Understanding, Preventing, and Defending Against Layer 2 Attacks
Yusuf Bhaiji
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Caveats
All attacks and mitigation techniques assume a switched Ethernet network running IPIf it is a shared Ethernet access (WLAN, Hub, etc) most of these attacks get much easierIf you are not using Ethernet as your L2 protocol, some of these attacks may not work, but chances are, you are vulnerable to different types of attacks
New theoretical attacks can move to practical in days
All testing was done on Cisco Ethernet SwitchesEthernet switching attack resilience varies widely from vendor to vendor
This is not a comprehensive talk on configuring Ethernet switches for security: the focus is mostly access L2 attacks and their mitigation
These are IPv4 only attacks today
There are data center sessions for security, this is access ports for users
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Why Worry About Layer 2 Security?
Host B
Host A
Physical Links
MAC Addresses
IP Addresses
Protocols/Ports
Application Stream
Application
Presentation
Session
Transport
Network
Data Link
Physical
Application
Presentation
Session
Transport
Network
Data Link
Physical
OSI Was Built to Allow Different Layers to Work Without the Knowledge of Each Other
Lower Levels Affect Higher Levels
Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem
Security is only as strong as the weakest link
When it comes to networking, layer 2 can be a veryweak link
POP3, IMAP, IM, SSL, SSH
Physical Links
IP Addresses
Protocols/Ports
Initial Compromise
Application Stream
Compromised
Application
Presentation
Session
Transport
Network
Data Link
Physical
Application
Presentation
Session
Transport
Network
Data Link
Physical
Who Owns VLANS? NetOPS/SecOPS?
Questions
Security Policy for VLANs
Do you use VLANS often
Do you use VLANs for security?
What addresses are assigned per VLAN?
We have L2 security issues?
I use them all the time
Routing in and out of the same switch are fine, that is why we have a Layer 3 switch
Security Guy asks for a segment, I make a VLAN and give it some addresses
NetOPS
SecOPS
I handle it at L3 and above
I have no idea how often
It is a switch, why would I care?
I ask NetOPS they, they give me Ports and addresses
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Basic Trunk Port Defined
Trunk ports have access to all VLANS by default
Used to route traffic for multiple VLANS across the same physical link (generally between switches or phones)
Encapsulation can be 8021q or ISL
VLAN 10
VLAN 20
Trunk With:
Native VLAN
VLAN 10
VLAN 20
VLAN 20
VLAN 10
UPC
UPC
UPC
UPC
Dynamic Trunk Protocol (DTP)
What is DTP?Automates 8021x/ISL Trunk configurationOperates between switches (Cisco IP phone is a switch)Does not operate on routersSupport varies, check your device
DTP synchronizes the trunking mode on end links
DTP state on 8021q/ISL trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non-Negotiate”
DynamicTrunkProtocol
Basic VLAN Hopping Attack
An end station can spoof as a switch with ISL or 8021q
The station is then a member of all VLANs
Requires a trunking configuration of the Native VLAN to be VLAN 1
VLAN 10
Trunk With:Native VLANVLAN 10VLAN 20
VLAN 20
VLAN 10
Trunk With:
Native VLAN
VLAN 10
VLAN 20
UPC
UPC
UPC
UPC
Double 8021q Encapsulation VLAN Hopping Attack
Send 8021q double encapsulated frames
Switch performs only one level of decapsulation
Unidirectional traffic only
Works even if trunk ports are set to off
Strip Off First, and Send Back Out
8021q Frame
UPC
UPC
UPC
UPC
Note: Only Works if Trunk Has the Same VLAN as the Attacker
Security Best Practices for VLANs and Trunking
Always use a dedicated VLAN ID for all trunk ports
Disable unused ports and put them in an unused VLAN
Be paranoid: do not use VLAN 1 for anything
Disable auto-trunking on user facing ports (DTP off)
Explicitly configure trunking on infrastructure ports
Use all tagged mode for the Native VLAN on trunks
Use PC Voice VLAN Access on phones that support it
Use 8021q tag all on the trunk port
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
MAC Address/CAM Table Review
CAM table stands for Content Addressable Memory
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters
All CAM tables have a fixed size
00000cXXXXXX
48 Bit Hexadecimal Number Creates Unique Layer Two Address
123456789ABC
First 24 bits = Manufacture CodeAssigned by IEEE
Second 24 bits = Specific Interface, Assigned by Manufacture
00000cXXXXXX
