Analysis of why switches are attacked

Source: Internet
Author: User
Tags: switches

According to IDC, the switch market has kept up strong growth in recent years and is expected to reach $1.51 billion by 2009. The switch holds an important position in the enterprise network, usually forming the core of the whole network, and that position makes it a focus of hacker intrusion and virus outbreaks. To protect their networks, enterprises need a full understanding of the switch vulnerabilities present on the local area network. The following are five ways in which switch vulnerabilities are exploited.

VLAN hopping attack

A virtual local area network (VLAN) is a way of segmenting broadcast domains. VLANs are also often used to provide additional security, because computers on one VLAN cannot talk to hosts on another VLAN unless traffic is explicitly routed between them. A VLAN by itself, however, is not enough to protect the environment: through a VLAN hopping attack, a malicious hacker can jump from one VLAN to another even without authorization.

VLAN hopping attacks rely on the Dynamic Trunking Protocol (DTP), a Cisco proprietary protocol. When two switches are interconnected, DTP lets them negotiate whether the link between them should become an 802.1Q trunk; the negotiation is driven by the configured state of the two ports.

VLAN hopping makes full use of DTP. In the attack, the hacker's computer poses as another switch and sends forged DTP negotiation messages announcing that it wants to form a trunk. When the real switch receives this DTP message it concludes that it should enable 802.1Q trunking on that port, and once trunking is enabled, traffic from every VLAN is carried to the hacker's computer. Figure 1 illustrates this process. The attack only works on ports left in DTP auto or desirable mode; hard-setting user-facing ports as access ports and disabling DTP negotiation on them (switchport mode access together with switchport nonegotiate on Cisco IOS) closes it.

Once the trunk is established, the hacker can sniff the traffic of every VLAN, and can also direct attack traffic into a chosen VLAN by adding an 802.1Q tag carrying that VLAN's ID to each frame.
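The tagging step above, as an added example that is not part of the original article: it builds 802.1Q-tagged Ethernet frames with the standard library only, parses the tag stack back out, and models what a trunk port does with a frame whose outer tag is the trunk's native VLAN (it is sent untagged). That last step goes beyond the text: with two tags stacked, the downstream switch sees the inner tag and places the frame in that VLAN, which is the double-tagging variant of VLAN hopping. The DTP negotiation itself is not modelled; DTP is a proprietary frame format and is not reproduced here. MAC addresses, VLAN IDs and the payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_P_IP = 0x0800


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def vlan_tag(vid, pcp=0, dei=0):
    """One 4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, vids, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more 802.1Q tags, outermost first.
    One tag is what an attacker on a negotiated trunk uses to pick the
    target VLAN; two tags is the double-tagging variant."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        frame += vlan_tag(vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids...], ethertype, payload) for a possibly tagged frame."""
    dst, src = frame[:6], frame[6:12]
    offset, vids = 12, []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)      # low 12 bits are the VLAN ID
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vids, ethertype, frame[offset + 2:]


def trunk_egress(frame, native_vid):
    """Model a trunk port forwarding a frame: a frame whose outer VID equals the
    trunk's native VLAN leaves untagged, exposing any second tag underneath."""
    vids = parse_frame(frame)[2]
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]   # drop the outer 4-byte tag
    return frame


def forwarded_vlan(frame, native_vid):
    """VLAN the downstream switch assigns the frame after one trunk hop:
    the (new) outer tag if one remains, else the native VLAN."""
    vids = parse_frame(trunk_egress(frame, native_vid))[2]
    return vids[0] if vids else native_vid


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19            # constructed stand-in for an IP header
    attacker = "00:0c:29:aa:bb:cc"              # constructed attacker MAC
    single = build_frame("ff:ff:ff:ff:ff:ff", attacker, [20], payload)
    double = build_frame("ff:ff:ff:ff:ff:ff", attacker, [1, 20], payload)
    print("single tag, trunk native 1 ->", forwarded_vlan(single, 1))
    print("double tag, trunk native 1 ->", forwarded_vlan(double, 1))
    print("double tag, trunk native 99 ->", forwarded_vlan(double, 99))
```

The last line of the demo is the practical defence against the double-tagging variant: when the native VLAN of the trunk is an unused VLAN (here 99) the outer tag is never stripped, so the frame stays in VLAN 1 instead of landing in VLAN 20.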

Spanning tree attack

The Spanning Tree Protocol (STP) keeps a redundantly connected switched environment free of loops. If the network contains a loop, frames circulate endlessly: the links congest, broadcast storms occur, MAC tables become inconsistent, and the network collapses.

All switches running STP share information through Bridge Protocol Data Units (BPDUs), which are sent every two seconds. Each BPDU carries a label called the bridge ID, formed from a configurable priority (default 32768) and the base MAC address of the switch. By exchanging BPDUs the switches determine which of them has the lowest bridge ID, and that switch becomes the root bridge.

A root bridge is like the grocery store in a small town: every town needs one, and every citizen works out the best route to it. Routes longer than the best route are not used unless the main road is blocked.

The root bridge works much the same way. Every other switch determines its best route back to the root bridge based on cost, where the cost of a link is derived from its bandwidth. Any other route that would form a loop is placed in blocking mode and is used only if the primary route fails.

A malicious hacker can exploit STP to launch a denial-of-service (DoS) attack. If the hacker connects a computer to one or more switches and sends carefully crafted BPDUs carrying a low bridge ID, the switches are fooled into accepting the computer as the root bridge. STP then reconverges; while the topology is recomputed, traffic is disrupted and transient loops can appear, and by repeating the forged BPDUs the hacker keeps the network in continual reconvergence until it effectively crashes. The standard defences are BPDU guard on access ports, which shuts a port down as soon as any BPDU arrives on it, and root guard on ports that must never lead toward the root, which refuses a BPDU advertising a better root than the current one.
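The BPDU and the root election it drives, as an added example that is not part of the original article: it packs an IEEE 802.1D configuration BPDU with the standard library, decodes it, runs the election rule (lowest root ID wins, priority first and MAC second), and implements the root guard check described above, which is what a switch should do with a superior BPDU arriving on a port that should never lead to the root. The bridge MAC addresses are constructed sample values; the LLC/Ethernet encapsulation around the BPDU is omitted.

```python
import struct

# IEEE 802.1D configuration BPDU, 35 bytes, big-endian:
#   protocol id (2) | version (1) | type (1) | flags (1) | root id (8) |
#   root path cost (4) | bridge id (8) | port id (2) |
#   message age (2) | max age (2) | hello time (2) | forward delay (2)
# The four timer fields are in units of 1/256 second.
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35
BPDU_TYPE_CONFIG = 0x00
DEFAULT_PRIORITY = 32768


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def bridge_id(priority, mac):
    """Classic 802.1D bridge ID: 16-bit priority followed by the base MAC.
    Comparing the 8 raw bytes compares priority first and MAC second, which
    is exactly the order the root election uses."""
    return struct.pack("!H", priority) + mac_bytes(mac)


def build_config_bpdu(priority, mac, root=None, root_path_cost=0, port_id=0x8001):
    """Config BPDU as a bridge sends it. A bridge that believes itself to be
    the root advertises its own ID as root with a path cost of 0."""
    own = bridge_id(priority, mac)
    return struct.pack(
        BPDU_FMT,
        0x0000,                         # protocol identifier: spanning tree
        0x00,                           # protocol version: STP
        BPDU_TYPE_CONFIG,
        0x00,                           # flags: no topology change bits
        own if root is None else root,
        root_path_cost,
        own,
        port_id,
        0,                              # message age
        20 * 256,                       # max age 20 s
        2 * 256,                        # hello time 2 s
        15 * 256,                       # forward delay 15 s
    )


def parse_config_bpdu(data):
    """Decode a config BPDU into a dict; raise ValueError if it is not one."""
    if len(data) < BPDU_LEN:
        raise ValueError("short BPDU")
    (proto, version, btype, flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or btype != BPDU_TYPE_CONFIG:
        raise ValueError("not a config BPDU")
    return {"root_id": root, "root_priority": struct.unpack("!H", root[:2])[0],
            "root_path_cost": cost, "bridge_id": bridge, "port_id": port,
            "message_age": age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd / 256}


def elect_root(bpdus):
    """Root ID the network converges on: the numerically lowest root ID seen."""
    return min(parse_config_bpdu(b)["root_id"] for b in bpdus)


def root_guard(expected_root_id, bpdu):
    """Root guard for a port that must never lead to the root. True when the
    incoming BPDU claims a root superior (lower) to the one we expect, in
    which case the port is put into root-inconsistent state rather than
    letting the topology reconverge around the sender."""
    return parse_config_bpdu(bpdu)["root_id"] < expected_root_id


if __name__ == "__main__":
    legit_id = bridge_id(DEFAULT_PRIORITY, "00:1b:0c:aa:bb:cc")   # constructed MACs
    legit = build_config_bpdu(DEFAULT_PRIORITY, "00:1b:0c:aa:bb:cc")
    rogue = build_config_bpdu(0, "00:0c:29:11:22:33")            # priority 0: attacker
    print("root without attacker:", elect_root([legit]).hex())
    print("root with attacker:   ", elect_root([legit, rogue]).hex())
    print("root guard fires on rogue BPDU:", root_guard(legit_id, rogue))
```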

MAC table flooding attack

A switch works by recording the source MAC address of each frame as it enters the switch and associating that MAC address with the ingress port, so that traffic destined for the MAC address is afterwards sent out only through that port. This improves bandwidth utilization, because traffic no longer has to be sent out of every port, only out of the port that needs to receive it.

MAC addresses are stored in content-addressable memory (CAM), a fixed-size memory region (128K on the switches described here) designed for fast lookup of MAC addresses. If a malicious hacker sends a large number of frames with different forged source addresses, the CAM table fills up. The switch can then no longer learn legitimate addresses, and as their entries age out it falls back to flooding traffic for them out of every port, so the attacker can sniff other hosts' traffic; in the worst case the switch crashes in a denial of service. Port security, which limits the number of MAC addresses a port is allowed to learn, is the standard countermeasure.
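The fill-then-flood behaviour, as an added example that is not part of the original article: a small model of a CAM table with a fixed number of entries and an aging timer is driven through the attack, and a port-security style check is run over the same ingress records. Capacity (1024 entries), aging (300 seconds), port numbers and MAC addresses are constructed values chosen to keep the run short; the eviction policy (a full table refuses new addresses until an entry ages out) is an assumption about switch behaviour, stated here so the result can be read correctly.

```python
class CamTable:
    """Model of a switch MAC (CAM) table: a fixed number of entries, each
    aged out after `aging` seconds without a frame from that source."""

    def __init__(self, capacity, aging=300):
        self.capacity = capacity
        self.aging = aging
        self.entries = {}    # mac -> [port, last_seen]

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.entries.items() if now - seen > self.aging]
        for mac in stale:
            del self.entries[mac]

    def learn(self, src_mac, port, now):
        """Source learning on ingress. False when the table is full and the
        address could not be learned (assumed policy: no eviction)."""
        self._expire(now)
        if src_mac in self.entries:
            self.entries[src_mac] = [port, now]
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[src_mac] = [port, now]
        return True

    def forward(self, dst_mac, now):
        """Egress decision: the learned port, or 'FLOOD' (every port) for an
        unknown unicast destination."""
        self._expire(now)
        return self.entries[dst_mac][0] if dst_mac in self.entries else "FLOOD"


def fake_mac(i):
    """Deterministic locally administered source MAC for the i-th flood frame."""
    return "02:00:%02x:%02x:%02x:%02x" % ((i >> 24) & 0xff, (i >> 16) & 0xff,
                                          (i >> 8) & 0xff, i & 0xff)


def port_security_violations(frames, max_macs):
    """Port-security style check over (port, src_mac) ingress records: the
    ports that sourced more distinct MAC addresses than allowed."""
    seen = {}
    for port, mac in frames:
        seen.setdefault(port, set()).add(mac)
    return sorted(p for p, macs in seen.items() if len(macs) > max_macs)


def simulate_flood(capacity=1024, attacker_port=7):
    """Replay the attack against a table of `capacity` entries and report where
    a victim's traffic goes before, during and after the table fills."""
    cam = CamTable(capacity)
    victim, victim_port = "05:1c:32:00:a1:99", 1     # constructed victim
    cam.learn(victim, victim_port, now=0)
    before = cam.forward(victim, now=1)

    # Attacker sends capacity+100 frames, each from a different forged source.
    frames = [(attacker_port, fake_mac(i)) for i in range(capacity + 100)]
    learned = sum(cam.learn(mac, port, now=1) for port, mac in frames)
    during = cam.forward(victim, now=2)              # victim entry still valid

    # Attacker keeps the forged entries fresh; the victim stays quiet.
    for port, mac in frames:
        cam.learn(mac, port, now=200)
    # Past the aging time the victim's entry is gone. The attacker's next burst
    # takes the freed slot, so the victim cannot be re-learned...
    for port, mac in frames:
        cam.learn(mac, port, now=311)
    relearned = cam.learn(victim, victim_port, now=312)
    # ...and frames for the victim are now flooded to every port, attacker included.
    after = cam.forward(victim, now=313)
    return {"before": before, "during": during, "after": after,
            "learned_fake": learned, "relearned": relearned,
            "violations": port_security_violations(frames, max_macs=2)}


if __name__ == "__main__":
    for k, v in simulate_flood().items():
        print("%-13s %s" % (k + ":", v))
```

The `violations` entry is the point of port security: the attacker's port sourced over a thousand distinct addresses where a workstation port should source one or two, so the port would have been shut down (or its extra addresses dropped) long before the table filled.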

ARP attack

ARP (Address Resolution Protocol) spoofing is a common technique in session hijacking attacks. ARP maps layer 3 logical IP addresses to layer 2 physical MAC addresses: a device that knows the IP address but not the MAC address of a host sends an ARP request. ARP requests are sent as broadcasts so that every host receives them.

A malicious hacker can send a spoofed ARP reply in order to receive traffic destined for another host. Figure 2 shows an ARP spoofing process in which an ARP request is broadcast to obtain a legitimate user's MAC address. Suppose the hacker Jimmy is also on the network and wants the traffic sent to that legitimate user. Jimmy forges an ARP reply claiming to be the owner of the IP address 10.0.0.55 (MAC address 05-1c-32-00-a1-99), and the legitimate user also replies with the same MAC address. As a result the switch sees that MAC address arriving on two ports (in practice a switch keeps one entry per MAC address, so the entry flaps between the two ports as each host transmits), and frames addressed to it reach both the legitimate user and Jimmy. The more common variant is for Jimmy to answer with his own MAC address, which poisons the requester's ARP cache so that all of its traffic for 10.0.0.55 is delivered to Jimmy alone. Dynamic ARP inspection on the switch, and static ARP entries on critical hosts, are the usual defences.
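The exchange described above, as an added example that is not part of the original article: it builds and parses raw ARP request and reply frames with the standard library, then feeds them through a small monitor of the kind arpwatch or a switch's MAC-move notification would provide. The monitor reports a MAC address that moves between ports (the variant in the text, where Jimmy reuses the victim's MAC), an unsolicited reply, and a changed IP-to-MAC binding (the cache-poisoning variant). The address 10.0.0.55 and MAC 05-1c-32-00-a1-99 are the article's; the requester, Jimmy's own MAC and the port numbers are constructed values.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet frame carrying an ARP request (op 1) or reply (op 2). eth_src
    lets the Ethernet source differ from the ARP sender MAC, which only a
    hand-crafted frame does."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """ARP fields of a frame as a dict, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpMonitor:
    """Tracks the first IP->MAC binding seen per IP, the port each source MAC
    was first seen on, and which IPs have an outstanding request."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_port = {}
        self.pending = set()

    def observe(self, frame, port):
        """Feed one frame seen on `port`; return a list of alert strings."""
        alerts = []
        src = mac_str(frame[6:12])
        first_port = self.mac_to_port.setdefault(src, port)
        if first_port != port:
            alerts.append("MAC %s moved from port %s to port %s" % (src, first_port, port))
        p = parse_arp(frame)
        if p is None:
            return alerts
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
            return alerts
        ip, mac = p["spa"], p["sha"]
        if ip in self.pending:
            self.pending.discard(ip)        # one answer per request is expected
        else:
            alerts.append("unsolicited ARP reply: %s is-at %s" % (ip, mac))
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append("%s changed from %s to %s" % (ip, known, mac))
        return alerts


def replay_scenario():
    """Constructed traffic: a request for 10.0.0.55, the real answer, then
    (a) Jimmy's reply reusing the victim's MAC and (b) Jimmy's reply with his own."""
    mon, out = ArpMonitor(), {}
    requester, victim, jimmy = "00:11:22:33:44:55", "05-1c-32-00-a1-99", "00:0c:29:aa:bb:cc"
    mon.observe(build_arp(ARP_REQUEST, requester, "10.0.0.10", ZERO_MAC, "10.0.0.55"), port=3)
    out["legit"] = mon.observe(build_arp(ARP_REPLY, victim, "10.0.0.55", requester, "10.0.0.10"), port=1)
    out["a"] = mon.observe(build_arp(ARP_REPLY, victim, "10.0.0.55", requester, "10.0.0.10"), port=7)
    out["b"] = mon.observe(build_arp(ARP_REPLY, jimmy, "10.0.0.55", requester, "10.0.0.10"), port=7)
    return out


if __name__ == "__main__":
    for name, alerts in replay_scenario().items():
        print(name, alerts)
```

Variant (a) produces no ARP-level anomaly at all (the binding is unchanged), which is why the check for a MAC address moving between ports matters; variant (b) is the one an ARP-only monitor catches.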

VTP attack

The VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration needed in a switched environment. Under VTP a switch can be a VTP server, a VTP client or a VTP transparent switch; the discussion here concerns servers and clients. Each time an administrator changes the configuration of a switch working in VTP server mode, whether by adding, modifying or removing a VLAN, the VTP configuration revision number increases by 1, and a VTP client that sees a revision number higher than its own synchronizes with the VTP server.

A malicious hacker can use VTP to remove every VLAN on the network (except the default VLAN), so that he ends up in the same VLAN as every other user. The users may still be on different IP networks, however, so the hacker then needs to change his IP address to reach the same subnet as the host he wants to attack.

To exploit VTP, the hacker connects to a switch and establishes a trunk between his own computer and the switch. He then sends VTP advertisements carrying a configuration revision number higher than that of the current VTP server, which causes every switch in the domain to synchronize with the hacker's computer and remove all non-default VLANs from its VLAN database. The forged advertisement must carry the correct VTP domain name, and if a VTP password is configured the advertisement's digest will not verify and it is discarded; a VTP password, or running switches in transparent mode, is therefore the practical defence.
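The revision-number logic and the checks that stop the forged advertisement, as an added example that is not part of the original article. It is a model, not the wire protocol: the advertisement is a dict rather than a VTP frame, and the digest is an HMAC-SHA256 stand-in for the MD5 digest real VTP computes over the advertisement and the password, which is not reproduced here. Switch names, the domain name CORP, the VLAN numbers and the password are constructed values.

```python
import hashlib
import hmac


class VtpSwitch:
    """Model of how a switch handles a VTP advertisement. Servers and clients
    both adopt a newer revision; transparent switches forward but never adopt."""

    def __init__(self, name, mode, domain, revision, vlans, password=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("bad VTP mode")
        self.name, self.mode, self.domain = name, mode, domain
        self.revision, self.vlans, self.password = revision, set(vlans), password

    @staticmethod
    def digest(domain, revision, vlans, password):
        """Stand-in for the VTP MD5 digest (assumption: HMAC-SHA256 over the
        domain, revision and sorted VLAN list, keyed with the password)."""
        msg = ("%s|%d|%s" % (domain, revision, ",".join(map(str, sorted(vlans))))).encode()
        return hmac.new((password or "").encode(), msg, hashlib.sha256).hexdigest()

    def advertise(self):
        """The advertisement this switch would send on its trunks."""
        return {"domain": self.domain, "revision": self.revision, "vlans": set(self.vlans),
                "digest": self.digest(self.domain, self.revision, self.vlans, self.password)}

    def receive(self, adv):
        """Apply an advertisement received on a trunk; return the outcome."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        expected = self.digest(adv["domain"], adv["revision"], adv["vlans"], self.password)
        if not hmac.compare_digest(adv["digest"], expected):
            return "ignored: bad digest (password mismatch)"
        if adv["revision"] <= self.revision:
            return "ignored: revision %d not newer than %d" % (adv["revision"], self.revision)
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return "synchronized to revision %d" % self.revision


def forge_advertisement(domain, revision, password=None):
    """What the attacker sends from a negotiated trunk: the right domain name,
    a revision far above the live server's, and only the default VLAN."""
    return VtpSwitch("attacker", "server", domain, revision, {1}, password).advertise()


def run_scenario(victim_mode="client", password=None, attacker_password=None):
    """Victim switch with VLANs 1/10/20/30 at revision 12 receives the forged
    advertisement; returns (outcome, surviving VLANs)."""
    victim = VtpSwitch("access-sw1", victim_mode, "CORP", 12, {1, 10, 20, 30}, password)
    outcome = victim.receive(forge_advertisement("CORP", 999, attacker_password))
    return outcome, victim.vlans


if __name__ == "__main__":
    print("no password:     ", run_scenario())
    print("password set:    ", run_scenario(password="s3cret"))
    print("transparent mode:", run_scenario(victim_mode="transparent"))
```

The last case in `run_scenario` is worth keeping in mind when auditing a domain: a switch that has learned the password (or a second-hand switch added with a stale, higher revision) is accepted exactly as the attacker is, so the revision number should be checked before any switch is connected to a production trunk.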
