Transcript Lecture 3: Data Link Layer Security

Data Link Layer Security
Lecture 3
Supakorn Kungpisdan
[email protected]
NETE4630
1
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
2
NETE4630
MAC Address Spoofing
• What is MAC address spoofing?
• What is its purpose?
• Explain how it works
3
NETE4630
Passive VS Active Sniffing
• Passive sniffing involves using a sniffer (Ethereal or
Tcpdump) to monitor incoming packets
• Passive sniffing relies on a feature of network cards
called promiscuous mode
• When placed in promiscuous mode, a network card will
pass all packets on to the operating system, rather
than just those unicast or braodcast to the host
• However, passive sniffing does not work well in a
switched network
• The attacker can sniff traffic within his/her VLAN
4
NETE4630
Active Sniffing
• Active sniffing relies on injecting packets into the
network that causes traffic that should not be
sent to your system, to be sent to your system
• Active sniffing is required to bypass the
segmentation that switches provide
• In wireless networks, passive sniffing involves
sending no packets, and monitoring the packets
sent by others.
• Active wireless sniffing involves sending out
multiple network probes to identify APs
5
NETE4630
ARP Poisoning
• Performing active sniffing on switches ethernet
6
NETE4630
ARP Poisoning (cont.)
• By spoofing the default gateway’s IP address, all hosts
on the subnet will router through the attacker’s machine
– You have to poison the ARP cache of every host on the subnet
– Better if targeting a single host on the network
– Should not spoof the IP of another client
• To perform ARP poisoning,
– # arp –s <victim IP> <our MAC address> pub
• Alternatively, use Cain and Abel
7
NETE4630
Cain and Abel
8
NETE4630
WinArpAttacker
9
NETE4630
ARP Flooding
• ARP flooding is another ARP Cache Poisoning
technique aimed at network switches
• Aka CAM Table Overflow attack
• Some switches will drop into a hub-like mode when the
CAM table is flooded
• CAM (Content Addressable Memory) is a physical part of
a switch
• CAM stores information about MAC addresses available
on each physical port and their associated VLAN
parameters
• CAM is a normal memory limited in size
• Can also use WinArpAttacker to perform ARP Flood
10
NETE4630
ARP Flooding (cont.)
• In 1999, Ian Vitek created a tool called macof, later
integrated in dsniff, which floods with invalid source
MAC addresses (up to 155,000/minute)
• This quickly fills up the CAM table of the switch to which
the computer running this tool is connected, and also the
adjacent switches
• The switch is too busy to enforce its port security and
broadcasts all traffic to every port in the network
• Thus making possible a MITM attack – the attacker can
start sniffing network traffic
11
NETE4630
DHCP
12
NETE4630
DHCP Starvation Attack
• Consuming the IP address space allocated by a
DHCP server
• An attacker broadcasts a large number of DHCP
requests using spoofed MAC addresses
• The DHCP server will lease its IP addresses one
by one to the attacker until it runs out of
available IPs for new, normal clients
• Leads to DoS
13
NETE4630
Rogue DHCP Server
• Set up a rogue DHCP server serving clients with
false details
– E.g. giving them its own IP as default router
– Result in all the traffic passing through the attacker’s
computer
• Rogue DHCP server can be set up even without
DHCP starvation attack, as clients accept the
first DHCPOFFER they receive
• Both attacks can be accomplished using gobbler
14
NETE4630
Preventing DHCP Attacks
• DHCP Starvation Attack can be prevented by
using port security features that don’t allow more
than X MAC addresses on one port
• Rogue DHCP is more difficult to prevent
– May implement “Authentication for DHCP
Messages” (RFC3118)
– Some smart and expensive switches have “DHCP
snooping” functions which filters DHCP messages
from non-trusted hosts
• It contains database of trusted and untrusted interfaces
15
NETE4630
DHCP Snooping
• DHCP snooping provides security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping
binding table
• An untrusted message is a message that is received from outside
the network or firewall and that can cause traffic attacks within your
network
• DHCP snooping binding table contains the MAC address, IP
address, lease time, binding type, VLAN number, and interface
information that corresponds to the local untrusted interfaces of a
switch
• An untrusted interface is an interface that is configured to receive
messages from outside the network or firewall
• A trusted interface is an interface that is configured to receive only
messages from within the network
16
NETE4630
DHCP Snooping (cont.)