All Fs = Broadcast
FFFFFFFFFFFF
Normal CAM Behavior (1/3)
MAC A
Port 1
Port 2
Port 3
MACPort
A1
C3
ARP for B
B Is UnknownFlood the Frame
UPC
MAC B
MAC C
UPC
UPC
Normal CAM Behavior (2/3)
MAC A
Port 1
Port 2
Port 3
A Is on Port 1
Learn:
B Is on Port 2
I Am MAC B
MACPort
A1
C3
B2
UPC
MAC B
MAC C
UPC
UPC
Normal CAM Behavior (3/3)
MAC A
MAC B
MAC C
Port 1
Port 2
Port 3
Traffic A -> B
B Is on Port 2
Does Not See Traffic to B
MACPortA1B2C3
UPC
UPC
UPC
CAM Overflow (1/2)
macof tool since 1999About 100 lines of perlIncluded in “dsniff”
Attack successful by exploiting the size limit on CAM tables
Yersiniaflavor of the month attack tool
CAM Overflow (2/2)
MAC A
MAC B
MAC C
Port 1
Port 2
Port 3
MACPort
A1
B2
C3
Y Is on Port 3
Z Is on Port 3
Y3
Z3
Traffic A -> B
I See Traffic to B!
Assume CAM Table Now Full
UPC
UPC
UPC
Mac Flooding Switches with macof
Macof sends random source MAC and IP addresses
Much more aggressive if you run the command“macof -i eth1 2> /dev/null” macof (part of dsniff)http://monkeyorg/~dugsong/dsniff/
macof i eth136:a1:48:63:81:70 15:26:8d:4d:28:f8 000026413 > 000049492: S 1094191437:1094191437(0) win 51216:e8:8:0:4d:9c da:4d:bc:7c:ef:be 000061376 > 000047523: S 446486755:446486755(0) win 51218:2a:de:56:38:71 33:af:9b:5:a6:97 000020086 > 00006728: S 105051945:105051945(0) win 512e7:5c:97:42:ec:1 83:73:1a:32:20:93 000045282 > 000024898: S 1838062028:1838062028(0) win 51262:69:d3:1c:79:ef 80:13:35:4:cb:d0 000011587 > 00007723: S 1792413296:1792413296(0) win 512c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 000019784 > 000057433: S 1018924173:1018924173(0) win 51288:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0000283 > 000011466: S 727776406:727776406(0) win 512b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 000032650 > 000011324: S 605528173:605528173(0) win 512e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 000036346 > 000055700: S 2128143986:2128143986(0) win 512
CAM Table Full
Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN
This will turn a VLAN on a switch basically into a hub
This attack will also fill the CAM tables of adjacent switches
101122 -> (broadcast)  ARP C Who is 10111, 10111 ?
101122 -> (broadcast)  ARP C Who is 101119, 101119 ?
101126 -> 101125    ICMP Echo request (ID: 256 Sequence number: 7424) OOPS
101125 -> 101126    ICMP Echo reply (ID: 256 Sequence number: 7424)OOPS
Countermeasures for MAC Attacks
pe02393_
Solution:
Port security limits MAC flooding attack and locks down port and sends an SNMP trap
00:0e:00:aa:aa:aa
00:0e:00:bb:bb:bb
132,000 Bogus MACs
Only 1 MAC Addresses Allowed on the Port: Shutdown
pe02393_
Port Security Limits the Amount of MACs on an Interface
Countermeasures for MAC Attackswith IP Phones
Phones can use 2 or 3 depending on the switch hardware and softwareSome switches look at the CDP traffic and some don’t, if they don’t, they need 2, if they do they need 3Some hardware (3550) will always need 3
Default config is disable port, might want to restrict for VoIP
This feature is to protect that switch, you can make the number anything you like as long as you don’t overrun the CAM table
Could use 2 or 3 MAC Addresses Allowed on the Port: Shutdown
pe02393_
IP Phone
Port Security: Example Config
Number is not to control access, it is to protect the switch from attack
Depending on security policy, disabling the port might be preferred, even with VoIP
Aging time of two and aging type inactivity to allow for phone CDP of one minute
CatOS
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity
IOS®
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
If Violation Error-Disable, the Following Log Message Will Be Produced: 4w6d: %PM-4-ERR_DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
Will Enable Voice to Work Under Attack
New Features for Port Security
Per port per VLAN max MAC addresses
Restrict now will let you know something has happenedyou will get an SNMP trap Everyone asked so Cisco did it
IOS®switchport port-security switchport port-security maximum 1 vlan voiceswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security aging time 2 switchport port-security aging type inactivitysnmp-server enable traps port-security trap-rate 5
New Commands
Port Security
In the past you would have to type in the onlyMAC you were going to allow on that port
You can now put a limit to how many MAC address a port will learn
You can also put timers in to state how long the MAC address will be bound to that switch port
