Layer 2 Attacks and Security PresentationID 2006 Cisco
- Slides: 26
Layer 2 Attacks and Security Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
MAC Attacks § MAC Flooding overflows the switch MAC address table (CAM) forcing the switch to forward frames to all ports on a VLAN (much like a hub) § MACOF tool generates random MAC/IP address combinations in order to overflow the CAM table Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3
MAC Security § Port Security limits the number of MAC addresses that can be learned on a single port, preventing MAC flooding § Learning MAC static – manually configured, saved in startup config (copy run start) sticky – automatically learned, added to running config, (saved w/copy run start) dynamic – automatically learned, not saved § MAC counters – number of MACs allowed timers – how long to remember MAC(s) § Violation actions protect – drop traffic from unknown MACs when over limit restrict – drop traffic from unknown MACs when over limit and send alarm shutdown – shutdown port with errdisable Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4
No Port Security Enabled: interface Gigabit. Ethernet 1/0/1 switchport access vlan 10 switchport mode access switchport nonegotiate spanning-tree portfast Before MACOF attack: Layer 2 -Switch#sh mac address-table count Mac Entries for Vlan 10: -------------Dynamic Address Count : 1 Static Address Count : 1 Total Mac Addresses : 2 Total Mac Address Space Available: 6078 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6
After MACOF attack: Layer 2 -Switch#sh mac address-table count Mac Entries for Vlan 10: -------------Dynamic Address Count : 6079 Static Address Count : 1 Total Mac Addresses : 6080 Total Mac Address Space Available: 0 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7
Port Security Enabled: interface Gigabit. Ethernet 1/0/1 switchport access vlan 10 switchport mode access switchport nonegotiate switchport-security maximum 3 switchport-security aging time 2 switchport-security violation restrict switchport-security aging type inactivity spanning-tree portfast Before MACOF attack: Layer 2 -Switch#sh port-security Secure Port Max. Secure. Addr Current. Addr Security. Violation Security Action (Count) -------------------------------------Gi 1/0/1 3 1 0 Restrict Gi 1/0/2 3 0 0 Restrict -------------------------------------Total Addresses in System (excluding one mac per port) : 2 Max Addresses limit in System (excluding one mac per port) : 6272 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8
During and After MACOF attack: Layer 2 -Switch#sh mac address-table count Mac Entries for Vlan 10: -------------Dynamic Address Count : 1 Static Address Count : 4 Total Mac Addresses : 5 Total Mac Address Space Available: 6075 Layer 2 -Switch#sh port-security Secure Port Max. Secure. Addr Current. Addr Security. Violation Security Action (Count) -------------------------------------Gi 1/0/1 3 3 67556 Restrict Gi 1/0/2 3 0 0 Restrict -------------------------------------Total Addresses in System (excluding one mac per port) : 2 Max Addresses limit in System (excluding one mac per port) : 6272 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9
DHCP Attacks § DHCP Starvation is a DOS attack which prevents valid hosts from getting Dynamic IP configuration § A Rogue DHCP server is used to pass invalid IP configuration information to valid hosts Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10
DHCP Security § DHCP Exhaustion can be prevented with the same port security measures used to protect against MAC flooding § Rogue DHCP servers can be eliminated with the use of DHCP Snooping where all DHCP request and replies are tracked and rate limited § Valid DHCP server ports must be ‘trusted’ Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11
ARP Attacks § ARP Poisoning is used to alter ARP entries in a switch and on hosts § This allows an attacker to send gratuitous ARP replies redirecting traffic from hosts on the VLAN through his machine Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12
ARP Security § Dynamic ARP Inspection (DAI) is used to prevent ARP poisoning § DAI uses information in the DHCP snooping table to ensure invalid ARP packets are dropped and ARP packets are rate limited § With both DHCP snooping and DAI static entries can be built for non-DHCP devices Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13
No DAI Enabled: Before ARP poisoning: PC: C: >arp -a Interface: 1. 1. 1. 3 --- 0 x 10003 Internet Address Physical Address Type 1. 1 00 -14 -69 -f 2 -04 -41 dynamic 1. 1. 1. 2 00 -14 -22 -b 4 -98 -6 f dynamic 1. 1. 1. 254 00 -11 -20 -27 -a 6 -c 0 dynamic Switch: Layer 2 -Switch#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 1. 1 - 0014. 69 f 2. 0441 ARPA Vlan 10 Internet 1. 1. 1. 3 2 0006. 5 b 17. 9900 ARPA Vlan 10 Internet 1. 1. 1. 254 0 0011. 2027. a 6 c 0 ARPA Vlan 10 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15
During ARP poisoning: PC: C: >arp -a Interface: 1. 1. 1. 3 --- 0 x 10003 Internet Address Physical Address Type 1. 1 00 -14 -22 -b 4 -98 -6 f dynamic 1. 1. 1. 254 00 -14 -22 -b 4 -98 -6 f dynamic Switch: Layer 2 -Switch#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 1. 1 - 0014. 69 f 2. 0441 ARPA Vlan 10 Internet 1. 1. 1. 3 0 0014. 22 b 4. 986 f ARPA Vlan 10 Internet 1. 1. 1. 254 0 0014. 22 b 4. 986 f ARPA Vlan 10 Telnet Example from Ettercap: TELNET: 1. 1: 23 -> USER: admin PASS: cisco Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16