• DHCP snooping acts like a firewall between untrusted
hosts and DHCP servers.
• It also gives you a way to differentiate between untrusted
interfaces connected to the end-user and trusted
interfaces connected to the DHCP server or another
switch
• DHCP snooping is used to prevent rogue DHCP server
• If the DHCPOFFER came from an untrusted interface,
the switch shuts down the port
• The switch trusts the interface to which the authorized
DHCP server is connected
17
NETE4630
DHCP Snooping (cont.)
18
NETE4630
Enabling DHCP Snooping
19
NETE4630
Adding Information to DHCP Snooping DB
20
NETE4630
IP Source Guard
• IP Source Guard is enabled on a DHCP snooping
untrusted Layer 2 port
• For each untrusted Layer 2 port, there are two levels of
IP traffic security filtering:
– Source IP address filter: IP traffic is filtered based on its source
IP address. Only IP traffic with a source IP address that matches
the IP source binding entry is permitted
– Source IP and MAC address filter: IP traffic is filtered based on
its source IP address and its MAC address; only IP traffic with
source IP and MAC addresses matching the IP source binding
entry are permitted
21
NETE4630
Configuring IP Source Guard
22
NETE4630
Dynamic ARP Inspection
• For cisco devices, it is called Dynamic ARP Inspection
(DAI)
• DAI is a security feature that validates ARP packets in a
network
• It intercepts, log, and discards ARP packets with invalid
IP-to-MAC address bindings.
• DAI ensures that only valid ARP requests and responses
are relayed.
• The switch performs these activities:
– Intercepts all ARP requests and responses on untrusted ports
– Verifies that each of these intercepted packets has a valid IP-toMAC address binding before updating the local ARP cach or
before forwarding the packet to the appropriate destination
– Drops invalid packets
23
NETE4630
Dynamic ARP Inspection (cont.)
• Dynamic ARP inspection determines the validity of an
ARP packet based on IP-to-MAC address bindings
stored in a trusted database, the DHCP snooping
binding database
• In non-DHCP environments, DAI can validate ARP
packets against user-configured ARP access control lists
(ACLs) for hosts with statically configured IP addresses
• If the ARP packet is received on a trusted interface, the
switch forwards the packet without any checks
24
NETE4630
DAI (cont.)
• By default, all interfaces are untrusted
• The switch does not check ARP packets that it receives
from the other switch in the trusted interface
• For untrusted interfaces, the switch intercepts all ARP
requests and responses. It verifies that the intercepted
packets have valid IP-to-MAC address bindings before
updating local cache and before forwarding the packet to
the appropriate destination
– Firstly it checks from ARP access control list
– If no such ACL, check from DHCP snooping database
25
NETE4630
DAI (cont.)
26
NETE4630
Configuring DAI in DHCP Environments
• Both Switch A and B are running DAI on VLAN1 where
the hosts are located
• A DHCP server is connected to Switch A. both hosts
acquire IP addresses from the same DHCP server
• Switch A has the bindings for Host 1 and Host 2, and
Switch B has the binding for Host 2
27
NETE4630
Configuring ARP ACLs in non-DHCP
Environments
• Switch B does not support DAI or DHCP snooping, but
Switch A does
• If configuring port 1 on Switch A as trusted, a security
hole is created because Switch A and Host 1 could be
attacked by either Switch B or Host 2
• Thus, configure port 1 on Switch A as untrusted
• If the IP address of Host 2 is not static, such that it is
impossible to apply the ACL configuration on Switch A,
you must separate Switch A from Switch B at Layer 3
and use router to route packets between them
28
NETE4630
Configuring ARP ACLs in non-DHCP
Environments (cont.)
