Switch CAM table port forwarding attack: research and implementation


It may seem a bit strange to see this title. Nobody in the security community has defined such a term. At first I was not sure what to call it, so I simply named it after the mechanism of the attack itself. If anyone has a better suggestion for a name, something as well known as "Panda Burning Incense", please offer it.

I do not know whether this attack method has been studied before; I have never seen it on the internet. I have recently spent some time thinking about this technique and hope to offer security enthusiasts another building block, but I do not want anyone to use it to damage networks. The consequences are very serious: the network administrator is left furious because he cannot find the source of the attack, and there is currently no good defence against this type of attack, so think twice.

Enough rambling; on to the topic.

I first discovered this attack while studying the ARP protocol early on. At that time I found that sending ARP packets in a particular form had a certain effect on the network. Suppose I am machine B: I capture the ARP reply packet sent from machine C to machine A, then use Sniffer Pro on machine B to replay it. In other words, machine B sends packets whose source MAC address is that of machine C. When a switch receives a continuous, uninterrupted stream of such packets (the number of packets sent is closely tied to the effect of the attack), machine C suddenly loses contact with the other machines on the network: the other machines can no longer reach C. Packet capture shows that C's packets do go out, but no response packets come back. So where is the problem?

Anyone who thinks about it will suspect that the packets are being forwarded to machine B by the switch. To verify this, we capture packets on machine B and find that many of them are response packets from other IP addresses to machine C. Many people will not understand why. We all know the difference between a switch and a hub: a switch does not broadcast every frame. Its working principle is that a frame from machine A to machine B cannot be received by machine C, because the switch keeps a forwarding table, the CAM table. The CAM table records the correspondence between MAC addresses and ports; one port can correspond to many MAC addresses (under 802.1x it seems only one can be learned). So far there seems to be no problem. The problem is that the CAM table is updated dynamically in real time. With that in mind, look at the situation above: machine C sends packets to machine A without trouble, and the switch records a temporary mapping between C's MAC address and port 3. When machine A receives those packets and communicates back to C, the switch directs the reply to port 3 and the connection succeeds.

Now machine B captures this packet and replays it continuously. As said above, machine B is sending packets whose source MAC address is that of machine C. When such a packet passes through the switch, the mapping between C's MAC address and port 3 is changed: the switch sees a frame with C's source MAC arriving on port 2, so it records C's MAC against port 2 in the CAM table, and the packets sent from machine A to machine C are now forwarded by the switch to machine B on port 2. All of this leads to machine C being cut off. The above is my own understanding; some points may be explained poorly, and I hope you will raise them.

Some people will say that machine C is also constantly sending packets, which will likewise change the mapping between C's MAC and port 2 in the CAM table. As I said above, this depends on the number of packets replayed by machine B. In my tests, when machine B replayed enough packets per second, machine C could not communicate with other machines, or communicated very slowly. Interestingly, machine C can still ping other machines, which makes the situation quite confusing for C. In addition, machine C never receives any of the attack packets, because they are addressed to machine A and are not broadcast. For example, when the number of packets is around 10 thousand, machine C cannot receive anything at all.

You will also ask why we do not simply broadcast the packets. Broadcasting would put a heavy load on the switch, affect the other machines, and make the packets easy for others to notice (although without checking the switch's MAC table they still cannot find you, one still worries that someone is watching ^_^). If your network is large, broadcast also affects your own use. Therefore we need to send packets in a targeted way, to a puppet machine. In the case above, A is our puppet. If we capture packets on some other machine D, this kind of attack is invisible there. Frightening? Here is something more frightening. Since we can attack a single machine, we can also attack the gateway. What happens when the gateway is attacked? Nobody can communicate with the gateway and the whole network is cut off (yourself included); on machine B you only need to send packets whose source address is the gateway's MAC. We have already said that broadcasting is the least desirable option, so again we need a puppet, machine A. But since the targeted packet only travels between B and A on the same switch, only that switch's CAM table is changed and only the machines under that switch are affected. How do we extend the scope? Broadcast would work, but it is the least feasible method. What to do? Rest assured, clever people always find a way. This is where the role of the puppet becomes clear. In professional terms: machine B sends packets whose source address is the gateway's MAC to the puppet, and every switch the packets pass through has its CAM entry for the gateway changed.

That is to say, however far away the puppet is, that is how far the affected switches reach, so choosing where in the network topology the puppet sits is very important: it determines the range of switches that are affected. If I wanted to disconnect the whole network, I would pick a machine below the trunk switch as the puppet. Isn't that bad?

By now everyone understands it, and you may say this attack is perfect. I disagree, because if the attack were limited to the ARP protocol it would be easy to block; during testing, many ARP firewalls refused to let this type of attack through. So I had to find a way around it, and worry all over again.
Clever people will think of it quickly (I am just an ordinary person).
In principle, the part of the packet that affects the switch's CAM table is the DLC (data link) layer: the first fourteen bytes of the packet, which contain the source and destination MAC addresses (6 bytes each) and a 2-byte protocol type. So what other packets carry these fourteen bytes? Lots of them: TCP, UDP, ICMP and so on. So let's get started right away and send a UDP packet with machine C's MAC as the source from machine B to machine A, and likewise TCP and ICMP. Later we found we had celebrated too early: the Caiying and Road Patrol ARP firewalls still filter IP spoofing. I was in pain, depressed, desperate, scratching my head and scratching it again ...... Haha, I finally figured out a way to get past the ARP firewall. (Don't throw rotten eggs; this really is hard work, boys, and I had to work overtime at night to write this for everyone.) In principle, those firewalls use NDIS to filter the TCP/IP protocols, so we try IPX and other protocols, since they also start with the fourteen-byte header. Operate right away ............ The process is omitted; the result is perfect. It completely breaks through the firewall's restrictions and achieves the expected result.
It seems I can go to bed. (Another rotten egg is thrown.) Some people say you have done all this just to confuse us; you also ask us to learn Sniffer Pro first for testing and then fill in dozens to hundreds of bytes of packet data, by which time it is far too late. (It seems I cannot go to bed after all. I have to catch a train back to Beijing tomorrow, bad luck.)
I have to try again. Now that we all know it is the fourteen-byte header that is used, the protocol type can be set as needed, even to some non-existent protocol type; let's leave it to the firewall authors to work out how to define and implement filtering for that. Imagine that, to send a packet, we only need to change the fourteen-byte header; that is much easier than editing everything in Sniffer Pro. But I am a bit lazy, and since I started programming late and my skills are not good, I took a TCP SYN packet sender posted on the internet and made some changes to achieve our goal. It sends packets of only 54 bytes, the first 14 bytes can be changed at will, and the rest is filled with zeros. I set no limit on the number of packets sent or on the send rate; by rough calculation it sends more than 10 thousand per second. Be careful when using this tool.
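To make the CAM-table behaviour and the role of the fourteen-byte header concrete, here is an added example that is not the author's tool: a toy learning switch that forwards frames using only the destination MAC, source MAC and protocol type, a scenario in which host B replays frames carrying host C's source MAC, and a check that flags a MAC address flapping between ports, which is the footprint an administrator can look for on the real switch. The hosts, ports and MAC addresses are constructed; 0x88B5 (the IEEE local-experimental EtherType) stands in for the made-up protocol type the text describes.

```python
import struct
from collections import Counter

def parse_ethernet_header(frame: bytes):
    """Split the 14-byte header: destination MAC, source MAC (6 bytes each), 2-byte type."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), ethertype

def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"\x00" * 40) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload  # 14-byte header plus padding

class Switch:
    """Toy learning switch: the CAM table maps a source MAC to the last port it was seen on."""
    def __init__(self):
        self.cam = {}
        self.moves = []  # (mac, old_port, new_port) each time a learned entry changes port

    def ingress(self, port: int, frame: bytes):
        dst, src, _ = parse_ethernet_header(frame)  # only the 14-byte header is consulted
        old = self.cam.get(src)
        if old is not None and old != port:
            self.moves.append((src, old, port))
        self.cam[src] = port  # dynamic learning: the most recent source port wins
        return self.cam.get(dst, "flood")  # egress port, or flood if dst is not yet learned

def flapping_macs(moves, threshold: int):
    """Detection check: MACs whose CAM entry moved between ports at least `threshold` times."""
    counts = Counter(mac for mac, _, _ in moves)
    return {mac for mac, n in counts.items() if n >= threshold}

# Constructed hosts: A on port 1, B (the replaying host) on port 2, C (the victim) on port 3.
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000002", "0a0000000003"))

def run_scenario(replays_per_round: int = 5, rounds: int = 3):
    sw = Switch()
    sw.ingress(1, make_frame(MAC_C, MAC_A, 0x0800))  # A -> C: switch learns A on port 1
    sw.ingress(3, make_frame(MAC_A, MAC_C, 0x0800))  # C -> A: switch learns C on port 3
    delivered_to = []
    for _ in range(rounds):
        # B replays frames whose source MAC is C's, addressed to the puppet A, using the
        # experimental EtherType 0x88B5: the switch relearns C on port 2 regardless of type.
        for _ in range(replays_per_round):
            sw.ingress(2, make_frame(MAC_A, MAC_C, 0x88B5))
        delivered_to.append(sw.ingress(1, make_frame(MAC_C, MAC_A, 0x0800)))  # A -> C lands on B
        sw.ingress(3, make_frame(MAC_A, MAC_C, 0x0800))  # C's own traffic pulls the entry back
    return delivered_to, sw.moves, flapping_macs(sw.moves, threshold=3)
```

Because the replayed frames carry C's MAC, B's own MAC never appears in the CAM table; what the switch does record is the port C's entry keeps jumping to, which is where a flap alert would point an administrator.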

I provide a small tool so that Sniffer Pro is not needed for testing. I firmly despise the terrorists who are used to sabotaging networks (because if you attack me, I have no good way to find the real source). I hope you use your imagination and find a perfect solution, to improve security for all of us enthusiasts.

Download: http://211.154.169.179/antiswitch.rar
Unzip password: antis
The server is often unstable. If you need the tool, you can email me for it.
Email: zhihui13@gmail.com

Author: Feng smart
If you repost this, please credit the source. The author has nothing to do with the consequences of any network damage caused by the above techniques and tools.

This post contains an attachment: http://dl2.csdn.net/down4/20080416/16134504160.rar
