Network Security Part II: Attacks. Layer 2 / 3 Attacks

Uploaded by millicent-potter, posted 16-Dec-2015


TRANSCRIPT

Page 1: Network Security Part II: Attacks
Layer 2 / 3 Attacks

Page 2: Overview

SECURITY INNOVATION ©2003

• Layer 2 attack landscape
• MAC attacks
• VLAN hopping attacks
• ARP attacks
• Spanning Tree attacks
• Layer 2 port authentication
• Other attacks

Page 3: The redundant rat's nest! (figure-only slide)

Page 4: Preliminaries

• All attacks and associated mitigation techniques assume a switched Ethernet network running IP.
  – If shared Ethernet is used (WLAN, hub, etc.) the majority of these attack scenarios get much easier.
  – Obviously, if you aren't using Ethernet as your L2 protocol some of these attacks may not be appropriate. However, you may be vulnerable to different ones.
• Rapid deployment: attacks that are theoretical can move to the practical in a matter of days and become widely distributed in weeks.
• Focus will be on L2 attacks and potential solutions.

Page 5: MAC Attacks (section divider)

Page 6: MAC Attacks (section divider)

Page 7: What is the CAM Table?

• Basically a really efficient lookup table
• Present on all modern switches
• CAM == Content Addressable Memory
• For more information on the CAM table and how it is updated check out http://routergod.com/gilliananderson or http://www.isdmag.com/editorial/1998/systemdesign9801.html

Page 8: What is the CAM Table?

• This internal table looks something like this:

Port  Ethernet Addresses                         Host or Uplink
1     01:00:af:34:53:62                          Single host
2     01:e4:5f:2a:63:35, 00:c1:24:ee:62:66, ...  Switch or hub
3     11:af:5a:69:08:63, 00:17:72:e1:72:70, ...  Switch or hub
4     00:14:62:74:23:5a                          Single host

Page 9: Normal CAM Behavior I

[Diagram: hosts A, B and C on ports 1, 2 and 3. CAM table so far: MAC A → port 1, MAC C → port 3. A sends a frame to B; B is unknown, so the switch floods the frame out every other port. C: "I see traffic to B!"]

Page 10: Normal CAM Behavior II

[Diagram: B replies to A. The switch learns "A is on port 1" and "B is on port 2". CAM table: MAC A → port 1, MAC B → port 2, MAC C → port 3.]

Page 11: Normal CAM Behavior III

[Diagram: A sends to B again. The CAM table now says "B is on port 2", so the frame goes only to port 2. C: "I do NOT see traffic to B!"]

Page 12: CAM Overflow I

• Theoretical attack made available to all…
• macof tool since May 1999 – "dsniff" by Dug Song
• Based on the CAM table's limited size

Page 13: CAM Overflow II

[Diagram: the station on port 3 sends frames with bogus source MACs X, Y, ... The switch learns "X is on port 3", "Y is on port 3", and so on, until the CAM table holds only port-3 entries: MAC X → port 3, MAC Y → port 3, MAC C → port 3. The frames from X and Y go to unknown destinations ("X → ?", "Y → ?").]

Page 14: CAM Overflow III

[Diagram: with the table full of port-3 entries, A sends to B; B is unknown, so the switch floods the frame. The station on port 3: "I see traffic to B!"]

Page 15: Catalyst CAM Tables

[Diagram: a hash-indexed table of 16,000 rows, each row holding up to 8 MAC entries (row 1: A B C; row 2: D E F G; row 3: H; ...; row 16,000: L M N O P Q R S). A ninth entry T hashing to the full row is flooded: "T flooded!"]

Catalyst switches use a hash to place a MAC in the CAM table. 63 bits of source (MAC, VLAN, misc) create a 17-bit hash value. If the value is the same there are 8 buckets to place CAM entries; if all 8 are filled the packet is flooded.

Page 16: MAC Flooding Switches with Macof (screenshot slide)

Page 17: CAM Table Full!

• Dsniff can generate 155,000 MAC entries on a switch per minute.
• Assuming a perfect hash function, the CAM table will be completely filled after 131,052 (approx. 16,000 x 8) entries.
• Once the table is full, traffic without a CAM entry floods on the local VLAN, but NOT existing traffic with an existing CAM entry.
• This attack will also fill the CAM tables of adjacent switches.

[Screenshot: snoop output on a non-SPAN port, 10.1.1.50]

Page 18: MAC Flooding Attack Mitigation

• Port Security
  – Capabilities are dependent on the platform
  – Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
  – Upon detection of an invalid MAC the switch can be configured to block only the offending MAC or just shut down the port.
  – Port security prevents macof from flooding the CAM table.
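The following model of the bucketed CAM table (Pages 12 to 15) and of the port-security reaction on this page is an added example, not code from the slides. It assumes a scaled-down table (64 rows of 8 entries instead of about 16,000 x 8), a SHA-256 stand-in for the undocumented Catalyst hash, constructed host and bogus source MACs, and a port-security mode that shuts the port on the first violation; it also assumes A's and B's old entries have already aged out while the flood was running.

```python
import hashlib
from collections import defaultdict

ROWS = 64            # scaled down for the demo; Catalyst: ~16,000 rows (17-bit hash)
ENTRIES_PER_ROW = 8  # per the slide: 8 entries per hash value, then the frame floods


def bucket_of(mac: str, vlan: int) -> int:
    """Stand-in for the (undocumented) Catalyst hash: (MAC, VLAN) -> row index."""
    digest = hashlib.sha256(f"{mac.lower()}|{vlan}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % ROWS


class Switch:
    """Learning switch with a bucketed CAM table and optional port security."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.rows = defaultdict(dict)       # row -> {(mac, vlan): port}
        self.learned_on = defaultdict(set)  # port -> {(mac, vlan)}
        self.errdisabled = set()
        self.stats = defaultdict(int)

    def learn(self, src, vlan, port):
        key = (src.lower(), vlan)
        row = self.rows[bucket_of(*key)]
        if key in row:
            row[key] = port                   # refresh the existing entry
            return "known"
        limit = self.max_macs_per_port
        if limit is not None and len(self.learned_on[port]) >= limit:
            self.errdisabled.add(port)        # "shut down the port" reaction
            self.stats["violations"] += 1
            return "violation"
        if len(row) >= ENTRIES_PER_ROW:
            self.stats["row_full"] += 1       # cannot learn; frames to it will flood
            return "row-full"
        row[key] = port
        self.learned_on[port].add(key)
        self.stats["learned"] += 1
        return "learned"

    def lookup(self, dst, vlan):
        return self.rows[bucket_of(dst, vlan)].get((dst.lower(), vlan))

    def switch_frame(self, src, dst, vlan, in_port):
        """Returns (action, egress_ports) for one frame arriving on in_port."""
        if in_port in self.errdisabled:
            self.stats["dropped"] += 1
            return "drop", []
        self.learn(src, vlan, in_port)
        out = self.lookup(dst, vlan)
        if out is None:                       # unknown unicast or broadcast
            self.stats["flooded"] += 1
            return "flood", [p for p in self.ports if p != in_port]
        self.stats["forwarded"] += 1
        return "forward", [out]

    def full_rows(self):
        return sum(1 for r in self.rows.values() if len(r) >= ENTRIES_PER_ROW)


def bogus_mac(i):
    """Constructed locally administered MAC derived from a counter."""
    return "02:00:%02x:%02x:%02x:%02x" % ((i >> 24) & 0xff, (i >> 16) & 0xff,
                                           (i >> 8) & 0xff, i & 0xff)


def scenario(port_security=None, bogus_frames=4000):
    """Hosts A (port 1) and B (port 2) start talking only after the station on
    port 3 has sent `bogus_frames` frames with ever-changing source MACs."""
    sw = Switch(ports=[1, 2, 3], max_macs_per_port=port_security)
    for i in range(bogus_frames):
        sw.switch_frame(bogus_mac(i), "ff:ff:ff:ff:ff:ff", 1, 3)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.switch_frame(b, a, 1, 2)          # B speaks first: can its MAC still be learned?
    action, egress = sw.switch_frame(a, b, 1, 1)
    return {"a_to_b": action, "egress": egress, "full_rows": sw.full_rows(),
            "errdisabled": sorted(sw.errdisabled), "stats": dict(sw.stats)}


if __name__ == "__main__":
    for label, ps in (("no port security", None), ("port security max 1", 1)):
        r = scenario(ps)
        print(f"{label}: A->B {r['a_to_b']} to ports {r['egress']}, "
              f"full rows {r['full_rows']}/{ROWS}, err-disabled {r['errdisabled']}")
```

Without port security every row fills and A's frame to B is flooded to port 3 as well; with a one-MAC limit the second bogus source err-disables port 3 and A to B is forwarded only to port 2.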

Page 19: VLAN Hopping Attacks (section divider)

Page 20: VLAN "Hopping" Attacks

• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the same physical link
• Encapsulation can be 802.1Q or ISL

[Diagram: two switches joined by a trunk port.]

Page 21: Dynamic Trunk Protocol

• What is DTP?
  – Automates ISL/802.1Q trunk configuration
  – Operates between switches
  – Not supported on 2900XL or 3500XL
• DTP synchronizes the trunking mode on link ends
• DTP state on an ISL/1Q trunking port can be set to "Auto", "On", "Off", "Desirable", or "Non-Negotiate".

[Capture excerpt: Dynamic Trunk Protocol frame; DST MAC 0100.0ccc.cccc; SNAP Proto 0x2004]

Page 22: Basic VLAN Hopping Attack

• A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well, or a rogue DTP-speaking switch)
• The station is then a member of all VLANs
• Requires a trunking-favorable setting on the port

[Diagram: a station attached to a port that has come up as a trunk port, with a trunk port between the switches.]

Page 23: Double Encapsulated 802.1q VLAN Hopping Attack

• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off

Note: only works if the trunk has the same native VLAN as the attacker.

[Diagram: the frame leaves the attacker as "802.1q, 802.1q, Frame"; the first switch strips off the first tag and sends it back out as "802.1q, Frame"; the second switch delivers "Frame".]

Page 24: Double Encap 802.1Q Ethereal Capture

[Screenshot of an Ethereal capture, annotated "Outer Tag, Attacker VLAN" and "Inner Tag, Attacker VLAN".]
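The capture above shows two stacked tags; the parser below, an added example rather than code from the slides, walks the tag stack of a raw Ethernet frame and applies the note from Page 23 (the outer tag equals the trunk's native VLAN) to classify what a capture on an access port contains. The frame bytes are constructed test data with invented MAC addresses and a dummy IPv4 payload.

```python
import struct

# TPIDs that introduce a VLAN tag (802.1Q, 802.1ad S-tag, and a legacy QinQ value)
TAG_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "QinQ"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tag_stack(frame: bytes):
    """Walk every VLAN tag at the front of an Ethernet frame.

    Returns (dst_mac, src_mac, [vid, ...], payload_ethertype). The VID list is
    ordered outer-first, which is the order a switch strips the tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_TPIDS:
            return dst, src, vids, ethertype      # reached the real payload type
        if offset + 2 > len(frame):
            raise ValueError("truncated tag control information")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)                 # low 12 bits = VLAN ID


def assess_frame(frame: bytes, native_vlan: int) -> str:
    """Classify a frame captured on an access port against the slide's
    double-encapsulation condition (outer tag equal to the trunk's native VLAN)."""
    _, _, vids, _ = parse_tag_stack(frame)
    if not vids:
        return "untagged"
    if len(vids) == 1:
        return "single-tagged"
    if vids[0] == native_vlan:
        # After the first switch strips the outer (native) tag, the inner tag
        # crosses the trunk and the frame lands in vids[1], another VLAN.
        return "double-tagged-native"
    return "double-tagged"


def sample_frame(vids, payload=b"\x45\x00\x00\x14" + b"\x00" * 16) -> bytes:
    """Constructed test data: a dummy IPv4 payload behind the given tag stack."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000099")
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    for stack in ([], [10], [1, 20], [5, 20]):
        print(stack, "->", assess_frame(sample_frame(stack), native_vlan=1))
```

A frame with any tag at all arriving on an access port is already suspicious; the native-VLAN check tells you which of the double-tagged ones the Page 23 note says would actually cross the trunk.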

Page 25: Disabling Auto-Trunking

• Defaults change depending on switch; always check.

Page 26: Security for VLANs and Trunking

• Always use a dedicated VLAN ID for all trunk ports
• Disable unused ports and put them in an unused VLAN
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non-trunking (DTP Off)

Page 27: ARP Attacks (section divider)

Page 28: ARP Refresher

• An ARP request message should be placed in a frame and broadcast to all computers on the network
• Each computer receives the request and examines the IP address
• The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.

[Diagram: hosts V, W, X, Y and Z on one segment; the broadcast request reaches all of them.]

Page 29: Gratuitous ARP

• Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network; routers and other network hardware may use cache information gained from gratuitous ARPs
• Gratuitous ARP is a broadcast packet (like an ARP request)
• Host W: "Hey everyone, I'm host W and my IP address is 1.2.3.4 and my MAC address is 12:34:56:78:9A:BC"

[Diagram: hosts V, W, X, Y and Z on one segment.]

Page 30: Misuse of Gratuitous ARP

• ARP has no security or ownership of IP or MAC address
• What if we did the following?
  • Host W broadcasts "I'm 1.2.3.1 with MAC 12:34:56:78:9A:BC"
  • (Wait 5 seconds)
  • Host W broadcasts "I'm 1.2.3.1 with MAC 12:34:56:78:9A:BC"

[Diagram: network 1.2.3.0/24 with the router at .1, host Y at .2, host X at .3 and host W at .4.]

Page 31: Hands On Example

• Hosts X and Y will likely ignore the message unless they currently have an ARP table entry for 1.2.3.1
• When host Y requests the MAC of 1.2.3.1 the real router will reply and communications will work until host W sends a gratuitous ARP again
• Even a static ARP entry for 1.2.3.1 on Y will get overwritten by the gratuitous ARP on some OSs (NT4 and Win2k)

[Diagram: the same 1.2.3.0/24 network: router .1, host Y .2, host X .3, host W .4.]

Page 32: Dsniff

• ARP spoofing
• MAC flooding
• Selective sniffing
• SSH/SSL interception

Page 33: Hands On - Arpspoof (screenshot slide)

Page 34: Arpspoof

• All traffic now flows through the machine running dsniff in a half-duplex manner
• Port security does not help
• Note that the attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request
• The attack could be more selective and spoof just one victim

Page 35: Selective Sniffing

• Once the dsniff box has started the arpspoof process, the magic begins:

Supports more than 30 standardized/proprietary protocols:
• FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, Microsoft SQL

Page 36: SSL/SSH Interception

• Using dnsspoof all web sites can resolve to the dsniff host IP address:
• Once that happens you can proxy all web connections through the dsniff host

Page 37: SSL/SSH Interception

• Using dsniff (webmitm) most SSL sessions can be intercepted and bogus certificate credentials can be presented

Page 38: SSL/SSH Interception

• Upon inspection they will look invalid but they would likely fool most users

[Screenshot: browser certificate dialog, annotated "invalid".]

Page 39: The Evolution of dsniff: Ettercap

• Similar to dsniff though not as many protocols supported for sniffing
• Can ARP spoof both sides of a session to achieve full-duplex sniffing
• Allows command insertion into persistent TCP sessions
• Menu driven interface

Page 40: It Doesn't Get Much Easier… (screenshot slide)

Page 41: ARP Spoof Mitigation: Private VLANs

• PVLANs isolate traffic in specific communities to create distinct "networks" within a normal VLAN
• Note: most inter-host communication is disabled with PVLANs turned on

[Diagram: one primary VLAN containing community VLAN 'A', community VLAN 'B' and an isolated VLAN; the community ports and the isolated ports each reach only the promiscuous port. "Only one subnet!"]

Page 42: ARP Spoof Mitigation

• Some IDS systems will watch for an unusually high amount of ARP
• ARPWatch is a freely available tool that will track IP/MAC address pairings
• Consider static ARP for critical routers and hosts (potential administrative pain)
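The pairing tracker below is an added example of the ARPWatch-style check named on this page, written for this transcript and not taken from ARPWatch itself. It replays a constructed capture of the Page 30 scenario (host W's MAC 12:34:56:78:9A:BC claiming the router's 1.2.3.1 twice, five seconds apart) and assumes an invented MAC for the router and for host Y; the alert names follow ARPWatch's vocabulary ("new station", "changed ethernet address", "flip flop") plus one extra check for a single MAC answering for several IPs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    t: float      # seconds since capture start
    ip: str       # sender protocol address
    mac: str      # sender hardware address
    kind: str     # "request", "reply" or "gratuitous"


def watch(events, critical_ips=frozenset()):
    """ARPwatch-style pairing tracker (written for this example).

    Every event binds ip -> mac. Emits alerts when an IP appears for the first
    time, when its MAC changes, when it flips back to a MAC seen earlier, and
    when one MAC is bound to several IPs at once (a host answering for the
    gateway and for itself). Alerts for critical_ips are marked critical."""
    current = {}     # ip -> mac currently bound
    seen = {}        # ip -> every mac ever seen for it
    ips_by_mac = {}  # mac -> set of ips currently bound to it
    alerts = []

    def emit(e, kind, detail):
        alerts.append({"t": e.t, "kind": kind, "ip": e.ip, "detail": detail,
                       "severity": "critical" if e.ip in critical_ips else "info"})

    for e in sorted(events, key=lambda ev: ev.t):
        mac = e.mac.lower()
        old = current.get(e.ip)
        if old == mac:
            continue                          # same pairing as before
        if old is None:
            emit(e, "new station", mac)
        else:
            kind = "flip flop" if mac in seen[e.ip] else "changed ethernet address"
            emit(e, kind, f"{old} -> {mac} ({e.kind})")
            ips_by_mac[old].discard(e.ip)
        current[e.ip] = mac
        seen.setdefault(e.ip, set()).add(mac)
        bound = ips_by_mac.setdefault(mac, set())
        if bound - {e.ip}:
            emit(e, "one mac, several ips", f"{mac} also answers for {sorted(bound)}")
        bound.add(e.ip)
    return alerts


# Constructed capture of the slide's scenario on 1.2.3.0/24: the router at .1
# (its MAC is invented here), host Y at .2, and host W at .4 using the slide's
# MAC 12:34:56:78:9A:BC to claim .1 via gratuitous ARP, five seconds apart.
ROUTER_MAC = "00:00:0c:00:00:01"
W_MAC = "12:34:56:78:9A:BC"
SAMPLE_EVENTS = [
    ArpEvent(0.0, "1.2.3.1", ROUTER_MAC, "reply"),
    ArpEvent(0.5, "1.2.3.2", "00:00:00:00:00:02", "request"),
    ArpEvent(10.0, "1.2.3.1", W_MAC, "gratuitous"),
    ArpEvent(12.0, "1.2.3.1", ROUTER_MAC, "reply"),       # real router answers Y
    ArpEvent(15.0, "1.2.3.1", W_MAC, "gratuitous"),       # W repeats the claim
    ArpEvent(20.0, "1.2.3.4", W_MAC, "gratuitous"),       # W announcing itself
]


def critical_alerts(events=SAMPLE_EVENTS, gateway="1.2.3.1"):
    """Only the alerts that concern the gateway address."""
    return [a for a in watch(events, critical_ips={gateway}) if a["severity"] == "critical"]


if __name__ == "__main__":
    for a in watch(SAMPLE_EVENTS, critical_ips={"1.2.3.1"}):
        print(f"{a['t']:5.1f}s {a['severity']:8} {a['kind']:25} {a['ip']:8} {a['detail']}")
```

The replay produces a "changed ethernet address" for the gateway at 10 s and two "flip flop" alerts as the real router and host W alternate, which is the pattern an operator should treat as a live spoof rather than a hardware swap.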

Page 43: Spanning Tree Attacks (section divider)

Page 44: Spanning Tree Basics

STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure. A switch is elected as Root. Root selection is based on the lowest configured priority of any switch (0-65535). A 'tree-like' loop-free topology is established from the perspective of the root bridge.

[Diagram: root bridge at the top, switches A and B below; ports marked F (forwarding) and B (blocking), with the redundant link marked X.]

STP is very simple. Messages are sent using Bridge Protocol Data Units (BPDUs). Basic messages include: configuration, topology change notification/acknowledgement (TCN/TCA); most have no "payload".

Avoiding loops ensures broadcast traffic does not become storms.

Page 45: Spanning Tree Attacks and Methods

• Standard 802.1d STP takes 30-45 seconds to deal with a failure or root bridge change (ha ha ha… DoS served here)
  – Generally only devices affected by the failure notice the issue
  – PortFast and UplinkFast can greatly improve this
• Sending BPDUs from the attacker can force these changes and create a DoS condition on the network
• As a link with macof: the TCN message will result in the CAM table aging all entries in 15 seconds if they do not communicate (the default is 300 seconds)
• Easy to create the DoS condition. Depending on the topology it could yield additional packets for the attacker

Page 46: Spanning Tree Attack Example I

• Send BPDU messages to become root bridge

[Diagram: root bridge and access switches, with the attacker attached to an access switch and sending STP BPDUs; ports marked F (forwarding), B (blocking) and X (blocked link).]

Page 47: Spanning Tree Attack Example II

• Send BPDU messages to become root bridge
  – The attacker then sees frames he shouldn't
  – MITM, DoS, etc. all possible
  – The attack is very sensitive to the original topology, trunking, PVST, etc.
• Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half duplex 10 Mb has been verified.
• Requires the attacker to be dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)

[Diagram: the attacker, dual-homed to two access switches, has become Root; the former root's link is now blocked (X/B) and the forwarding paths (F) run through the attacker.]

Page 48: Knowledge Applied

• Goal: see traffic on the backbone, but the interesting hosts have static ARP entries and are very chatty (macof will likely never steal their CAM entry)
• Step 1: MAC flood the access switch
• Step 2: Run bridging software (i.e. brconfig) on the attacking host; advertise as a priority zero bridge
  – Attacker becomes root bridge
  – Spanning tree recalculates
  – GE backbone becomes FE
  – CAM table on the access switch is full (from macof); there is no room at the inn for the chatty servers. Traffic is flooded.

[Diagram: the attacker, dual-homed to the access switches, is now Root; the GE backbone link is blocked (X/B) and traffic crosses the attacker's FE links.]

Page 49: STP Attack Mitigation

• Don't disable STP; introducing a loop would become another attack.
• BPDU Guard
  – Disables ports using portfast upon detection of a BPDU message on the port
  – Globally enabled on all ports running portfast
• Root Guard
  – Disables ports which would become the root bridge due to their BPDU advertisement
  – Configured on a per-port basis
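To make the two guards concrete, the added example below (not code from the slides) parses an 802.1D configuration BPDU from its LLC header and applies the BPDU Guard and Root Guard rules of this page to it. The BPDU bytes are constructed captures: a priority-zero root claim of the kind described on Pages 46 to 48 from a station with an invented locally administered MAC, and a normal BPDU from an invented real root (priority 32768); the port configuration dictionary and its keys are assumptions for the model.

```python
import struct
from dataclasses import dataclass

CONFIG_BPDU, TCN_BPDU = 0x00, 0x80


@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_priority: int = 0
    root_mac: str = ""
    root_path_cost: int = 0
    bridge_priority: int = 0
    bridge_mac: str = ""
    port_id: int = 0
    max_age: float = 0.0      # seconds (wire format is in 1/256 s units)
    hello_time: float = 0.0
    forward_delay: float = 0.0

    @property
    def root_id(self):
        return (self.root_priority, self.root_mac)   # lower wins the election


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_bpdu(llc_payload: bytes) -> Bpdu:
    """Parse an 802.1D BPDU starting at the LLC header (DSAP 0x42, SSAP 0x42, ctl 0x03)."""
    if llc_payload[:3] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC frame")
    proto, version, bpdu_type = struct.unpack_from("!HBB", llc_payload, 3)
    if proto != 0:
        raise ValueError(f"unknown STP protocol identifier {proto}")
    if bpdu_type == TCN_BPDU:
        return Bpdu(bpdu_type=TCN_BPDU)          # a TCN carries no further fields
    if bpdu_type != CONFIG_BPDU:
        raise ValueError(f"unsupported BPDU type 0x{bpdu_type:02x}")
    (flags, root_id, cost, bridge_id, port_id,
     _msg_age, max_age, hello, fwd) = struct.unpack_from("!B8sI8sHHHHH", llc_payload, 7)
    return Bpdu(CONFIG_BPDU, flags,
                int.from_bytes(root_id[:2], "big"), _mac(root_id[2:]), cost,
                int.from_bytes(bridge_id[:2], "big"), _mac(bridge_id[2:]), port_id,
                max_age / 256, hello / 256, fwd / 256)


def port_action(port_cfg: dict, bpdu: Bpdu, current_root) -> str:
    """What a switch with the slide's two guards does with a BPDU on a port.

    port_cfg keys (optional booleans, assumed names): portfast, bpduguard, rootguard.
    current_root is the (priority, mac) of the root bridge the switch knows."""
    if port_cfg.get("portfast") and port_cfg.get("bpduguard"):
        return "err-disable"                     # BPDU Guard: any BPDU on a portfast port
    if bpdu.bpdu_type == TCN_BPDU:
        return "process"                         # a TCN has no bridge identifiers to judge
    if port_cfg.get("rootguard") and bpdu.root_id < tuple(current_root):
        return "root-inconsistent"               # Root Guard: superior root claim blocked
    return "process"


# Constructed captures (LLC header + BPDU), not taken from the slides.
ATTACKER_BPDU = bytes.fromhex(
    "424203" "0000" "00" "00" "00" "0000020000000001" "00000000"
    "0000020000000001" "8001" "0000" "1400" "0200" "0f00")
ROOT_BPDU = bytes.fromhex(
    "424203" "0000" "00" "00" "00" "800000000c123456" "00000000"
    "800000000c123456" "8001" "0000" "1400" "0200" "0f00")
TCN = bytes.fromhex("424203" "0000" "00" "80")
CURRENT_ROOT = (32768, "00:00:0c:12:34:56")

USER_PORT = {"portfast": True, "bpduguard": True}
UPLINK_PORT = {"rootguard": True}
UNGUARDED_PORT = {}


def decisions():
    """Each guard's verdict for the attacker's BPDU versus the real root's."""
    atk, root = parse_bpdu(ATTACKER_BPDU), parse_bpdu(ROOT_BPDU)
    return {
        "attacker on user port": port_action(USER_PORT, atk, CURRENT_ROOT),
        "attacker on uplink": port_action(UPLINK_PORT, atk, CURRENT_ROOT),
        "attacker on unguarded port": port_action(UNGUARDED_PORT, atk, CURRENT_ROOT),
        "root on uplink": port_action(UPLINK_PORT, root, CURRENT_ROOT),
        "tcn on uplink": port_action(UPLINK_PORT, parse_bpdu(TCN), CURRENT_ROOT),
    }


if __name__ == "__main__":
    for case, verdict in decisions().items():
        print(f"{case:28} -> {verdict}")
```

The unguarded-port case is the one the slides warn about: the priority-zero claim is simply processed and the election reruns.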

Page 50: VLAN Trunking Protocol (VTP)

• Used to distribute VLAN configuration among switches
• VTP is used only over trunk ports
• VTP can cause more problems than it solves; consider if it is really needed
• If needed use the VTP MD5 digest:

Page 51: Potential VTP Attacks

• After becoming a trunk port, an attacker could send VTP messages as a server with no VLANs configured. All VLANs would be deleted across the entire VTP domain
• Disabling VTP:

Page 52: Other Attacks (section divider)

Page 53: Cisco Discovery Protocol (CDP)

• Runs at layer 2 and allows Cisco devices to chat with one another
• Can be used to learn sensitive information about the CDP sender (IP address, software version, router model…)
• CDP is in the clear and unauthenticated
• Consider disabling CDP, or being very selective in its use in security sensitive environments (backbone vs user port may be a good distinction)

Page 54: CDP Attacks

• Besides the information gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent them tons of bogus packets.
• The problem was due to a software implementation problem: a flaw in the memory allocation for the CDP process (basically there was no upper limit).

Page 55: DHCP Starvation Attacks

• Anyplace where macof works, you can DoS a network by requesting all of the available DHCP addresses
• With or without the DoS, an attacker could use a rogue DHCP server to provide addresses to clients
• Since DHCP responses include DNS servers and default gateway entries, guess where the attacker would point these unsuspecting users?
• All the MITM attacks are now possible

Page 56: Private VLAN Attacks I

[Diagram: Attacker (MAC A, IP 1) and Victim (MAC B, IP 2) on isolated ports; Router (MAC C, IP 3) on the promiscuous port. The attacker's frame S:A1 D:B2 (source MAC A / IP 1, destination MAC B / IP 2) is dropped by the switch: "PVLANs work: drop packet".]

Page 57: Private VLAN Attacks II

• Only allows unidirectional traffic (the victim will ARP for A and fail)
• If both hosts were compromised, setting static ARP entries for each other via the router will allow bi-directional traffic
• Most firewalls will not forward the packet like a router
• This is not a PVLAN vulnerability, as it enforces the rules!

[Diagram: same hosts as the previous slide. A frame S:A1 D:B2 sent straight to the victim is dropped ("PVLANs work: drop packet"). A frame S:A1 D:C2 (destination MAC of the router, destination IP of the victim) is allowed through to the promiscuous port; the router routes it and forwards it to the victim, shown as S:A1 D:B2 ("Routers route: forward packet").]

Page 58: Network Security Part II: Attacks Layer 2 / 3 Attacks


PVLAN Attack Mitigation

• Setup ACL on ingress router port:

• All known PVLAN exploits will now fail
• VLAN ACL could also be used
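A small model of the two preceding slides, added here as an example (not code from the deck): the switch enforces the PVLAN rule, the router routes purely by destination IP, and the ingress ACL from the mitigation slide refuses to route packets whose source and destination are both inside the PVLAN subnet. MAC letters and IP numbers follow the slides' notation; the subnet and ARP table are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology in the slides' notation: A/1 attacker and B/2 victim
# on isolated ports, C/3 router on the promiscuous port.
ISOLATED_MACS = {"A", "B"}
ROUTER_MAC = "C"
PVLAN_SUBNET = ip_network("10.0.0.0/24")          # constructed subnet
ARP_TABLE = {"10.0.0.1": "A", "10.0.0.2": "B", "10.0.0.3": "C"}

@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str

def switch_forwards(frame: Frame) -> bool:
    """PVLAN rule: an isolated port may only talk to the promiscuous port."""
    return not (frame.src_mac in ISOLATED_MACS and frame.dst_mac in ISOLATED_MACS)

def router_routes(frame: Frame, acl_enabled: bool):
    """Route a frame addressed to the router's MAC by destination IP only.

    With the mitigation ACL on the ingress port the router refuses packets
    whose source and destination IPs are both inside the PVLAN subnet
    (IOS form: 'deny ip <subnet> <subnet>' before 'permit ip any any').
    """
    if frame.dst_mac != ROUTER_MAC:
        return None
    src, dst = ip_address(frame.src_ip), ip_address(frame.dst_ip)
    if acl_enabled and src in PVLAN_SUBNET and dst in PVLAN_SUBNET:
        return None                                  # ACL drops the hairpin
    # Real routers rewrite the source MAC to their own; off-subnet traffic
    # leaves via the uplink and is unaffected by the ACL.
    next_hop = ARP_TABLE[frame.dst_ip] if dst in PVLAN_SUBNET else "UPLINK"
    return Frame(ROUTER_MAC, frame.src_ip, next_hop, frame.dst_ip)

def delivered(frame: Frame, acl_enabled: bool = False) -> bool:
    """True if the frame reaches the host owning its destination IP."""
    if not switch_forwards(frame):
        return False                                 # dropped at the switch
    if frame.dst_mac == ROUTER_MAC:
        routed = router_routes(frame, acl_enabled)
        # promiscuous -> isolated is always permitted by the switch
        return routed is not None and switch_forwards(routed)
    return frame.dst_mac == ARP_TABLE.get(frame.dst_ip)
```

Without the ACL the S:A1 D:C2 frame reaches the victim; with it, only traffic leaving the subnet is routed.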

Page 59: Network Security Part II: Attacks Layer 2 / 3 Attacks


Multicast Brute-Force Failover Analysis

• Send random Ethernet multicast frames to a switch interface attempting to get frames to another VLAN

[Diagram: multicast frames sent into one VLAN stay in that VLAN: "Nice Try".]

Page 60: Network Security Part II: Attacks Layer 2 / 3 Attacks


Random Frame Stress Attack

• Send random frames to a switch interface attempting to get frames to another VLAN

[Diagram: random frames sent into one VLAN stay in that VLAN: "Nice Try".]

Page 61: Network Security Part II: Attacks Layer 2 / 3 Attacks


Switch Management

• Management can be your weakest link
• All the great mitigation techniques we talked about aren't worth much if the attacker telnets into your switch and disables them
• Most of the network management protocols are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.)
• Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP, etc.). Where impossible, consider out of band management.
• Always use a dedicated VLAN ID for all trunks
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non trunking

Page 62: Network Security Part II: Attacks Layer 2 / 3 Attacks


Hacking Cisco

Cisco Bugtraq Vulnerabilities

• 1998 - 3
• 1999 - 5
• 2000 - 23
• 2001 - 46
• 2002 (est) - 94

Page 63: Network Security Part II: Attacks Layer 2 / 3 Attacks


Hacking Routers

Example Exploits:

• HTTP Authentication Vulnerability
  – Using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
• NTP Vulnerability
  – By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.
• SNMP Parsing Vulnerability
  – Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.
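A detection rule for the HTTP authentication vulnerability described on this slide, added here as an example (not from the deck): it scans web-server or proxy log lines for request paths of the form /level/N/exec/ with N in the 16 to 99 range the slide names. The log lines are constructed.

```python
import re

# Request-path pattern from the slide: /level/$NUMBER/exec/... with $NUMBER
# from 16 to 99. A plain digit match is not enough, because the normal IOS
# enable level 15 uses the same path shape and must not be flagged.
LEVEL_EXEC_RE = re.compile(r"/level/(\d{1,3})/exec(?:/|$)")

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.7 - - [01/Jun/2003:10:15:02 +0000] "GET /level/15/exec/ HTTP/1.0" 401 -',
    '192.0.2.7 - - [01/Jun/2003:10:15:09 +0000] "GET /level/42/exec/ HTTP/1.0" 200 -',
    '192.0.2.8 - - [01/Jun/2003:10:16:30 +0000] "GET /level/100/exec/ HTTP/1.0" 404 -',
    '192.0.2.9 - - [01/Jun/2003:10:17:01 +0000] "GET /index.html HTTP/1.0" 200 -',
]

def is_level_bypass_path(path: str) -> bool:
    """True when the path uses a privilege level in the 16..99 range."""
    m = LEVEL_EXEC_RE.search(path)
    return m is not None and 16 <= int(m.group(1)) <= 99

def flag_bypass_attempts(log_lines):
    """Return (client_ip, path) for each request that matches the pattern."""
    hits = []
    for line in log_lines:
        # client ip, ident, user, [timestamp], "METHOD path ..."
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+)', line)
        if m and is_level_bypass_path(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits
```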

Page 64: Network Security Part II: Attacks Layer 2 / 3 Attacks


Hacking Routers

When a router is hacked it allows an attacker to

• DoS or disable the router & network…
• Compromise other routers…
• Bypass firewalls, IDS systems, etc…
• Monitor and record all outgoing and incoming traffic…
• Redirect whatever traffic they desire…