Network Security Part II: Attacks - Layer 2 / 3 Attacks
Post on 16-Dec-2015
Network Security
Part II: Attacks
Layer 2 / 3 Attacks
SECURITY INNOVATION ©2003
Overview
• Layer 2 attack landscape
• MAC Attacks
• VLAN hopping attacks
• ARP Attacks
• Spanning Tree attacks
• Layer 2 port authentication
• Other attacks
The redundant rat’s nest!
Preliminaries
• All attacks and associated mitigation techniques assume a switched Ethernet network running IP
– If shared Ethernet is used (WLAN, hub, etc.) the majority of these attack scenarios get much easier
– Obviously, if you aren’t using Ethernet as your L2 protocol some of these attacks may not be appropriate. However, you may be vulnerable to different ones.
• Rapid deployment. Attacks that are theoretical can move to the practical in a matter of days and become widely distributed in weeks.
• Focus will be on L2 attacks and potential solutions.
MAC Attacks
What is the CAM Table?
• Basically a really efficient lookup table
• Present on all modern switches
• CAM == Content Addressable Memory
• For more information on the CAM table and how it is updated check out http://routergod.com/gilliananderson or http://www.isdmag.com/editorial/1998/systemdesign9801.html
What is the CAM Table?
• This internal table looks something like this:

Port  Ethernet Addresses                        Host or Uplink
1     01:00:af:34:53:62                         Single host
2     01:e4:5f:2a:63:35, 00:c1:24:ee:62:66 ...  Switch or Hub
3     11:af:5a:69:08:63, 00:17:72:e1:72:70 ...  Switch or Hub
4     00:14:62:74:23:5a                         Single host
Normal CAM Behavior I
(Figure: MAC A on port 1, MAC B on port 2, MAC C on port 3. The CAM table holds A → port 1 and C → port 3. A sends a frame to B; “B unknown… flood the frame”, so every port receives it and C says “I see traffic to B!”)
Normal CAM Behavior II
(Figure: B replies to A. The switch learns “A is on Port 1” and “B is on Port 2”; the CAM table now holds A → port 1, B → port 2, C → port 3.)
Normal CAM Behavior III
(Figure: A sends a frame to B again. “B is on Port 2”, so the frame goes out port 2 only, and C says “I do NOT see traffic to B!”)
CAM Overflow I
• Theoretical attack made available to all…
• macof tool since May 1999
– “dsniff” by Dug Song
• Based on the CAM table’s limited size
CAM Overflow II
(Figure: the attacker on port 3 sends frames from bogus sources X and Y to unknown destinations (“X → ?”, “Y → ?”). The switch learns “X is on Port 3”, “Y is on Port 3”, and the CAM table fills with X → port 3, Y → port 3, C → port 3.)
CAM Overflow III
(Figure: A sends a frame to B. The CAM table holds only X, Y and C on port 3, so “B unknown… flood the frame”, and the attacker on port 3 says “I see traffic to B!”)
Catalyst CAM Tables
(Figure: CAM table rows 1, 2, 3 … 16,000, each holding up to 8 MAC entries, e.g. row 1: A B C; row 2: D E F G; row 3: H; … row 16,000: L M N O P Q R S. A frame from T finds its row full: “T Flooded!”)
Catalyst switches use a hash to place a MAC in the CAM table
63 bits of source (MAC, VLAN, misc) create a 17-bit hash value
If the value is the same there are 8 buckets to place CAM entries; if all 8 are filled the packet is flooded
MAC Flooding Switches with Macof
CAM Table Full!
• Dsniff can generate 155,000 MAC entries on a switch per minute.
• Assuming a perfect hash function, the CAM table will be completely filled after 131,052 (approx. 16,000 x 8) entries
• Once the table is full, traffic without a CAM entry floods on the local VLAN, but NOT existing traffic with an existing CAM entry.
• This attack will also fill CAM tables of adjacent switches.
(Figure: snoop output on a non-SPAN port, 10.1.1.50)
MAC Flooding Attack Mitigation
• Port Security
– Capabilities are dependent on the platform
– Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
– Upon detection of an invalid MAC the switch can be configured to block only the offending MAC or just shut down the port.
– Port security prevents macof from flooding the CAM table.
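An added example, not from the slides: a scaled-down Python model of a bucketed CAM table like the Catalyst layout above, showing that a flood of bogus source MACs leaves existing entries intact but makes every new destination flood, and that a per-port MAC limit (port security) stops it. The hash function, table sizes, MAC addresses and port numbers are all constructed stand-ins, since the slides give none of them.

```python
"""Toy model of a bucketed CAM table: a hash picks a row, each row holds 8
entries (per the Catalyst slide), and a full row means the entry is not
learned. Port security is modelled as a per-port MAC limit that shuts the
port on violation. Sizes are scaled down; the hash is a stand-in."""
import hashlib
import random
from collections import defaultdict

FLOOD = "FLOOD"   # returned when a destination has no CAM entry


def cam_hash(mac, vlan, rows):
    """Stand-in for the switch hash: the slides only say that MAC + VLAN
    bits are hashed to a row index, so any uniform hash serves here."""
    digest = hashlib.sha256(f"{vlan}/{mac.lower()}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % rows


class Switch:
    def __init__(self, rows=64, buckets=8, port_limit=None):
        self.rows = rows
        self.buckets = buckets                # entries per hash row (8 per the slides)
        self.port_limit = port_limit          # port security limit; None = disabled
        self.table = defaultdict(dict)        # row index -> {mac: port}
        self.macs_on_port = defaultdict(set)  # port -> MACs learned on it
        self.shutdown_ports = set()

    def learn(self, src_mac, port, vlan=1):
        """Source-address learning for one received frame.
        Returns True if the MAC ended up in the table."""
        if port in self.shutdown_ports:
            return False
        known = self.macs_on_port[port]
        if (self.port_limit is not None and src_mac not in known
                and len(known) >= self.port_limit):
            self.shutdown_ports.add(port)     # violation: "just shut down the port"
            return False
        row = self.table[cam_hash(src_mac, vlan, self.rows)]
        if src_mac in row or len(row) < self.buckets:
            row[src_mac] = port
            known.add(src_mac)
            return True
        return False                          # all 8 buckets taken: not learned

    def forward(self, dst_mac, vlan=1):
        """Port a frame to dst_mac leaves on, or FLOOD (every port in the VLAN)."""
        row = self.table.get(cam_hash(dst_mac, vlan, self.rows), {})
        return row.get(dst_mac, FLOOD)


def random_mac(rng):
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] &= 0xFE                         # keep it a unicast source address
    return ":".join(f"{o:02x}" for o in octets)


# Constructed hosts: A on port 1, B on port 2, C arrives later on port 4
HOST_A, HOST_B, HOST_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def flood_scenario(port_limit=None, bogus_frames=4096, seed=2003):
    """A and B are learned; port 3 then sends thousands of frames with random
    source MACs (64 rows x 8 buckets = 512 entries, so every row fills).
    Afterwards new host C on port 4 tries to get learned."""
    sw = Switch(port_limit=port_limit)
    sw.learn(HOST_A, port=1)
    sw.learn(HOST_B, port=2)
    rng = random.Random(seed)
    for _ in range(bogus_frames):
        sw.learn(random_mac(rng), port=3)
    c_learned = sw.learn(HOST_C, port=4)
    return {
        "to_B": sw.forward(HOST_B),           # existing entry survives the flood
        "C_learned": c_learned,
        "to_C": sw.forward(HOST_C),           # FLOOD if C found no free bucket
        "port3_shut": 3 in sw.shutdown_ports,
    }


if __name__ == "__main__":
    print("no port security:          ", flood_scenario())
    print("port security, 1 MAC/port: ", flood_scenario(port_limit=1))
```

Without port security the existing entry for B still forwards to port 2, but C can no longer be learned and every frame to C is flooded to the attacker; with a one-MAC limit port 3 is shut after its second bogus source and C is learned normally.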
VLAN Hopping Attacks
VLAN “Hopping” Attacks
• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the same physical link
• Encapsulation can be 802.1Q or ISL
(Figure: two switches joined by a Trunk Port)
Dynamic Trunk Protocol
• What is DTP?
– Automates ISL/802.1Q trunk configuration
– Operates between switches
– Not supported on 2900XL or 3500XL
• DTP synchronizes the trunking mode on link ends
• DTP state on an ISL/1Q trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non-Negotiate”.
(Figure: Dynamic Trunk Protocol frame: DST MAC 0100.0ccc.cccc, SNAP Proto 0x2004)
Basic VLAN Hopping Attack
• A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well, or a rogue DTP speaking switch)
• The station is then a member of all VLANs
• Requires a trunking favorable setting on the port
(Figure: the station’s port and the switch uplink both shown as Trunk Port)
Double Encapsulated 802.1q VLAN Hopping Attack
• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off
Note: Only works if the trunk has the same native VLAN as the attacker
(Figure: a frame tagged 802.1q, 802.1q enters the first switch, which strips off the first tag and sends it back out as 802.1q, Frame; the second switch delivers the Frame)
Double Encap 802.1Q Ethereal Capture
(Figure: Ethereal capture of the double-tagged frame: Outer Tag, Attacker VLAN; Inner Tag, Attacker VLAN)
Disabling Auto-Trunking
• Defaults change depending on switch; always check.
Security for VLANs and Trunking
• Always use a dedicated VLAN ID for all trunk ports
• Disable unused ports and put them in an unused VLAN
• Be paranoid: Do not use VLAN 1 for anything
• Set all user ports to non-trunking (DTP Off)
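An added example, not from the slides: a Python parser for the two headers this section turns on, stacked 802.1Q tags and the DTP frame’s LLC/SNAP header (DST MAC 0100.0ccc.cccc, SNAP protocol 0x2004), used as a check for what a non-trunking user port should never receive. The frame builders, the attacker MAC and the access-port policy are constructed for the demonstration; the CDP (0x2000) and VTP (0x2003) SNAP ids are Cisco’s values and are not on the slides.

```python
"""Parse Ethernet frames for stacked 802.1Q tags and Cisco LLC/SNAP
protocols (DTP/CDP/VTP), and apply a simple access-port policy:
a user port set to DTP Off should see neither DTP nor VLAN tags."""
import struct

ETHERTYPE_VLAN = 0x8100
CISCO_MCAST = bytes.fromhex("01000ccccccc")     # DST MAC 0100.0ccc.cccc (DTP slide)
CISCO_OUI = b"\x00\x00\x0c"
SNAP_PROTOS = {0x2000: "cdp", 0x2003: "vtp", 0x2004: "dtp"}   # DTP = 0x2004 per the slides


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return dst/src MACs, the 802.1Q VLAN ids (outer first) and a coarse
    payload kind. Raises ValueError on truncated input."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype == ETHERTYPE_VLAN:          # one pass per stacked tag
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append(tci & 0x0FFF)                # low 12 bits of the TCI: VLAN id
        offset += 4
    payload = frame[offset + 2:]
    kind = "other"
    if ethertype <= 1500:                        # 802.3 length field: LLC header follows
        if (dst == CISCO_MCAST and payload[:3] == b"\xaa\xaa\x03"
                and payload[3:6] == CISCO_OUI and len(payload) >= 8):
            kind = SNAP_PROTOS.get(struct.unpack_from("!H", payload, 6)[0], "cisco-snap")
    elif ethertype == 0x0800:
        kind = "ipv4"
    elif ethertype == 0x0806:
        kind = "arp"
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags, "kind": kind}


def access_port_violations(frame):
    """Constructed policy for a user port: no trunk negotiation, no VLAN tags."""
    info = parse_frame(frame)
    problems = []
    if info["kind"] == "dtp":
        problems.append("DTP from %s: trunk negotiation on a user port" % info["src"])
    if len(info["tags"]) >= 2:
        problems.append("stacked 802.1Q tags %s: double-encapsulation VLAN hop" % info["tags"])
    elif info["tags"]:
        problems.append("802.1Q tag %d on a user port" % info["tags"][0])
    return problems


# --- constructed frames for the demonstration -----------------------------
def build_frame(dst, src, vlan_ids, ethertype, payload):
    out = bytearray(dst + src)
    for vid in vlan_ids:                         # TCI with priority 0, DEI 0
        out += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def build_dtp_frame(src):
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2004) + b"\x00" * 20
    return build_frame(CISCO_MCAST, src, [], len(body), body)   # 802.3 length, not an EtherType


ATTACKER = bytes.fromhex("020000000001")         # constructed, locally administered MAC
# Outer tag 1 = the trunk's native VLAN (the slide's precondition), inner tag 20 = target VLAN
DOUBLE_TAGGED = build_frame(b"\xff" * 6, ATTACKER, [1, 20], 0x0800, b"\x45" + b"\x00" * 19)
DTP_FRAME = build_dtp_frame(ATTACKER)
PLAIN_ARP = build_frame(b"\xff" * 6, ATTACKER, [], 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, f in [("double-tagged", DOUBLE_TAGGED), ("dtp", DTP_FRAME), ("arp", PLAIN_ARP)]:
        print(name, parse_frame(f), access_port_violations(f))
```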
ARP Attacks
ARP Refresher
• An ARP request message should be placed in a frame and broadcast to all computers on the network
• Each computer receives the request and examines the IP address
• The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.
(Figure: hosts V, W, X, Y, Z on one segment, drawn once for each of the three steps above)
Gratuitous ARP
• Gratuitous ARP is used by hosts to “announce” their IP address to the local network and avoid duplicate IP addresses on the network; routers and other network hardware may use cache information gained from gratuitous ARPs
• Gratuitous ARP is a broadcast packet (like an ARP request)
• Host W: Hey everyone, I’m host W and my IP address is 1.2.3.4 and my MAC address is 12:34:56:78:9A:BC
(Figure: hosts V, W, X, Y, Z on one segment)
Misuse of Gratuitous ARP
• ARP has no security or ownership of IP or MAC address
• What if we did the following?
• Host W broadcasts I’m 1.2.3.1 with MAC 12:34:56:78:9A:BC
• (Wait 5 seconds)
• Host W broadcasts I’m 1.2.3.1 with MAC 12:34:56:78:9A:BC
(Figure: network 1.2.3.0/24 with the router at .1, Host Y at .2, Host X at .3 and Host W at .4)
Hands On Example
• Host X and Y will likely ignore the message unless they currently have an ARP table entry for 1.2.3.1
• When host Y requests the MAC of 1.2.3.1 the real router will reply and communications will work until host W sends a gratuitous ARP again
• Even a static ARP entry for 1.2.3.1 on Y will get overwritten by the gratuitous ARP on some OSs (NT4 and Win2k)
(Figure: network 1.2.3.0/24 with the router at .1, Host Y at .2, Host X at .3 and Host W at .4)
Dsniff
• ARP Spoofing
• MAC flooding
• Selective sniffing
• SSH/SSL interception
Hands On - Arpspoof
Arpspoof
• All traffic now flows through the machine running dsniff in a half-duplex manner
• Port security does not help
• Note that the attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request
• Attack could be more selective and spoof just one victim
Selective Sniffing
• Once the dsniff box has started the arpspoof process, the magic begins:
Supports more than 30 standardized/proprietary protocols
• FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, Microsoft SQL
SSL/SSH Interception
• Using dnsspoof all web sites can resolve to the dsniff host IP address:
• Once that happens you can proxy all web connections through the dsniff host
SSL/SSH Interception
• Using dsniff (webmitm) most SSL sessions can be intercepted and bogus certificate credentials can be presented
SSL/SSH Interception
• Upon inspection they will look invalid but they would likely fool most users
(Figure: screenshot of the presented certificate, flagged invalid)
The Evolution of dsniff: Ettercap
• Similar to dsniff though not as many protocols supported for sniffing
• Can ARP spoof both sides of a session to achieve full-duplex sniffing
• Allows command insertion into persistent TCP sessions
• Menu driven interface
It Doesn’t Get Much Easier…
ARP Spoof Mitigation: Private VLANs
• PVLANs isolate traffic in specific communities to create distinct “networks” within a normal VLAN
• Note: Most inter-host communication is disabled with PVLANs turned on
(Figure: a Primary VLAN containing Community VLAN ‘A’, Community VLAN ‘B’ and an Isolated VLAN; Community, Isolated and Promiscuous Ports; Only One Subnet!)
ARP Spoof Mitigation
• Some IDS systems will watch for an unusually high amount of ARP
• ARPWatch is a freely available tool that will track IP/MAC address pairings
• Consider static ARP for critical routers and hosts (potential administrative pain)
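An added example, not from the slides: an arpwatch-style Python tracker of IP/MAC pairings that reports new stations, changed addresses and flip-flops, plus the simple ARP-rate check the IDS bullet describes, replayed against the gratuitous-ARP misuse from the Hands On slides. The router’s MAC and the packet sequence are constructed; host W’s MAC and the 1.2.3.0/24 addresses are the slides’ own.

```python
"""Track IP -> MAC pairings seen in ARP traffic and report changes, in the
spirit of arpwatch's reports; also flag a burst of ARP from one sender."""
from collections import defaultdict, deque


class ArpWatcher:
    def __init__(self, window=10.0, burst_limit=50):
        self.binding = {}                    # ip -> MAC currently believed to own it
        self.seen = defaultdict(set)         # ip -> every MAC that has ever claimed it
        self.recent = defaultdict(deque)     # MAC -> timestamps of its recent ARP packets
        self.window = window                 # seconds over which packets are counted
        self.burst_limit = burst_limit       # more than this per window is reported

    def observe(self, ts, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP packet (op is 'request' or 'reply'). Every ARP packet
        carries a sender IP/MAC pair that receivers may cache, which is why
        both ops are tracked. Returns the alerts raised for this packet."""
        alerts = []
        sender_mac = sender_mac.lower()
        gratuitous = sender_ip == target_ip  # "I'm X at MAC Y" announcement
        prev = self.binding.get(sender_ip)
        if prev is None:
            alerts.append(f"new station {sender_ip} {sender_mac}")
        elif prev != sender_mac:
            kind = ("flip flop" if sender_mac in self.seen[sender_ip]
                    else "changed ethernet address")
            note = " (via gratuitous ARP)" if gratuitous else ""
            alerts.append(f"{kind} {sender_ip} {prev} -> {sender_mac}{note}")
        self.binding[sender_ip] = sender_mac
        self.seen[sender_ip].add(sender_mac)
        q = self.recent[sender_mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.burst_limit + 1:   # report once, when the limit is crossed
            alerts.append(f"arp burst {sender_mac}: more than {self.burst_limit} "
                          f"packets in {self.window:g}s")
        return alerts


ROUTER_MAC = "00:00:0c:aa:bb:01"             # constructed MAC for the router at 1.2.3.1
HOST_W_MAC = "12:34:56:78:9A:BC"             # host W's MAC from the slides


def spoof_scenario():
    """The gratuitous-ARP misuse from the slides: W announces the router's
    address, the real router keeps answering, and the pairing flip-flops."""
    w = ArpWatcher()
    packets = [   # (time, op, sender ip, sender mac, target ip); constructed
        (0.0, "reply", "1.2.3.1", ROUTER_MAC, "1.2.3.2"),     # router answers Y's request
        (1.0, "request", "1.2.3.4", HOST_W_MAC, "1.2.3.4"),   # W's normal announcement
        (5.0, "request", "1.2.3.1", HOST_W_MAC, "1.2.3.1"),   # W claims 1.2.3.1
        (10.0, "request", "1.2.3.1", HOST_W_MAC, "1.2.3.1"),  # repeated 5 seconds later
        (12.0, "reply", "1.2.3.1", ROUTER_MAC, "1.2.3.2"),    # real router answers again
    ]
    alerts = []
    for pkt in packets:
        alerts += w.observe(*pkt)
    return alerts


def burst_scenario(count=60):
    """One host emitting an unusual volume of ARP requests within two seconds."""
    w = ArpWatcher()
    alerts = []
    for i in range(count):
        alerts += w.observe(i * 2.0 / count, "request", "1.2.3.4", HOST_W_MAC,
                            f"1.2.3.{i + 10}")
    return alerts


if __name__ == "__main__":
    for line in spoof_scenario() + burst_scenario():
        print(line)
```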
Spanning Tree Attacks
Spanning Tree Basics
STP purpose: To maintain loop-free topologies in a redundant Layer 2 infrastructure
A switch is elected as Root
Root selection is based on the lowest configured priority of any switch, 0-65535
A ‘Tree-Like’ loop-free topology is established from the perspective of the root bridge
(Figure: Root bridge with switches below it, ports labelled F and B, one link marked X)
STP is very simple. Messages are sent using Bridge Protocol Data Units (BPDUs). Basic messages include: configuration, topology change notification/acknowledgement (TCN/TCA); most have no “payload”.
Avoiding loops ensures broadcast traffic does not become storms
Spanning Tree Attacks and Methods
• Standard 802.1d STP takes 30-45 seconds to deal with a failure or root bridge change (ha ha ha… DoS served here)
– Generally only devices affected by the failure notice the issue
– PortFast and UplinkFast can greatly improve this
• Sending BPDUs from the attacker can force these changes and create a DoS condition on the network
• As a link with macof: the TCN message will result in the CAM table aging all entries in 15 seconds if they do not communicate (the default is 300 seconds)
• Easy to create the DoS condition. Depending on the topology it could yield additional packets for the attacker
Spanning Tree Attack Example I
• Send BPDU messages to become root bridge
(Figure: Root bridge above two Access Switches; the Attacker sends STP BPDUs; ports labelled F, B and X)
Spanning Tree Attack Example II
• Send BPDU messages to become root bridge
– The attacker then sees frames he shouldn’t
– MITM, DoS, etc. all possible
– Any attack is very sensitive to the original topology, trunking, PVST, etc.
• Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half duplex 10 Mb has been verified.
• Requires the attacker to be dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)
(Figure: the original Root and the Access Switches, with the Attacker dual-homed to both access switches and now Root; ports labelled F, B and X)
Knowledge Applied
• Goal: See traffic on the backbone but interesting hosts have static ARP entries and are very chatty (macof will likely never steal their CAM entry)
• Step 1: MAC flood access switch
• Step 2: Run bridging software (i.e. brconfig) on attacking host; advertise as a priority zero bridge
– Attacker becomes root bridge
– Spanning tree recalculates
– GE backbone becomes FE
– CAM table on access switch is full (from macof); there is no room at the inn for the chatty servers. Traffic is flooded.
(Figure: Attacker, Access Switch and the former Root, links labelled FE and GE; ports labelled F, B and X)
STP Attack Mitigation
• Don’t disable STP, introducing a loop would become another attack.
• BPDU Guard
– Disables ports using portfast upon detection of a BPDU message on the port
– Globally enabled on all ports running portfast
• Root Guard
– Disables ports who would become the root bridge due to their BPDU advertisement
– Configured on a per port basis
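An added example, not from the slides: a per-switch Python model of 802.1D root election (lowest priority, then lowest MAC) and of the two mitigations above, BPDU Guard and Root Guard, run against the priority-zero root takeover described under Knowledge Applied. Bridge IDs, port names and the 802.1D link costs (4 for GE, 19 for FE) are constructed assumptions.

```python
"""Root election as one bridge sees it: a received BPDU is superior when it
names a lower bridge ID as root (or a cheaper path to the same root).
BPDU Guard shuts a PortFast port on any BPDU; Root Guard blocks a port on
which a superior BPDU arrives instead of re-rooting through it."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int      # 0-65535; lower wins, as the slides state
    mac: str           # tie-breaker


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId          # who the sender believes is root
    root_path_cost: int     # sender's cost to that root
    sender: BridgeId


class Bridge:
    def __init__(self, bid, portfast_bpdu_guard=(), root_guard=()):
        self.bid = bid
        self.root, self.root_cost, self.root_port = bid, 0, None  # assumes itself root at start
        self.bpdu_guard_ports = set(portfast_bpdu_guard)  # user ports: PortFast + BPDU Guard
        self.root_guard_ports = set(root_guard)           # ports that must never lead to root
        self.err_disabled = set()
        self.root_inconsistent = set()

    def is_superior(self, bpdu, link_cost):
        """Better root, or a cheaper path to the root we already know?"""
        cost = bpdu.root_path_cost + link_cost
        return bpdu.root < self.root or (bpdu.root == self.root and cost < self.root_cost)

    def receive(self, port, bpdu, link_cost):
        """Process a configuration BPDU arriving on port; returns what happened."""
        if port in self.err_disabled or port in self.root_inconsistent:
            return "ignored (port blocked)"
        if port in self.bpdu_guard_ports:
            self.err_disabled.add(port)           # BPDU Guard: any BPDU shuts the port
            return "err-disabled by BPDU Guard"
        if not self.is_superior(bpdu, link_cost):
            return "inferior BPDU, no change"
        if port in self.root_guard_ports:
            self.root_inconsistent.add(port)      # Root Guard: block rather than re-root
            return "root-inconsistent by Root Guard"
        self.root = bpdu.root
        self.root_cost = bpdu.root_path_cost + link_cost
        self.root_port = port
        return "new root accepted"


LEGIT_ROOT = BridgeId(4096, "00:00:0c:00:00:01")   # constructed core switch
ACCESS_SW = BridgeId(32768, "00:00:0c:00:00:02")   # constructed access switch, default priority
ATTACKER = BridgeId(0, "02:00:00:00:00:01")        # priority-zero bridge, as on the slides
GE_COST, FE_COST = 4, 19                           # 802.1D default path costs


def takeover_scenario(mitigation=None):
    """The access switch learns the real root over its GE uplink, then hears a
    priority-0 BPDU on user port Fa0/10. mitigation is None, "bpdu-guard" or
    "root-guard". Returns (root the switch now believes in, what it did)."""
    sw = Bridge(ACCESS_SW,
                portfast_bpdu_guard={"Fa0/10"} if mitigation == "bpdu-guard" else (),
                root_guard={"Fa0/10"} if mitigation == "root-guard" else ())
    sw.receive("Gi0/1", Bpdu(LEGIT_ROOT, 0, LEGIT_ROOT), GE_COST)
    action = sw.receive("Fa0/10", Bpdu(ATTACKER, 0, ATTACKER), FE_COST)
    return sw.root, action


if __name__ == "__main__":
    for m in (None, "bpdu-guard", "root-guard"):
        print(m, takeover_scenario(m))
```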
VLAN Trunking Protocol (VTP)
• Used to distribute VLAN configuration among switches
• VTP is used only over trunk ports
• VTP can cause more problems than it solves, consider if it is really needed
• If needed use the VTP MD5 digest:
Potential VTP Attacks
• After becoming a trunk port, an attacker could send VTP messages as a server with no VLANs configured. All VLANs would be deleted across the entire VTP domain
• Disabling VTP:
Other Attacks
Cisco Discovery Protocol (CDP)
• Runs at layer 2 and allows Cisco devices to chat with one another
• Can be used to learn sensitive information about the CDP sender (IP address, software version, router model….)
• CDP is in the clear and unauthenticated
• Consider disabling CDP, or being very selective in its use in security sensitive environments (backbone vs user port may be a good distinction)
CDP Attacks
• Besides the information gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent it tons of bogus packets.
• Problem was due to a software implementation problem. A flaw in the memory allocation for the CDP process (basically there was no upper limit).
DHCP Starvation Attacks
• Anyplace where macof works, you can DoS a network by requesting all of the available DHCP addresses
• With or without the DoS, an attacker could use a rogue DHCP server to provide addresses to clients
• Since DHCP responses include DNS servers and default gateway entries, guess where the attacker would point these unsuspecting users?
• All the MITM attacks are now possible
Private VLAN Attacks I
(Figure: Attacker Mac:A IP:1 and Victim Mac:B IP:2 on Isolated ports, Router Mac:C IP:3 on the Promiscuous Port. The attacker’s frame S:A1 D:B2 is dropped: PVLANs Work, Drop Packet.)
Private VLAN Attacks II
• Only allows unidirectional traffic (Victim will ARP for A and fail)
• If both hosts were compromised, setting static ARP entries for each other via the router will allow bi-directional traffic
• Most firewalls will not forward the packet like a router
• This is not a PVLAN vulnerability as it enforces the rules!
(Figure: same hosts as before. A frame S:A1 D:B2 sent directly is dropped (PVLANs Work, Drop Packet); a frame S:A1 D:C2, destination MAC C with destination IP 2, reaches the router on the promiscuous port, which forwards it on to the victim (Routers Route: Forward Packet).)
PVLAN Attack Mitigation
• Setup ACL on ingress router port:
• All known PVLAN exploits will now fail
• VLAN ACL could also be used
Multicast Brute-Force Failover Analysis
• Send random Ethernet multicast frames to a switch interface attempting to get frames to another VLAN
(Figure: M-cast frames sent into the switch; result: Nice Try)
Random Frame Stress Attack
• Send random frames to a switch interface attempting to get frames to another VLAN
(Figure: random Frames sent into the switch; result: Nice Try)
Switch Management
• Management can be your weakest link
• All the great mitigation techniques we talked about aren’t worth much if the attacker telnets into your switch and disables them
• Most of the network management protocols are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.)
• Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP etc.). Where impossible, consider out of band management.
• Always use a dedicated VLAN ID for all trunks
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non trunking
Hacking Cisco
Cisco Bugtraq Vulnerabilities
• 1998 - 3
• 1999 - 5
• 2000 - 23
• 2001 - 46
• 2002 (est) - 94
Hacking Routers
Example Exploits:
• HTTP Authentication Vulnerability
– Using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
• NTP Vulnerability
– By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon
• SNMP Parsing Vulnerability
– Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device
Hacking Routers
When a router is hacked it allows an attacker to
• DoS or disable the router & network…
• Compromise other routers…
• Bypass firewalls, IDS systems, etc…
• Monitor and record all outgoing and incoming traffic…
• Redirect whatever traffic they desire…