CS 6823 - Network Security
Layer 2 Security
Phillip Mak, [email protected]
The material within was originally presented at Cisco Networkers Live Conference 2008-2009. Modified since.

Outline
- CAM table overflow attack
- VLAN hopping attacks: basic VLAN hopping (switch spoofing), double tagging
- DHCP attacks: DHCP address starvation, rogue DHCP server
- ARP spoofing
- Spanning Tree Protocol

Layer 2 Switch Security

Why Worry About Layer 2 Security?
- OSI was built to allow different layers to work without knowledge of each other
- Lower levels affect higher levels: if one layer is compromised, communications at every layer above it are compromised without those layers being aware
- Security is only as strong as the weakest link
- Layer 2 can be VERY weak
(Figure: Host A and Host B stacks, Application through Physical. Physical links, MAC addresses, IP addresses, protocols/ports and the application stream (POP3, IMAP, IM, SSL, SSH) all ride on the data link layer, so an initial compromise there compromises the whole application stream.)

MAC Attacks

MAC Address CAM Table
- CAM stands for Content Addressable Memory
- The CAM table stores the mapping of MAC addresses to physical interfaces, together with the associated VLAN parameters
- All CAM tables have a fixed size

MAC address format
- 48-bit hexadecimal number that creates a unique Layer 2 address, e.g. 1234.5678.9ABC
- First 24 bits = manufacturer code (OUI) assigned by the IEEE, e.g. 0000.0cXX.XXXX (0000.0c is a Cisco OUI)
- Second 24 bits = specific interface, assigned by the manufacturer
- All Fs = broadcast: FFFF.FFFF.FFFF

Normal CAM Behavior 1/3
- A is on port 1, B on port 2, C on port 3; the CAM table knows A -> 1 and C -> 3
- A sends an ARP for B (broadcast); B is unknown, so the switch floods the frame out every other port

Normal CAM Behavior 2/3
- B answers "I am MAC B"; the switch learns B on port 2 (CAM table: A -> 1, B -> 2, C -> 3)

Normal CAM Behavior 3/3
- Traffic A -> B is now sent only to port 2; C does not see traffic to B

CAM Overflow Attack
- The attacker on port 3 sends frames from thousands of bogus source MACs ("I am MAC Y", "I am MAC Z", ...), typically as an ARP reply flood
- The switch learns Y -> 3, Z -> 3, ... until the CAM table is full; once full it can learn nothing new
- When a legitimate entry such as B ages out it cannot be re-learned, so frames for B are flooded out every port: the switch acts like a hub and the attacker on port 3 sees traffic A -> B
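The following is an added example, not part of the lecture and not Cisco code: a toy switch with a fixed-size CAM table replays the three "normal CAM behavior" slides and the overflow, then repeats the run with a one-MAC port-security limit on the attacker's port (the countermeasure the next slides describe). The port numbers, MAC labels, the four-entry CAM and the explicit aging call are assumptions chosen to keep the run readable.

```python
"""Toy model of CAM learning, CAM overflow and port security (added example, not from the lecture)."""

PORTS = (1, 2, 3)                 # A on port 1, B on port 2, attacker on port 3, as in the slides
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Fixed-size CAM table plus optional per-port MAC limits (port security, violation mode 'shutdown')."""

    def __init__(self, cam_size, max_macs_per_port=None):
        self.cam = {}                              # learned MAC -> port
        self.cam_size = cam_size                   # every real CAM table has a fixed size
        self.max_macs = max_macs_per_port or {}    # port -> MACs allowed (no entry = no port security)
        self.errdisabled = set()                   # ports shut down by a violation
        self.violations = []                       # (port, offending MAC); a real switch also sends an SNMP trap

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port, src, dst):
        """Handle one frame; return the list of ports it is forwarded to ([] = dropped)."""
        if in_port in self.errdisabled:
            return []
        limit = self.max_macs.get(in_port)
        if limit is not None and src not in self.cam and self._macs_on(in_port) >= limit:
            self.errdisabled.add(in_port)          # port security violation: lock the port down
            self.violations.append((in_port, src))
            return []
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port                # learn the source; a full table learns nothing new
        if dst in self.cam:
            return [self.cam[dst]]                 # known destination: one port only
        # unknown destination or broadcast: flood out every other active port
        return [p for p in PORTS if p != in_port and p not in self.errdisabled]

    def age_out(self, mac):
        """Simulate CAM aging (default 300 s on Cisco IOS): the entry is removed and must be re-learned."""
        self.cam.pop(mac, None)


def run_overflow(cam_size=4, port_security=False):
    """Replay the slides' scenario and return what the switch forwarded at each step."""
    sw = Switch(cam_size, {3: 1} if port_security else None)   # at most one MAC on the attacker's port
    out = {}
    out["arp_for_b"] = sw.receive(1, "A", BROADCAST)      # B unknown: flooded to ports 2 and 3
    out["b_reply"] = sw.receive(2, "B", "A")             # switch learns B on port 2
    out["a_to_b"] = sw.receive(1, "A", "B")              # only port 2 sees it
    for i in range(cam_size * 2):                         # attacker floods bogus source MACs Y0, Y1, ...
        sw.receive(3, f"Y{i}", BROADCAST)
    sw.age_out("B")                                       # B's entry ages out while the flood continues
    sw.receive(3, "Yfresh", BROADCAST)                    # attacker grabs the freed slot
    sw.receive(2, "B", "A")                               # B talks again but cannot be re-learned
    out["a_to_b_after_flood"] = sw.receive(1, "A", "B")  # table full: flooded, port 3 sees it
    out["cam_entries"] = len(sw.cam)
    out["errdisabled"] = sorted(sw.errdisabled)
    out["violations"] = list(sw.violations)
    return out


if __name__ == "__main__":
    print("no port security:", run_overflow())
    print("port security   :", run_overflow(port_security=True))
```

Without port security the final A -> B frame is flooded to ports 2 and 3; with a one-MAC limit the attacker's second bogus source err-disables port 3, B is re-learned normally and the frame goes to port 2 only.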

Countermeasures for MAC Attacks: Port Security
- Port security limits the MAC flooding attack: when a port exceeds its allowed number of MAC addresses the switch locks the port down and sends an SNMP trap
- You may need to allow multiple MAC addresses on a port, say two for an IP phone with a PC behind it (00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb in the figure)
(Figure: the attacker sends 132,000 bogus MACs; only one MAC address is allowed on the port, so the port is shut down.)

Port Security Limits the Amount of MACs on an Interface
- In the past you had to type in the only MAC address you were going to allow on that port
- You can now put a limit on how many MAC addresses a port will learn (on Cisco IOS: switchport port-security maximum <n>, with the violation mode shutdown, restrict or protect)
- You can also put timers in to state how long a learned MAC address stays bound to that switch port (port-security aging); by comparison, the CAM table's own typical aging time is 5 minutes
- You might still want static MAC entries on ports where devices should never move, such as in server farms

VLAN Hopping Attacks

Basic Trunk Port Defined

- Trunk ports have access to all VLANs by default
- Used to carry traffic for multiple VLANs across the same physical link (generally between switches, or to IP phones)
- Encapsulation can be 802.1Q or ISL
- A trunk has a native VLAN (VLAN 1 by default): on an 802.1Q trunk, frames of the native VLAN are sent untagged and every other VLAN is tagged
(Figure: two switches joined by a trunk carrying the native VLAN, VLAN 10 and VLAN 20, with VLAN 10 and VLAN 20 hosts on each side.)

Basic VLAN Hopping Attack: Switch Spoofing
- An end station can spoof as a switch by speaking DTP and bringing up an ISL or 802.1Q trunk
- The station is then a member of all VLANs
- Requires a port that is willing to negotiate trunking with the attacker (DTP in dynamic auto or dynamic desirable mode)

Double 802.1Q Encapsulation VLAN Hopping Attack
- The attacker, on an access port in the trunk's native VLAN, sends 802.1Q double-encapsulated frames: outer tag = native VLAN, inner tag = victim VLAN
- The first switch performs only one level of decapsulation: it strips the outer tag and, because the frame belongs to the native VLAN, sends it untagged across the trunk with the inner tag still attached
- The next switch reads the remaining tag and delivers the frame into the victim VLAN
- Unidirectional traffic only: the victim's replies go to the victim VLAN and never come back through the trick
- Works even if trunking (DTP) is turned off on the attacker's port, since the attacker needs only an access port
(Figure: attacker frame tagged 802.1Q,802.1Q; the first switch strips off the first tag and sends the frame out its trunk as a single-tagged 802.1Q frame; the second switch forwards it as a plain frame on the victim VLAN.)

Double-tagged frame layout (first tag = native VLAN 5, second tag = target VLAN 96):
    dst mac | src mac | 8100, VID 5 (1st tag) | 8100, VID 96 (2nd tag) | 0800 | data

Mitigations for VLAN and Trunking Attacks
- Explicitly set the VLAN IDs allowed on a trunk port (switchport trunk allowed vlan ...)
- Do not use VLAN 1 for user traffic: it is the default native VLAN and carries switch control traffic (CDP, VTP, DTP); move the native VLAN to a dedicated, otherwise unused VLAN (switchport trunk native vlan ...)
- Disable auto-trunking on user-facing ports (DTP off: switchport mode access plus switchport nonegotiate)
- Explicitly configure trunking on infrastructure ports (switchport mode trunk plus switchport nonegotiate)
- Require all VLANs, including the native VLAN, to be tagged on trunks (vlan dot1q tag native); with no untagged native VLAN the outer tag is never stripped and double tagging fails

DHCP Attacks

DHCP Function

- Client -> DHCP Discover (broadcast); Server -> DHCP Offer (unicast); Client -> DHCP Request (broadcast); Server -> DHCP Ack (unicast)
- Result for the client, e.g.: IP address 10.10.10.101, subnet mask 255.255.255.0, default router 10.10.10.1, DNS servers 192.168.10.4 and 192.168.10.5, lease time 10 days
- The server dynamically assigns IP addresses on demand from pools the administrator creates
- Each address is assigned with a lease time
- DHCP delivers the other configuration information (gateway, DNS, ...) in options

DHCP Function: Lower Level (IPv4 DHCP packet format)
- OP code (1 byte), hardware type (1), hardware length (1), hops (1)
- Transaction ID, XID (4)
- Seconds (2), flags (2)
- Client IP address, CIADDR (4); your IP address, YIADDR (4); server IP address, SIADDR (4); gateway IP address, GIADDR (4)
- Client hardware address, CHADDR (16 bytes)
- Server name, SNAME (64 bytes)
- Filename (128 bytes)
- DHCP options (variable length, following the magic cookie)

DHCP Attack Types: DHCP Starvation Attack
- Gobbler/DHCPx looks at the entire DHCP scope and tries to lease every address available in it
- This is a denial of service (DoS) attack using DHCP leases: Discover x (size of scope), Offer x (size of scope), Request x (size of scope), Ack x (size of scope)
(Figure: the Gobbler client exhausting the DHCP server's scope.)

Countermeasures for DHCP Attacks: DHCP Starvation = Port Security
- Gobbler uses a new MAC address to request each new DHCP lease
- Port security restricts the number of MAC addresses on a port
- The attacker cannot lease more IP addresses than the number of MAC addresses allowed on the port
- In the example the attacker gets exactly one IP address from the DHCP server

DHCP Attack Types: Rogue DHCP Server Attack
- A rogue (or simply unapproved) DHCP server sits on the same segment as the clients
- Client -> DHCP Discover (broadcast); rogue server -> DHCP Offer (unicast); Client -> DHCP Request (broadcast); rogue server -> DHCP Ack (unicast)
- A client normally takes the first offer it receives, so a rogue server that answers faster than the real one wins

DHCP Attack Types: Rogue DHCP Server Attack (continued)
- What can the attacker do if he is the DHCP server? He hands out the configuration: IP address 10.10.10.101, subnet mask 255.255.255.0, default router 10.10.10.1, DNS servers 192.168.10.4 and 192.168.10.5, lease time 10 days ("Here is your configuration")
- What is the potential problem with incorrect information?
  - Wrong default gateway: the attacker is the gateway and sits in the middle of all off-subnet traffic
  - Wrong DNS server: the attacker is the DNS server and can redirect any name
  - Wrong IP address: the attacker does a DoS by handing out unusable addresses

Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
- Enable the "DHCP snooping" feature on the switch (per VLAN)
- Set the interface facing the DHCP server (or the uplink towards it) to trusted
- Leave every other interface untrusted
- Limit the rate of DHCP requests from clients on untrusted ports
- DHCP snooping is supported on most higher-end routers/switches
(Figure: DHCP snooping enabled; the port to the DHCP server is trusted, the client and rogue-server ports are untrusted. Server responses (offer, ack, nak) are accepted from the trusted port and dropped when they arrive on an untrusted port.)

Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping (binding table)
- The binding table is built by snooping the DHCP reply to the client
- Entries stay in the table until the DHCP lease time expires
- Sample output:

    sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18

Advanced Configuration: DHCP Snooping
- Gobbler uses a unique MAC for each DHCP request, and port security prevents Gobbler
- What if the attack kept the interface's real source MAC address but changed the client hardware address (CHADDR) inside each request?
- Port security would not work against that attack: it only ever sees one MAC address on the port
- DHCP snooping can check the CHADDR field of a request arriving on an untrusted port against the source MAC address of the frame that carried it (Cisco IOS: ip dhcp snooping verify mac-address)
- If there is no match, the request is dropped at the interface
- Note: some switches have this check on by default and others don't; check the documentation for the setting
(Figure: the IPv4 DHCP packet format again, with the 16-byte CHADDR field highlighted.)

DHCP Rogue Server: Switches Without DHCP Snooping
- If there are switches in the network that will not support DHCP snooping, you can configure VLAN ACLs to block server-to-client DHCP traffic (UDP port 68) from any port other than the real server's
- This will not prevent the CHADDR DHCP starvation attack
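Added example, not from the lecture and not vendor code: a switch-side DHCP snooping filter that drops server messages arriving on untrusted ports, verifies CHADDR against the frame's source MAC on untrusted ports, and records the client binding from the server's ACK, i.e. the three checks described above. The packets are built from the packet format on the slides; the MACs, port numbers and the VLAN 4 lease that mirrors the sample binding-table line are constructed. A real switch also rate-limits requests and keys the binding on the interface where the client's request was seen; this model approximates that by remembering the transaction ID.

```python
"""DHCP snooping checks: rogue-server filtering, CHADDR verification, binding table (added example)."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"          # 236 bytes, then the magic cookie and options


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", lease=None):
    """Minimal BOOTP/DHCP packet; options 53 (message type) and 51 (lease time) only. Constructed data."""
    zero4 = b"\x00" * 4
    fixed = struct.pack(FIXED_HEADER, op, 1, 6, 0, xid, 0, 0, zero4, IPv4Address(yiaddr).packed,
                        zero4, zero4, mac_bytes(chaddr).ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)
    return fixed + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(pkt):
    f = struct.unpack(FIXED_HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:           # 0xFF = end option
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:f[2]].hex(":"), "type": opts[53][0],
            "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None}


class DhcpSnooper:
    """Server messages only from trusted ports; CHADDR checked on untrusted ports; bindings from ACKs."""

    def __init__(self, trusted_ports, verify_chaddr=True):
        self.trusted = set(trusted_ports)
        self.verify_chaddr = verify_chaddr
        self.bindings = {}     # client MAC -> (ip, lease seconds, vlan, port), like 'sh ip dhcp snooping binding'
        self.pending = {}      # xid -> (client MAC, vlan, port) taken from the client's DISCOVER/REQUEST
        self.log = []

    def process(self, port, vlan, src_mac, pkt):
        d = parse_dhcp(pkt)
        if d["op"] == BOOTREPLY or d["type"] in SERVER_MESSAGES:
            if port not in self.trusted:
                self.log.append(f"drop: server message type {d['type']} on untrusted port {port}")
                return "DROP"
            if d["type"] == ACK and d["xid"] in self.pending:
                mac, cvlan, cport = self.pending.pop(d["xid"])
                self.bindings[mac] = (d["yiaddr"], d["lease"], cvlan, cport)
            return "FORWARD"
        if port not in self.trusted and self.verify_chaddr and d["chaddr"] != src_mac.lower():
            self.log.append(f"drop: CHADDR {d['chaddr']} != source MAC {src_mac} on port {port}")
            return "DROP"
        self.pending[d["xid"]] = (d["chaddr"], vlan, port)
        return "FORWARD"


def demo(verify_chaddr=True):
    """Legitimate lease on port 2 (server on trusted port 1), then two attacks from port 3."""
    client, server, attacker = "00:03:47:b5:9f:ad", "00:00:0c:11:22:33", "00:0e:00:aa:aa:aa"  # constructed
    sn = DhcpSnooper(trusted_ports={1}, verify_chaddr=verify_chaddr)
    results = {}
    sn.process(2, 4, client, build_dhcp(BOOTREQUEST, 0x1234, client, DISCOVER))
    sn.process(1, 4, server, build_dhcp(BOOTREPLY, 0x1234, client, OFFER, "10.120.4.10", 193185))
    sn.process(2, 4, client, build_dhcp(BOOTREQUEST, 0x1234, client, REQUEST))
    results["ack"] = sn.process(1, 4, server, build_dhcp(BOOTREPLY, 0x1234, client, ACK, "10.120.4.10", 193185))
    # rogue server: an OFFER arriving on an untrusted port
    results["rogue_offer"] = sn.process(3, 4, attacker,
                                        build_dhcp(BOOTREPLY, 0x1234, client, OFFER, "10.120.4.200", 600))
    # CHADDR starvation: same source MAC on the wire, a different hardware address inside the request
    results["chaddr_spoof"] = sn.process(3, 4, attacker,
                                         build_dhcp(BOOTREQUEST, 0x5678, "de:ad:be:ef:00:01", DISCOVER))
    results["bindings"] = dict(sn.bindings)
    results["log"] = list(sn.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo(verify_chaddr=False)` lets the CHADDR-spoofed Discover through, which is the starvation variant the slide warns that port security alone cannot see.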

(Figure: client, DHCP server and rogue server; DHCP Discover (broadcast) goes to UDP port 67, DHCP Offers come back to UDP port 68, and the VLAN ACL lets only the real server's Offer through.)

Summary of DHCP Attacks
- DHCP starvation attacks can be mitigated by port security
- Rogue DHCP servers can be mitigated by the DHCP snooping feature
- When configured with DHCP snooping, all ports in the VLAN are untrusted for DHCP replies until you explicitly trust the server-facing port
- Check default settings to see whether the CHADDR field is being checked during the DHCP request
- Unsupported switches can run ACLs for partial attack mitigation (an ACL cannot check the CHADDR field)

ARP Attacks

ARP Function Review
- Before a station can talk to another station it must send an ARP request to map the IP address to the MAC address
- The ARP request is broadcast using EtherType 0x0806
- All computers on the subnet receive and process the ARP request; the station that matches the IP address in the request sends an ARP reply

(Figure: "Who is 10.1.1.4?" is broadcast; "I am 10.1.1.4, MAC A" comes back.)

ARP Function Review (continued)
- ARP (RFC 826) carries no authentication: a host is allowed to send an unsolicited ARP reply, called a gratuitous ARP, and other hosts on the same subnet may store that information in their ARP tables
- Anyone can therefore claim to be the owner of any IP/MAC pair they like
- ARP attacks use this to redirect traffic
(Figure: MAC A announces "I am 10.1.1.1, MAC A"; every host on the segment records "10.1.1.1 is MAC A".)

ARP Request/Reply Example
- Request, "Who has [B IP]? Tell [A IP]":
    Ethernet header: dst MAC ff:ff:ff:ff:ff:ff, src MAC [A's MAC]
    ARP header: type Request; sender MAC [A's MAC]; sender IP [A's IP]; target MAC 00:00:00:00:00:00; target IP [B's IP]
- Reply, "[B IP] is at [B MAC]":
    Ethernet header: dst MAC [A's MAC] (ff:ff:ff:ff:ff:ff if gratuitous), src MAC [B's MAC]
    ARP header: type Reply; sender MAC [B's MAC]; sender IP [B's IP]; target MAC [A's MAC] (ff:ff:ff:ff:ff:ff if gratuitous); target IP [A's IP]

ARP Attack Tools
- Many tools on the net for ARP man-in-the-middle attacks: Dsniff, Cain & Abel, ettercap, Yersinia, etc.
- ettercap: http://ettercap.sourceforge.net/index.php
  - Decodes passwords on the fly
  - Most have a very nice GUI and are almost point and click
  - Packet insertion, many-to-many ARP attacks
- All of them capture the traffic/passwords of common applications
- SSL/SSH sessions can be intercepted: the tool presents a bogus certificate or host key to perform the MITM attack, which succeeds whenever the user accepts the warning

ARP Attack in Action
- Attacker C (10.1.1.3, MAC C) poisons the ARP tables of A (10.1.1.1, MAC A) and B (10.1.1.2, MAC B)
- ARP to 10.1.1.1 saying "10.1.1.2 is MAC C": A's table now says 10.1.1.2 is MAC C
- ARP to 10.1.1.2 saying "10.1.1.1 is MAC C": B's table now says 10.1.1.1 is MAC C

ARP Attack in Action (continued)
- All traffic between 10.1.1.1 and 10.1.1.2 now flows through the attacker: A transmits to MAC C, B transmits to MAC C, and the attacker forwards each frame to the real destination so the conversation keeps working while he reads or modifies it

ARP Attack Clean Up
- The attacker corrects the ARP table entries: ARP to 10.1.1.1 saying "10.1.1.2 is MAC B", ARP to 10.1.1.2 saying "10.1.1.1 is MAC A"
- Traffic flows return to normal

Countermeasures to ARP Attacks: Dynamic ARP Inspection (DAI)
- Uses the DHCP snooping binding table information
- All ARP packets must match the IP/MAC binding table entries
- If the entries do not match, throw the packet in the bit bucket

(Figure: DHCP snooping and Dynamic ARP Inspection enabled; the attacker's "10.1.1.2 is MAC C" and "10.1.1.1 is MAC C" ARPs are checked against the binding table ("Is this in my binding table? No") and dropped; nothing reaches A or B.)

Countermeasures to ARP Attacks: Dynamic ARP Inspection
- For Cisco devices, DHCP snooping has to be configured so that the binding table is built (hosts with static addresses need ARP ACL entries instead)
- DAI is configured per VLAN
- You can trust an interface, like DHCP snooping (e.g. uplinks towards other DAI-enabled switches)
- DAI looks at the sender MAC address and IP address fields of each ARP packet to see whether that pair, from that interface, is in the binding table; if not, the packet is blocked
- The same binding table entry shown under DHCP snooping (00:03:47:B5:9F:AD, 10.120.4.10, VLAN 4, FastEthernet3/18) is what the ARP sender fields are compared against

Spoofing Attacks

Spoofing Attacks
- MAC spoofing: if MAC addresses are used for network access control, an attacker can gain access to the network
- MAC spoofing can also be used to take over the identity of someone already on the network

- IP spoofing is the basis of ping of death, ICMP unreachable storms and SYN floods
- Trusted IP addresses can be spoofed

Spoofing Attack: MAC
- The attacker (10.1.1.3, MAC C) sends packets with an incorrect source MAC address, MAC B
- If network access control is by MAC address, the attacker now looks like 10.1.1.2
(Figure: traffic sent with source MAC B; received traffic shows source 10.1.1.3, MAC B.)

Spoofing Attack: IP
- The attacker sends packets with an incorrect source IP address, 10.1.1.2
- Whatever device the packet is sent to replies to 10.1.1.2, never to the attacker (blind spoofing)
(Figure: traffic sent with source IP 10.1.1.2; received traffic shows source IP 10.1.1.2, MAC C.)

Spoofing Attack: IP/MAC
- The attacker sends packets with both an incorrect source IP and an incorrect source MAC address
- The attacker now looks exactly like a device that is already on the network (10.1.1.2, MAC B)

Countermeasures to Spoofing Attacks: IP Source Guard
- Uses the DHCP snooping binding table information
- Operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
(Figure: traffic from the attacker's port with source 10.1.1.2/MAC B, 10.1.1.3/MAC B and 10.1.1.2/MAC C is checked against the binding table ("Is this in my binding table? No") and dropped as nonmatching.)

Countermeasures to Spoofing Attacks: IP Source Guard (continued)
- Uses the information from the DHCP snooping binding table
- Looks at the MacAddress and IpAddress fields to see whether the traffic from the interface is in the binding table; if not, the traffic is blocked
- The same binding table entry shown under DHCP snooping (00:03:47:B5:9F:AD, 10.120.4.10, VLAN 4, FastEthernet3/18) is what the source fields are compared against

Countermeasures to Spoofing Attacks: IP Source Guard (configuration)
- DHCP snooping has to be configured so that the binding table is built
- IP Source Guard is configured per port
- IP Source Guard with MAC checking does not learn the MAC from the device connected to the switch; it takes it from the DHCP traffic (the binding)
- Drawbacks: not supported on all hardware; resource intensive, as it inspects every packet

Attacks on Other Protocols

Other Protocols?
- Yersinia can help you with: CDP, DHCP, 802.1Q, 802.1X, DTP, HSRP, STP, ISL, VTP
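The next block is an added example, not the lecture's or Cisco's code, serving both the Dynamic ARP Inspection slides and the IP Source Guard slides above: given a binding table as DHCP snooping would have built it, it validates ARP packets (sender MAC/IP must be a binding in that VLAN) and IP packets (source IP, and optionally source MAC, must be bound to the ingress port), then replays the ARP poisoning and the MAC, IP and IP/MAC spoofing attempts by attacker C. The ARP packets are built from the field layout on the request/reply slide; the MACs, ports and bindings are constructed.

```python
"""Dynamic ARP Inspection and IP Source Guard against a DHCP snooping binding table (added example)."""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP

# Binding table as DHCP snooping would have built it: MAC -> (IP, VLAN, port). Constructed sample data.
BINDINGS = {
    "00:00:00:00:00:0a": ("10.1.1.1", 1, 1),   # host A on port 1
    "00:00:00:00:00:0b": ("10.1.1.2", 1, 2),   # host B on port 2
    "00:00:00:00:00:0c": ("10.1.1.3", 1, 3),   # attacker C on port 3
}
MAC_A, MAC_B, MAC_C = sorted(BINDINGS)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, opcode, mac_bytes(sender_mac),
                       IPv4Address(sender_ip).packed, mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(pkt):
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, pkt[:28])
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}


def dai_check(port, vlan, pkt, bindings=BINDINGS, trusted_ports=()):
    """DAI: on untrusted ports the ARP sender MAC/IP pair must be a binding in this VLAN, else drop."""
    if port in trusted_ports:
        return "FORWARD"
    arp = parse_arp(pkt)
    entry = bindings.get(arp["sender_mac"])
    if entry and entry[0] == arp["sender_ip"] and entry[1] == vlan:
        return "FORWARD"
    return "DROP"


def ipsg_check(port, src_mac, src_ip, bindings=BINDINGS, check_mac=True):
    """IP Source Guard: an IP packet from an untrusted port must carry a source IP bound to that port;
    with check_mac the source MAC must match the binding too (Cisco 'ip verify source port-security')."""
    for mac, (ip, _vlan, bound_port) in bindings.items():
        if bound_port != port or ip != src_ip:
            continue
        if not check_mac or mac == src_mac:
            return "FORWARD"
    return "DROP"


def demo():
    """Replay the slides: attacker C on port 3 tries ARP poisoning, then IP and IP/MAC spoofing."""
    return {
        # legitimate reply from B to A
        "legit_arp": dai_check(2, 1, build_arp(ARP_REPLY, MAC_B, "10.1.1.2", MAC_A, "10.1.1.1")),
        # poison: "10.1.1.2 is MAC C" sent to A, and "10.1.1.1 is MAC C" sent to B
        "poison_to_a": dai_check(3, 1, build_arp(ARP_REPLY, MAC_C, "10.1.1.2", MAC_A, "10.1.1.1")),
        "poison_to_b": dai_check(3, 1, build_arp(ARP_REPLY, MAC_C, "10.1.1.1", MAC_B, "10.1.1.2")),
        # IP spoofing: attacker's real MAC with B's IP
        "ip_spoof": ipsg_check(3, MAC_C, "10.1.1.2"),
        # IP/MAC spoofing: both of B's addresses, but arriving on port 3
        "ip_mac_spoof": ipsg_check(3, MAC_B, "10.1.1.2"),
        # the attacker's own addresses pass
        "attacker_own": ipsg_check(3, MAC_C, "10.1.1.3"),
        # MAC-only spoofing slips past IP-only checking, which is why the MAC check matters
        "mac_spoof_ip_only_mode": ipsg_check(3, MAC_B, "10.1.1.3", check_mac=False),
        "mac_spoof": ipsg_check(3, MAC_B, "10.1.1.3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

Note that both checks only consult the table; a host that never used DHCP has no binding and is dropped too, which is the operational reason the slides insist DHCP snooping must be in place first.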

Spanning Tree Basics
- STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure
- STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); the basic messages are configuration BPDUs and topology change notification/acknowledgment (TCN/TCA); most carry no payload
- Avoiding loops ensures broadcast traffic does not become broadcast storms
- A tree-like, loop-free topology is established from the perspective of the root bridge
- A switch is elected as root: root selection is based on the lowest configured priority (0-65535) of any switch, with the lowest MAC address as the tie-breaker
- BPDUs are unauthenticated: any device that sends them takes part in the election
(Figure: root at the top, access switches below; one redundant link marked X is blocked by STP.)

Spanning Tree Attack Example
- The attacker sends BPDUs claiming a lower (better) bridge priority than the real root, to become root bridge
- The attacker then sees frames he shouldn't
- MITM, DoS, etc. are all possible
- Any attack is very sensitive to the original topology, trunking, PVST, etc.
- Although STP takes link speed into consideration (path cost), it is always done from the perspective of the root bridge; taking a Gb backbone down to a half-duplex 10 Mb link through the attacker was verified
- Requires the attacker to be dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)
(Figure: the same topology with the attacking host announcing itself as root and a different link now blocked.)

STP Attack Mitigation
- Enable BPDU Guard on access ports: BPDU Guard disables (err-disables) the port upon reception of any BPDU; called BPDU Protection on Juniper devices
- Design loop-free topologies wherever possible, so you do not need STP (difficult for redundancy reasons)
- Disable ports using PortFast upon detection of a BPDU on the port (Cisco IOS: spanning-tree portfast bpduguard default)
- Root Guard: limits which ports may lead towards the root; the device on the port may participate in STP unless it attempts to become root bridge through a superior BPDU, in which case the port is put into the root-inconsistent (blocking) state until those BPDUs stop; configured per port (spanning-tree guard root)
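An added example, not from the lecture and not vendor code, for the attack and the two guards above: it builds 802.1D configuration BPDUs byte for byte, runs a root election on a bridge that knows only the lowest-bridge-ID rule, and shows an attacker's priority-0 BPDU taking the root role on an unprotected port, being err-disabled by BPDU Guard on an access port, and being blocked as root-inconsistent by Root Guard. The bridge IDs, MACs and port numbers are constructed.

```python
"""STP root takeover and the BPDU Guard / Root Guard responses (added example; BPDUs constructed here)."""
import struct

# IEEE 802.1D configuration BPDU: protocol id, version, type, flags, root id (priority + MAC),
# root path cost, bridge id (priority + MAC), port id, message age, max age, hello, forward delay.
BPDU_FORMAT = "!HBBBH6sIH6sHHHHH"      # 35 bytes; timers are in 1/256 s units


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root_priority, root_mac, bridge_priority, bridge_mac, path_cost=0):
    return struct.pack(BPDU_FORMAT, 0, 0, 0, 0, root_priority, mac_bytes(root_mac), path_cost,
                       bridge_priority, mac_bytes(bridge_mac), 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(pkt):
    (_, _, bpdu_type, _, root_prio, root_mac, cost, br_prio, br_mac,
     _, _, _, _, _) = struct.unpack(BPDU_FORMAT, pkt[:35])
    return {"type": bpdu_type, "root_id": (root_prio, root_mac.hex(":")), "cost": cost,
            "bridge_id": (br_prio, br_mac.hex(":"))}


class Bridge:
    """Root election only: the lowest bridge ID (priority, then MAC) seen in a BPDU becomes root,
    unless the receiving port is protected by BPDU Guard or Root Guard."""

    def __init__(self, priority, mac, bpdu_guard_ports=(), root_guard_ports=()):
        self.bridge_id = (priority, mac)
        self.root_id = self.bridge_id             # every bridge starts out believing it is root
        self.bpdu_guard = set(bpdu_guard_ports)   # access ports: no BPDU should ever arrive there
        self.root_guard = set(root_guard_ports)   # ports that may never lead towards the root
        self.errdisabled = set()
        self.root_inconsistent = set()

    def receive_bpdu(self, port, pkt):
        if port in self.errdisabled:
            return "dropped (port err-disabled)"
        if port in self.bpdu_guard:
            self.errdisabled.add(port)            # BPDU Guard: shut the port on any BPDU at all
            return "err-disabled by BPDU Guard"
        bpdu = parse_config_bpdu(pkt)
        if bpdu["root_id"] < self.root_id:        # superior BPDU: claims a better root than we know
            if port in self.root_guard:
                self.root_inconsistent.add(port)  # Root Guard: block the port, keep the current root
                return "blocked by Root Guard (root-inconsistent)"
            self.root_id = bpdu["root_id"]
            return "new root accepted"
        return "inferior BPDU, ignored"


def takeover_attempt(bpdu_guard=False, root_guard=False):
    """Attacker on port 5 advertises priority 0 to a bridge whose real root has priority 4096."""
    real_root, attacker = "00:00:0c:00:00:01", "00:0e:00:aa:aa:aa"          # constructed MACs
    br = Bridge(32768, "00:00:0c:00:00:02",
                bpdu_guard_ports={5} if bpdu_guard else (), root_guard_ports={5} if root_guard else ())
    br.receive_bpdu(1, build_config_bpdu(4096, real_root, 4096, real_root))   # legitimate root on uplink
    result = br.receive_bpdu(5, build_config_bpdu(0, attacker, 0, attacker))   # attacker's superior BPDU
    return {"result": result, "root_id": br.root_id,
            "errdisabled": sorted(br.errdisabled), "root_inconsistent": sorted(br.root_inconsistent)}


if __name__ == "__main__":
    for cfg in ({}, {"bpdu_guard": True}, {"root_guard": True}):
        print(cfg or "no guards", takeover_attempt(**cfg))
```

The unprotected run ends with root_id (0, 00:0e:00:aa:aa:aa), i.e. the attacker is root; the two guarded runs keep the real root and record port 5 as err-disabled or root-inconsistent respectively.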