
Topic: LAYER 2 SWITCHING ATTACKS AND MITIGATION

  1. #1
    CiscoCertified (Member)
    Join Date: Jun 2007
    Posts: 558
    Reputation: 0

    LAYER 2 SWITCHING ATTACKS AND MITIGATION



    LAYER 2 SWITCHING ATTACKS AND MITIGATION
    from CiscoCertified , October 2008
    ########################################################



    1. INTRODUCTION
    ############
    This memorandum aims to describe the list of security threats and countermeasures that might be identified on an 802.1Q Ethernet switch-based network.
    Switch-based networks are layer 2 networks, which leads to a risk of attacks from inside the network.

    For those who are still using LANE over ATM networks, these attacks are achievable as well!!!



    2. BASIC LAYER 2 KNOWN ATTACKS
    #########################
    The attacks described below are applicable to any Ethernet switch-based network and are based on common and basic switching functions.

    2.1 CAM OVERFLOW / MAC FLOODING

    2.1.1 ETHERNET SWITCHING BASICS
    The main difference between a hub and a switch is the forwarding of unicast packets. The switch learns from the frames transmitted through its ports and caches information about the hosts connected to it.
    Information such as the MAC addresses available on physical ports, with their associated VLAN parameters, is stored in the CAM table (Content Addressable Memory).

    Let's take an example in a private VLAN: 3 hosts A, B & C are connected to 3 different switched ports. When host A sends data to host B through port 1, the switch learns that host A is located on port 1 and caches it in the CAM. If host B has never sent a packet, the switch is not able to locate host B and will flood the packet originated by A to all VLAN ports.

    When B replies to A on port 2, the switch learns that host B is located on port 2 and caches it in the CAM. The packet is forwarded to host A on port 1 and host C will not receive that packet.

    The next time A sends a packet to host B, it will be exclusively forwarded to port 2 and host C will know nothing about it.

    2.1.2 CAM OVERFLOW ATTACK
    Because memory is not unlimited, the CAM table has a fixed size. This fact allows the switch to be exploited for sniffing purposes. On some switches, it is possible to bombard the switch with bogus MAC address data. The switch, not knowing how to handle the excess data, will 'fail open'. That is, it will revert to a hub and will broadcast all network frames to all ports.
    In 1999, the MACOF tool (MAC OverFlow) was created for that purpose. It is capable of generating about 155,000 Ethernet packets per minute with randomized source MACs. As an example, a Cisco Catalyst CAM table size is 131,052 entries.
    At this point, any of the more generic network sniffers will work to spy on the VLAN segment. The attacker is also able to mount a DoS attack by sending data floods that are broadcast over the VLAN, drastically slowing down the switch and the hosts.
    It is interesting to note that the CAM is common to all VLANs, therefore they are all compromised: if an attacker has access to only one VLAN he will be able to sniff only that one, but may DoS the whole network.
    Therefore this attack compromises confidentiality and user services on an Ethernet switch.

    2.1.3 ATTACK MITIGATION
    1. Some switches allow limiting the number of MAC addresses learned through a port. If hosts are directly connected to the switch, this function will surely protect the system by limiting the number to a single address. In that case the attacker will DoS himself by mounting such an attack. If a hub is connected to the switch, all users on that very hub may be DoSed.

    2. Most switches implement port security functions based on static MAC addresses. But this procedure is very heavy from a management point of view, even more so if users are mobile in the network.

    2.2 ARP SPOOFING

    2.2.1 PRINCIPLE
    One of the basic operations of the Ethernet protocol revolves around ARP (Address Resolution Protocol) requests and replies. In general, when Node A wants to communicate with Node C on the network, it sends an ARP request. Node C will send an ARP reply which will include its MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner.
    It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A. This fake ARP reply will specify that Node B has the MAC address of Node C. Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.
    Some available tools are specialized for sending fake ARP replies to classes of machines (e.g., NFS servers, HTTP servers, etc.). One such tool is dsniff, and it works well to sniff for specific types of traffic. Other tools listen for the general ARP request and send the fake ARP reply at that time.
    The parasite program falls into this category and it serves well to sniff the entire network. For this type of attack to work, we need the ability to forward the frames we receive on to their intended host. This is most commonly achieved through some type of IP forwarding, either at the kernel or application level.

    2.2.2 ARP SPOOFING FOR SNIFFING PURPOSES
    An attacker may compromise the confidentiality of IP connections transmitted on the VLAN he is connected to by sniffing data transfers while avoiding detection. As an example, the spoofed Ethernet target may be the gateway (e.g. a router).
    The attacker spoofs the router MAC address by sending a gratuitous ARP saying that packets to the outside world should be forwarded to the attacker's MAC address. Note that IP duplication may alert the administrator, but ARP requests transmitted by a router are very few because the ARP caching time for such a device may be huge (e.g. 8 hours for the default Cisco router configuration).

    Then all packets originated by a local victim are forwarded to the attacker's machine. In order to be undetectable the attacker shall re-forward those packets to the real router; otherwise outside-world connectivity is denied.

    The attacker's machine behaves like a proxy and provides a half-duplex sniffer for the whole VLAN segment.
    In case the attacker is willing to sniff a specific host in a full-duplex manner, he can use exactly the same technique to spoof the victim; therefore data exchanged between the outside world and the victim may be sniffed in both directions.

    2.2.3 ARP SPOOFING FOR ANONYMITY AND DOS PURPOSES
    ARP spoofing may be used in a different way in order to receive data destined to a victim by usurping its addresses.
    If the victim is a host then the attacker will be able to appear as the victim and receive data such as e-mail or database traffic, resulting in Denial of Service for the victim, a lack of confidentiality, and anonymity for the attacker (because he is usurping the victim's network characteristics).
    In order to avoid IP address duplication between the attacker's machine and the victim, the victim host may be DoSed.
    If the victim is the router, outside connectivity will be denied for the whole VLAN segment.

    2.2.4 ATTACK MITIGATION
    There is no real solution to mitigate that attack, but it can be detected thanks to an Intrusion Detection System (IDS).

    2.3 MAC DUPLICATING
    It's not difficult to imagine that, since all frames on the network are routed based on their MAC address, the ability to impersonate another host would work to our advantage. That's just what MAC duplicating does. You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff. This is easy to do.
    This differs from ARP spoofing because, in ARP spoofing, we are 'confusing' the host by poisoning its ARP cache. In a MAC duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address.

    2.4 VLAN HOPPING ATTACK

    2.4.1 PRINCIPLE
    This attack highly depends on the platform implementation. The idea is to send data from a user port with 802.1Q encapsulation; please note that the port is not a trunk and should transmit only 802.3 or Ethernet II frames.
    Doing that on a single switch, whatever the VLAN ID used, the frame will never be forwarded to the destination. But in a multiple-switch configuration a trunk implementation may be exploited. Trunk ports may be set implicitly to a VLAN ID (the Cisco default native VLAN for a trunk is VLAN 1). Therefore when a user port sends a packet to a destination located on a distant switch, and that very packet is encapsulated in 802.1Q format with the native VLAN ID, it will be forwarded to the distant switch.
    In order to achieve this attack:
    - the attacker shall know the victim's MAC address and VLAN.
    - the attacker must belong to the trunk native VLAN.
    - the packet needs a double encapsulation to reach the victim: the first tag is based on the native VLAN, the second on the victim's VLAN.
    Thanks to that attack a unidirectional malicious stream may be generated from the attacker towards the victim. It is a blind attack, similar to an IP spoofing attack.

    2.4.2 ATTACK MITIGATION
    The trunk native VLAN must be identified, and ports other than trunk ports shall be removed from it.



    3. ADVANCED LAYER 2 KNOWN ATTACKS
    ###########################
    3.1 SPANNING TREE ATTACK
    3.1.1 PRINCIPLE
    The goal of this attack is to sniff traffic on the backbone when the interesting hosts are located on distant switches and have static ARP entries to protect against ARP spoofing attacks.
    The STP (Spanning Tree Protocol) attack idea is to fool a network composed of several Ethernet switches by forcing all switches to forward packets to the attacker's machine.
    In order to do that the attacker sends a BPDU packet advertising a priority-zero bridge (root bridge) to the switch he is connected to. Therefore traffic that should normally go through a distant link is transmitted across the attacker's local switch. Then, thanks to the CAM overflow attack, he may sniff distant data (cf. figure).

    3.1.2 ATTACK MITIGATION
    Spanning tree functions must be disabled on all user interfaces but maintained for Network-to-Network Interfaces to avoid loops.

    3.2 VIRTUAL TRUNK PROTOCOL ATTACK
    3.2.1 PRINCIPLE
    VTP is a protocol used to distribute VLAN configuration among switches over trunk ports. If an attacker becomes a trunk port he could use that protocol to configure the whole network at will. For instance he might send VTP messages pretending to be a VTP server with no VLAN configured; as a result all VLANs configured with VTP will be deleted across the entire VTP domain. That's a huge DoS attack.

    3.2.2 ATTACK MITIGATION
    Don't use VTP!

    3.3 VMPS ATTACK
    3.3.1 PRINCIPLE
    The aim of the VLAN Management Policy Server is to assign VLANs dynamically based on MAC address, IP address or HTTP authentication (URT). VMPS centralizes host information in a database which is downloaded to servers via TFTP. VMPS uses the VLAN Query Protocol (VQP) for client/server exchanges, which is unauthenticated and runs over UDP.
    All VMPS traffic is in clear text, unauthenticated and over UDP; therefore that protocol may be easily misused for hijacking purposes.

    3.3.2 ATTACK MITIGATION
    VMPS traffic shall be transmitted on an Out-Of-Band basis (a network separate from user traffic) or not used.

    3.4 DHCP STARVATION ATTACK
    3.4.1 PRINCIPLE
    Using the MAC overflow attack, an attacker is able to DoS the network by requesting all of the available DHCP addresses.

    3.4.2 ATTACK MITIGATION
    Same countermeasure as for the MAC overflow attack.

    3.5 DHCP ROGUE ATTACK
    3.5.1 PRINCIPLE
    The attacker could turn his machine into a rogue DHCP server and provide addresses to the VLAN clients. A DHCP server assigns the IP address as well as the default gateway address and DNS address. Therefore, the attacker may force all traffic to go through his own machine (by assigning his own address as the default gateway) for sniffing purposes.

    3.5.2 ATTACK MITIGATION
    There is no real mitigation known. RFC 3118 "Authentication for DHCP Messages" should help but is not widely implemented by DHCP servers.
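    As an added illustration (not part of CiscoCertified's post), the following Python model shows the CAM table behaviour described in 2.1.1 and 2.1.2 and the per-port MAC limit from 2.1.3: hosts A and B exchange frames, an attacker on a third port floods bogus source MACs, and the egress set of A's next frame shows whether the switch has failed open. The toy switch, its 256-entry CAM, aging counted in frames and all MAC addresses are constructed assumptions, not measurements of any real device.

```python
class ToySwitch:
    """Toy switch: one VLAN per frame, fixed-size CAM with aging, optional port security."""
    def __init__(self, cam_size, aging, max_macs_per_port=None):
        self.cam_size = cam_size            # fixed CAM capacity (entries); constructed value
        self.aging = aging                  # entry lifetime, counted in frames the switch sees
        self.max_macs = max_macs_per_port   # port-security limit per port; None = disabled
        self.cam = {}                       # (vlan, mac) -> (port, tick when last seen)
        self.ports, self.shutdown, self.tick = set(), set(), 0

    def _learn(self, vlan, src, port):
        if (vlan, src) in self.cam:         # known source: refresh its timestamp
            self.cam[(vlan, src)] = (port, self.tick)
            return
        if self.max_macs is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_macs:    # too many sources on one port: err-disable it
                self.shutdown.add(port)
                return
        if len(self.cam) < self.cam_size:   # a full table cannot learn new hosts at all
            self.cam[(vlan, src)] = (port, self.tick)

    def forward(self, in_port, vlan, src, dst):
        """Return the egress port set for one frame (empty if the ingress port is disabled)."""
        if in_port in self.shutdown:
            return set()
        self.tick += 1
        self.cam = {k: v for k, v in self.cam.items() if self.tick - v[1] <= self.aging}
        self._learn(vlan, src, in_port)
        if in_port in self.shutdown:        # the violating frame itself is dropped
            return set()
        hit = self.cam.get((vlan, dst))
        if hit is None:                     # unknown destination: flood the VLAN
            return self.ports - self.shutdown - {in_port}
        return {hit[0]}

def run_flood(port_security):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods bogus sources."""
    sw = ToySwitch(cam_size=256, aging=1000, max_macs_per_port=1 if port_security else None)
    sw.ports.update((1, 2, 3))
    A, B = "00:aa:00:00:00:01", "00:bb:00:00:00:02"    # constructed host MACs
    sw.forward(1, 10, A, B)                 # B not yet known: flooded, A learned on port 1
    sw.forward(2, 10, B, A)                 # B replies: learned on port 2
    before = sw.forward(1, 10, A, B)        # A -> B is now unicast to port 2 only
    for i in range(2000):                   # macof-style flood with ever-new source MACs
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 255)
        sw.forward(3, 10, bogus, "ff:ff:ff:ff:ff:ff")
    after = sw.forward(1, 10, A, B)         # where does A -> B go after the flood?
    return before, after, 3 in sw.shutdown
```

    Without the limit, B's entry ages out and cannot be re-learned into the full table, so A's frame is flooded to the attacker's port as well; with one MAC allowed per port, the second bogy source err-disables port 3 and A -> B stays on port 2.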

  2. #2
    Member
    Join Date: Apr 2007
    Posts: 532
    Reputation: 0

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION

    Thanx alooot Terkii

  3. #3
    Member
    Join Date: Jan 2006
    Posts: 135
    Country: Egypt
    Reputation: 0

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION

    Really good news, may God bless you
    A thousand thanks

  4. #4
    hisham_munshar (Silver Member)
    Join Date: Nov 2006
    Posts: 2,595
    Country: Palestinian Territory
    Reputation: 14

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION

    Thank you, and may God bless you

  5. #5
    mahmoud saad (Bronze Member)
    Join Date: Jan 2008
    Posts: 1,188
    Reputation: 12

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION

    May God reward you.
    We were hoping for an explanation in Arabic, using the English terms alongside?

  6. #6
    CiscoCertified (Member)
    Join Date: Jun 2007
    Posts: 558
    Reputation: 0

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION

    Quote: Originally posted by zezo1901
    Really good news, may God bless you
    A thousand thanks
    No Comment

  7. #7
    CiscoCertified (Member)
    Join Date: Jun 2007
    Posts: 558
    Reputation: 0

    Re: LAYER 2 SWITCHING ATTACKS AND MITIGATION



    Thanks for dropping by, guys.

    Any question or discussion, I am here for it.
