Exploiting the Bridging Table: MAC Flooding Attacks

Virtually all LAN switches on the market come with a finite-size bridging table. Because each entry occupies a certain amount of memory, it is practically impossible to design a switch with infinite capacity. This information is crucial to a LAN hacker. High-end LAN switches can store hundreds of thousands of entries, while entry-level products peak at a few hundred. Table 2-1 recaps the actual table sizes for various Cisco LAN switches. Table 2-1 Cisco Switches' Bridging Table Capacities Up to...

Unknown Unicast Flooding Protection

Some switches ship with a mechanism that can protect an entire VLAN from unicast flooding's negative effects. This mechanism is known as unicast flood protection. As already shown, when no entry corresponds to a frame's destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports within the respective VLAN, which causes flooding. Limited flooding is part of the normal switching process, but continuous flooding causes adverse performance effects on the network. The...

Diving Deep into VRRP

This section provides more detailed information on VRRP, as described in RFC 2338 and RFC 3768. VRRP runs on top of IP using Protocol 112. Packets are sent to multicast address 224.0.0.18 with TTL 255. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address. NOTE: A lot of information about VRRP exists on the web and in books, as described in RFC 2338 and RFC 3768. Only the master router sends periodic VRRP messages by using the virtual MAC...

Attack 2: DoS Using a Flood of Config BPDUs

Attack number 2 in Yersinia (sending conf BPDUs) is extremely potent. With the cursors GUI enabled, Yersinia generated roughly 25,000 BPDUs per second on our test machine (Intel Pentium 4 machine running Linux 2.4-20.8). This seemingly low number is more than sufficient to bring a Catalyst 6500 Supervisor Engine 720 running 12.2(18)SXF down to its knees, with 99 percent CPU utilization on the switch processor:
6K-3-S720# remote command switch show proc cpu | incl second
CPU utilization for five...

IEEE 802.1Q Overview

What is a VLAN? The answer is simple: it is a broadcast domain. In other words, a VLAN defines how far a broadcast packet can radiate. Assuming no routing is involved, traffic entering a physical LAN switch port configured to be part of a given VLAN is constrained to other ports that are also members of that VLAN. VLANs offer a practical and easy way to implement network segmentation at Layer 2 of the Open Systems Interconnection (OSI) model. A VLAN is primarily identified by a user-defined...

RACL, VACL, and PACL: Many Types of ACLs

ACLs found on Ethernet switches often come in many shapes and forms, mostly because of the differences in hardware and software architectures on those platforms, but also because the functionality provided by ACLs has evolved over time. You are likely to come across three types of ACLs on an Ethernet switch: Router ACL (RACL): an IP-based ACL that is applied to a routed interface. It is the most common type of ACL. The ACL used in Example 16-1 is a RACL. VLAN ACL (VACL): applies to traffic...

References

Perform a Google search on VLAN hopping, and you are presented with about 12,000 hits. This clearly indicates that VLAN security has been, and continues to be, at the center of many discussions and debates in LAN security circles. With the amount of information publicly available on the subject coming in variable quality, it can be difficult to separate truth from myth. This chapter settles...

Management Plane Attacks

A successful attack on the management plane gives the attacker control of the switch. He then can shut down interfaces, change the forwarding of traffic within the network, and cause all kinds of other problems. However, if the switch's management plane is correctly secured, an attacker should never be able to gain access to the device. Use out-of-band management (dedicated hardware interfaces for management plane traffic), if possible. Only allow...

Mitigating Attacks Using CoPP

To demonstrate how CoPP can mitigate attacks, numerous Linux-based security analysis tools simulated attacks against two different switching platforms, a Cisco Catalyst 6500 switch and a Cisco ME3400 Series switch: Cisco Catalyst 6500 switch with the Sup720 Supervisor engine. This high-end platform offers hardware- and software-based CoPP using a distributed switching architecture. Cisco ME3400 Series switches. This access switch is designed for the Metro Ethernet market and implements control...

Integration Value-Add of 802.1X

Data traffic originating from an end station is disallowed until 802.1X completes. A LAN segment, as previously shown, consists of exactly two ports. An authenticator can monitor an operational state and detect the presence of an active device at the remote end of the link or when an active device becomes inactive. Along with link state, these events trigger changes in the authorization state of the switch port. This process is a default condition, and it is demonstrated through port...

