Guard against typical spoofing and layer-2 attacks on CISCO switches


1. Prevention of MAC/CAM attacks
1.1 Principles and hazards of MAC/CAM attacks
1.2 Typical cases of MAC/CAM attacks
1.3 Using the port security feature to prevent MAC/CAM attacks
1.4 Configuration
1.5 Using other technologies to prevent MAC/CAM attacks

2. DHCP attack prevention
2.1 Common problems with DHCP management
2.2 DHCP snooping technology overview
2.3 Basic defense
2.4 Advanced defense

3. Principles and prevention of ARP spoofing/MITM (man-in-the-middle) attacks
3.1 MITM (man-in-the-middle) attack principles
3.2 Attack instances
3.3 Defense methods
3.4 Configuration example
3.5 Effect after DAI configuration

4. Protection against IP/MAC spoofing
4.1 Types and objectives of common spoofing attacks
4.2 Attack instances
4.3 IP/MAC spoofing prevention
4.4 Configuration example

5. New ideas for IP address management and virus prevention
5.1 IP address management
5.2 Using DHCP snooping, DAI and IP source guard to solve virus problems

The attacks and spoofing discussed in this article target mainly the link layer and the network layer. In a real network they come from two sources: people, and viruses or worms. Human attackers typically use hacker tools to scan and sniff the network, obtain management accounts and their passwords, and plant Trojans in order to steal confidential files. Such attacks and spoofing are usually stealthy and quiet, but they are very damaging to enterprises with high information-security requirements. Attacks from Trojans, viruses and worms, on the other hand, often go beyond the attack or spoof itself: sometimes they are very blunt, increasing network traffic, driving up CPU utilization and creating Layer 2 spanning-tree loops until the network is paralyzed.

Today these attack and spoofing tools are mature and easy to use, while the defenses deployed in enterprises still have many gaps and much work remains to be done. Cisco has mature solutions for such attacks, based mainly on the following key technologies:

• Port Security Feature

• DHCP snooping

• Dynamic ARP inspection (DAI)

• IP source guard

The following sections describe how to combine and deploy these technologies on Cisco switches against typical Layer 2 attacks and spoofing: man-in-the-middle attacks, MAC/CAM attacks, DHCP attacks and address spoofing in the switched environment. More importantly, deploying them simplifies address management, lets you track a user's IP address directly to the corresponding switch port, and prevents IP address conflicts. At the same time, it can raise alarms for, and isolate, most viruses whose address-scanning and spoofing behaviour is so damaging to Layer 2 networks.

1. Prevention of MAC/CAM attacks

1.1 Principles and hazards of MAC/CAM attacks

A switch actively learns the MAC addresses of the hosts connected to it and builds and maintains a table that maps each port to the MAC addresses learned on it; frames are switched along the paths this table records. This is the CAM table. Its size is fixed and differs between switch models. A MAC/CAM attack uses a tool to generate spoofed MAC addresses and rapidly fill the CAM table. Once the table is full, the switch handles the frames passing through it by broadcasting them, so an attacker can run various sniffing attacks to collect information from the network. With the CAM table full, traffic is flooded out of all interfaces, which means traffic on trunk interfaces is also flooded to every interface and every neighbouring switch, overloading the switches and causing slowness, packet loss and even a complete outage.

1.2 Typical cases of MAC/CAM attacks

The SQL worm that once posed a major threat to networks used multicast destination addresses, constructing fake destination MACs to fill the switch CAM table. The figure shows its characteristics:

1.3 Using the port security feature to prevent MAC/CAM attacks

The Cisco port security feature prevents MAC spoofing and MAC/CAM attacks. Port security can be configured to control:

• the maximum number of MAC addresses allowed on the port;

• which MAC addresses are learned or permitted on the port;

• how violations (MAC addresses beyond the configured number) are handled.

The MAC addresses permitted on a port can be defined manually in static mode or learned automatically by the switch. The switch learns MAC addresses dynamically on the port until the configured number is reached; after a restart they have to be learned again. Sticky port security is a newer technique: the switch writes the learned MAC addresses into the port configuration, so they survive a switch restart.

There are generally three ways to handle MAC addresses beyond the configured number (they vary by switch model):

• Shutdown. This gives the strongest protection but can create management trouble in some cases, for example when an infected device intermittently spoofs the source MAC and sends frames onto the network.

• Protect. Drop the illegal traffic without any warning.

• Restrict. Drop the illegal traffic and raise an alarm. Compared with the two above, switch CPU usage rises somewhat, but normal operation of the switch is not affected. This method is recommended.

1.4 Configuration

Port security configuration options:

Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Configure the maximum number of MAC addresses for port security, the violation handling and the recovery method:

Cat4507(config)# int fastethernet 3/48
Cat4507(config-if)# switchport port-security
Cat4507(config-if)# switchport port-security maximum 2
Cat4507(config-if)# switchport port-security violation shutdown
Cat4507(config)# errdisable recovery cause psecure-violation
Cat4507(config)# errdisable recovery interval 30

Sticky port security, with the learned MAC addresses written into the configuration:

interface fastethernet3/29
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.db1d.6ccd
 switchport port-security mac-address sticky 000b.db1d.6cce
 switchport port-security mac-address sticky 000d.6078.2d95
 switchport port-security mac-address sticky 000e.848e.ea01
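As an added illustration (not from the original article or from Cisco), the following Python model replays a CAM-flooding burst against a port configured like the fastethernet 3/48 example above (maximum 2, sticky learning) and shows how the three violation modes differ in what happens to the legitimate host afterwards; the syslog text is a simplified stand-in for the IOS message and the bogus MAC addresses are constructed.

```python
"""Model of Cisco port-security decisions per ingress frame (added example, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "restrict"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    name: str = "Fa3/48"
    secure_macs: set = field(default_factory=set)
    sticky_lines: list = field(default_factory=list)  # what sticky writes into the running-config
    errdisabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)        # simplified stand-in for the IOS message

    def ingress(self, src_mac: str) -> str:
        """Fate of one frame with source MAC src_mac: 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "drop"                       # a shut-down port passes nothing until recovery
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # dynamic learning up to the maximum
            if self.sticky:
                self.sticky_lines.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        self.violation_count += 1
        if self.violation == "protect":
            return "drop"                       # silent drop, no alarm
        self.syslog.append(
            f"PSECURE_VIOLATION: MAC {src_mac} exceeded the maximum on {self.name}")
        if self.violation == "restrict":
            return "drop"                       # drop and alarm, port stays up
        self.errdisabled = True                 # shutdown: port goes err-disabled
        return "errdisable"


def cam_flood(mode: str, bogus: int = 500) -> dict:
    """Legit host first, then a burst of constructed bogus source MACs (a CAM-flooding tool)."""
    port = SecurePort(maximum=2, violation=mode, sticky=True)
    legit = "000b.db1d.6ccd"                    # MAC taken from the sticky example above
    port.ingress(legit)
    fates = [port.ingress(f"0000.bad0.{i:04x}") for i in range(bogus)]
    return {
        "learned": len(port.secure_macs),
        "bogus_dropped": bogus - fates.count("forward"),
        "violations": port.violation_count,
        "alarms": len(port.syslog),
        "errdisabled": port.errdisabled,
        "legit_after_flood": port.ingress(legit),
        "sticky_lines": port.sticky_lines,
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        r = cam_flood(mode)
        print(f"{mode:9s} alarms={r['alarms']:3d} errdisabled={r['errdisabled']!s:5s} "
              f"legit host afterwards: {r['legit_after_flood']}")
```

The output makes the article's recommendation concrete: in shutdown mode the first violation takes the legitimate host offline with the attacker, while restrict keeps it forwarding and still produces an alarm per violation.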

1.5 Using other technologies to prevent MAC/CAM attacks

Besides port security, the DAI technology described later can also prevent MAC address spoofing.

2. DHCP attack prevention

2.1 Common problems with DHCP management

A DHCP server can automatically configure network parameters such as the IP address, mask, gateway, DNS and WINS for users, which simplifies network setup and improves management efficiency. But managing addresses with DHCP also brings some problems. Common ones include:

• Impersonation of the DHCP server.

• DoS attacks against the DHCP server.

• Users assigning addresses at will, causing IP address conflicts.

Because of how DHCP works, there is normally no authentication between server and client, so if several DHCP servers exist on the network it becomes chaotic. It is very common for a user to set up a DHCP server by accident and disrupt the network, and deliberate sabotage is just as simple. A typical attacker first exhausts the addresses the legitimate DHCP server can hand out and then impersonates it. The most covert and dangerous variant is an impersonating DHCP server that hands users a modified DNS server address; this is especially damaging when users are silently redirected to pre-built fake banking or e-commerce sites that harvest their accounts and passwords.

DoS attacks against the DHCP server can be countered with port security and the DAI technology described later; address conflicts caused by users can be countered with the DAI and IP source guard technologies, also described later. This section focuses on the methods and technologies against DHCP spoofing.

2.2 DHCP snooping technology overview

DHCP snooping is a DHCP security feature. It filters untrusted DHCP messages by building and maintaining a DHCP snooping binding table; untrusted messages are those arriving from untrusted areas. The binding table records the MAC address, IP address, lease time, VLAN ID and interface of each user in the untrusted area, as shown below:

Cat4507# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0d:60:2d:45:0d   10.149.3.13      600735      dhcp-snooping  100   GigabitEthernet1/0/7

This table not only solves the problem of tracking a DHCP user's IP address to its switch port; it is also the basis on which dynamic ARP inspection (DAI) and IP source guard work, which makes user management easier.

2.3 Basic defense

First, define trusted and untrusted ports on the switch, intercept and inspect DHCP messages from untrusted ports, and drop abnormal DHCP messages from those ports, as shown in the figure:

The basic configuration is as follows:

IOS global commands:

ip dhcp snooping vlan 100,200       /* defines on which VLANs DHCP snooping is enabled
ip dhcp snooping

Interface commands:

ip dhcp snooping trust
no ip dhcp snooping trust           (default)
ip dhcp snooping limit rate 10      /* packets per second; to some extent prevents DoS attacks on the DHCP server

Manually add a DHCP binding table entry:

ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000

Export the DHCP binding table to a TFTP server:

ip dhcp snooping database tftp://10.1.1.1/directory/file

Note that the DHCP binding table must be kept on a local storage device (bootflash, slot0, FTP, TFTP) or exported to the specified TFTP server. Otherwise it is lost when the switch restarts, and a device that has already obtained an address will not send a new DHCP request while its lease is still valid; if the switch also runs the DAI and IP source guard features described below, such users will be unable to access the network.

2.4 Advanced defense

Port security restricts each port to the single MAC address of the host that made the DHCP request. The DHCP server usually identifies the client by the chaddr field in the DHCP request, and normally this field equals the client's real MAC address. If an attacker modifies the chaddr in the DHCP packet without changing the client's source MAC address, however, port security does not stop a DoS attack against the server. DHCP snooping can check the chaddr field of the DHCP request to determine whether it matches the DHCP snooping table. This check is enabled by default on some switches and must be configured on others; see the configuration documentation for the switch model.
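The following Python model is an added example (not from the article or from IOS) of the decisions described in sections 2.2 to 2.4: trusted versus untrusted ports, the rate limit, building a binding entry from the server's ACK, and the chaddr check, which here is modelled as "chaddr must equal the frame's source MAC" (the behaviour of IOS's DHCP snooping MAC verification); all port names, MACs and the traffic are constructed.

```python
"""Model of DHCP snooping on an access switch (added example, not IOS code)."""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only a trusted port may source these


@dataclass
class DhcpPacket:
    msg_type: str          # DISCOVER, REQUEST, OFFER, ACK, ...
    src_mac: str           # Ethernet source address of the frame
    chaddr: str            # client hardware address inside the DHCP payload
    yiaddr: str = ""       # address handed out (OFFER/ACK)
    lease: int = 0         # lease seconds (ACK)


@dataclass
class SnoopingSwitch:
    vlan: int
    trusted: set                                  # ports with 'ip dhcp snooping trust'
    rate_limit: int = 10                          # 'ip dhcp snooping limit rate 10' on untrusted ports
    verify_chaddr: bool = True                    # chaddr must equal the frame's source MAC
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, lease, vlan, client port)
    pending: dict = field(default_factory=dict)   # chaddr -> untrusted port of the last request
    counts: dict = field(default_factory=dict)    # (port, second) -> packets seen
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ingress(self, pkt: DhcpPacket, port: str, second: int = 0) -> str:
        """Return 'forward', 'drop' or 'errdisable' for one DHCP packet arriving on port."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            if pkt.msg_type == "ACK" and pkt.chaddr in self.pending:
                # the binding records the client's own port, learned from its request
                self.bindings[pkt.chaddr] = (pkt.yiaddr, pkt.lease, self.vlan,
                                             self.pending.pop(pkt.chaddr))
            return "forward"
        key = (port, second)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.rate_limit:
            self.errdisabled.add(port)
            self.log.append(f"rate limit exceeded on {port}: port err-disabled")
            return "errdisable"
        if pkt.msg_type in SERVER_MESSAGES:
            self.log.append(f"server message {pkt.msg_type} from untrusted {port} dropped")
            return "drop"                         # rogue DHCP server blocked
        if self.verify_chaddr and pkt.chaddr != pkt.src_mac:
            self.log.append(f"chaddr {pkt.chaddr} != source MAC {pkt.src_mac} on {port} dropped")
            return "drop"                         # a forged chaddr cannot drain the pool
        self.pending[pkt.chaddr] = port
        return "forward"


def snooping_demo() -> dict:
    """Constructed traffic: a real lease, a rogue server, a chaddr forgery and a flood."""
    sw = SnoopingSwitch(vlan=100, trusted={"Gi1/0/1"})
    client, server, attacker = "000d.602d.450d", "0011.2233.4455", "00aa.bbbb.cccc"
    r = {"discover": sw.ingress(DhcpPacket("DISCOVER", client, client), "Fa1/1"),
         "ack": sw.ingress(DhcpPacket("ACK", server, client, "10.149.3.13", 600735), "Gi1/0/1"),
         "rogue_offer": sw.ingress(DhcpPacket("OFFER", attacker, client, "10.149.3.99"), "Fa1/2"),
         "forged_chaddr": sw.ingress(DhcpPacket("DISCOVER", attacker, "0000.0000.0001"), "Fa1/3")}
    r["flood"] = [sw.ingress(DhcpPacket("DISCOVER", f"00cc.0000.{i:04x}", f"00cc.0000.{i:04x}"),
                             "Fa1/4", second=5) for i in range(12)]
    r["bindings"] = dict(sw.bindings)
    r["errdisabled"] = set(sw.errdisabled)
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for key, value in snooping_demo().items():
        print(f"{key:14s} {value}")
```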

3. Principles and prevention of ARP spoofing/MITM (man-in-the-middle) attacks

3.1 MITM (man-in-the-middle) attack principles

ARP is designed to keep ARP traffic on the network low, so a host inserts a received ARP reply into its own ARP cache even when the reply was not requested by it. This is what makes ARP spoofing possible. If an attacker wants to eavesdrop on the communication between two hosts on the same network (even across a switch), the attacker sends an ARP reply to each of the two hosts, making each believe that the MAC address of the other is that of the attacker's host. The two hosts appear to have a "direct" connection, but in fact everything passes through the attacker's host. The attacker thereby obtains the communication content and, by modifying some fields in each packet, forwards it on successfully. The attacker's host does not even need to put its network adapter into promiscuous mode, because both parties' packets are physically sent to it.

For example, assume three hosts in the same LAN connected through a switch:

Host A: IP address 192.168.0.1, MAC address 01:01:01:01:01:01;

Host B: IP address 192.168.0.2, MAC address 02:02:02:02:02:02;

Host C: IP address 192.168.0.3, MAC address 03:03:03:03:03:03.

Host B spoofs A and C by sending fake ARP replies, as shown in the figure.

After receiving the ARP reply from host B, host A believes that packets for 192.168.0.3 should be sent to the host with MAC address 020202020202, and host C likewise believes that packets for 192.168.0.1 should be sent to the host with MAC address 020202020202. Both A and C now think the other's MAC address is 020202020202, which is exactly what host B intended. ARP cache entries are updated dynamically, and a dynamically learned mapping has a lifetime, typically two minutes; if it is not refreshed, the entry is removed automatically. B therefore has one more task: to keep sending these fake ARP replies to A and C so that the poisoned mappings stay in their ARP caches.

Now when A and C communicate, the packets they send to each other arrive first at host B. If B did nothing further, A and C could not communicate normally and B would not achieve its aim of "sniffing" the traffic. So B must modify each packet it received "by mistake" and forward it to the correct destination, which amounts to nothing more than replacing the destination and source MAC addresses. From A's and C's point of view their packets reach each other directly, while from B's point of view it plays the role of a "third party". This is why the technique is called "man in the middle".

3.2 Attack instances

Tools built on these ARP principles are now very easy to use; they can directly sniff and analyze the passwords and transmitted content of more than 30 applications, including FTP, POP3, SMB, SMTP, HTTP/HTTPS, SSH and MSN. Below is a Telnet session captured by such a tool during testing; the capture includes the Telnet password and everything that was typed:

Beyond these specific applications, an attacker can also feed the intercepted traffic directly to a sniffer or similar device and thus monitor all of the spoofed users' data.

Some people have used the same ARP principles to build "network management" tools that can cut off a chosen user's connection at any time. Such tools easily make the network unstable, and the resulting faults are usually hard to troubleshoot.

3.3 Defense methods

Cisco dynamic ARP inspection (DAI) binds IP addresses to MAC addresses on the switch and establishes the bindings dynamically: DAI is based on the DHCP snooping binding table. For servers that do not use DHCP, a static ARP access-list can be used. DAI is configured per VLAN, and within a VLAN it can be enabled or disabled per interface. DAI can also limit the number of ARP request packets on a port. Together these techniques prevent man-in-the-middle attacks.

3.4 Configuration example

IOS global commands:

ip dhcp snooping vlan 100,200
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200            /* defines on which VLANs ARP packets are inspected
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

IOS interface commands:

ip dhcp snooping trust
ip arp inspection trust                   /* defines trusted interfaces, such as interfaces to network devices and trunk interfaces
ip arp inspection limit rate 15           /* packets per second; limits the number of ARP packets per second on the interface

If no DHCP is used, use the following instead:

arp access-list static-arp
 permit ip host 10.66.227.5 mac host 0009.6b88.d387
ip arp inspection filter static-arp vlan 201

3.5 Effect after DAI configuration:

• On interfaces where DAI is enabled, a client cannot access the network with a manually specified address.

• Because DAI checks the IP-to-MAC relationship against the DHCP snooping binding table, man-in-the-middle attacks cannot be carried out and the attack tools stop working. The switch warning for a man-in-the-middle attempt looks like this:

3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on fa5/16, vlan 1. ([000b.db1d.6ccd/192.168.1.200/2.16.0000.0000/192.168.1.2

• Because of the rate limit on ARP request packets, a client cannot scan or probe IP addresses, whether a person or a virus is doing it. When such behaviour occurs, the switch immediately raises an alarm or directly disconnects the scanning machine, as shown below:

3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on fa5/30.   ***** alarm
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on fa5/30, putting fa5/30 in err-disable state   ***** port disconnected

I49-4500-1# sh int f5/30
FastEthernet5/30 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
I49-4500-1# ...

• Once a user has obtained an IP address, the user cannot change either the IP address or the MAC address. If the user changes both at once, the new pair must be a valid IP/MAC pair on the network; the IP source guard technology described below prevents such changes. The alarm for a manually specified IP address looks like this:

3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on fa5/30, vlan 1. ([000d.6078.2d95/192.168.1.100/2.16.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000])

4. Protection against IP/MAC spoofing

4.1 Types and objectives of common spoofing attacks

Common spoofing types are MAC spoofing, IP spoofing and combined IP/MAC spoofing. The purpose is usually to forge an identity or to obtain the privileges tied to an IP/MAC pair. Many attacks are launched this way, such as ping of death, SYN flood and ICMP unreachable storms; virus and Trojan attacks are also typical. Below is an example of a Trojan attack.

4.2 Attack instances

The attack forges the source address and targets a public DNS server. Its direct aim is to make the DNS server respond to, and wait on, the forged source address, turning it into a DDoS attack and amplifying the effect. The attack generated tens of thousands of packets per second, and a mid-range switch was paralyzed within 2 minutes, so the indirect consequences were very large.

4.3 IP/MAC spoofing prevention

The IP source guard technology is supported only on Layer 2 switch ports. It prevents IP/MAC spoofing through the following mechanism:

• IP source guard uses the DHCP snooping binding table.

• It is configured on a switch port and applies to that port.

• It works much like DAI, but whereas DAI inspects only ARP packets, IP source guard inspects every packet that passes through a port on which it is enabled.

• IP source guard checks whether the IP address and MAC address used on the interface appear in the DHCP snooping binding table; if not, the traffic is blocked. Note: to check the MAC address, both the DHCP server and the router must support option 82.

Configuring IP source guard on the switch:

• filters out illegal IP addresses, both those deliberately changed by users and those caused by viruses and attacks;

• resolves IP address conflicts;

• provides a dynamic table of IP + MAC + port bindings; for servers that do not use DHCP, and in other special cases, binding entries can be added manually with global commands;

• an interface with IP source guard enabled initially blocks all non-DHCP traffic;

• it cannot prevent man-in-the-middle attacks.

Against IP spoofing you can also use uRPF on the router.
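As an added example that serves both the DAI description in section 3 and the IP source guard description above (it is not code from the article or from IOS), the following Python parses a binding table in the layout of "show ip dhcp snooping binding", then runs the two checks side by side: DAI validates ARP sender fields and rate-limits ARP per port, while IP source guard validates any IP frame against the binding for its port, with and without the MAC check. The binding rows, port names and traffic are constructed; the static ARP ACL entry is the one from the configuration example.

```python
"""DAI and IP source guard decisions against a DHCP snooping binding table (added example, not IOS code).
BINDING_OUTPUT is constructed to mirror the layout of 'show ip dhcp snooping binding'."""
import re
from collections import defaultdict

BINDING_OUTPUT = """\
MacAddress          IpAddress      Lease(sec)  Type           VLAN  Interface
------------------  -------------  ----------  -------------  ----  --------------------
00:0D:60:2D:45:0D   10.149.3.13    600735      dhcp-snooping  100   GigabitEthernet1/0/7
00:0B:DB:1D:6C:CD   192.168.1.201  86400       dhcp-snooping  1     FastEthernet5/16
"""
# Model of: arp access-list static-arp / permit ip host 10.66.227.5 mac host 0009.6b88.d387,
# applied with: ip arp inspection filter static-arp vlan 201
STATIC_ARP_ACL = {201: {("10.66.227.5", "00096b88d387")}}


def norm_mac(mac: str) -> str:
    return re.sub(r"[.:-]", "", mac).lower()      # 00:0d:.. and 000d.... compare equal


def parse_bindings(text: str) -> dict:
    """Index binding rows as (mac, vlan) -> (ip, short interface name)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", line)
        if m:
            mac, ip, vlan, intf = m.groups()
            intf = intf.replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")
            table[(norm_mac(mac), int(vlan))] = (ip, intf)
    return table


class Inspector:
    def __init__(self, bindings: dict, trusted=(), arp_rate_limit: int = 15):
        self.bindings, self.trusted, self.rate = bindings, set(trusted), arp_rate_limit
        self.arp_seen = defaultdict(int)          # (port, second) -> ARP packets
        self.errdisabled, self.log = set(), []

    def dai(self, port, vlan, sender_mac, sender_ip, second=0) -> str:
        """Dynamic ARP inspection of one ARP packet's sender MAC / sender IP."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:                  # 'ip arp inspection trust': uplinks not inspected
            return "permit"
        self.arp_seen[(port, second)] += 1
        if self.arp_seen[(port, second)] > self.rate:   # 'ip arp inspection limit rate 15'
            self.errdisabled.add(port)
            self.log.append(f"PACKET_RATE_EXCEEDED on {port}: err-disabled")
            return "errdisable"
        mac = norm_mac(sender_mac)
        bound_ip = self.bindings.get((mac, vlan), (None, None))[0]
        if bound_ip == sender_ip or (sender_ip, mac) in STATIC_ARP_ACL.get(vlan, ()):
            return "permit"
        self.log.append(f"DHCP_SNOOPING_DENY on {port}, vlan {vlan}: {sender_mac}/{sender_ip}")
        return "deny"

    def ipsg(self, port, vlan, src_mac, src_ip, check_mac=True) -> str:
        """IP source guard on any IP frame; check_mac models 'ip verify source ... port-security'."""
        for (mac, v), (ip, intf) in self.bindings.items():
            if (v, intf, ip) == (vlan, port, src_ip) and (not check_mac or mac == norm_mac(src_mac)):
                return "permit"
        return "deny"                             # no binding for this port: blocked


def inspection_demo() -> dict:
    """Constructed traffic through both checks; addresses echo the page's log lines."""
    insp = Inspector(parse_bindings(BINDING_OUTPUT), trusted={"Gi1/0/1"})
    r = {"legit_arp": insp.dai("Fa5/16", 1, "000b.db1d.6ccd", "192.168.1.201"),
         "poisoned_arp": insp.dai("Fa5/16", 1, "000b.db1d.6ccd", "192.168.1.200"),
         "static_server_arp": insp.dai("Gi4/5", 201, "0009.6b88.d387", "10.66.227.5"),
         "uplink_arp": insp.dai("Gi1/0/1", 1, "0000.0c00.0001", "192.168.1.1"),
         "ipsg_legit": insp.ipsg("Fa5/16", 1, "000b.db1d.6ccd", "192.168.1.201"),
         "ipsg_spoofed_ip": insp.ipsg("Fa5/16", 1, "000b.db1d.6ccd", "192.168.1.200"),
         "ipsg_spoofed_mac_ip_only": insp.ipsg("Fa5/16", 1, "00aa.bbbb.cccc", "192.168.1.201", False),
         "ipsg_spoofed_mac": insp.ipsg("Fa5/16", 1, "00aa.bbbb.cccc", "192.168.1.201")}
    # one host probing 16 addresses within a second, like the PACKET_RATE_EXCEEDED log on the page
    r["scan_burst"] = [insp.dai("Fa5/30", 1, "000d.6078.2d95", f"192.168.1.{i}", second=7)
                       for i in range(1, 17)]
    r["errdisabled"], r["log"] = set(insp.errdisabled), list(insp.log)
    return r
```

The two spoofed-MAC cases show why the article's "IP + MAC" variant needs port-security on the interface: with the IP-only check a frame carrying a valid IP from a different MAC is still permitted.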

4.4 Configuration example:

Checking IP + MAC on the interface

IOS global configuration commands:

ip dhcp snooping vlan 12,200
ip dhcp snooping information option
ip dhcp snooping

Interface configuration commands:

ip verify source vlan dhcp-snooping port-security
switchport mode access
switchport port-security
switchport port-security limit rate invalid-source-mac n
/* limits the rate at which new source MACs can be learned on the port; meaningful only when both IP and MAC are checked

Checking only the IP address on the interface

IOS global configuration commands:

ip dhcp snooping vlan 12,200
no ip dhcp snooping information option
ip dhcp snooping

Interface configuration command:

ip verify source vlan dhcp-snooping

Static configuration without DHCP

IOS global configuration commands:

ip dhcp snooping vlan 12,200
ip dhcp snooping information option
ip dhcp snooping
ip source binding 0009.6b88.d387 vlan 212 10.66.227.5 interface gi4/5

5. New ideas for IP address management and virus prevention

5.1 IP address management

In summary, by configuring Cisco switches we have not only solved some typical attack and virus prevention problems, but also gained a new approach to traditional IP address management.

The technologies above solve the traditional problems of managing client IP addresses with a DHCP server:

• users deliberately setting static IP addresses that conflict with DHCP-assigned addresses;

• users setting up their own DHCP servers;

• problems with static IP addresses;

• users not using their assigned IP address, creating conflicts with servers or other addresses;

• difficulty in locating which switch port a given IP address is on.

Important servers and computers with static addresses can be protected by statically binding IP + MAC, or IP + MAC + port, and manually configuring DAI and IP source guard binding entries; this protects those devices and also prevents attacks launched from them.

With the explosive growth of network viruses, more and more users are paying attention to PC management. Besides who may access the network, what they may do once connected and what they have done (what we usually call AAA), users also want to locate quickly the switch, port, IP address and MAC address from which a user logs in. This gives "AAA + A" (authenticate, authorize, account, address).

With the configuration above we can locate the user at the network level; with 802.1x authentication we can also authorize the user at the network level based on identity, achieving "AAA + A".

Going further, we also need to audit the state of the computers users work on, such as system patches and installed anti-virus software. Cisco network access control (NAC) can be considered for this.

5.2 Using DHCP snooping, DAI and IP source guard to solve virus problems

Because most network viruses that harm LANs have typical characteristics such as spoofing, scanning, fast packet sending and large numbers of ARP requests, the technologies above can to some extent automatically cut off the virus source and raise timely alarms that locate it precisely.