You might still want to do static MAC entries on ports that there should be no movement of devices, as in server farms
CHANGE XXX called “Sticky Port Security”, settings will survive reboot (not on all switches)
Not All Port Security Created Equal
Port Security: What to Expect
The performance hit seen with multiple attacks happening at one time is up to 99% CPU utilization
Because the process is a low priority, on all switches packets were not dropped
Telnet and management were still available
Would want to limit the SNMP message, don’t want 1000’s
Voice MOS scores under attack were very good, as long as QoS was configured
MOSMean Opinion Scorehttp://enwikipediaorg/wiki/Mean_Opinion_Score
Notice: When Using the Restrict Feature of Port Security, if the Switch Is Under Attack, You Will See a Performance Hit on the CPU
Building the Layers
Port Security prevents CAM attacks and DHCP starvation attacks
Port Security
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
DHCP Function: High Level
Server dynamically assigns IP address on demand
Administrator creates pools of addresses available for assignment
Address is assigned with lease time
DHCP delivers other configuration information in options
Send My Configuration Information
Client
IP Address: 101010101Subnet Mask: 2552552550Default Routers: 1010101DNS Servers: 192168104, 192168105Lease Time: 10 days
Here Is Your Configuration
UPC
File Server_Updated2005
DHCP Server
DHCP Function: Lower Level
DHCP defined by RFC 2131
DHCP Server
Client
DHCP Discover (Broadcast)
DHCP Offer (Unicast)
DHCP Request (Broadcast)
DHCP Ack (Unicast)
UPC
File Server_Updated2005
DHCP Function: Lower Level
DHCP Request/Reply Types
Message
Use

DHCPDISCOVER
Client Broadcast to Locate Available Servers

DHCPOFFER
Server to Clientin Response to DHCPDISCOVER with Offer of Configuration Parameters

DHCPREQUEST
Client Message to Servers Either (a) Requesting Offered Parameters from One Server and Implicitly Declining Offers from All Others, (b) Confirming Correctness of Previously Allocated Address After, eg, System Reboot, or (c) Extending the Lease on a Particular Network Address

DHCPACK
Server to Client with Configuration Parameters, Including Committed Network Address

DHCPNAK
Server to ClientIndicating Client’s Notion of Network Address Is Incorrect (eg, Client Has Moved to New Subnet) or Client’s Lease As Expired

DHCPDECLINE
Client to Server Indicating Network Address Is Already in Use

DHCPRELEASE
Client to Server Relinquishing Network Address and Canceling Remaining Lease

DHCPINFORM
Client to Server, Asking Only for Local Configuration Parameters; Client Already Has Externally Configured Network Address

DHCP Function: Lower Level
Transaction ID (XID)
OP Code
HardwareType
Hardware
Length
HOPS
Your IP Address (YIADDR)
Seconds
Client IP Address (CIADDR)
Server IP Address (SIADDR)
Gateway IP Address (GIADDR)
Flags
Server Name (SNAME)64 bytes
Filename128 bytes
DHCP Options
Client Hardware Address (CHADDR)16 bytes
IPv4 DHCP Packet Format
DHCP Attack TypesDHCP Starvation Attack
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
This is a Denial of Service DoS attack using DHCP leases
DHCP Discovery (Broadcast) x (Size of Scope)
DHCP Offer (Unicast) x (Size of DHCPScope)
DHCP Request (Broadcast) x (Size of Scope)
DHCP Ack (Unicast) x (Size of Scope)
Client
Gobbler
DHCP
Server
pe02393_
UPC
File Server_Updated2005
Countermeasures for DHCP AttacksDHCP Starvation Attack = Port Security
pe02393_
Gobbler uses a new MAC address to request a new DHCP lease
Restrict the number of MAC addresses on an port
Will not be able to lease more IP address then MAC addresses allowed on the port
In the example the attacker would get one IP address from the DHCP server
Client
Gobbler
DHCPServer
CatOSset port security 5/1 enableset port security 5/1 port max 1set port security 5/1 violation restrictset port security 5/1 age 2set port security 5/1 timer-type inactivityIOSswitchport port-security switchport port-security maximum 1 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity
UPC
File Server_Updated2005
DHCP Attack TypesRogue DHCP Server Attack
File Server_Updated2005
Client
DHCP
Server
Rogue Server or Unapproved
laptop
DHCP Discovery (Broadcast)
DHCP Offer (Unicast) from Rogue Server
DHCP Request (Broadcast)
DHCP Ack (Unicast) from Rogue Server
pe02393_
UPC
File Server_Updated2005
DHCP Attack TypesRogue DHCP Server Attack
What can the attacker do if he is the DHCP server?