29
NETE4630
Routing Games
• One method to ensure that all traffic on a network will
pass through your host is to change the routing table of
the host you wish to monitor
• Sending a fake route advertisement via the RIP,
declaring yourself as the default gateway
• All outbound traffic will pass though your host then go to
the real default gateway
• But may not receive returned traffic unless you can
modify the default gateway’s routing table
30
NETE4630
Cracking WEP
• WEP is based on RC4 cipher
• RC4 is a stream cipher
• RC4 itself is very secure; it is employed by the
military for use in highly sensitive operations
• However vendors made a mistake while
implementing the WEP protocol
– They reuse the Initialization Vector
31
NETE4630
RC4 Operation
32
NETE4630
Wireless Active Attacks
• Active wireless attack encompass spoofing and
DoS attacks
• Spoofing: Use Netstumbler to identify the MAC
address of the victim and modify one’s MAC
address to match it
• DoS: sending multiple control packets to a
wireless network
33
NETE4630
Jamming Attacks
• Jamming attacks rely on using radio frequency
to interfere with wireless transmissions
• This will effectively perform a DoS attack on the
wireless network
34
NETE4630
MITM Attacks
• Setting your wireless card up in an identical
configuration as an existing hotspot (including
spoofed SSID)
• A client is unable to distinguish the legitimate AP
from your spoofed AP without running additional
authentication protocols on top of the wireless
media.
35
NETE4630
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
36
NETE4630
Using Encryption
• The use of encryption, assuming its mechanism
is valid, will thwart any attacker attempting to
passively monitor the network
• IPSec and OpenVPN
• However, these technologies are not widely
used on the internet outside of large enterprises
• SSH, SSL, PGP, S/MIME
37
NETE4630
Secure Shell (SSH)
• A cryptographic secure replacement of the
standard UNIX Telnet, Remote Login (rlogin),
Remote Shell (RSH), and Remote Copy
Protocol (RCP) commands
• It consists of both a client and a server that use
public-key cryptography to provide session
encryption
• OpenSSH, PuTTY
38
NETE4630
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
39
NETE4630
Local Detection
• Many OS provide a mechanism to determine
whether a network interface is running in
promiscuous mode
• Using ifconfig command on UNIX
• However, if the host is compromised, an attacker
may replace ifconfig command with the one
that does not report interfaces in promiscuous
mode
40
NETE4630
Local Detection (cont.)
41
NETE4630
Network Detection: DNS Lookups
• Performing reverse DNS lookup possibly can find a
sniffing host
– Forward DNS lookup: resolve IP from given hostname
– Reverse DNS lookup: resolve hostname from given IP
• Additional network traffic is generated; mainly the DNS
query to look up the network address.
– It is possible to monitor the network for hosts that are performing
a large number of address lookups alone
• Alternatively, we can generate a false network
connection from a non-active address. Then we can
monitor the network for DNS queries that attempt to
resolve the faked address, giving away the sniffing host
42
NETE4630
Network Detection: Latency
•
Detect latency variation in the host’s
response to network traffic (i.e. ping)
1. Start with probing (by pinging) a suspected
host initially, then sample the response time
2. Generate a large amount of network traffic
3. Probe the host again and sample the response
time
•
If the response time changes significantly, the host
may potentially be a monitoring host
43
NETE4630
Network Detection: Driver Bugs
• In some Linux OS, there is a bug in a common
Ethernet driver
• If the host is running in promiscuous mode, the
OS failed to perform Ethernet address checks
• Normally, packets that did not correspond to the
host’s MAC address would have been dropped
at the data-link layer.
• If the host is running in promiscuous mode, it will
not drop the packet with invalid MAC address
44
NETE4630
Network Detection: Driver Bugs (cont.)
• To determine whether the host was in
promiscuous mode by sending an ICMP ping
request to the host, with a valid IP address and
an invalid Ethernet address.
• If the host responded to this ping request, it was
determined to be running in promiscuous mode
45
NETE4630
To Read
• Hack-The-Stack: Page 104-123
• Quiz: 5%
46
NETE4630
Question?
Next week
Network Layer Security
NETE4630
47