LAN Security: MAC Flood/Spoof

Source: Internet
Author: User

Originally published in: 2010-09-22

Reprinted: 2012-07-21

I had watched Qinko's LAN Security video before, but since I rarely use this in my actual work (I mean my own work environment, which is a bit embarrassing...), many of the technical details are forgotten after a while. This time, while watching, I will take notes as I go, both to deepen the impression and to make things easy to look up later.

1. LAN Security for MAC Flood/Spoof Attacks

Unknown unicast flooding:

When the switch receives a unicast frame whose destination MAC is not in the CAM table, it floods the frame out of every port in the broadcast domain except the ingress port. An endpoint that does not own the destination MAC can therefore capture the frame, which is a potential security problem.

By default the switch floods such unicast frames. The behaviour can be turned off per interface, in interface configuration mode: switchport block unicast (and switchport block multicast for the multicast case).

Flood:

The CAM table capacity of a switch is a design parameter; switches of different classes ship with enough CAM capacity for their intended role. A MAC flooding attack generates a large number of source MAC addresses that occupy CAM table space. This not only consumes switch resources (CPU, memory, CAM, etc.) but also leaves the switch unable to serve normal requests (relatively easy to carry out, but also easy to detect).

Spoof:

The attacker sends frames with the source MAC of an existing host, so that the CAM table's MAC-to-port mapping is updated to point at the attacker's port (the CAM table is updated from the most recently received frame). The spoof only holds as long as the impersonated host is not itself sending; as soon as it sends, the CAM entry is refreshed back (relatively hard to carry out, but not easy to detect).

Attack tool: dsniff, http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz

Blocking the attack: Port Security

1. Port security effectively blocks MAC flood/spoof attacks

A. MAC flood: a violation is raised when the MAC table of a specific interface is full (the configured maximum for that interface has been reached)

B. MAC spoof: a violation is raised when the same MAC is learned from two different interfaces in the same VLAN

2. Port security default behaviour

A. Port security is disabled on all interfaces by default; enable it on a port with: switchport port-security

B. The maximum number of MAC addresses per interface is 1 by default

C. The default violation mode is shutdown

3. Three violation modes

A. shutdown: puts the interface into the err-disabled state and raises an alarm

B. restrict: drops the offending frames and raises an alarm

C. protect: drops the offending frames silently, with no alarm

4. Three ways of learning addresses

A. dynamic learning (default)

B. static assignment: switchport port-security mac-address ****.****.****

C. sticky: switchport port-security mac-address sticky ****.****.****

5. View the CPU utilization of port security:

show processes cpu | include Port-s

$ Series Features:

mac-address-table notification mac-move

The MAC move notification feature detects MAC addresses moving illegitimately between ports. It does not block the attack, but it effectively alerts administrators that one is taking place.
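To tie the pieces above together (unknown unicast flooding and switchport block unicast, CAM exhaustion by a MAC flood, CAM rewriting by a MAC spoof, the port-security violation modes, and the MAC-move notification), here is an added teaching model written for this note. It is not code from the original post or from any switch vendor: the Port and Switch classes, the demo() scenario, the port names, the MAC addresses and the tiny CAM capacity of 4 entries are all constructed so that each behaviour can be triggered and observed in a few frames.

```python
"""Toy model of a switch CAM table with port security (constructed teaching
example, not vendor code). It shows unknown-unicast flooding, CAM exhaustion,
MAC spoofing with MAC-move detection, and the port-security violation modes."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    secure: bool = False          # like "switchport port-security"
    maximum: int = 1              # like "switchport port-security maximum N"
    violation: str = "shutdown"   # "shutdown" | "restrict" | "protect"
    block_unicast: bool = False   # like "switchport block unicast" (egress side)
    secure_macs: set = field(default_factory=set)   # learned or static MACs
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports, cam_capacity=4):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                      # (vlan, mac) -> port name
        self.cam_capacity = cam_capacity   # tiny, so a flood fills it quickly
        self.alerts = []                   # what a syslog message / trap would carry

    def _port_security(self, port, src):
        """Return True if the frame may enter; otherwise apply the violation mode."""
        if not port.secure or src in port.secure_macs:
            return True
        # A MAC already secured on another port of the switch is a violation
        # (the "same MAC on two different interfaces" case).
        seen_elsewhere = any(src in p.secure_macs for p in self.ports.values()
                             if p is not port and p.secure)
        if not seen_elsewhere and len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src)      # dynamic learning (sticky would also save it)
            return True
        port.violations += 1
        if port.violation == "shutdown":
            port.err_disabled = True
            self.alerts.append(f"PSECURE_VIOLATION {port.name}: {src}, port err-disabled")
        elif port.violation == "restrict":
            self.alerts.append(f"PSECURE_VIOLATION {port.name}: {src}, frame dropped")
        # "protect": drop silently, no alert
        return False

    def _learn(self, vlan, src, port):
        key = (vlan, src)
        old = self.cam.get(key)
        if old is not None and old != port.name:
            # mac-address-table notification mac-move: detect, do not block
            self.alerts.append(f"MAC_MOVE: {src} vlan {vlan} {old} -> {port.name}")
        elif old is None and len(self.cam) >= self.cam_capacity:
            self.alerts.append(f"CAM_FULL: cannot learn {src} on {port.name}")
            return
        self.cam[key] = port.name          # last frame wins: this is what spoofing relies on

    def receive(self, in_port, vlan, src, dst):
        """Forward one frame; return the list of egress port names."""
        port = self.ports[in_port]
        if port.err_disabled or not self._port_security(port, src):
            return []
        self._learn(vlan, src, port)
        out = self.cam.get((vlan, dst))
        if out is None:                    # unknown unicast: flood the VLAN
            return [p.name for p in self.ports.values()
                    if p.name != in_port and not p.block_unicast]
        return [] if out == in_port else [out]


def demo():
    """Run the scenarios from the note against the model and collect the outcomes."""
    sw = Switch([Port("Gi0/1"),                                    # unsecured access port
                 Port("Gi0/2", secure=True, violation="restrict"),
                 Port("Gi0/3", secure=True),                       # defaults: max 1, shutdown
                 Port("Gi0/4", block_unicast=True)], cam_capacity=4)
    r = {}
    # 1. Unknown unicast is flooded to every port except ingress and blocked ports.
    r["flood"] = sw.receive("Gi0/1", 10, "aaaa.0000.0001", "bbbb.0000.0002")
    # 2. Once the destination has been learned, frames are switched, not flooded.
    sw.receive("Gi0/2", 10, "bbbb.0000.0002", "aaaa.0000.0001")
    r["switched"] = sw.receive("Gi0/1", 10, "aaaa.0000.0001", "bbbb.0000.0002")
    # 3. MAC flood from the unsecured port: the CAM fills after two more entries.
    for i in range(10):
        sw.receive("Gi0/1", 10, f"dead.beef.{i:04x}", "bbbb.0000.0002")
    r["cam_full"] = sum(a.startswith("CAM_FULL") for a in sw.alerts)
    # A new legitimate host can no longer be learned, so replies to it are flooded.
    sw.receive("Gi0/1", 10, "ffff.0000.0006", "bbbb.0000.0002")
    r["leak"] = sw.receive("Gi0/2", 10, "bbbb.0000.0002", "ffff.0000.0006")
    # 4. Spoof via the unsecured port: the CAM entry moves and a MAC-move alert fires.
    sw.receive("Gi0/1", 10, "bbbb.0000.0002", "aaaa.0000.0001")
    r["spoof_port"] = sw.cam[(10, "bbbb.0000.0002")]
    r["mac_move"] = any(a.startswith("MAC_MOVE") for a in sw.alerts)
    # 5. restrict: a second MAC on Gi0/2 (max 1) is dropped and logged; port stays up.
    sw.receive("Gi0/2", 10, "cccc.0000.0003", "aaaa.0000.0001")
    r["restrict"] = (sw.ports["Gi0/2"].violations, sw.ports["Gi0/2"].err_disabled)
    # 6. shutdown: the MAC secured on Gi0/2 appearing on Gi0/3 err-disables Gi0/3.
    sw.receive("Gi0/3", 10, "bbbb.0000.0002", "aaaa.0000.0001")
    r["shutdown"] = sw.ports["Gi0/3"].err_disabled
    r["alerts"] = list(sw.alerts)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints each scenario's result and the alert list. Note the contrast in the last two scenarios: the spoof succeeds through the unsecured port Gi0/1 and only generates a MAC-move alert, whereas the same MAC arriving on the secured port Gi0/3 is treated as a violation and the port is err-disabled, which is exactly the difference between the notification feature and port security described in the note.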

mac-address-table unicast-flood

A. Restricts unknown unicast flooding

B. mac-address-table unicast-flood limit 4 vlan filter 5

limit: within one VLAN, the number of unicast floods per MAC address per second that is allowed

filter: once the limit is exceeded, filter the unicast flood for the given time (in seconds)

alert: once the limit is exceeded, raise an alarm

shutdown: once the limit is exceeded, shut down the port

