Preventing Layer 2 Attacks: MAC Address Flooding and DHCP Snooping, Exercises of Logic

This document covers common Layer 2 attacks, including MAC Address Flooding and DHCP Snooping. It explains how these attacks work and provides solutions to mitigate them, such as enabling Port Security and DHCP Snooping. The document also covers the operation of Content Addressable Memory (CAM) tables and the impact of these attacks on them.

What you will learn

  • What is MAC Address Flooding Attack?
  • What are the solutions to prevent MAC Address Flooding and DHCP Snooping attacks?
  • How does a MAC Address Flooding Attack work?
  • What is DHCP Snooping Attack?
  • How does a DHCP Snooping Attack work?

Typology: Exercises

2021/2022

Uploaded on 09/12/2022

pierc

Attacks and Mitigation Techniques

  • Common security solutions using routers, Firewalls, Intrusion Prevention Systems (IPSs), and VPN devices protect Layer 3 up through Layer 7.
  • Layer 2 must also be protected.
  • Common Layer 2 attacks include:
    • MAC Address Table Flooding Attack
    • DHCP Attacks
    • CDP Reconnaissance Attack
    • Telnet Attacks
    • VLAN Attacks

Common LAN Attacks

Source: http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

MAC Address Flooding Attack / Content Addressable Memory (CAM) Table Flooding Attack

  • It is a type of network attack in which an attacker connected to a switch port floods the switch interface with a very large number of Ethernet frames, each with a different fake source MAC address.
  • In a typical MAC flooding attack, the attacker feeds a switch many Ethernet frames, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC Address Table.
  • After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally.

MAC Address Review

1234.5678.9ABC

  • 48-bit hexadecimal (base 16) unique Layer 2 address
  • 0000.0cXX.XXXX: first 24 bits = manufacturer code, assigned by IEEE
  • XXXX.XX00.: second 24 bits = specific interface, assigned by manufacturer
  • FFFF.FFFF.FFFF: all F's = broadcast

  • The CAM Table stores information such as MAC addresses available on physical ports with their associated VLAN parameters.
  • CAM Tables have a fixed size.

Content Addressable Memory (CAM) Table Review

Source: https://meetings.apnic.net/29/pdf/Layer-2-Attacks-and-Mitigation-Techniques-Tutorial_Yusuf-Bhaiji.pdf

CAM Table Attack

  • Intruder runs macof to begin sending bogus MAC addresses (MAC U, MAC V, MAC X, MAC T, MAC S, MAC Y, MAC Z).
  • Bogus MAC addresses are added to the CAM table, which eventually becomes full.

    Port     MAC   VLAN
    Fa0/25   T     1
    Fa0/25   U     1
    Fa0/25   V     1
    Fa0/25   X     1
    Fa0/25   Y     1
    Fa0/25   Z     1
    Fa0/25   …     1

  • Legitimate frames going to server 2 and 4 are now flooded out all ports, including Fa0/25.
  • The intruder now sees frames intended for server 2 and 4.
  • Macof can flood a switch with up to 8,000 bogus frames per second, creating a CAM table overflow attack in a matter of a few seconds.
  • Solution: Port Security

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

  • A common LAN switch attack is the MAC Address Table Flooding attack.
    • An attacker sends fake source MAC addresses until the switch MAC Address Table is full and the switch is overwhelmed.
    • The switch is then in Fail-Open mode and broadcasts all frames, allowing the attacker to capture those frames.
  • Configure Port Security to mitigate these attacks.

MAC Address Table Flooding Attack

Source : http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf
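The fail-open behaviour and the Port Security mitigation described above can be reproduced in a small model. This is an added example, not part of the original slides: the `Switch` class, the 8-entry table, the limit of 2 MACs per port and all MAC addresses are constructed assumptions, and a violating frame is simply dropped and counted.

```python
class Switch:
    """Toy learning switch: fixed-size CAM table, optional per-port MAC limit."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.cam = {}                                # source MAC -> port
        self.violations = {p: 0 for p in self.ports}

    def _learn(self, port, src):
        if src in self.cam:
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations[port] += 1
                return False                 # violation: drop frame, count it
        if len(self.cam) < self.cam_size:    # a full table cannot learn more
            self.cam[src] = port
        return True

    def receive(self, port, src, dst):
        """Return the ports a frame arriving on `port` is sent out of."""
        if not self._learn(port, src):
            return []
        if dst in self.cam:
            return [self.cam[dst]]           # known unicast: one port only
        return [p for p in self.ports if p != port]  # unknown: flood


def scenario(max_macs_per_port):
    """Host A on Fa0/1, host B on Fa0/2, untrusted station on Fa0/25."""
    bcast = "ffff.ffff.ffff"
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/25"], cam_size=8,
                max_macs_per_port=max_macs_per_port)
    sw.receive("Fa0/1", "aaaa.aaaa.0001", bcast)
    for i in range(100):                     # constructed bogus source MACs
        sw.receive("Fa0/25", f"0200.0000.{i:04x}", bcast)
    sw.receive("Fa0/2", "bbbb.bbbb.0002", bcast)
    out = sw.receive("Fa0/1", "aaaa.aaaa.0001", "bbbb.bbbb.0002")
    return out, len(sw.cam), sw.violations["Fa0/25"]


if __name__ == "__main__":
    print("no port security :", scenario(None))
    print("max 2 MACs/port  :", scenario(2))
```

Without the limit, host B can no longer be learned, so the frame from A to B is also sent out of Fa0/25. With the limit, the table keeps room for B and the frame leaves on Fa0/2 only.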

How to launch MAC Address Flooding Attack / Content Addressable Memory (CAM) Table Flooding Attack?

MAC Address Flooding Attack with macof

  • Macof sends random source MAC and IP addresses
  • macof (part of dsniff) — http://monkey.org/~dugsong/dsniff/
  • Syntax: macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
    • -i interface: Specify the interface to send on.
    • -s src: Specify source IP address.
    • -d dst: Specify destination IP address.
    • -e tha: Specify target hardware address.
    • -x sport: Specify TCP source port.
    • -y dport: Specify TCP destination port.
    • -n times: Specify the number of packets to send.
  • Example-1 : macof -i etho -n
  • Example-2 : macof -i etho -n 30 -d 10.100.55.

Source: https://kalilinuxtutorials.com/macof/

  • DHCP Spoofing Attack - An attacker configures a fake DHCP server on the network to issue IP addresses to clients.
  • DHCP Starvation Attack - An attacker floods the DHCP server with bogus DHCP requests and leases all of the available IP addresses. This results in a Denial of Service (DoS) attack as new clients cannot obtain an IP address.
  • Methods to mitigate DHCP attacks:
    • Configure DHCP snooping
    • Configure port security

DHCP Attacks

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf

DHCP is a Network Protocol used to Automatically assign IP Information

  • DHCPDISCOVER: Broadcast
  • DHCPOFFER: Unicast
  • DHCPREQUEST: Broadcast
  • DHCPACK: Unicast

  • IP address: 192.168.10.
  • Subnet mask: 255.255.255.
  • Default Gateway: 192.168.10.
  • Lease time: 3 days

Two types of DHCP attacks are:

  • DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.
  • DHCP starvation: Attack denies service to the legitimate DHCP server.

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

Rogue DHCP Server

DHCP Spoofing Attack

[Figure: attacker connects a rogue DHCP server; the DHCP client broadcasts DHCP Discovery (DHCP Discover) messages.]

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

Rogue DHCP Server

DHCP Spoofing Attack Contd.

[Figure: the DHCP client accepts the rogue DHCP offer and sends DHCP Request messages.]

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

Rogue DHCP Server

DHCP Spoofing Attack Contd.

[Figure: the rogue DHCP server acknowledges the client with DHCP Ack messages.]

  • This creates a “man-in-the-middle” attack and can go entirely undetected as the intruder intercepts the data flow through the network.

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
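The DHCP snooping mitigation named earlier can be modelled as a per-port filter: server replies are accepted only from trusted ports, and client messages on untrusted ports are rate-limited. This is an added example, not part of the original slides; the `DhcpSnooping` class, port names, addresses, the limit of 5 messages per interval and all events are constructed assumptions.

```python
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    """Toy model of DHCP snooping on one switch (one rate-limit interval)."""

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)  # ports facing the real DHCP server
        self.rate_limit = rate_limit       # client messages allowed per port
        self.count = {}                    # untrusted port -> messages seen
        self.pending = {}                  # client MAC -> port it asked from
        self.bindings = {}                 # client MAC -> (leased IP, port)

    def inspect(self, port, msg_type, client_mac, ip=None):
        """Return True to forward the DHCP message, False to drop it."""
        if port in self.trusted:
            if msg_type == "DHCPACK" and client_mac in self.pending:
                self.bindings[client_mac] = (ip, self.pending[client_mac])
            return True
        if msg_type in SERVER_MESSAGES:
            return False                   # server reply from an untrusted port
        self.count[port] = self.count.get(port, 0) + 1
        if self.count[port] > self.rate_limit:
            return False                   # starvation-style burst
        self.pending[client_mac] = port
        return True


def run_sample():
    """Constructed events: Gi0/1 = real server, Fa0/3 = client, Fa0/25 = rogue."""
    sw = DhcpSnooping(trusted_ports=["Gi0/1"], rate_limit=5)
    client = "aaaa.bbbb.0001"
    handshake = [
        ("Fa0/3", "DHCPDISCOVER", client, None),
        ("Fa0/25", "DHCPOFFER", client, "10.66.66.50"),    # rogue offer
        ("Gi0/1", "DHCPOFFER", client, "192.168.10.10"),
        ("Fa0/3", "DHCPREQUEST", client, None),
        ("Fa0/25", "DHCPACK", client, "10.66.66.50"),      # rogue ack
        ("Gi0/1", "DHCPACK", client, "192.168.10.10"),
    ]
    verdicts = [sw.inspect(*event) for event in handshake]
    burst = [sw.inspect("Fa0/25", "DHCPDISCOVER", f"0200.0000.{i:04x}")
             for i in range(20)]           # 20 bogus clients on one port
    return verdicts, sw.bindings, burst.count(True)
```

The rogue offer and ack never reach the client, the binding table records only the lease granted through the trusted port, and only the first 5 of the 20 burst requests are forwarded toward the server.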