Configuring Hardware-Based CoPP on the Catalyst 6500

The Cisco Catalyst 6500 switch with the Sup720/Sup32 supervisor engines offers predefined hardware rate limiters and supports hardware-based CoPP in conjunction with software-based CoPP. Hardware-based CoPP is implemented on the supervisor line card and on line cards that support distributed forwarding. When a packet is destined for the control plane, it is first checked against the hardware rate limiters. If it matches one of those, it is limited to the configured rate, and hardware-based CoPP...

Attack 4: Simulating a Dual-Homed Switch

Yersinia can take advantage of computers equipped with two Ethernet cards to masquerade as a dual-homed switch. This capability introduces an interesting traffic-redirection attack, as Figure 3-7 shows. Figure 3-7 Simulating a Dual-Homed Switch. In Figure 3-7, a hacker connects to switches 1 and 4. The hacker then takes root ownership, creating a new topology that forces all traffic to cross it. The intruder could even force switches 1 and 4 to negotiate the...

NetFlow as a Security Tool

Information is power, and NetFlow is a wonderful telemetry system embedded deep in the network's core. Each flow is accounted for; therefore, if unusual behavior occurs in the network, NetFlow collects and reports this change. This abnormal activity could be: A DoS attack, where many flows are being targeted to one destination IP address and probably one destination Layer 4 port, such as SYN flooding. An active worm, which propagates in your network by aggressively scanning it; this causes many...

Leveraging DHCP Weaknesses

DHCP is a common and useful LAN protocol. It is rare to come across a networked device today that doesn't support it. Printers, IP phones, laptops, and routers can all acquire an IP address dynamically using DHCP and they often do. DHCP has become a de facto building block of many modern LANs. Just like several protocol implementations covered in this book, DHCP wasn't built with security in mind. Hackers know that and, naturally, some tools have surfaced to take advantage of DHCP's weaknesses....

Telnet Flooding with CoPP

Numerous alternatives exist to protect against attacks on the management plane. One option is to ensure that only traffic from prevalidated IP addresses is allowed (only allow packets from the management network). A second option is to implement a CoPP policy to protect the services on the management plane. In this example, a simple CoPP policy is created to protect Telnet (TCP port 23) and SSH (TCP port 22). First, create an access list that specifies the traffic we want to inspect: access-list...

Protecting the Infrastructure Using ACLs

In an effort to protect switches and routers from various risks, both accidental and malicious, infrastructure-protection ACLs need to be deployed at network ingress points. These ACLs deny access from external sources to all infrastructure addresses, such as router interfaces. At the same time, these ACLs permit legitimate transit traffic to flow uninterrupted through the infrastructure. A common set of ACLs consists of filtering addresses that have no business entering the network. Those are,...

Stateless Configuration with Router Advertisement

IPv6 has a stateless configuration mode to make the end node's configuration easier (especially with mobile nodes). It's called stateless because it does not act like DHCP, where there's an actual four-step protocol exchange between the DHCP client and the DHCP server. DHCP consists of four different steps, as described in Chapter 5: Step 1: The end node sends a broadcast DHCP DISCOVER message and hopes to reach at least one DHCP server. Step 2: All DHCP servers reply with a DHCP OFFER message to...

Hardware Rate Limiters

The hardware rate limiters are primarily used to control traffic where an ACL cannot be used. Examples of this are IP options, Time to Live (TTL) and maximum transmission unit (MTU) failures, and other special cases. It is possible to specify up to 32 different rate limiters, but some of them share one of the physical rate limiters. Ten physical rate limiters are available: 2 x Layer 2 and 8 x general unicast/multicast. To see which hardware rate limiters are active, use the command shown in...

CDP Flooding

For this lab, you flood the switch using fake CDP announcements that the Yersinia tool generates. The default configuration of the switch assigns the UNI role to all edge ports. This should result in dropping all CDP packets arriving from a user port. After a while, check the CPU load of the switch:
CPU utilization for five seconds: 5%/0%; one minute: 4%; five minutes: 8%
This output shows that the switch is not affected because it ignores the CDP packets. It drops them in hardware with no impact on the...

DHCP Snooping Against IP/MAC Spoofing Attacks

A switch can use the DHCP snooping bindings to prevent IP and MAC address spoofing attacks. MAC spoofing attacks, as Figure 5-7 shows, consist of malicious clients generating traffic by using MAC addresses that do not belong to them. The motivation behind a MAC spoofing attack is the potential ability to gain network access when access control is based on MAC information, for example. [Figure 5-7: the attacker sends packets with a spoofed source MAC address; received traffic shows source address 10.1.1.3, MAC B.] If...