IP Address: 101010101Subnet Mask: 2552552550Default Routers: 1010101DNS Servers: 192168104, 192168105Lease Time: 10 days
Here Is Your Configuration
What do you see as a potential problem with incorrect information?Wrong Default GatewayAttacker is the gatewayWrong DNS serverAttacker is DNS server Wrong IP AddressAttacker does DOS with incorrect IP
Countermeasures for DHCP AttacksRogue DHCP Server = DHCP Snooping
File Server_Updated2005
By default all ports in the VLAN are untrusted
Client
DHCP
Server
Rogue Server
laptop
Trusted
Untrusted
Untrusted
DHCP Snooping Enabled
DHCP Snooping UntrustedClient
Interface Commandsno ip dhcp snooping trust (Default)ip dhcp snooping limit rate 10 (pps)
IOSGlobal Commandsip dhcp snooping vlan 4,104no ip dhcp snooping information optionip dhcp snooping
DHCP Snooping TrustedServer
or Uplink
BAD DHCP Responses:
offer, ack, nak
OK DHCP Responses: offer, ack, nak
Interface Commands
ip dhcp snooping trust
pe02393_
UPC
File Server_Updated2005
Countermeasures for DHCP AttacksRogue DHCP Server = DHCP Snooping
File Server_Updated2005
Table is built by “Snooping” the DHCP reply to the client
Entries stay in table until DHCP lease time expires
Client
DHCPServer
Rogue Server
laptop
Trusted
Untrusted
Untrusted
DHCP Snooping Enabled
BAD DHCP Responses: offer, ack, nak
OK DHCP Responses: offer, ack, nak
DHCP Snooping Binding Table
pe02393_
UPC
sh ip dhcp snooping binding
MacAddress              IpAddress        Lease(sec)   Type                   VLAN    Interface
--------------------------------------------------------------------------------
00:03:47:B5:9F:AD    10120410      193185          dhcp-snooping    4         FastEthernet3/18
File Server_Updated2005
Advanced Configuration DHCP Snooping
Not all operating system (Linux) re DHCP on link down
In the event of switch failure, the DHCP Snooping Binding Table can be written to bootflash, ftp, rcp, slot0, and tftp
This will be critical in the next section
ip dhcp snooping database tftp://1722616810/tftpboot/tulledge/ngcs-4500-1-dhcpdbip dhcp snooping database write-delay 60
Advanced Configuration DHCP Snooping
Gobbler uses a unique MAC for each DHCP request and Port Security prevents Gobbler
What if the attack used the same interface MAC address, but changed the Client Hardware Address in the request?
