Understanding and Preventing Layer 2 Attacks in an IPv4 Network
BRKSEC-2202
Cisco Public BRKSEC-2202 © 2013 Cisco and/or its affiliates. All rights reserved.
Agenda
Layer 2 Attack Landscape
Attacks and Countermeasures
‒ MAC Attacks
‒ VLAN Hopping
‒ DHCP Attacks
‒ ARP Attacks
‒ Private VLANs
‒ Spoofing Attacks
‒ General Attacks
Summary
Lower Levels Affect Higher Levels
In the 7-layer OSI model, if one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as the weakest link.
When it comes to networking, Layer 2 can be a very weak link.
[Diagram: two OSI stacks side by side, Application (POP3, IMAP, IM, SSL, SSH) down to Physical. An initial compromise at the Data Link layer leaves everything above it compromised: IP addresses at Network, protocols/ports at Transport, and the Session, Presentation and Application stream]
MAC Address/CAM Table Review
A 48-bit hexadecimal number creates a unique L2 address, e.g. 1234.5678.9ABC
‒ First 24 bits = manufacturer code, assigned by IEEE (0000.0cXX.XXXX)
‒ Second 24 bits = specific interface, assigned by the manufacturer (0000.0cXX.XXXX)
‒ All Fs = broadcast (FFFF.FFFF.FFFF)
CAM table stands for Content Addressable Memory.
The CAM table stores information such as the MAC addresses available on physical ports with their associated VLAN parameters.
All CAM tables have a fixed size.
Normal CAM Behavior (1/3)
[Diagram: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3; the CAM table holds A on Port 1 and C on Port 3. A sends an ARP for B. MAC B is unknown, so the switch floods the frame out every port]
Normal CAM Behavior (2/3)
[Diagram: B replies to MAC A on Port 2. The switch learns that B is on Port 2 and adds the entry to the CAM table]
Normal CAM Behavior (3/3)
[Diagram: the CAM table now holds A on Port 1, B on Port 2, C on Port 3. Traffic from A to B is sent only out Port 2; MAC C does not see traffic to B]
CAM Overflow—Tools (1/2)
macof tool, since 1999
‒ About 100 lines of Perl
‒ Included in “dsniff”
The attack succeeds by exploiting the size limit on CAM tables.
macof sends a flood of frames with random source MAC and IP addresses.
Yersinia: Swiss-army knife of L2 attacks
CAM Overflow (2/2)
Assume the CAM table is now full.
[Diagram: the CAM table holds A on Port 1, B on Port 2, C on Port 3 and bogus entries Y and Z on Port 3, where the attacker sits. Traffic from A to B is now flooded, and MAC C reports “I see traffic to B”]
CAM Table Full
Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN.
This basically turns a VLAN on a switch into a hub.
This attack will also fill the CAM tables of adjacent switches.
Capture taken on a port that should only see broadcasts:
  10.1.1.22 -> (broadcast)  ARP   C Who is 10.1.1.1, 10.1.1.1 ?
  10.1.1.22 -> (broadcast)  ARP   C Who is 10.1.1.19, 10.1.1.19 ?
  10.1.1.26 -> 10.1.1.25    ICMP  Echo request (ID: 256 Sequence number: 7424)   OOPS
  10.1.1.25 -> 10.1.1.26    ICMP  Echo reply (ID: 256 Sequence number: 7424)     OOPS
Countermeasures for MAC Attacks
Port Security limits the number of MACs on an interface.
[Diagram: only one MAC address is allowed on the port. A host sending 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, …) triggers a shutdown]
Solution: Port Security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
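The CAM overflow and port-security slides above describe the switch's behaviour; the following is an added example (not code from the Cisco deck) that models it: a fixed-size CAM table, a per-port MAC limit with the same protect/restrict/shutdown modes, and a replay of the A-to-B conversation with an attacker on Gi3. All MACs, port names, the CAM size of 64 and the 200-frame flood are constructed values for the demo.

```python
# Added example, not from the Cisco deck: a toy model of a switch CAM table
# of fixed size, showing why a full table makes the VLAN behave like a hub and
# how a per-port MAC limit (port security) keeps the flood from filling it.
import random

BROADCAST = "ffff.ffff.ffff"


def rand_mac(rng):
    """Constructed bogus source MAC in Cisco dotted format (locally administered)."""
    raw = bytes([0x02] + [rng.randrange(256) for _ in range(5)]).hex()
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


class Switch:
    def __init__(self, cam_size, ports, port_max=None, violation="shutdown"):
        self.cam_size = cam_size          # fixed CAM capacity
        self.cam = {}                     # mac -> port
        self.ports = list(ports)
        self.port_max = port_max          # port-security maximum (None = off)
        self.violation = violation        # protect | restrict | shutdown
        self.secure = {p: set() for p in ports}   # MACs accepted by port security, per port
        self.errdisabled = set()
        self.events = []

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of egress ports it is sent out of."""
        if in_port in self.errdisabled:
            return set()
        if self.port_max is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= self.port_max:
                self.events.append(f"psecure-violation on {in_port}: {src}")
                if self.violation == "shutdown":
                    self.errdisabled.add(in_port)   # err-disable, as in the syslog on the next slide
                return set()                          # all three modes drop the offending frame
            self.secure[in_port].add(src)
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port           # learn only while there is room
        if dst == BROADCAST or dst not in self.cam:
            return {p for p in self.ports if p != in_port and p not in self.errdisabled}
        return {self.cam[dst]}

    def age_out(self):
        """Inactivity aging: idle entries leave the CAM and must be relearned."""
        self.cam.clear()


def demo(port_security):
    """Replay the slide scenario; return what the attacker on Gi3 can observe."""
    sw = Switch(cam_size=64, ports=["Gi1", "Gi2", "Gi3"],
                port_max=1 if port_security else None)
    A, B = "0000.0c00.000a", "0000.0c00.000b"   # attacker (MAC C) is on Gi3
    sw.receive("Gi1", A, BROADCAST)       # A ARPs for B (flooded), A is learned
    sw.receive("Gi2", B, A)               # B replies, B is learned on Gi2
    sw.age_out()                          # both hosts go idle for a while
    rng = random.Random(1)
    for _ in range(200):                  # attacker floods frames with bogus source MACs
        sw.receive("Gi3", rand_mac(rng), BROADCAST)
    sw.receive("Gi1", A, B)               # A talks to B again
    sw.receive("Gi2", B, A)               # B answers
    egress = sw.receive("Gi1", A, B)      # steady-state A -> B: unicast or flooded?
    return {"a_to_b_ports": egress, "c_sees_traffic": "Gi3" in egress,
            "cam_entries": len(sw.cam), "events": sw.events}


if __name__ == "__main__":
    for ps in (False, True):
        print("port security" if ps else "no port security", demo(ps))
```

Without port security the CAM fills with bogus entries, A and B can no longer be relearned after aging out, and the A-to-B frames are flooded to Gi3; with a per-port maximum of one MAC, the second bogus source on Gi3 err-disables the port and A-to-B stays unicast.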
Port Security: Example Config
Cisco Catalyst OS
  set port security 5/1 enable
  set port security 5/1 port max 10
  set port security 5/1 violation {protect|restrict|shutdown}
  set port security 5/1 age 2
  set port security 5/1 timer-type inactivity
Cisco IOS
  interface type slot/port
  switchport port-security
  switchport port-security maximum 10
  switchport port-security violation {protect|restrict|shutdown}
  switchport port-security aging time 2
  switchport port-security aging type inactivity
The max number is not there to control access; it is there to protect the switch from attack.
May shut down the port or restrict incoming frames with unknown MACs.
A MAC entry will age out after 2 minutes of inactivity, for laptops migrating between desks.
Log message on a violation:
  4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
Additional Features for Port Security
Cisco IOS
  switchport port-security
  switchport port-security maximum 3 vlan voice
  switchport port-security maximum 10 vlan access
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity
  snmp-server enable traps port-security trap-rate 5
Per-VLAN, per-port maximum MAC addresses
Restrict now lets you know something has happened: you will get an SNMP trap.
Rate limit SNMP traps
Countermeasures for MAC Attacks with IP Phones
[Diagram: two or three MAC addresses could be allowed on the port; exceeding them causes a shutdown]
Do not go too low with the maximum allowed number.
Some switches count the CDP MAC and the LLDP MAC, so phones consume 2 MACs.
This feature is there to protect the switch and the LAN. Make it 10, or 50, or whatever you like, as long as you don’t overrun the CAM table.
Port Security
A port disabled by Port Security can be automatically recovered. This minimizes admin overhead. A notification is sent, so the incident is logged.
With “Sticky Port Security”, learned MACs are saved to NVRAM. This may be good for static environments and with a minimum “max MAC count” configured.
  SW(config)# errdisable recovery cause psecure-violation
  SW(config)# errdisable recovery interval seconds
  SW(config-if)# switchport port-security mac-address sticky
  SW# write memory
Building the Layers
Port Security prevents CAM attacks (and some DHCP starvation attacks).
[Diagram: layer stack with Port Security as the first layer]
VLAN Hopping
At least 2 options:
1. The attacker can negotiate a trunk port with the access switch, if DTP is left turned on
2. 802.1q double tagging
Dynamic Trunk Protocol (DTP)
DTP negotiates trunks between switches.
If DTP is left on an access port, then an attacker can form a trunk with the switch.
A trunk has access to all VLANs by default.
An IP phone does NOT need DTP. It is happy with CDP or LLDP carrying the VVID; then it starts sending voice with an 802.1q tag.
Disable DTP on access ports:
  SW(config-if)# switchport nonegotiate
[Diagram: an attacker negotiating a trunk over Dynamic Trunk Protocol gains access to all VLANs]
Double 802.1Q Encapsulation VLAN Hopping Attack
[Diagram: an 802.1q frame with dst mac, src mac, a 1st tag (8100, VLAN 5), a 2nd tag (8100, VLAN 96), ethertype 0800 and data. The first switch strips off the first tag and sends out the rest, with the other tag remaining]
The attacker sends 802.1Q double-encapsulated frames.
The switch performs only one level of decapsulation.
Unidirectional traffic only.
Works even if trunk ports are set to off.
Only works if the trunk native VLAN is the same VLAN as the attacker’s.
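To make the “one level of decapsulation” point concrete, here is an added example (not code from the Cisco deck) that walks the 802.1Q tag stack of a raw Ethernet frame, classifies what a port sees, and shows what is left after a switch pops the native-VLAN tag. The MAC addresses, the treatment of 0x88A8 as a stackable tag, and the constructed test frame are assumptions of this example; the VLAN numbers 5 and 96 are the ones on the slide.

```python
# Added example, not from the Cisco deck: walk the 802.1Q tag stack of a raw
# Ethernet frame and flag the double-encapsulated case the slide describes,
# where the outer tag equals the trunk's native VLAN and an inner tag remains
# after the switch pops one level.
import struct

ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8    # QinQ service tag; handled like 0x8100 here (assumption)
ETH_P_IP = 0x0800


def parse_frame(frame):
    """Return (dst, src, [vlan ids outer->inner], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, offset, vlans = frame[0:6], frame[6:12], 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            (tci,) = struct.unpack_from("!H", frame, offset)
            offset += 2
            vlans.append(tci & 0x0FFF)        # VLAN ID is the low 12 bits of the TCI
            continue
        return dst, src, vlans, ethertype, frame[offset:]


def classify_ingress(frame, native_vlan):
    """Classify a frame arriving on a port whose trunk native VLAN is native_vlan."""
    _, _, vlans, _, _ = parse_frame(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        return "double-tagged-native"     # outer tag will be popped, inner tag survives
    if len(vlans) >= 2:
        return "double-tagged"
    return "tagged" if vlans else "untagged"


def pop_outer_tag(frame):
    """What a switch does with a native-VLAN tag: strip exactly one 802.1Q header."""
    _, _, vlans, _, _ = parse_frame(frame)
    return frame if not vlans else frame[:12] + frame[16:]


def build_frame(dst, src, vlans, ethertype=ETH_P_IP, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame (not a capture); tags are listed outer to inner."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed MACs for the demo
HOST_A = bytes.fromhex("00000c00000a")
HOST_B = bytes.fromhex("00000c00000b")


def demo():
    """Frame from the slide: outer tag VLAN 5 (the native VLAN), inner tag VLAN 96."""
    frame = build_frame(HOST_B, HOST_A, [5, 96])
    after_first_switch = pop_outer_tag(frame)
    return {
        "ingress": classify_ingress(frame, native_vlan=5),
        "tags_before": parse_frame(frame)[2],
        "tags_after_pop": parse_frame(after_first_switch)[2],
        "with_other_native": classify_ingress(frame, native_vlan=10),
    }


if __name__ == "__main__":
    print(demo())
```

The “double-tagged-native” verdict is the condition worth alerting on from a monitoring port: after the first switch pops the native tag, the frame still carries VLAN 96 and the next trunk will honour it. Classifying the same frame against a native VLAN of 10 shows why the slide says the attack only works when the native VLAN matches the attacker's VLAN, and why the best practice of a dedicated native VLAN ID removes the precondition.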
Voice VLAN Access
[Diagram: the phone's uplink carries VLAN 10 tagged and VLAN 20 untagged; the PC behind the phone sits in VLAN 20]
Normal VLAN operation
‒ VLAN 20 is native to the PC and is not tagged
‒ VLAN 10 is the voice VLAN, and is tagged with 10
Voice VLAN Access: Attack
[Diagram: the attacker's PC sends VLAN 10 tagged frames through the phone; VLAN 10 now carries PC traffic alongside VLAN 20]
Attacking the voice VLAN
‒ The attacker sends 802.1Q tagged frames from the PC to the phone
‒ Traffic from the PC is now in the voice VLAN
IP Phones VLAN Security
Configurable options:
‒ Block voice VLAN from PC port
‒ Ignore Gratuitous ARPs (GARPs)
IP Phone PC Voice VLAN Access Setting
[Diagram: the attacker sends VLAN 10 frames, but the phone stops them at its PC port; only VLAN 20 gets through]
Preventing voice VLAN attacks
‒ Enable the setting for blocking PC voice VLAN access
‒ Tagged traffic will be stopped at the PC port on the phone
Differences between phone model implementations
‒ Newer phones only block the voice VLAN, allowing the PC to run 802.1Q on any other VLAN
‒ All phones that run Java block all packets containing an 802.1Q header
‒ Low-end phones don’t block anything
Security Best Practices for VLANs and Trunking
Always use a dedicated VLAN ID for the native VLAN of trunk ports
Tag even the native VLAN on trunks: “vlan dot1q tag native”
Do not use VLAN 1 for anything
Disable DTP (auto-trunking) on user-facing ports
Explicitly configure trunking on infrastructure ports
Disable “PC voice VLAN access” on phones that support it
Disable unused ports and put them in an unused VLAN
Quiz
Scientists believe that Earth was formed ~4.6 billion years ago. Only a few places on Earth are known to still have that ancient crust exposed. The oldest dated rock on Earth (~4.4 billion years) has been found in …
Western Australia, Jack Hills, ~700 km north of Perth
DHCP Function: High Level
[Diagram: the client asks the DHCP server “Send my configuration information”; the server answers “Here is your configuration”:]
  IP Address: 10.10.10.101
  Subnet Mask: 255.255.255.0
  Default Routers: 10.10.10.1
  DNS Servers: 192.168.10.4, 192.168.10.5
  Lease Time: 10 days
The server dynamically assigns IP addresses on demand.
The administrator creates pools of addresses available for assignment.
An address is assigned with a lease time.
DHCP delivers other configuration information in options.
Similar functionality exists in IPv6 for DHCP.
DHCP Function: Lower Level
Exchange between client and DHCP server:
  DHCP Discover (Broadcast)
  DHCP Offer (Unicast)
  DHCP Request (Broadcast)
  DHCP Ack (Unicast)
DHCP is defined by RFC 2131.
DHCP Attack Types: DHCP Starvation Attack
[Diagram: Gobbler on the client side repeats the whole exchange once per address in the scope:]
  DHCP Discovery (Broadcast) x (size of scope)
  DHCP Offer (Unicast) x (size of scope)
  DHCP Request (Broadcast) x (size of scope)
  DHCP Ack (Unicast) x (size of scope)
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope.
This is a Denial of Service (DoS) attack using DHCP leases.
Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security
[Diagram: DHCP server, client and Gobbler on the same switch]
Cisco Catalyst OS
  set port security 5/1 enable
  set port security 5/1 port max 10
  set port security 5/1 violation restrict
  set port security 5/1 age 2
  set port security 5/1 timer-type inactivity
Cisco IOS
  switchport port-security
  switchport port-security maximum 10
  switchport port-security violation restrict
  switchport port-security aging time 2
  switchport port-security aging type inactivity
Gobbler uses a new MAC address to request each new DHCP lease.
Restrict the number of MAC addresses on a port.
The attacker will not be able to lease more IP addresses than the number of MAC addresses allowed on the port.
In the example the attacker would get one IP address from the DHCP server.
DHCP Attack Types: Rogue DHCP Server Attack
[Diagram: client, legitimate DHCP server and rogue server on the same segment:]
  DHCP Discovery (Broadcast)
  DHCP Offer (Unicast) from Rogue Server
  DHCP Request (Broadcast)
  DHCP Ack (Unicast) from Rogue Server
DHCP Attack Types: Rogue DHCP Server Attack
What can the attacker do if he is the DHCP server?
[Diagram: “Here is your configuration”, as handed out by the rogue server:]
  IP Address: 10.10.10.101
  Subnet Mask: 255.255.255.0
  Default Routers: 10.10.10.10
  DNS Servers: 10.10.10.10, 192.168.10.5
  Lease Time: 10 days
What do you see as a potential problem with incorrect information?
‒ Wrong default gateway: the attacker is the gateway
‒ Wrong DNS server: the attacker is the DNS server
‒ Wrong IP address: the attacker does DoS with an incorrect IP
Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
[Diagram: DHCP snooping enabled on the VLAN. The client port and the rogue server's port are untrusted; the port toward the DHCP server is trusted. DHCP responses (offer, ack, nak) from the trusted port are OK; the same responses arriving on an untrusted port are BAD and dropped]
Cisco IOS global commands
  ip dhcp snooping vlan 4,104
  no ip dhcp snooping information option
  ip dhcp snooping
DHCP snooping trusted server or uplink interface commands
  ip dhcp snooping trust
DHCP snooping untrusted client interface commands
  no ip dhcp snooping trust (default)
  ip dhcp snooping limit rate 10 (pps)
By default all ports in the VLAN are untrusted.
Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
[Diagram: same topology as the previous slide; the switch additionally builds a DHCP snooping binding table]
DHCP snooping binding table:
  sh ip dhcp snooping binding
  MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
  ------------------ --------------- ---------- ------------- ---- --------------------
  00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
The table is built by “snooping” the DHCP reply to the client.
Entries stay in the table until the DHCP lease time expires.
Advanced Configuration: DHCP Snooping
The DHCP binding table takes time to build after it is turned on.
‒ May take 3.5 days if the DHCP lease time is 7 days
‒ Not all operating systems (Linux) re-DHCP on a link-down event
It is worth backing up this table to bootflash, FTP, TFTP, etc. This will be important in the next section.
  ip dhcp snooping database tftp://172.26.168.10/tftpboot/tulledge/ngcs-4500-1-dhcpdb
  ip dhcp snooping database write-delay 60
Advanced Configuration: DHCP Snooping
Gobbler uses a unique MAC for each DHCP request, and port security prevents Gobbler.
What if the attack used the same interface MAC address, but changed the client hardware address in the request? Port security would not work for that attack.
The switch checks the CHADDR field of the request to make sure it matches the hardware MAC in the DHCP snooping binding table. If there is not a match, the request is dropped at the interface.
DHCP packet layout (RFC 2131):
  OP Code | Hardware Type | Hardware Length | HOPS
  Transaction ID (XID)
  Seconds | Flags
  Client IP Address (CIADDR)
  Your IP Address (YIADDR)
  Server IP Address (SIADDR)
  Gateway IP Address (GIADDR)
  Client Hardware Address (CHADDR), 16 bytes
  Server Name (SNAME), 64 bytes
  Filename, 128 bytes
  DHCP Options
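The trusted/untrusted port rule from the DHCP snooping slide and the CHADDR check on this slide are both decisions a switch makes per DHCP message. The following is an added example (not code from the Cisco deck or Cisco IOS) that parses a DHCP message using the header layout shown above and applies both checks. It compares CHADDR with the Ethernet source MAC of the frame that carried the request; that this is where the “hardware MAC” comes from is this example's assumption. The client MAC is the one from the binding-table slide; the attacker MAC, transaction ID and messages are constructed.

```python
# Added example, not from the Cisco deck or Cisco IOS: parse a DHCP message
# (RFC 2131 layout as on the slide) and apply two DHCP-snooping style checks:
# 1. OFFER/ACK/NAK arriving on an untrusted port is dropped (rogue server);
# 2. on an untrusted port the CHADDR of a client request must equal the
#    Ethernet source MAC that carried it (the spoofed-CHADDR Gobbler variant).
# Comparing CHADDR with the frame's source MAC is this example's assumption
# about where the "hardware MAC" comes from.
import struct

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed header


def parse_dhcp(payload):
    """Return the fixed fields of interest plus options as {code: bytes}."""
    if len(payload) < HDR.size + 4 or payload[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = HDR.unpack_from(payload)
    opts, i = {}, HDR.size + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen], "yiaddr": yiaddr,
            "msg_type": opts[53][0] if 53 in opts else 0, "options": opts}


def snoop(port_trusted, src_mac, payload):
    """Decide what a port does with a DHCP payload: (verdict, reason)."""
    msg = parse_dhcp(payload)
    if msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MSGS:
        if not port_trusted:
            return ("drop", "server message on untrusted port")
        return ("forward", "server message on trusted port")
    if not port_trusted and msg["chaddr"] != src_mac:
        return ("drop", "CHADDR does not match frame source MAC")
    return ("forward", "client request")


def build_dhcp(op, msg_type, chaddr, xid=0x1234, yiaddr=b"\0\0\0\0"):
    """Constructed DHCP message for the demo (not a capture)."""
    fixed = HDR.pack(op, 1, 6, 0, xid, 0, 0x8000 if op == BOOTREQUEST else 0,
                     b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                     chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


# MAC from the binding-table slide, plus a constructed attacker MAC
CLIENT_MAC = bytes.fromhex("000347b59fad")
OTHER_MAC = bytes.fromhex("020000000001")


def demo():
    discover = build_dhcp(BOOTREQUEST, DISCOVER, CLIENT_MAC)
    offer = build_dhcp(BOOTREPLY, OFFER, CLIENT_MAC, yiaddr=bytes([10, 120, 4, 10]))
    return {
        "honest_client": snoop(False, CLIENT_MAC, discover),   # CHADDR == source MAC
        "spoofed_chaddr": snoop(False, OTHER_MAC, discover),   # same port MAC, forged CHADDR
        "rogue_offer": snoop(False, OTHER_MAC, offer),         # offer from an untrusted port
        "real_offer": snoop(True, OTHER_MAC, offer),           # offer from the trusted uplink
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Note that the rate limit from the previous slide (`ip dhcp snooping limit rate 10`) is a separate, per-port counter that this example does not model; the two checks here are the ones that decide whether an individual message is forwarded at all.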
Summary of DHCP Attacks
DHCP starvation attacks can be mitigated by port security.
Rogue DHCP servers can be mitigated by DHCP snooping or Private VLAN (PVLAN) features.
When configured with DHCP snooping, all ports in the VLAN will be “untrusted” for DHCP replies.
Check the default settings to see if the CHADDR field is being checked during the DHCP request.
Unsupported switches can run ACLs for partial attack mitigation (they cannot check the CHADDR field).
DHCP Snooping Capacity
All DHCP snooping binding tables have limits.
All entries stay in the binding table until the lease runs out.
If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed.
  sh ip dhcp snooping binding
  MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
  ------------------ --------------- ---------- ------------- ---- --------------------
  00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
Building the Layers
Port security prevents CAM attacks and DHCP starvation attacks.
DHCP snooping and PVLAN prevent rogue DHCP server attacks.
[Diagram: layer stack with DHCP Snooping on top of Port Security]
ARP Function Review
Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address.
‒ This ARP request is broadcast using protocol ID 0806
All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply.
[Diagram: “Who has 10.1.1.4?” is broadcast to the subnet; the owner answers “I have 10.1.1.4 & MAC A”]
ARP Function Review
According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP. Other hosts on the same subnet can store this information in their ARP tables.
Anyone can claim to be the owner of any IP/MAC they like.
“ARP poisoning” uses this to redirect traffic.
[Diagram: a host announces “I have 10.1.1.1 MAC A”; every other host on the subnet records “10.1.1.1 has MAC A”]
ARP Attack in Action
The attacker “poisons” the ARP tables.
[Diagram: hosts 10.1.1.1 (MAC A) and 10.1.1.2 (MAC B), attacker 10.1.1.3 (MAC C). The attacker sends a gratuitous ARP reply “10.1.1.2 has MAC C” to 10.1.1.1 and “10.1.1.1 has MAC C” to 10.1.1.2. In 10.1.1.1's table, 10.1.1.2 is now MAC C; in 10.1.1.2's table, 10.1.1.1 is now MAC C]
ARP Attack in Action
All traffic flows through the attacker.
[Diagram: the same hosts with the poisoned entries in place (10.1.1.2 is now MAC C, 10.1.1.1 is now MAC C). The victim sends to the fake upstream gateway, and the attacker (MAC C) receives and transmits the victim's traffic]
ARP Attack Clean Up
The attacker corrects the ARP table entries; traffic flows return to normal.
[Diagram: the attacker sends a gratuitous ARP reply “10.1.1.2 has MAC B” to 10.1.1.1 and “10.1.1.1 has MAC A” to 10.1.1.2. 10.1.1.2 is now MAC B again and 10.1.1.1 is now MAC A again]
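The poisoning and clean-up sequence on the last three slides has a visible signature on the wire: an IP address that was bound to one MAC is suddenly claimed by another, usually in a gratuitous reply, and later flips back. The following is an added example (not code from the Cisco deck) of a passive monitor that parses ARP packets, keeps its own IP-to-MAC table and alerts on such changes, with the option of pinning entries such as the gateway's. The MAC addresses are constructed; the IP addresses and the order of replies follow the slides; the monitor is assumed to see the segment's traffic, for instance through a SPAN port.

```python
# Added example, not from the Cisco deck: a passive ARP monitor (assumed to see
# the segment's traffic, e.g. via a SPAN port) that parses ARP packets, keeps its
# own IP-to-MAC table and alerts when a reply changes an existing mapping or
# contradicts a pinned entry, which is the signature of the poisoning and
# clean-up sequence shown above.
import struct

# htype, ptype, hlen, plen, op, sha, spa, tha, tpa (Ethernet/IPv4 ARP body)
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp(op, sha, spa, tha, tpa):
    """Constructed ARP packet (not a capture)."""
    return ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


class ArpMonitor:
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # ip -> mac that must never change (e.g. the gateway)
        self.table = {}                    # ip -> mac as learned from the wire
        self.alerts = []

    def observe(self, pkt):
        """Record the sender binding of one ARP packet; return True if it was gratuitous."""
        a = parse_arp(pkt)
        gratuitous = a["op"] == ARP_REPLY and a["spa"] == a["tpa"]
        expected = self.pinned.get(a["spa"], self.table.get(a["spa"]))
        if expected is not None and expected != a["sha"]:
            kind = "gratuitous reply" if gratuitous else ("reply" if a["op"] == ARP_REPLY else "request")
            self.alerts.append(f"{ip_str(a['spa'])} claimed by {mac_str(a['sha'])}, "
                               f"expected {mac_str(expected)} ({kind})")
        self.table[a["spa"]] = a["sha"]
        return gratuitous


# Constructed hosts matching the slide: 10.1.1.1 = MAC A, 10.1.1.2 = MAC B, attacker = MAC C
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("00000c00000a", "00000c00000b", "00000c00000c"))
IP_1, IP_2 = bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2])
ZERO = b"\0" * 6


def demo():
    mon = ArpMonitor(pinned={IP_1: MAC_A})       # operator pins the gateway's MAC
    pkts = [
        build_arp(ARP_REQUEST, MAC_A, IP_1, ZERO, IP_2),   # A asks who has 10.1.1.2
        build_arp(ARP_REPLY, MAC_B, IP_2, MAC_A, IP_1),    # B answers: normal
        build_arp(ARP_REPLY, MAC_C, IP_2, MAC_A, IP_2),    # poison A: "10.1.1.2 has MAC C"
        build_arp(ARP_REPLY, MAC_C, IP_1, MAC_B, IP_1),    # poison B: "10.1.1.1 has MAC C"
        build_arp(ARP_REPLY, MAC_B, IP_2, MAC_A, IP_2),    # clean-up: "10.1.1.2 has MAC B"
        build_arp(ARP_REPLY, MAC_A, IP_1, MAC_B, IP_1),    # clean-up: "10.1.1.1 has MAC A"
    ]
    gratuitous_count = sum(mon.observe(p) for p in pkts)
    return {"alerts": mon.alerts, "gratuitous": gratuitous_count}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

The monitor raises three alerts for the six packets: both poisoning replies and the clean-up of 10.1.1.2. The final clean-up of 10.1.1.1 restores the pinned gateway binding and is therefore not reported, which is the behaviour you want from a pinned entry. A monitor like this only observes; the switch-side enforcement of the same idea is Dynamic ARP Inspection, which validates ARP packets against the DHCP snooping binding table built in the previous section.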
ARP Attack Tools
Many tools on the net for ARP man-in-the-middle attacks
‒ Dsniff, Cain & Abel, ettercap, Yersinia, etc.
‒ ettercap: http://ettercap.sourceforge.net/index.php
‒ Some are second- or third-generation ARP attack tools
‒ Most have a very nice GUI and are almost point-and-click
All of them automatically capture the traffic/passwords of applications
‒ FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc.
Can replace a legitimate certificate with a bogus one to become man-in-the-middle for SSL/SSH sessions
ARP Attack Tools
Ettercap in action
[Screenshot: ettercap session]
As you can see, it runs on Windows, Linux and Mac.
It decodes passwords on the fly.
In this example, a telnet username/password is captured.