Forcing an Excessive Flooding Condition

If a switch does not have an entry pointing to a destination MAC address, it floods the frame. What happens when a switch does not have room to store a new MAC address? And what happens if an entry that was there 2 seconds ago was just overwritten by another entry? These questions are probably what Ian Vitek must have asked himself back in 1999 when he wrote a little tool called macof (later ported to C by Dug Song). How switches behave when their bridging table is full depends on the vendor....

Securing Networks with RMON

Remote Monitoring (RMON) is a specific SNMP Management Information Base (MIB) for remote monitoring and management of network equipment. The MIB is standardized at the IETF as RFC 2021 and RFC 2819. It transforms every RMON-capable network device into a remote protocol analyzer. Different pieces of information can be collected: Host: related to each host discovered in the network by keeping MAC addresses captured in promiscuous mode. Matrix: used for conversations between sets of two addresses....

Detecting DoS with NetFlow

NetFlow is a well-known telemetry technology that has been around for more than ten years. (It first appeared in 1996.) NOTE: This section introduces the NetFlow technology. If you're already familiar with this technology, move on to the section "NetFlow as a Security Tool." You can use NetFlow in a wide range of routers and on some high-end switches, such as the Catalyst 6500, Cisco 7600, Catalyst 4500 with Sup V, and with the help of a daughter card on Catalyst 4500 with Sup IV. An IP flow is...

Introducing the macof Tool

Today, various tools can perform MAC flooding attacks. These tools include Ettercap, Yersinia, THC Parasite, and macof. Macof is efficient and extremely simple to use. Example 2-1 presents its manual page:
macof - flood a switched LAN with random MAC addresses
SYNOPSIS
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of...

Using Strong Authentication

The easiest way to partly mitigate an HSRP attack is to use strong authentication. Cisco routers and switches running 12.3(2)T and above can use a message digest algorithm 5 (MD5) Hash Message Authentication Code (HMAC) to authenticate all HSRP packets without ever sending the key in the clear. Example 9-1 shows the syntax when you use a chain of preshared keys. Each key has a send lifetime (when this key sends HSRP messages) and an accept lifetime (when this key checks the validity of received...

Attack 1: Taking Over the Root Bridge

Taking over a root bridge is probably one of the most disruptive attacks. By default, a LAN switch takes any BPDU sent from Yersinia at face value. Keep in mind that STP is trustful, stateless, and does not provide a solid authentication mechanism. The default STP bridge priority is 32768. Once in root attack mode, Yersinia sends a BPDU every 2 sec with the same priority as the current root bridge, but with a slightly numerically lower MAC address, which ensures it a victory in the root-bridge...

Configuring Control Plane Security on the Cisco ME3400

The Cisco ME3400 acts as an access switch for the Metro Ethernet environment where users are connected to the normal switch ports, and the uplink ports connect the switch to the Metro Ethernet backbone infrastructure. In this type of environment, users cannot be trusted, and direct traffic between user switch ports should not be allowed in most cases. To secure the switch in this type of environment, it's important to understand the concepts of User-Network Interface (UNI) and Network Node...

DHCP Message Validation

For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken: 1. DHCP messages normally exchanged from a DHCP server to a client are dropped. These messages are DHCPOFFER, DHCPACK, and DHCPNAK. 2. DHCP messages with a nonzero relay agent gateway IP address (also called the giaddr field) or Option 82 data are dropped. 3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from...

Elements of an ARP Spoofing Attack

An attack consists of sending fake unsolicited ARP replies to host A, as Figure 6-4 shows. The attacker, host C, sends this gratuitous ARP without any MAC spoofing to host A. The content contains a new but incorrect mapping of host B's IP address to the MAC address of host C (the attacker). [Figure 6-4: host C (IP 10.0.0.3, MAC 0000.0666.0000) sends an ARP reply, MAC 0666 -> CAFE, claiming "10.0.0.2 is at 0666".] Upon receipt of the faked gratuitous ARP reply, host A updates its ARP table with the new...

MAB Operation

As indicated in preceding sections for 802.1X deployments, only EAPOL control frames are typically processed by switch ports while 802.1X is maintained in an operating and active state. However, this also means that MAC addresses from any edge device might not be known until EAPOL frames are processed from it. These are the security benefits of 802.1X, and they do not change in any way with respect to any MAB implementation. Because it is noteworthy to this discussion, spanning tree is not even...

