FIRST TC 2002 John Kristoff - DePaul University 1 Local Network Attacks John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Slides:

Advertisements

Similar presentations

Mitigating Layer 2 Attacks

Advertisements

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

The subnet /28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

,< 資管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

1 © 2003, Cisco Systems, Inc. All rights reserved. Vyncke ethernet security Ethernet: Layer 2 Security Eric Vyncke Cisco Systems Distinguished Engineer.

Security - Systems Design Considerations. Layer 2 Design L2 Control protocols q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

1 27-Jun-15 S Ward Abingdon and Witney College VLAN Trunking protocol CCNA Exploration Semester 3 Chapter 4.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

TDC365 Spring 2001John Kristoff - DePaul University1 Interconnection Technologies Bridging III.

Securing the Local Area Network

1 K. Salah Module 4.3: Repeaters, Bridges, & Switches Repeater Hub NIC Bridges Switches VLANs GbE.

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

Speaker 2006/XX/XX Speaker 2007/XX/XX IGMP Snooping CK NG Technical Marketing.

Secure LAN Switching Layer 2 security Introduction Port-level controls

– Chapter 5 – Secure LAN Switching

Network Admin Course Plan Accede Institute Of Science & Technology.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.

Network Security1 – Chapter 5 – Secure LAN Switching Layer 2 security –Port security –IP permit lists –Protocol filtering –Controlling LAN floods (using.

Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.

1/28/2010 Network Plus Network Device Review. Physical Layer Devices Repeater –Repeats all signals or bits from one port to the other –Can be used extend.

DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.

Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.

Mahindra-British Telecom Ltd. Exploiting Layer 2 By Balwant Rathore.

Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.

ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.

Campus Networking Best Practices Hervey Allen NSRC & University of Oregon Dale Smith University of Oregon & NSRC

Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.

Chapter 6: Securing the Local Area Network

Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://

Cisco Confidential © 2013 Cisco and/or its affiliates. All rights reserved. 1 Cisco Networking Training (CCENT/CCT/CCNA R&S) Rick Rowe Ron Giannetti.

Protecting Multicast- Enabled Networks Matthew Davy Indiana University Matthew Davy Indiana University.

TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Internet Protocols Overview.

1 K. Salah Module 5.1: Internet Protocol TCP/IP Suite IP Addressing ARP RARP DHCP.

TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Address Resolution Protocol (ARP)

Cisco Implementing Cisco IP Switched Networks (SWITCH )

SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.

1 Address Resolution Protocol (ARP). 2 Overview 3 Need for Address Translation Note: –The Internet is based on IP addresses –Local area networks use.

Chapter 05 Exam Review CCNA Discovery 01 – Computer and Network Fundamentals Presented by: Phillip Place Cisco Academy Instructor Lake Michigan College.

© 2003, Cisco Systems, Inc. All rights reserved.

Instructor Materials Chapter 5: Network Security and Monitoring

Exploiting Layer 2 By Balwant Rathore.

Layer 2 Attacks and Security

MAC Address Tables on Connected Switches

Instructor Materials Chapter 5: Ethernet

Address Resolution Protocol (ARP)

Adddress Resolution Protocol (ARP)

– Chapter 5 – Secure LAN Switching

Chapter 5: Network Security and Monitoring

Network Security and Monitoring

CCNA 3 v3 JEOPARDY Module 8 CCNA3 v3 Module 8 K. Martin.

Address Resolution Protocol (ARP)

Sécurisation au niveau 2 pour certains matériels Cisco

DHCP: Dynamic Host Configuration Protocol

Computer Networks Protocols

Chapter 5: Link Layer 5.1 Introduction and services

Presentation transcript:

FIRST TC 2002 John Kristoff - DePaul University 1 Local Network Attacks John Kristoff DePaul University Chicago, IL 60604

FIRST TC 2002 John Kristoff - DePaul University 1 Agenda Overview Theoretical and example attacks How to resist (if possible) local network attacks References Tools

FIRST TC 2002 John Kristoff - DePaul University 1 Overview Local network attacks target an internal network Some attacks can be launched remotely Most do not monitor or guard against local attacks Ultimately everything is a physical security problem

FIRST TC 2002 John Kristoff - DePaul University 1 Theoretical and Example Attacks ARP LAN Bridge/Switch Routing DHCP Multicast Other

FIRST TC 2002 John Kristoff - DePaul University 1 ARP-based Attacks ARP request spoofing Responders to a request cache the sender's info As do others who already have the sender's info ARP update spoofing (gratutious ARP) Thinking out loud: Is UNARP widely used? Can we attack with it? Can we poison ARP entries to = group address?

