Switch guard against typical spoofing and two-layer attacks

Source: Internet
Author: User
Tags: cisco switch

1. Prevention of MAC/CAM attacks
  1.1 Principle and harm of MAC/CAM attacks
  1.2 Typical viruses that exploit MAC/CAM attacks
  1.3 Using the Port Security feature to protect against MAC/CAM attacks
  1.4 Configuration
  1.5 Using other techniques to prevent MAC/CAM attacks

2. Prevention of DHCP attacks
  2.1 Common issues with DHCP management
  2.2 DHCP snooping technology overview
  2.3 Basic precautions
  2.4 Advanced precautions

3. ARP spoofing / MITM (man-in-the-middle) attack principle and prevention
  3.1 MITM (man-in-the-middle) attack principle
  3.2 Attack instances
  3.3 Precautionary approach
  3.4 Configuration examples
  3.5 Effect after configuring DAI

4. Prevention of IP/MAC spoofing
  4.1 Common types and purposes of spoofing attacks
  4.2 Attack instances
  4.3 Prevention of IP/MAC spoofing
  4.4 Configuration examples

5. New approaches to IP address management and virus protection
  5.1 IP address management
  5.2 Virus problems that can be solved using DHCP snooping, DAI and IP Source Guard
  
The attacks and spoofing discussed in this article operate mainly at the link layer and the network layer. In a real network environment their source can be summarized as two kinds: deliberate human action, and viruses or worms. Human attacks usually involve hacker tools that scan and sniff the network, obtain administrative accounts and their passwords, and plant Trojans on the network in order to steal confidential documents. This kind of attack and spoofing tends to be covert and quiet, but it is extremely harmful to enterprises with high information security requirements. Attacks from Trojans, viruses and worms, on the other hand, often go beyond the attack or spoofing itself; the symptoms are sometimes very obvious, such as increased network traffic, high device CPU utilization and layer-2 spanning-tree loops, up to the point where the network is paralyzed.
  
Such attack and spoofing tools are now very mature and easy to use, while most enterprises still have many gaps in their defenses against them, so there is much work to be done. Cisco has a proven solution for this type of attack, based on several key technologies:
  
Port Security Feature
DHCP snooping
Dynamic ARP Inspection (DAI)
IP Source Guard
  
The following sections focus on the most typical current layer-2 attacks and spoofing, and on how to combine and deploy the above technologies on a Cisco switch to prevent man-in-the-middle attacks, MAC/CAM attacks, DHCP attacks, address spoofing and so on in a switched environment. More significantly, deploying these technologies can simplify address management, allow a user's IP address to be traced directly to the corresponding switch port, and prevent IP address conflicts. At the same time, most viruses that do great harm to layer-2 networks through address scanning, spoofing and similar behaviour can be effectively alarmed on and isolated.
  
1 Prevention of MAC/CAM attacks
  
1.1 Principle and harm of MAC/CAM attacks
  
The switch actively learns the MAC addresses of clients and builds and maintains a table mapping ports to MAC addresses, which it uses to establish the forwarding path; this is what we call the CAM table. The size of the CAM table is fixed and differs between switch models. A MAC/CAM attack uses tools to generate spoofed source MACs and quickly fill the CAM table. Once the CAM table is full, the switch floods frames out of every port, and the attacker can then use various sniffing tools to capture network information. When the CAM table is full, traffic is flooded to all interfaces, and traffic on trunk interfaces is also flooded to all interfaces and to neighbouring switches, which overloads the switch, slows the network, and can even paralyze it.
  
1.2 Typical viruses that exploit MAC/CAM attacks
  
The SQL worm that once posed a huge threat to networks used multicast destination addresses to construct fake target MACs and fill the switch CAM table.
  
1.3 Using the Port Security feature to protect against MAC/CAM attacks
  
The Cisco Port Security feature can prevent MAC spoofing and MAC/CAM attacks. By configuring Port Security you can control:
  
The maximum number of MAC addresses allowed on the port
Which MAC addresses the port may learn or pass
How violations (MACs beyond the specified number) are handled
  
The MAC addresses a port may learn or pass can be defined statically by hand, or learned automatically by the switch. The switch learns MACs on the port dynamically until the specified number is reached, after which it learns no more. The newer technique is Sticky Port Security: the switch writes the learned MAC addresses into the port configuration, so they still exist after the switch reboots.
  
There are generally three ways to handle MACs beyond the specified number (they differ by switch model):
  
Shutdown. This is the strongest protection, but in some situations it is troublesome to manage, for example when a device is infected by a virus that intermittently forges source MACs and sends packets into the network.
Protect. Discard the illegal traffic without alarming.
Restrict. Discard the illegal traffic and alarm. Compared with the above, this raises switch CPU utilization, but it does not affect normal use of the switch. This method is recommended.
  
1.4 Configuration
  
Port-security configuration options:
  
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  
  
Configuring the maximum number of MACs, violation handling and the recovery method:
  
Cat4507(config)# int fastethernet 3/48
Cat4507(config-if)# switchport port-security
Cat4507(config-if)# switchport port-security maximum 2
Cat4507(config-if)# switchport port-security violation shutdown
Cat4507(config)# errdisable recovery cause psecure-violation
Cat4507(config)# errdisable recovery interval 30
  
  
MAC addresses learned through Sticky Port-security appear in the port configuration:
  
interface FastEthernet3/29
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.db1d.6ccd
 switchport port-security mac-address sticky 000b.db1d.6cce
 switchport port-security mac-address sticky 000d.6078.2d95
 switchport port-security mac-address sticky 000e.848e.ea01
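To make the difference between the three violation modes concrete, here is an added Python model of how a port-security port with a configured maximum reacts to source MACs in protect, restrict and shutdown mode. It is an illustration written for this page, not Cisco code or the article's own; the class and function names and the sample MACs are constructed.

```python
from dataclasses import dataclass, field

# Added illustration (not from the original article): a minimal model of a
# Cisco port-security port. Names and sample MACs are constructed; the
# behaviour follows the three violation modes described in section 1.3.

@dataclass
class PortSecurityPort:
    maximum: int                      # switchport port-security maximum N
    violation: str                    # "protect", "restrict" or "shutdown"
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0          # counter/alarm raised only in "restrict" mode
    err_disabled: bool = False        # set once "shutdown" mode has err-disabled the port

    def receive_frame(self, src_mac: str) -> str:
        """Return what the port does with a frame from src_mac:
        'forward', 'drop' or 'errdisable'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "errdisable"           # port stays down until errdisable recovery
        if mac in self.secure_macs:
            return "forward"              # already a secure (learned or sticky) MAC
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)     # dynamic learning up to the maximum
            return "forward"
        # A new source MAC beyond the maximum is a security violation.
        if self.violation == "shutdown":
            self.err_disabled = True      # strongest: the whole port goes err-disabled
            return "errdisable"
        if self.violation == "restrict":
            self.violation_count += 1     # drop and raise the violation counter (alarm)
        return "drop"                     # "protect" drops silently, "restrict" drops with alarm

def errdisable_recover(port: PortSecurityPort) -> None:
    """Model 'errdisable recovery cause psecure-violation' bringing the port back up."""
    port.err_disabled = False

def simulate(mode: str, frames, maximum: int = 2) -> list:
    """Feed a sequence of source MACs to a fresh port and return the per-frame actions."""
    port = PortSecurityPort(maximum=maximum, violation=mode)
    return [port.receive_frame(m) for m in frames]

# Constructed sample: two legitimate hosts, a third unknown MAC (as a CAM-flooding
# tool or worm would produce), then the first legitimate host again.
SAMPLE = ["000b.db1d.6ccd", "000b.db1d.6cce", "dead.beef.0001", "000b.db1d.6ccd"]
```

Note that in protect and restrict mode the legitimate hosts keep working after the violation, while in shutdown mode they are cut off until the port recovers.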
  
1.5 Using other techniques to prevent MAC/CAM attacks
  
In addition to Port Security, DAI technology can also protect against MAC address spoofing.
  
2 Prevention of DHCP attacks
  
2.1 Common issues with DHCP management
  
Using a DHCP server automatically sets the IP address, mask, gateway, DNS, WINS and other network parameters, which simplifies user network settings and improves management efficiency. However, DHCP management brings some problems that network managers often face; common ones are:
  
Impersonation of the DHCP server.
DoS attacks on the DHCP server.
Some users arbitrarily assigning their own addresses, causing network address conflicts.
  
Because of the way DHCP works, there is usually no authentication between server and client, so if there is more than one DHCP server on the network the network becomes chaotic. Chaos caused by a user accidentally configuring a DHCP server is very common, which shows how simple deliberate sabotage would be. A typical attack first exhausts the IP addresses the legitimate DHCP server can allocate and then impersonates a legitimate DHCP server. The most covert and dangerous method is for an attacker to use the impersonated DHCP server to hand users a modified DNS server address; users who are unaware are then directed to a pre-built fake bank or e-commerce site that steals their accounts and passwords.
  
DoS attacks on the DHCP server can be handled with the Port Security and DAI technologies mentioned earlier, and address conflicts caused by users arbitrarily assigning addresses can be handled with the DAI and IP Source Guard technologies discussed later. This section focuses on techniques against DHCP spoofing.
  
2.2 DHCP snooping technology overview
  
DHCP snooping is a DHCP security feature that builds and maintains a DHCP snooping binding table and uses it to filter untrusted DHCP messages, that is, DHCP messages arriving from untrusted ports. The binding table records the user's MAC address, IP address, lease time, VLAN ID, interface and so on for the untrusted side, as shown in the following output:
  
CAT4507# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0d:60:2d:45:0d   10.149.3.13      600735      dhcp-snooping        GigabitEthernet1/0/7
  
This table not only solves the problem of tracking a DHCP user's IP address to its switch port, which is convenient for user management, but also feeds Dynamic ARP Inspection (DAI) and IP Source Guard.
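As an added example (not from the article or from Cisco), the following Python parses the `show ip dhcp snooping binding` output format shown above and then applies the check that IP Source Guard and DAI derive from the binding table: a packet from an untrusted port is accepted only if its source MAC and IP match a binding for that VLAN and interface. The sample output, the regular expression and the function names are constructed for this illustration.

```python
import re

# Added illustration (not from the original article): parse "show ip dhcp
# snooping binding" output and use the bindings the way IP Source Guard / DAI
# do, admitting only traffic whose (MAC, IP, VLAN, port) matches a binding.
# The sample output below is constructed.

SAMPLE_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0d:60:2d:45:0d   10.149.3.13      600735      dhcp-snooping  3     GigabitEthernet1/0/7
00:0b:db:1d:6c:cd   10.149.3.20      86400       dhcp-snooping  3     GigabitEthernet1/0/8
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"   # MAC in colon notation
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"           # dotted-quad IP
    r"(?P<lease>\d+)\s+"                             # remaining lease in seconds
    r"(?P<type>\S+)\s+"                              # dhcp-snooping or static
    r"(?P<vlan>\d+)\s+"                              # VLAN ID
    r"(?P<intf>\S+)\s*$",                            # ingress interface
    re.IGNORECASE,
)

def parse_bindings(text: str) -> list:
    """Return one dict per binding line; header and separator lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            d["lease"] = int(d["lease"])
            d["vlan"] = int(d["vlan"])
            bindings.append(d)
    return bindings

def source_guard_allows(bindings, src_mac: str, src_ip: str, vlan: int, intf: str) -> bool:
    """IP Source Guard style check: a packet on an untrusted port is admitted only
    if a binding ties its source MAC and IP to that VLAN and interface."""
    return any(
        b["mac"] == src_mac.lower() and b["ip"] == src_ip
        and b["vlan"] == vlan and b["intf"].lower() == intf.lower()
        for b in bindings
    )
```

A host that keeps its DHCP-assigned MAC but claims a different IP, or the same MAC/IP pair appearing on a different port, fails the check, which is exactly the spoofing the later sections on DAI and IP Source Guard address.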
  
2.3 Basic precautions
  
First, define trusted and untrusted ports on the switch; DHCP packets arriving on untrusted ports are intercepted and inspected, and abnormal DHCP packets from these ports are dropped.
  
A basic configuration example is shown below:
  
IOS global commands:
  
ip dhcp snooping vlan 100,200   ! defines which VLANs have DHCP snooping enabled
ip dhcp snooping
  
Interface commands:
  
ip dhcp snooping trust
no ip dhcp snooping trust   ! (default)
ip dhcp snooping limit rate <pps>   ! limits DHCP packets per second, which to some extent prevents DHCP denial-of-service attacks
  
Adding a DHCP binding table entry manually:
  
ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000

This article is from the "Sky" blog; please keep this source: http://haikuotiankong.blog.51cto.com/633188/1695326