Port Security would not work for that attack
The switches check the CHADDR field of the request to make sure it matches the hardware MAC in the DHCP Snooping Binding table
If there is not a match, the request is dropped at the interface
Transaction ID (XID)
OP Code
Hardware
Type
Hardware
Length
HOPS
Your IP Address (YIADDR)
Seconds
Client IP Address (CIADDR)
Server IP Address (SIADDR)
Gateway IP Address (GIADDR)
Flags
Server Name (SNAME)64 bytes
Filename128 bytes
DHCP Options
Client Hardware Address (CHADDR)16 bytes
Note: some switches have this on by default, and others don’t; please check the documentation for settings
DHCP Rogue Server
If there are switches in the network that will not support DHCP Snooping, you can configure VLAN ACLs to block UDP Port 68
set security acl ip ROGUE-DHCP permit udp host 192021 any eq 68set security acl ip ROGUE-DHCP deny udp any any eq 68set security acl ip ROGUE-DHCP permit ip any anyset security acl ip ROGUE-DHCP permit udp host 101199 any eq 68
DHCP Server101199
Router192021
Will not prevent the CHADDR DHCP Starvation attack
UPC
File Server_Updated2005
Summary of DHCP Attacks
DHCP Starvation attacks can be mitigated by Port Security
Rogue DHCP servers can be mitigated by DHCP Snooping features
When configured with DHCP Snooping, all ports in the VLAN will be “Untrusted” for DHCP replies
Check default settings to see if the CHADDR field is being checked during the DHCP request
Unsupported switches can run ACLs for partial attack mitigation (can not check the CHADDR field)
DHCP Snooping Capacity
sh ip dhcp snooping binding
MacAddress              IpAddress        Lease(sec)   Type                   VLAN    Interface
--------------------------------------------------------------------------------
00:03:47:B5:9F:AD    10120410      193185          dhcp-snooping    4         FastEthernet3/18
All DHCP Snooping Binding tables have limits
All entries stay in the binding table until the lease runs out
If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed
Building the Layers
Port Security prevents CAM Attacks and DHCP Starvation attacks
DHCP Snooping prevents Rogue DHCP Server attacks
DHCP
Snooping
Port Security
Agenda
Layer 2 Attack Landscape
Attacks and Counter measuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
ARP Function Review
Before a station can talk to another station it mustdo an ARP request to map the IP address to theMAC addressThis ARP request is broadcast using protocol0806
All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply
UPC
UPC
UPC
UPC
Who Is 10114?
I Am 10114MAC A
ARP Function Review
According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
Anyone can claim to be the owner of any IP/MAC address they like
ARP attacks use this to redirect traffic
UPC
UPC
UPC
UPC
You Are  10111
MAC A
I Am  10111
MAC A
You Are  10111
MAC A
You Are  10111
MAC A
ARP Attack Tools
Many tools on the Net for ARP man-in-the-middle attacksDsniff, Cain & Abel, ettercap, Yersinia, etc
ettercaphttp://ettercapsourceforgenet/indexphpSome are second or third generation of ARP attack toolsMost have a very nice GUI, and is almost point and clickPacket Insertion, many to many ARP attack
All of them capture the traffic/passwords of applications FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, etc…
ARP Attack Tools
Ettercap in action
As you can see runs in Window, Linux, Mac
Decodes passwords on the fly
This example, telnet username/ password is captured
ettercap_demo5
ARP Attack Tools: SSH/SSL
Using these tools SSL/SSH sessions can be intercepted and bogus certificate credentials can be presented
Once you have excepted the certificate, all SSL/SSH traffic for all SSL/SSH sites can flow through the attacker
ARP Attack in Action
Attacker “poisons” the ARP tables
10111
MAC A
10112
MAC B
10113
MAC C
10112 Is Now MAC C
10111 Is Now MAC C
ARP 10111 Saying 10112 is MAC C
pe02393_
UPC
ARP 10112 Saying 10111 is MAC C
ARP Attack in Action
pe02393_
UPC
All traffic flows through the attacker
10111MAC A
Transmit/ReceiveTraffic to10111 MAC C
Transmit/Receive Traffic to10112 MAC C
10112
MAC B
10113
MAC C
10112 Is Now MAC C
10111 Is Now MAC C
ARP Attack Clean Up
10112 Is Now MAC B
pe02393_
UPC
Attacker corrects ARP tables entries
Traffic flows return to normal
10111 Is Now MAC A
ARP 10111 Saying 10112 Is MAC B
ARP 10112 Saying 10111 Is MAC A
10111MAC A
10112MAC B
10113
MAC C
Countermeasures to ARP Attacks: Dynamic ARP Inspection
Uses the DHCP Snooping Binding table information
Dynamic ARP InspectionAll ARP packets must match the IP/MAC Binding table entriesIf the entries do not match, throw them in the bit bucket
Is This Is My Binding Table?
NO!