CDP Risk Analysis

The most obvious risk associated with CDP is the information leak; that is, an attacker learns a lot by listening to CDP. This attack is purely passive: there is no way to detect this information leak, and it causes no damage to the network. Many sniffing tools have the ability to decode CDP, such as Yersinia (shown in Figure 11-2), but there are also generic sniffers, such as Ethereal. Figure 11-2 CDP Packet Decode by Yersinia. After a maximum of 60...

Configuring Software-Based CoPP

Creating a CoPP policy requires a good understanding of which control plane and management plane protocols and services are in use. In addition, you must understand the packet rate that those protocols and services require. Too low a value for a rate limit can cause problems with passing normal traffic, and too high a value can allow attacks to slip through. The recommended method to develop a good CoPP policy is to separate the different protocols and services into groups based on relative...

Disabling STP

As shown in Chapter 3, "Attacking the Spanning Tree Protocol," STP can and should be disabled on an access port because an end host (workstation, printer, and so on) never sends IEEE 802.1d or 802.1w bridge protocol data units (BPDU). This can be done with the help of BPDU-guard:
IOS(config)# interface FastEthernet 0/0
IOS(config-if)# spanning-tree bpduguard enable
CatOS> (enable) set spantree bpdu-guard 2/47 enable
Spantree port 2/47 bpdu guard enabled.
Chapter 3 demonstrated that a DoS attack...

Disabling Other Control Plane Activities

Obviously, some control plane activities cannot be disabled, even for access ports (for example, ICMP message generation, IEEE 802.1X, CDP, and IPv6 forwarding). ICMP unreachable messages are generated by the central processor and can lead to a DoS attack if the central processor spends its time just doing ICMP generation. This notably includes the following: Administratively prohibited: occurs when an ACL drops a packet. TTL expired: occurs when an IP packet with Time to Live (TTL) equal to 0 or...

Attack of the 802.1Q Tag Stack

Nothing in the 802.1Q specification forbids multiple consecutive tags to be chained, thereby achieving an 802.1Q tag stack. Figure 4-3 represents a two-level 802.1Q tag stack. [Figure 4-3: Ethernet frame with two 802.1Q tags (not to scale): Source MAC, Dot1Q (4 bytes), Dot1Q (4 bytes), EtherType.] There are legitimate use cases for stacking multiple 802.1Q tags. One of them is Cisco QinQ, where up to 4096...

Dynamic ARP Inspection

Chapter 5, "Leveraging DHCP Weaknesses," explained that Layer 3 switches can inspect DHCP traffic to prevent attacks against DHCP. DHCP snooping also means that the switch now knows the <IP, MAC> mapping for all hosts using DHCP. With this correct mapping knowledge, the switch can inspect all ARP traffic and check whether the information inside the ARP replies is valid; if it's not, the switch simply drops the ARP packet. This technique is called Dynamic ARP Inspection (DAI). NOTE: DAI...

TTL Expiry Attack

When a packet expires on a routing platform because its TTL reaches 0, it is required to send an ICMP TTL Exceeded message back to the sender (RFC 1716). This functionality can, however, be misused. If an attacker sends a flood of packets with the TTL value set such that the packets expire on the switch, the switch is forced to generate a large amount of ICMP TTL Exceeded messages. This causes a high CPU load. Regarding TTL expiry attacks, what is really troubling is that an attacker can be...

Crafting a DTP Attack

DTP's purpose is to determine whether two switches that are connected want to create a trunk. In the event that both switches seem to agree, a trunk is automatically brought up with a range of mutually acceptable parameters, such as encapsulation and the VLAN range. NOTE: Ample DTP literature is available in other publications, and it's beyond this book's scope to cover all configuration aspects or enumerate matrices of possible DTP combinations. As a quick...

CDP Flooding with L2TP Tunneling

In some cases, it is required to bridge a port on one switch to a port on a different switch, making the end-user equipment unaware that an underlying network connects the two switches. This, however, requires that control packets, such as CDP, STP, VTP, and others, tunnel through the network using Layer 2 Tunneling Protocol (L2TP). What happens if you flood the switch while it is configured in this way? By default, when a UNI port is configured for L2TP tunneling, the switch assigns a rate...