Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor, SANS Technology Institute - Candidate for Master of Science Degree


Slide 1: Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor, September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)

Slide 2: The Hotel Area Network Dilemma
- About 1 year ago, sitting in a hotel room in Washington D.C.
  – “Free” wireless Internet starts working intermittently
  – Users start complaining of Facebook posts they didn’t make
- Fire up the IDS toolkit
  – IDS doesn’t see anything happening at Layer 3
  – IPS isn’t seeing any attacks against the hotel either
- What’s happening?
  – As incident responders, we need the ability to quickly write tools to parse data… in this case, Layer 2 traffic

Slide 3: CAM-Table Exhaustion Attack
- The CAM table maintains a list of switch ports and the destination MAC addresses learned on each port
- Overloading the switch with CAM table entries overflows its memory
- The switch no longer knows how to deliver frames based on MAC-port bindings

Slide 4: CAM-Table Exhaustion Attack (diagram, steps 1-4; image not included in the transcript)

Slide 5: ARP Spoofing
- ARP translates layer 3 addresses to layer 2 addresses
- Clients maintain their own ARP tables of these logical-to-physical bindings
- But anyone can broadcast a gratuitous ARP, and client tables are updated

Slide 6: ARP Spoofing (diagram, steps 1-4; image not included in the transcript)
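The gratuitous-ARP rebinding described on the slide is exactly what a layer 2 detector has to catch. The following is an added example, not code from the presentation or the GCIA paper: it parses raw Ethernet/ARP frames with the standard library, keeps an IP-to-MAC binding table, and alerts when an ARP reply or gratuitous ARP rebinds an address already seen. The frame builder, the `scapy_callback` helper and the sample addresses are constructed for the demo; Scapy is assumed only for live use through `sniff`.

```python
import struct
ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2     # EtherType and ARP opcodes

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP frame, used here only as sample input."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_ip, sender_mac, target_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_ip, sender_mac, target_ip

def check_frame(bindings, frame):
    """Learn IP->MAC from replies/gratuitous ARPs; alert when an IP is rebound."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    op, sender_ip, sender_mac, target_ip = parsed
    gratuitous = sender_ip == target_ip
    if op != ARP_REPLY and not gratuitous:
        return None                      # ordinary requests rebind nothing
    known = bindings.setdefault(sender_ip, sender_mac)
    if known != sender_mac:
        return {"ip": sender_ip, "expected": known, "seen": sender_mac, "gratuitous": gratuitous}
    return None

def scapy_callback(bindings):
    """Live use (assumes Scapy is installed): sniff(filter="arp", prn=scapy_callback({}))."""
    return lambda pkt: check_frame(bindings, bytes(pkt))   # bytes(pkt) is the raw frame

def demo():
    """Constructed traffic: the gateway answers, then another host claims its IP."""
    bindings = {}
    legit = build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1",
                      "de:ad:be:ef:00:10", "192.168.1.10")
    spoof = build_arp(ARP_REQUEST, "66:66:66:00:00:66", "192.168.1.1",
                      "ff:ff:ff:ff:ff:ff", "192.168.1.1")    # gratuitous ARP
    return [check_frame(bindings, legit), check_frame(bindings, spoof)]
```

A binding table seeded from a known-good snapshot (or from DHCP leases) rather than from the first frame seen avoids trusting whichever host answers first.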

Slide 7: DHCP Starvation Attack
- Dynamic IP addresses are leased from a DHCP server after a request by a client
- The lease allows the client to use the specified address for a period of time
- By sending 254 DHCP requests, a DHCP starvation attack prevents any new clients from joining

Slide 8: DHCP Starvation Attack (diagram, steps 1-4; image not included in the transcript)

Slide 9: CTS/RTS Wireless Attack
- Clear-to-send (CTS) and Ready-to-send (RTS) are layer 2 unencrypted/unauthenticated messages used to prevent wireless collisions
- Clients wishing to send traffic transmit an RTS; if the medium is clear, the destination responds with a CTS
- Everybody else who hears the CTS backs off

Slide 10: CTS/RTS Wireless Attack (diagram, steps 1-4; image not included in the transcript)

Slide 11: Wireless Deauth Attack
- Clients authenticate themselves to access points prior to associating with the network
- Authentication typically occurs over unencrypted layer 2 management frames
- De-authentication also occurs over unencrypted layer 2 management frames
- Tools such as aircrack-ng can spoof a de-authentication

Slide 12: Wireless Deauth Attack (diagram, steps 1-4; image not included in the transcript)

Slide 13: Fake Access Point Attack
- Wireless access points are advertised over 802.11 beacon frames
- Clients use the information in the 802.11 beacon frame to connect to the wireless AP
- Anyone can broadcast an 802.11 beacon, impersonating a network
- Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP

Slide 14: Fake Access Point Attack (diagram, steps 1-5; image not included in the transcript)

Slide 15: Conclusions
- Layer two attacks still present a threat to modern networks
- Typically these threats go unnoticed by intrusion detection systems
- Scapy and a little creativity can be used to automate detecting layer two attacks
- For more information, see “Detecting and Responding to Data Link Layer Attacks”, published in the SANS GCIA Reading Room