None Matching ARPs in the Bit Bucket
10111MAC A
10112MAC B
10113MAC C
ARP 10111 Saying 10112 is MAC C
ARP 10112 Saying 10111 is MAC C
DHCP Snooping Enabled Dynamic ARP Inspection Enabled
pe02393_
UPC
Countermeasures to ARP Attacks: Dynamic ARP Inspection
Uses the information from the DHCP Snooping Binding table
Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding, it not, traffic is blocked
sh ip dhcp snooping binding
MacAddress              IpAddress        Lease(sec)   Type                   VLAN    Interface
--------------------------------------------------------------------------------
00:03:47:B5:9F:AD    10120410      193185          dhcp-snooping    4         FastEthernet3/18
Countermeasures to ARP Attacks:Dynamic ARP Inspection
DHCP Snooping had to be configured so the binding table it built
DAI is configured by VLAN
You can trust an interface like DHCP Snooping
Be careful with rate limitingvaries between platforms
Suggested for voice is to set the rate limit above the default if you feel dial tone is important
Configuration of Dynamic ARP Inspection (DAI)
Countermeasures to ARP Attacks:Dynamic ARP Inspection
IOSGlobal Commandsip dhcp snooping vlan 4,104no ip dhcp snooping information optionip dhcp snoopingip arp inspection vlan 4,104ip arp inspection log-buffer entries 1024ip arp inspection log-buffer logs 1024 interval 10Interface Commandsip dhcp snooping trustip arp inspection trust
IOSInterface Commandsno ip arp inspection trust (default)ip arp inspection limit rate 15(pps)
Dynamic ARP Inspection Commands
Countermeasures to ARP Attacks:Dynamic ARP Inspection
sh log:
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183([0003472d8b0f/10101062/000000000000/1010102/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183([0003472d8b0f/10101062/000000000000/1010103/12:19:27 UTC Wed Apr 19 2000])
Error Messages in Show Log
Non DHCP Devices
Can use Static bindings in the DHCP Snooping Binding table
IOSGlobal Commandsip source binding 000000000001 vlan 4 10010200 interface fastethernet 3/1
IOSShow Commandsshow ip source binding
Show static and dynamic entries in the DHCP Snooping Binding table is different
Binding Table Info
No entry in the binding tableno traffic!
Wait until all devices have new leases before turning on Dynamic ARP Inspection
Entrees stay in table until the lease runs out
All switches have a binding size limit3000 switches2500 entrees 4000 switches4000 entrees (6000 for the SupV-10GE)6000 switches16,000 entrees
Summary of ARP Attacks
Dynamic ARP Inspection prevents ARP attacks by intercepting all ARP requests and responses
DHCP Snooping must be configured first, otherwise there is no binding table for dynamic ARP Inspection to use
The DHCP Snooping table is built from the DHCP request, but you can put in static entriesIf you have a device that does not DHCP, but you would like to turn on Dynamic ARP Inspection, you would need a static entry in the table
More ARP Attack Information
Some IDS systems will watch for an unusually high amount of ARP traffic
ARPWatch is freely available tool to track IP/MAC address pairingsCautionyou will need an ARPWatch server on every VLAN Hard to manage and scaleYou can still do static ARP for critical routers and hosts (administrative pain)
Building the Layers
Port security prevents CAM attacks and DHCP Starvation attacks
DHCP snooping prevents rogue DHCP server attacks
Dynamic ARP inspection prevents current ARP attacks
DAI
DHCP
Snooping
Port Security
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Spoofing Attacks
MAC spoofing If MACs are used for network access an attacker can gain access to the networkAlso can be used to take over someone’s identity already on the network
IP spoofingPing of deathICMP unreachable stormSYN floodTrusted IP addresses can be spoofed
Spoofing Attack: MAC
Attacker sends packets with the incorrect source  MAC address
If network control is by MAC address, the attacker now looks like 10112
10111MAC A
10112MAC B
10113
MAC C
Received Traffic
Source Address
10113
Mac B
Traffic Sent with MAC B Source
pe02393_
UPC
Spoofing Attack: IP
Attacker sends packets with the incorrect sourceIP Address
Whatever device the packet is sent to will never reply to the attacker
10111MAC A
10112MAC B
10113MAC C
Received TrafficSource IP10112Mac C
Traffic Sent with IP 10112Source
pe02393_
UPC
Spoofing Attack: IP/MAC
Attacker sends packets with the incorrect source IP and MAC address
Now looks like a device that is already on the network
10111
MAC A
10112
MAC B
10113
MAC C
Received Traffic
Source IP
10112
Mac B
Traffic Sent with IP10112MAC B Source
pe02393_
UPC
Countermeasures to Spoofing Attacks:IP Source Guard
pe02393_
UPC
Uses the DHCP Snooping Binding Table Information
IP Source GuardOperates just like Dynamic ARP Inspection, but looks at every packet, not just ARP Packet
Is This Is My Binding Table?
