66, ... | Switch or Hub
3    | 11:af:5a:69:08:63, 00:17:72:e1:72:70, ... |
4    | 00:14:62:74:23:5a                         |
Normal CAM Behavior I (diagram: MAC A on port 1, MAC B on port 2, MAC C on port 3)
- A sends a frame to B. The switch has no entry for B: "B unknown... flood the frame".
- The frame goes out every port, so C sees traffic to B.

Normal CAM Behavior II
- The switch learns: A is on port 1; B is on port 2 (when B replies).
- CAM table now holds A -> port 1, B -> port 2, C -> port 3.

Normal CAM Behavior III
- A sends to B again; the switch knows B is on port 2 and forwards only there.
- C does not see traffic to B.
CAM Overflow I
- Theoretical attack made available to all: the macof tool, since May 1999
- "dsniff" by Dug Song
- Based on the CAM table's limited size
CAM Overflow II (diagram: attacker on port 3 sends frames with bogus source MACs X, Y, ...)
- The switch learns "X is on port 3", "Y is on port 3", ... until the CAM table is full.

CAM Overflow III
- A sends a frame to B. With the table full there is no entry for B: "B unknown... flood the frame".
- The frame goes out every port, including port 3: the attacker sees traffic to B.
Catalyst CAM Tables
- Catalyst switches use a hash to place a MAC in the CAM table.
- 63 bits of source (MAC, VLAN, misc) create a 17-bit hash value.
- If the hash value is the same, there are 8 buckets in which to place CAM entries; if all 8 are filled, the packet is flooded.
(Diagram: hash rows holding entries A, B, C / D, E, F, G / H, I, J, K / ...; a row with L, M, N, O, P, Q, R, S, T is marked "Flooded!")
MAC Flooding Switches with Macof (screenshot)
MAC Flooding Switches with Macof (continued)
- Snoop output on a non-SPAN port, 10.1.1.50: CAM table full!
- Dsniff can generate 155,000 MAC entries on a switch per minute.
- Assuming a perfect hash function, the CAM table will be completely filled after 131,052 (approx. 16,000 x 8) entries.
- Once the table is full, traffic without a CAM entry floods on the local VLAN, but NOT existing traffic with an existing CAM entry.
- This attack will also fill the CAM tables of adjacent switches.
MAC Flooding Attack Mitigation: Port Security
- Capabilities are dependent on the platform.
- Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port.
- Upon detection of an invalid MAC, the switch can be configured to block only the offending MAC or just shut down the port.
- Port security prevents macof from flooding the CAM table.
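The CAM overflow slides and the port-security slide above describe one mechanism from two sides: a table of bounded size that floods unknown destinations once it is full, and a per-port learning limit that stops one port from filling it. The model below is an added illustration for this page, not code from the slides, from dsniff/macof or from any switch vendor. The table capacity (16 entries), the per-port limit, the "shutdown" violation action and the MAC addresses are constructed assumptions; the hashed buckets of the Catalyst slide are not modelled.

```python
"""Toy learning switch with a bounded CAM table and optional port security.

Added illustration for this page, not code from the slides, from dsniff/macof
or from any switch vendor.  The table capacity, the 'shutdown' violation action
and the MAC addresses below are constructed assumptions; real CAM tables are
hashed into buckets as the Catalyst slide describes, which this model ignores.
"""

MAC_A = "00:10:00:00:00:0a"   # host A on port 1 (constructed)
MAC_B = "00:10:00:00:00:0b"   # host B on port 2 (constructed)


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # total entries the table can hold
        self.max_macs_per_port = max_macs_per_port  # None = port security disabled
        self.cam = {}                               # learned: src MAC -> ingress port
        self.learned_on = {p: 0 for p in self.ports}
        self.shutdown = set()                       # ports disabled by a violation

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it is forwarded to."""
        if in_port in self.shutdown:
            return set()                            # err-disabled port drops everything
        if src not in self.cam:
            if (self.max_macs_per_port is not None
                    and self.learned_on[in_port] >= self.max_macs_per_port):
                # Port-security violation: this model uses the 'shutdown' action.
                self.shutdown.add(in_port)
                return set()
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = in_port
                self.learned_on[in_port] += 1
            # else: table full, src stays unknown (the CAM-overflow state)
        out = self.cam.get(dst)
        if out is None:
            # Unknown unicast: flood out every other live port.  This is the
            # frame the attacker on an overflowed switch gets to see.
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        return set() if out == in_port else {out}


def run_scenario(port_security: bool):
    """Attacker on port 3 sprays bogus source MACs, then A and B exchange frames.

    Returns (ports that A's frame to B reached, attacker port shut down?).
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=16,
                max_macs_per_port=2 if port_security else None)
    for i in range(40):                            # 40 bogus sources from port 3
        sw.receive(3, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, MAC_B, MAC_A)                    # B talks first (A unknown -> flood)
    reached = sw.receive(1, MAC_A, MAC_B)          # A replies to B
    return reached, 3 in sw.shutdown


if __name__ == "__main__":
    for ps in (False, True):
        reached, shut = run_scenario(ps)
        print(f"port security {'on ' if ps else 'off'}: A->B reached {sorted(reached)}, "
              f"attacker port shut down: {shut}")
```

Without port security the 16-entry table is full of bogus addresses before A and B ever speak, so neither is learned and A's frame to B is flooded to port 3 as well. With a two-address limit the third bogus source err-disables port 3, A and B are learned normally, and A's frame reaches only port 2.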
VLAN Hopping Attacks
VLAN "Hopping" Attacks
- Trunk ports have access to all VLANs by default.
- Used to route traffic for multiple VLANs across the same physical link.
- Encapsulation can be 802.1Q or ISL.
(Diagram: two switches connected by a trunk port)
Dynamic Trunk Protocol
What is DTP?
- Automates ISL/802.1Q trunk configuration
- Operates between switches
- Not supported on 2900XL or 3500XL
- DTP synchronizes the trunking mode on link ends
- DTP state on an ISL/1Q trunking port can be set to "Auto", "On", "Off", "Desirable", or "Non-Negotiate".
- DTP frames: DST MAC 0100.0ccc.cccc, SNAP protocol 0x2004
Basic VLAN Hopping Attack
- A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well, or a rogue DTP-speaking switch).
- The station is then a member of all VLANs.
- Requires a trunking-favorable setting on the port.
(Diagram: the attacker's port negotiated into a trunk port)
Double Encapsulated 802.1Q VLAN Hopping Attack
Note: only works if the trunk has the same native VLAN as the attacker.
- Send double-encapsulated 802.1Q frames.
- The switch performs only one level of decapsulation: it strips off the first tag and sends the frame back out with the second tag still in place.
- Unidirectional traffic only.
- Works even if trunk ports are set to off.
(Diagram: 802.1Q, 802.1Q, Frame -> strip off first tag -> 802.1Q, Frame)
Double Encap 802.1Q Ethereal Capture (screenshot; labels: "Outer Tag, Attacker VLAN", "Inner Tag, Attacker VLAN")
Disabling Auto-Trunking
- Defaults change depending on switch; always check.
(Configuration screenshot not preserved)
Security for VLANs and Trunking
- Always use a dedicated VLAN ID for all trunk ports.
- Disable unused ports and put them in an unused VLAN.
- Be paranoid: do not use VLAN 1 for anything.
- Set all user ports to non-trunking (DTP off).
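The double-encapsulation slide and the "dedicated VLAN ID for all trunk ports" rule above fit together: a frame in the trunk's native VLAN leaves the trunk untagged, so whatever second tag it carries becomes the only tag the next switch sees. The model below is an added illustration for this page, not code from the slides or from any switch vendor; it reduces switch behaviour to the three steps the slide describes (an access port consumes a tag matching its own VLAN, trunk egress tags everything except the native VLAN, trunk ingress reads one tag) and uses constructed MAC addresses and VLAN numbers. It is written as a check that a trunk's native VLAN setting keeps a double-tagged frame inside the sender's own VLAN.

```python
"""Model of how a double-tagged 802.1Q frame travels from an access port across
a trunk, used to check that a trunk's native VLAN is not the sender's VLAN.

Added illustration for this page; not code from the slides or from any switch
vendor.  The three-step switch model, the MAC addresses and the VLAN numbers
are constructed assumptions.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI with PCP/DEI = 0) after the MAC header."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes):
    """Remove the outermost tag, if any. Returns (vid or None, remaining frame)."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def vlan_tags(frame: bytes) -> list:
    """List every stacked 802.1Q VLAN ID on a frame, outermost first."""
    tags = []
    while True:
        vid, frame = pop_tag(frame)
        if vid is None:
            return tags
        tags.append(vid)


def deliver_over_trunk(frame: bytes, access_vlan: int, native_vlan: int):
    """Return the VLAN the far-side switch places the frame in, or None if dropped."""
    # 1. Ingress on the access port: the frame belongs to the port's VLAN;
    #    a tag equal to that VLAN is consumed, any other tag is dropped.
    vid, frame = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None
    # 2. Egress on the trunk: the native VLAN travels untagged, so a frame in
    #    the native VLAN goes out exactly as it is, inner tag and all.
    if access_vlan != native_vlan:
        frame = push_tag(frame, access_vlan)
    # 3. Ingress on the far switch's trunk: one tag is read; untagged = native.
    vid, _ = pop_tag(frame)
    return native_vlan if vid is None else vid


# Constructed plain frame: broadcast dst, locally administered src, IPv4, dummy payload.
PLAIN = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
         + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19)
# Double-tagged frame as the slide describes: outer tag VLAN 1, inner tag VLAN 2.
DOUBLE_TAGGED = push_tag(push_tag(PLAIN, 2), 1)


def check_trunk_native_vlan(native_vlan: int, sender_vlan: int = 1) -> bool:
    """True when the trunk keeps the double-tagged frame inside the sender's own
    VLAN, i.e. the 'dedicated VLAN ID for trunk ports' rule is in effect."""
    return deliver_over_trunk(DOUBLE_TAGGED, sender_vlan, native_vlan) == sender_vlan


if __name__ == "__main__":
    print("tags on the frame:", vlan_tags(DOUBLE_TAGGED))
    for native in (1, 999):
        landed = deliver_over_trunk(DOUBLE_TAGGED, 1, native)
        verdict = "stays in VLAN 1" if check_trunk_native_vlan(native) else "crosses VLANs"
        print(f"trunk native VLAN {native}: frame lands in VLAN {landed} ({verdict})")
```

With native VLAN 1 (the sender's VLAN) the frame arrives at the far switch carrying only the inner tag and is placed in VLAN 2; with a dedicated native VLAN the trunk adds the sender's tag in front of it, so the far switch reads VLAN 1 and the inner tag is never consulted.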
ARP Refresher
- An ARP request message should be placed in a frame and broadcast to all computers on the network.
- Each computer receives the request and examines the IP address.
- The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.
(Diagram: hosts V, W, X, Y, Z on one segment)
Gratuitous ARP
- Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network; routers and other network hardware may use cache information gained from gratuitous ARPs.
- Gratuitous ARP is a broadcast packet (like an ARP request).
- Host W: "Hey everyone, I'm host W and my IP address is … and my MAC address is 12:34:56:78:9A:BC"
(Diagram: hosts V, W, X, Y, Z)
Misuse of Gratuitous ARP
- ARP has no security or ownership of IP or MAC address.
- What if we did the following? Host W broadcasts "I'm … with MAC 12:34:56:78:9A:BC" (wait 5 seconds).
(Diagram: a /24 subnet with the router at .1, Host Y at .2, Host X at .3, Host W at .4)
Hands On Example
- Hosts X and Y will likely ignore the message unless they currently have an ARP table entry for that address.
- When host Y sends an ARP request for that address, the real router will reply and communications will work until host W sends a gratuitous ARP again.
- Even a static ARP entry for that address on Y will get overwritten by the gratuitous ARP on some OSs (NT4 and Win2k).
(Diagram: /24 subnet; router .1, Host Y .2, Host X .3, Host W .4)
Dsniff
- ARP spoofing
- MAC flooding
- Selective sniffing
- SSH/SSL interception
Hands On - Arpspoof (screenshot)
Arpspoof
- All traffic now flows through the machine running dsniff in a half-duplex manner.
- Port security does not help.
- Note that the attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request.
- The attack could be more selective and spoof just one victim.
Selective Sniffing
- Once the dsniff box has started the arpspoof process, the magic begins.
- Supports more than 30 standardized/proprietary protocols: FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, Microsoft SQL
SSL/SSH Interception
- Using dnsspoof, all web sites can resolve to the dsniff host IP address. Once that happens you can proxy all web connections through the dsniff host.
- Using dsniff (webmitm), most SSL sessions can be intercepted and bogus certificate credentials can be presented.
- Upon inspection they will look invalid, but they would likely fool most users.
(Screenshots of the dnsspoof output and the browser's "invalid" certificate warning not preserved)
The Evolution of dsniff: Ettercap
- Similar to dsniff, though not as many protocols supported for sniffing
- Can ARP spoof both sides of a session to achieve full-duplex sniffing
- Allows command insertion into persistent TCP sessions
- Menu-driven interface
It Doesn't Get Much Easier… (screenshot)
ARP Spoof Mitigation: Private VLANs
- PVLANs isolate traffic in specific communities to create distinct "networks" within a normal VLAN.
- Only one subnet!
- Note: most inter-host communication is disabled with PVLANs turned on.
(Diagram: primary VLAN with promiscuous ports, community VLANs 'A' and 'B', and an isolated VLAN with isolated ports)
ARP Spoof Mitigation
- Some IDS systems will watch for an unusually high amount of ARP.
- ARPWatch is a freely available tool that will track IP/MAC address pairings.
- Consider static ARP for critical routers and hosts (potential administrative pain).
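The three mitigations on the slide above (watch ARP volume, track IP/MAC pairings, pin critical hosts) and the gratuitous-ARP misuse from the "Hands On Example" slide can be shown together with a small monitor. The code below is an added illustration for this page; it is not the arpwatch tool and not code from the slides. The subnet 192.0.2.0/24, the router's MAC, the thresholds and the event trace are constructed; 12:34:56:78:9A:BC is the host-W MAC the slides use. Pinned pairings stand in for "static ARP for critical routers": a claim for a pinned address with another MAC is reported and never replaces the stored pairing.

```python
"""ARPWatch-style monitor: tracks IP/MAC pairings seen in ARP traffic, pins the
pairings of critical hosts, and flags bursts of ARP from one station.

Added illustration for this page; not the arpwatch tool itself and not code
from the slides.  The subnet 192.0.2.0/24, the router MAC, the thresholds and
the event list are constructed; 12:34:56:78:9A:BC is the host-W MAC the
slides use.
"""
from collections import defaultdict, deque


class ArpMonitor:
    def __init__(self, pinned=None, window_s=10.0, burst_threshold=20):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table = dict(self.pinned)        # ip -> mac last seen (learned)
        self.window_s = window_s
        self.burst_threshold = burst_threshold
        self.recent = defaultdict(deque)      # sender mac -> timestamps in window

    def observe(self, ts, sender_ip, sender_mac, gratuitous=False):
        """Feed one ARP request/reply (sender IP and MAC); return a list of alerts."""
        alerts = []
        sender_mac = sender_mac.lower()
        kind = "gratuitous-arp" if gratuitous else "arp"
        pinned = self.pinned.get(sender_ip)
        known = self.table.get(sender_ip)
        if pinned is not None and sender_mac != pinned:
            # A protected address claimed with the wrong MAC: the gratuitous-ARP
            # misuse from the slides.  Report it and keep the pinned pairing.
            alerts.append(("spoof-attempt", kind, sender_ip, pinned, sender_mac))
        elif known is None:
            self.table[sender_ip] = sender_mac
            alerts.append(("new-station", kind, sender_ip, sender_mac))
        elif known != sender_mac:
            self.table[sender_ip] = sender_mac
            alerts.append(("changed-mac", kind, sender_ip, known, sender_mac))
        # Rate check: many ARP packets from one MAC inside a short window.
        q = self.recent[sender_mac]
        q.append(ts)
        while q and q[0] < ts - self.window_s:
            q.popleft()
        if len(q) == self.burst_threshold:
            alerts.append(("arp-burst", sender_mac, len(q)))
        return alerts


ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:0c:00:00:01"   # constructed
HOST_W_MAC = "12:34:56:78:9a:bc"                             # from the slides

# Constructed trace: (timestamp, sender ip, sender mac, gratuitous?)
EVENTS = [
    (0.0, "192.0.2.2", "00:50:56:00:00:02", False),   # host Y asks for the router
    (0.1, ROUTER_IP, ROUTER_MAC, False),              # router replies: fine
    (1.0, "192.0.2.4", HOST_W_MAC, True),             # host W announces itself
    (6.0, ROUTER_IP, HOST_W_MAC, True),               # host W claims the router's IP
    (11.0, ROUTER_IP, HOST_W_MAC, True),              # ... again 5 seconds later
    (12.0, "192.0.2.3", "00:50:56:00:00:03", False),  # host X, normal request
]


def run_trace(events=EVENTS):
    """Run the monitor over the trace with the router pinned; return all alerts."""
    mon = ArpMonitor(pinned={ROUTER_IP: ROUTER_MAC})
    alerts = []
    for ts, ip, mac, gratuitous in events:
        alerts.extend(mon.observe(ts, ip, mac, gratuitous))
    return alerts


if __name__ == "__main__":
    for alert in run_trace():
        print(alert)
```

On the constructed trace the two gratuitous ARPs from host W for the router's address come back as "spoof-attempt" while the router's own reply and the three first-seen hosts produce only "new-station" records; the burst counter only fires when one MAC sends as many ARP packets as the threshold inside the window.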
Spanning Tree Attacks
Spanning Tree Basics
- STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure.
- A switch is elected as Root. Root selection is based on the lowest configured priority of any switch.
- A 'tree-like' loop-free topology is established from the perspective of the root bridge.
- STP is very simple. Messages are sent using Bridge Protocol Data Units (BPDUs). Basic messages include: configuration, topology change notification/acknowledgement (TCN/TCA); most have no "payload".
- Avoiding loops ensures broadcast traffic does not become storms.
(Diagram: root bridge with forwarding (F) and blocked (B, X) ports)
Spanning Tree Attacks and Methods
- Standard 802.1d STP takes seconds to deal with a failure or root bridge change (ha ha ha… DoS served here).
- Generally only devices affected by the failure notice the issue.
- PortFast and UplinkFast can greatly improve this.
- Sending BPDUs from the attacker can force these changes and create a DoS condition on the network.
- As a link with macof: the TCN message will result in the CAM table aging all entries in 15 seconds if they do not communicate (the default is 300 seconds).
- Easy to create the DoS condition. Depending on the topology it could yield additional packets for the attacker.

Notes:
Spanning-tree PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states. You can use PortFast on switch ports connected to a single workstation or server to allow those devices to connect to the network immediately, rather than waiting for the port to transition from the listening and learning states to the forwarding state.

UplinkFast provides fast convergence in the network access layer after a spanning-tree topology change using uplink groups. An uplink group is a set of ports (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports (not including self-looped ports). The uplink group provides an alternate path in case the currently forwarding link fails.

TCN: topology change notification.

From the OpenBSD System Manager's Manual, BRCONFIG(8):
NAME
    brconfig - manipulate bridge interfaces
DESCRIPTION
    The brconfig utility retrieves kernel state of bridge interfaces and allows user control of these bridges. Bridge devices create a logical link between two or more Ethernet interfaces or encapsulation interfaces (see gif(4)), which will selectively forward frames from each interface on the bridge to every other interface on the bridge. This can be used to isolate traffic between sets of machines on the same segment and to provide a transparent filter for ip(4) datagrams.
    In the first synopsis, the -a flag will cause brconfig to list the status of all bridges in the system. In the second, its command line consists of the name of a bridge and a set of operations to be performed on that bridge. The commands are executed in the order they were specified. If no command is specified in the second synopsis, brconfig will display status information about the bridge. With the third synopsis, rules for filtering Ethernet MAC addresses can be added to a bridge.
Spanning Tree Attack Example I
- Attacker sends BPDU messages to become root bridge.
(Diagram: root bridge, access switches, STP attacker; forwarding (F) and blocked (B, X) links)
Spanning Tree Attack Example II
- Send BPDU messages to become root bridge.
- The attacker then sees frames he shouldn't. MITM, DoS, etc. are all possible.
- An attack is very sensitive to the original topology, trunking, PVST, etc.
- Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half-duplex 10 Mb has been verified.
- Requires the attacker to be dual-homed to two different switches (with a hub, it can be done with just one interface on the attacking host).
(Diagram: the attacker is now root; access switch links re-evaluated)
Knowledge Applied
- Goal: see traffic on the backbone, but the interesting hosts have static ARP entries and are very chatty (macof will likely never steal their CAM entry).
- Step 1: MAC flood the access switch.
- Step 2: Run bridging software (i.e. brconfig) on the attacking host; advertise as a priority-zero bridge.
- Attacker becomes root bridge; spanning tree recalculates; the GE backbone becomes FE.
- The CAM table on the access switch is full (from macof); there is no room at the inn for the chatty servers. Traffic is flooded.
(Diagram: root, access switch and STP attacker with GE and FE links, before and after)
STP Attack Mitigation
- Don't disable STP; introducing a loop would become another attack.
- BPDU Guard: disables ports using PortFast upon detection of a BPDU message on the port. Globally enabled on all ports running PortFast.
- Root Guard: disables ports that would become the root bridge due to their BPDU advertisement. Configured on a per-port basis.
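The root election described on the "Spanning Tree Basics" slide and the two guards on the mitigation slide above can be shown as one switch's reaction to a BPDU. The model below is an added illustration for this page, not code from the slides or from any switch vendor. A BPDU is reduced to the root bridge ID it advertises, a bridge ID to (priority, MAC) compared lowest-first as the slide states, and the port numbers, bridge IDs and states are constructed. BPDU Guard is placed on the PortFast user ports and Root Guard on a downstream trunk, never on the uplink towards the real root, since Root Guard refuses any superior BPDU on the port it is applied to.

```python
"""One switch's reaction to received BPDUs, with and without BPDU Guard and
Root Guard.  Added illustration for this page, not code from the slides or
from any switch vendor; bridge IDs, ports and port states are constructed and
a BPDU is reduced to the root bridge ID it advertises.
"""
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class BridgeId:
    priority: int           # lower wins (the slide: lowest configured priority)
    mac: str                # tie-breaker


@dataclass
class Port:
    portfast: bool = False      # edge port (workstation/server)
    bpdu_guard: bool = False    # err-disable the port if any BPDU arrives
    root_guard: bool = False    # refuse a superior BPDU on this port
    state: str = "forwarding"


class StpSwitch:
    def __init__(self, my_id: BridgeId, ports: dict):
        self.my_id = my_id
        self.ports = ports
        self.root_id = my_id        # until a better BPDU is heard
        self.root_port = None

    def receive_bpdu(self, port_no: int, advertised_root: BridgeId) -> str:
        """Process one configuration BPDU on a port; return what happened."""
        port = self.ports[port_no]
        if port.state == "err-disabled":
            return "dropped (port err-disabled)"
        if port.portfast and port.bpdu_guard:
            port.state = "err-disabled"          # BPDU Guard: edge ports never get BPDUs
            return "bpdu-guard: port err-disabled"
        if advertised_root < self.root_id:
            if port.root_guard:
                port.state = "root-inconsistent"  # Root Guard: superior BPDU refused
                return "root-guard: port root-inconsistent"
            self.root_id, self.root_port = advertised_root, port_no
            return "new root accepted"
        return "inferior BPDU ignored"


def build_access_switch(guards: bool) -> StpSwitch:
    """Port 1: uplink to the real root.  Ports 2-3: PortFast user ports.
    Port 4: trunk to a downstream switch that must never become root."""
    sw = StpSwitch(BridgeId(32768, "00:00:0c:00:00:aa"), {
        1: Port(),
        2: Port(portfast=True, bpdu_guard=guards),
        3: Port(portfast=True, bpdu_guard=guards),
        4: Port(root_guard=guards),
    })
    sw.receive_bpdu(1, BridgeId(4096, "00:00:0c:00:00:01"))   # legitimate root
    return sw


def priority_zero_on_port(port_no: int, guards: bool):
    """A priority-zero bridge ID advertised on the given port.
    Returns (root priority after the BPDU, state of that port)."""
    sw = build_access_switch(guards)
    sw.receive_bpdu(port_no, BridgeId(0, "00:50:56:00:00:99"))
    return sw.root_id.priority, sw.ports[port_no].state


if __name__ == "__main__":
    for guards in (False, True):
        label = "guards on " if guards else "guards off"
        print(f"{label}: BPDU on user port 2 ->", priority_zero_on_port(2, guards))
        print(f"{label}: BPDU on downstream trunk 4 ->", priority_zero_on_port(4, guards))
```

Without the guards a priority-zero advertisement on either port replaces the 4096 root, which is the "Knowledge Applied" scenario; with BPDU Guard the user port is err-disabled before the root comparison happens, and with Root Guard the downstream trunk is held root-inconsistent while the real root stays in place.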
VLAN Trunking Protocol (VTP)
- Used to distribute VLAN configuration among switches.
- VTP is used only over trunk ports.
- VTP can cause more problems than it solves; consider whether it is really needed.
- If needed, use the VTP MD5 digest: (configuration screenshot not preserved)
Potential VTP Attacks
- After becoming a trunk port, an attacker could send VTP messages as a server with no VLANs configured. All VLANs would be deleted across the entire VTP domain.
- Disabling VTP: (configuration screenshot not preserved)
Cisco Discovery Protocol (CDP)
- Runs at layer 2 and allows Cisco devices to chat with one another.
- Can be used to learn sensitive information about the CDP sender (IP address, software version, router model…).
- CDP is in the clear and unauthenticated.
- Consider disabling CDP, or being very selective in its use in security-sensitive environments (backbone vs. user port may be a good distinction).
CDP Attacks
- Besides the information-gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent them tons of bogus packets.
- The problem was due to a software implementation problem: a flaw in the memory allocation for the CDP process (basically there was no upper limit).
DHCP Starvation Attacks
- Anyplace where macof works, you can DoS a network by requesting all of the available DHCP addresses.
- With or without the DoS, an attacker could use a rogue DHCP server to provide addresses to clients.
- Since DHCP responses include DNS servers and default gateway entries, guess where the attacker would point these unsuspecting users?
- All the MITM attacks are now possible.
Private VLAN Attacks I
(Diagram: attacker MAC A / IP 1 and victim MAC B / IP 2 on isolated ports; router MAC C / IP 3 on the promiscuous port)
- The attacker sends a frame S:A1 D:B2 (source MAC A, IP 1; destination MAC B, IP 2) directly to the victim.
- PVLANs work: the packet is dropped.

Private VLAN Attacks II
- The attacker sends S:A1 D:C2: source MAC A, IP 1; destination MAC C (the router), IP 2 (the victim).
- Routers route: the router forwards the packet on to the victim (diagram shows it arriving as S:A1 D:B2).
- Only allows unidirectional traffic (the victim will ARP for A and fail).
- If both hosts were compromised, setting static ARP entries for each other via the router will allow bi-directional traffic.
- Most firewalls will not forward the packet like a router.
- This is not a PVLAN vulnerability, as it enforces the rules!
PVLAN Attack Mitigation
- Set up an ACL on the ingress router port: (configuration screenshot not preserved)
- All known PVLAN exploits will now fail.
- A VLAN ACL could also be used.
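The ACL on the slide above works because the router is the only device that can legitimately forward between two isolated ports, so a packet arriving on its PVLAN-facing interface with both source and destination inside that subnet can only be the "Private VLAN Attacks II" case. The evaluator below is an added illustration for this page, not code from the slides or from any router vendor; the subnet 192.0.2.0/24 and the addresses stand in for the slide's IP 1, 2 and 3 and are constructed. The rule that permits traffic addressed to the router itself ahead of the local-to-local deny is an assumption added here so that hosts can still reach their gateway; the slide's screenshot is not preserved, so the exact ACL it showed is unknown.

```python
"""Evaluator for an ingress ACL on the router's promiscuous PVLAN port:
packets whose source and destination are both inside the PVLAN's subnet must
not be routed back in.  Added illustration for this page, not code from the
slides or from any router vendor; the subnet 192.0.2.0/24 and the addresses
are constructed stand-ins for the slide's IP 1, 2 and 3.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]   # (action, src, dst)


def acl(entries: List[Tuple[str, str, str]]) -> List[Rule]:
    """Build an ordered ACL from (action, source prefix, destination prefix) rows."""
    return [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
            for action, src, dst in entries]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


PVLAN_SUBNET = "192.0.2.0/24"     # constructed
ROUTER_ADDR = "192.0.2.3/32"      # the slide's "Router IP:3"

# Applied inbound on the router's promiscuous port (assumed layout, see lead-in).
ROUTER_INGRESS_ACL = acl([
    ("permit", PVLAN_SUBNET, ROUTER_ADDR),     # hosts may still talk to their gateway
    ("deny",   PVLAN_SUBNET, PVLAN_SUBNET),    # local -> local is never routed back in
    ("permit", "0.0.0.0/0",  "0.0.0.0/0"),     # everything else leaves the subnet
])

# Constructed packets as the router sees them on that port.
PACKETS = {
    "attacker to victim via router (slide: S:A1 D:C2)": ("192.0.2.1", "192.0.2.2"),
    "attacker to a host outside the subnet":            ("192.0.2.1", "203.0.113.10"),
    "victim to the router's own address":               ("192.0.2.2", "192.0.2.3"),
}


def decisions(rules=ROUTER_INGRESS_ACL, packets=PACKETS) -> dict:
    """Map each constructed packet to the ACL's verdict."""
    return {name: evaluate(rules, s, d) for name, (s, d) in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6}  {name}")
```

The relayed attacker-to-victim packet is the only one the router drops; traffic leaving the subnet and traffic to the router itself are unaffected, which is what lets this ACL sit on a production gateway without further changes.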
Multicast Brute-Force Failover Analysis
- Send random Ethernet multicast frames to a switch interface, attempting to get frames to another VLAN.
(Diagram: multicast frame sent into the switch, labelled "Nice Try")

Random Frame Stress Attack
- Send random frames to a switch interface, attempting to get frames to another VLAN.
(Diagram: frame sent into the switch, labelled "Nice Try")
Switch Management
Management can be your weakest link.
- All the great mitigation techniques we talked about aren't worth much if the attacker telnets into your switch and disables them.
- Most of the network management protocols are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.).
- Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP, etc.). Where impossible, consider out-of-band management.
- Always use a dedicated VLAN ID for all trunks.
- Be paranoid: do not use VLAN 1 for anything.
- Set all user ports to non-trunking.
Hacking Cisco
(Chart: Cisco Bugtraq vulnerabilities per year: 1998 - 3, 1999 - 5, ..., 2002 (est.); remaining values not preserved)
Hacking Routers
Example exploits:
- HTTP Authentication Vulnerability: using a URL of … where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
- NTP Vulnerability: by sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.
- SNMP Parsing Vulnerability: malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.
Hacking Routers
When a router is hacked it allows an attacker to:
- DoS or disable the router & network…
- Compromise other routers…
- Bypass firewalls, IDS systems, etc…
- Monitor and record all outgoing and incoming traffic…
- Redirect whatever traffic they desire…