FIRST TC 2002 John Kristoff - DePaul University 1 Preventing ARP-based Attacks Use LAN switches with one port per end host Enable port security to limit source MAC addresses Use 802.1x port authentication Enable (get) knobs on end hosts to validate ARPs How to best do this? Monitor LAN bridge/switch address tables Monitor router ARP tables Keep history of address/ARP tables FYI... vendors must support knobs (at line rate)

FIRST TC 2002 John Kristoff - DePaul University 1 LAN Bridge/Switch Attacks Overflow MAC address tables to cause flooding Typical gear can hold a few thousand addresses MAC addresses = 48 bits or >> a few thousand Spoof spanning tree BPDU messages Take over as root/designated bridge Cause continuous topology recomputations Forge VLAN, priority or aggregation tags Spoof PAUSE (flow control) frames (gig only)

FIRST TC 2002 John Kristoff - DePaul University 1 Preventing LAN Bridge Attacks Monitor MAC address tables Manually set root bridge and monitor Use knobs like Cisco's BPDU and Root Guard Manually set and prune trunked switch ports Use 802.1x port authentication

FIRST TC 2002 John Kristoff - DePaul University 1 Routing Attacks Route injection Route monitoring Route redirection Route process DDoS attack Note, other types of local attacks may target routers

FIRST TC 2002 John Kristoff - DePaul University 1 Preventing Routing Attacks Strongly authenticate all routing updates/packets Listen/send routing packets where there are routers Protect processes and access (ports, IPs, physical) Monitor routing Table size (especially changes over time) Checksum values and LSA counts in OSPF Flaps, deaggreation, traffic patterns Build baseline network map (ala Ches's netmapper)

FIRST TC 2002 John Kristoff - DePaul University 1 DHCP Attacks Spoof DHCP requests Spoof DHCP replies (or be a rogue DHCP server) Thinking out loud: Can we spoof DHCP releases?

FIRST TC 2002 John Kristoff - DePaul University 1 Preventing DHCP Attacks Monitor DHCP discover/lease activity Monitor DHCP discovers, requests and offers Clients broadcast request, contains server IP Can monitor DHCP packets and contents at: DHCP servers Router edges Use intra-VLAN knobs (e.g. Cisco's intra-VACL)

FIRST TC 2002 John Kristoff - DePaul University 1 Multicast Attacks Spoof IGMP queries and take over as Querier Spoof IGMP reports (joins) There are /4 IP multicast groups Spoof or simply generate group traffic Thinking out load: Can a default querier(s) be configured on hosts? Ala DHCP option or just set to default gw How to better authenticate group participation? Will we see intentional multicast based attacks?

FIRST TC 2002 John Kristoff - DePaul University 1 Preventing Multicast Attacks Monitor IGMP querier on router edges Monitor IP multicast group usage on edges Monitor IP multicate routing state changes Heavily filter IP multicast group state, allow just: / / /14 (internal only if used) 233.xx.yy.0/8 (GLOP space) Then filter out bogus groups in above ranges

FIRST TC 2002 John Kristoff - DePaul University 1 Other Attacks HSRP/VRRP - use MD5 auth and/or IPSEC Wireless - better authentication needed! See my first-teams post about finding APs ICMP redirect, SQ, router adv. - easily fixed Time sync - who is getting time from who? IPv6 - potential problems with discovery/autoconf?

FIRST TC 2002 John Kristoff - DePaul University 1 References Layer 2 Attacks and Their Mitigation, Cisco Networkers 2002 presentation or Hacking Layer 2: Fun with Ethernet Switches, Blackhat 2002 Directed IGMP Report vulnerability: Making Multicast Hard (How to ward off DOS & other threats), Marshall Eubanks, IETF 51 Gigabit Ethernet and The Switch Book, both by Rich Seifert

FIRST TC 2002 John Kristoff - DePaul University 1 Tools Cammer from Tobias Oetiker (MRTG/RRDTool) At ARPTrack cislog RouteCheck I hope to do more (particularly multicast related) We also have an unreleased AP MAC/IP tracker