NO!
Non Matching Traffic Dropped
10111MAC A
10113MAC C
Received Traffic Source IP 10112
Mac B
10113
MAC C
Traffic Sent with
IP 10113
Mac B
Traffic Sent with IP  10112  
Mac C
DHCP Snooping Enabled Dynamic ARP Inspection Enabled IP Source Guard Enabled
10112
MAC B
Countermeasures to Spoofing Attacks:IP Source Guard
Uses the information from the DHCP Snooping Binding table
Looks at the MacAddress and IpAddress fields to see if the traffic from the interface is in the binding table, it not, traffic is blocked
sh ip dhcp snooping bindingMacAddress              IpAddress        Lease(sec)   Type                   VLAN    Interface--------------------------------------------------------------------------------00:03:47:B5:9F:AD    10120410      193185          dhcp-snooping    4         FastEthernet3/18
Countermeasures to Spoofing Attacks:IP Source Guard
Configuration of IP Source Guard
DHCP Snooping had to be configured so the binding table it built
IP Source Guard is configured by port
IP Source Guard with MAC does not learn the MAC from the device connected to the switch, it learns it from the DHCP Offer
There are very few DHCP servers that support Option 82 (relay information option) for DHCP
If you do not have an Option 82 enabled DHCP you most likely will not get an IP address on the client
Note: There Are at Least Two DHCP Servers That Support Option 82 Field Cisco Network Registrar®and Avaya
Clear Up Source Guard
MAC and IP checking can be turned on separately or togetherFor IPWill work with the information in the binding tableFor MACMust have an Option 82 enabled DHCP server (Microsoft does not support option 82)Have to Change all router configuration to support Option 82All Layer 3 devices between the DHCP request and the DHCP server will need to be configured to trust the Option 82 DHCP Requestip dhcp relay information trust
Most enterprises do not need to check the MAC address with IPSGThere are no known, good attacks that can use this information in an enterprise network
Countermeasures to Spoofing Attacks:IP Source Guard
IOS
Global Commands
ip dhcp snooping vlan 4,104
ip dhcp snooping information option
ip dhcp snooping
Interface Commands
ip verify source vlan dhcp-snooping
port-security
IP Source Guard Configuration IP/MAC Checking Only (Opt 82)
IOSGlobal Commandsip dhcp snooping vlan 4,104no ip dhcp snooping information optionip dhcp snoopingInterface Commandsip verify source vlan dhcp-snooping
IP Source Guard Configuration IP Checking Only (no Opt  82)What most Enterprises Will Run
IP Source Guard
Building the Layers
Port security prevents CAM attacks and DHCP Starvation attacks
DHCP Snooping prevents Rogue DHCP Server attacks
Dynamic ARP Inspection prevents current ARP attacks
IP Source Guard prevents IP/MAC Spoofing
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Spanning Tree Basics
STP Purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure
STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include: configuration, topology change notification/acknowledgment (TCN/TCA); most have no “payload”
Avoiding loops ensures broadcast traffic does not become storms
A ‘Tree-Like’ Loop-Free Topology Is Established from the Perspective of the Root Bridge
A Switch Is Elected as RootRoot Selection Is Based on the Lowest Configured Priority of any Switch 065535
X
UPC
UPC
Root
Spanning Tree Attack Example
Access Switches
Root
Root
Blocked
pe02393_
Send BPDU messages to become root bridge
Spanning Tree Attack Example
Send BPDU messages to become root bridgeThe attacker then sees frames he shouldn’tMITM, DoS, etc all possibleAny attack is very sensitive to the original topology, trunking, PVST, etcAlthough STP takes link speed into consideration, it is always done from the perspective of the root bridge  Taking a Gb backbone to half-duplex 10 Mb was verified Requires attacker is dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)
Access Switches
Root
Root
Root
Blocked
pe02393_
STP Attack Mitigation
Try to design loop-free topologies where ever possible, so you do not need STP
Don’t disable STP, introducing a loop would become another attack