DAI Enabled: ip dhcp snooping vlan 10 ip dhcp snooping database flash: dhcpsnooping. db ip dhcp snooping ip arp inspection vlan 10 ip arp inspection validate src-mac dst-mac ip ip arp inspection log-buffer entries 1024 ip arp inspection log-buffer logs 1024 interval 10 interface Gigabit. Ethernet 1/0/1 switchport access vlan 10 switchport mode access switchport nonegotiate switchport-security maximum 3 switchport-security aging time 2 switchport-security violation restrict switchport-security aging type inactivity ip arp inspection limit rate 25 spanning-tree portfast ip verify source ip dhcp snooping limit rate 25 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17
During ARP poisoning: PC: C: >arp -a Interface: 1. 1. 1. 3 --- 0 x 10003 Internet Address Physical Address Type 1. 1 00 -14 -69 -f 2 -04 -41 dynamic 1. 1. 1. 2 00 -14 -22 -b 4 -98 -6 f dynamic 1. 1. 1. 254 00 -11 -20 -27 -a 6 -c 0 dynamic Switch: Layer 2 -Switch#sh arp Protocol Address Age (min) Hardware Addr Type Interface Internet 1. 1 - 0014. 69 f 2. 0441 ARPA Vlan 10 Internet 1. 1. 1. 3 0 0006. 5 b 17. 9900 ARPA Vlan 10 Internet 1. 1. 1. 2 4 0014. 22 b 4. 986 f ARPA Vlan 10 Internet 1. 1. 1. 254 3 0011. 2027. a 6 c 0 ARPA Vlan 10 Layer 2 -Switch#sh log 1 d 00 h: %SW_DAI-4 -DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi 1/0/1, vlan 10. ([0014. 22 b 4. 986 f/1. 1. 1. 3/0011. 2027. a 6 c 0/1. 1. 1. 254/00: 14: 53 UTC Tue Mar 2 1993]) 1 d 00 h: %SW_DAI-4 -DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi 1/0/1, vlan 10. ([0014. 22 b 4. 986 f/1. 1. 1. 254/0006. 5 b 17. 9900/1. 1. 1. 3/00: 14: 53 UTC Tue Mar 2 1993]) 1 d 00 h: %SW_DAI-4 -DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi 1/0/1, vlan 10. ([0014. 22 b 4. 986 f/1. 1/0011. 2027. a 6 c 0/1. 1. 1. 254/00: 14: 53 UTC Tue Mar 2 1993]) Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18
Spoofing Attacks § MAC Spoofing § IP Spoofing § Spoofing is a method of using the MAC or IP address of another device and then assuming the privilege level of that device Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19
Spoofing Security § IP Source Guard prevents both MAC and IP address spoofing using info from the DHCP snooping table § Preventing MAC spoofing requires specific option 82 to be assigned by DHCP server (Cisco Registrar, Cisco IOS and Avaya DHCP server can do this) § Preventing IP spoofing has no other requirements and is configured per port Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20
No IP Source Guard Enabled: interface Gigabit. Ethernet 1/0/1 switchport access vlan 10 switchport mode access switchport nonegotiate switchport-security maximum 3 switchport-security aging time 2 switchport-security violation restrict switchport-security aging type inactivity ip arp inspection limit rate 25 spanning-tree portfast ip dhcp snooping limit rate 25 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 21
Debug of IP spoofing attack: Layer 2 -Switch#debug ip icmp ICMP packet debugging is on Layer 2 -Switch# From attacker machine (1. 1. 1. 2) not spoofing: nemesis icmp -S 1. 1. 1. 2 -D 1. 1 On Switch: Layer 2 -Switch# 1 d 00 h: ICMP: echo reply sent, src 1. 1, dst 1. 1. 1. 2 From attacker machine (1. 1. 1. 2) spoofing 10. 48. 1. 1: nemesis icmp -S 10. 48. 1. 1 -D 1. 1 On Switch: Layer 2 -Switch# 1 d 00 h: ICMP: echo reply sent, src 1. 1, dst 10. 48. 1. 1 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 23
IP Source Guard Enabled: interface Gigabit. Ethernet 1/0/1 switchport access vlan 10 switchport mode access switchport nonegotiate switchport-security maximum 3 switchport-security aging time 2 switchport-security violation restrict switchport-security aging type inactivity ip arp inspection limit rate 25 spanning-tree portfast ip verify source ip dhcp snooping limit rate 25 Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 24
Debug of IP spoofing attack: Layer 2 -Switch#debug ip icmp ICMP packet debugging is on Layer 2 -Switch# From attacker machine (1. 1. 1. 2) not spoofing: nemesis icmp -S 1. 1. 1. 2 -D 1. 1 On Switch: Layer 2 -Switch# 1 d 00 h: ICMP: echo reply sent, src 1. 1, dst 1. 1. 1. 2 From attacker machine (1. 1. 1. 2) spoofing 10. 48. 1. 1: nemesis icmp -S 10. 48. 1. 1 -D 1. 1 On Switch: [nothing] Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 25
Other Notables § HSRP/GLBP Authentication § Routing Protocol Authentication § Storm Control Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 26
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Secure socket layer and transport layer security
- Karmetasploit
- Layer 2 attacks
- Layer 2 security
- Security attacks services and mechanisms
- Security private
- Fig 19
- Chemical digestion
- Presentation layer functions
- Layer 2 e layer 3
- Layer-by-layer assembly
- Layer 2 vs layer 3 bitstream
- Explain pgp scenarios for application layer security
- Malicious attacks threats and vulnerabilities
- Cache attacks and countermeasures: the case of aes
- Computer network vulnerabilities
- Wireless transport layer security
- Multiplexed transport layer security
- Multiplexed transport layer security
- Cisco machine learning security
- Cisco isa 3000
- Cisco advanced services security
- Cisco rv220w network security firewall price
- Cisco firepower ransomware