BPDU Guard
Should be run on all user facing ports and infrastructure facing portsDisables ports using portfast upon detection of a BPDU message on the portGlobally enabled on all ports running portfastAvailable in Catalyst OS 541 for Cat 2K, 4K, 5K, and 6K; 120XE for native Cisco IOS 6K; 121(8a)EW for 4K IOS; 121(4)EA1 for 3550; 121(6)EA2 for 2950
CatOS> (enable)set spantree portfast bpdu-guard enable IOS(config)#spanning-tree portfast bpduguard
STP Attack Mitigation
Root GuardDisables ports who would become the root bridge due to their BPDU advertisementConfigured on a per port basisAvailable in Catalyst OS 611 for Catalyst 29XX, 4K, 5K, and 6K; 120(7) XE for native Cisco IOS 6K, 121(8a)EW for 4K Cisco IOS; 29/3500XL in 120(5)XU; 3550 in 121(4)EA1; 2950 in 121(6)EA2
CatOS> (enable) set spantree guard root 1/1  IOS(config)#spanning-tree guard root (or rootguard)
Cisco Discovery Protocol (CDP)
Notnormally an attack
Runs at Layer 2 and allows Cisco devices to chat with one another
Can be used to learn sensitive information about the CDP sender (IP address, software version, router model …)
CDP is in the clear and unauthenticated
Consider disabling CDP, or being very selective in its use in security sensitive environments
Used by Cisco IPT for Network Management
Note: there was a reason Cisco developed CDP, some Cisco apps make use of it!
CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)#no cdp run
IOS(config-if)#no cdp enable
CDP Attacks
Besides the information gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent it tons of bogus CDP packets
If you need to run CDP, be sure to use Cisco IOS code with minimum version numbers: 122(36)B, 122(41)S, 122(36)PB, 122(36)T, 121(101), 122(36) or CatOS code 63, 55, or 71 and later
Problem was due to improper memory allocation for the CDP process (basically there was no upper limit)
For more information:http://wwwciscocom/warp/public/707/cdp_issueshtmlhttp://wwwkbcertorg/vuls/id/139491
Switch Management
Management can be your weakest linkAll the great mitigation techniques we talked about aren’t worth much if the attacker telnets into your switch and disables them
Most of the network management protocols we know and love are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc)
Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP etc), where impossible, consider out of band (OOB) managementPut the management VLAN into a dedicated non-standard VLAN where nothing but management traffic residesConsider physically back-hauling this interface to your management network
When OOB management is not possible, at least limit access to the management protocols using the “set ip permit” lists on the management protocols
SSH is available on Catalyst 6K with Catalyst OS 61 and Catalyst 4K/29XXG with Catalyst OS 63; 3550 in 121(11)EA1; 2950 in 121(12c)EA1; Cisco IOS 6K 121(5c)E12; IOS 4K in 121(13)EW
Agenda
Layer 2 Attack Landscape
Attacks and Counter MeasuresVLAN HoppingMAC AttacksDHCP AttacksARP AttacksSpoofing AttacksGeneral Attacks
Summary
Building the Layers
Port security prevents CAM attacks and DHCP Starvation attacks
DHCP snooping prevents Rogue DHCP Server attacks
Dynamic ARP Inspection prevents current ARP attacks
IP Source Guard prevents IP/MAC Spoofing
Layer 2 Security Best Practices (1/2)
Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc)
Always use a dedicated VLAN ID for all trunk ports
Be paranoid: do not use VLAN 1 for anything
Set all user ports to non trunking (unless you are Cisco VoIP)
Deploy port-security where possible for user ports
Selectively use SNMP and treat community strings like root passwords
Have a plan for the ARP security issues in your network (ARP inspection, IDS, etc)
Layer 2 Security Best Practices (2/2)
Enable STP attack mitigation (BPDU Guard, Root Guard)
Decide what to do about DHCP attacks (DHCP Snooping, VACLs)
Use MD5 authentication for VTP
Use CDP only where necessarywith phones it is useful
Disable all unused ports and put them in an unused VLAN
All of thePreceding Features Are Dependent on Your Own Security Policy
Q and A
LIG00724