DHCP snooping


Data Link Layer Security
Lecture 3
Supakorn Kungpisdan
[email protected]
Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques
NETE4630: Advanced Network Security and Implementation
Task: MAC Address Spoofing
- What is MAC address spoofing?
- What is its purpose?
- Explain how it works
Passive VS Active Sniffing
- Passive sniffing uses a sniffer (Ethereal, now Wireshark, or tcpdump) to monitor the packets arriving at the interface without sending anything
- It relies on a network-card feature called promiscuous mode
- In promiscuous mode the card passes every frame it sees to the operating system, rather than only frames unicast to the host's own MAC address or broadcast
- However, passive sniffing works poorly on a switched network: the switch forwards a unicast frame only to the port on which it learned the destination MAC address
- The attacker's port therefore sees only broadcasts, multicasts, flooded unknown-unicast frames and frames addressed to the attacker, all within the attacker's own VLAN
Active Sniffing
- Active sniffing injects packets into the network so that traffic which would not normally be sent to your system is sent to it
- Active sniffing is required to bypass the segmentation a switch provides
- In wireless networks, passive sniffing sends no packets and only monitors the frames sent by others
- Active wireless sniffing sends out probe requests to identify access points (APs)
ARP Poisoning
- Performing active sniffing on switched Ethernet
ARP Poisoning (cont.)
- By claiming the default gateway's IP address in forged ARP replies, the attacker makes every host on the subnet route its outbound traffic through the attacker's machine
- This requires poisoning the ARP cache of every host on the subnet
- It is simpler and quieter to target a single host
- Do not claim another client's IP address as your own interface address; that creates an address conflict the victim may notice
- To perform ARP poisoning on a UNIX host, publish a proxy-ARP entry so that the host answers ARP requests for the victim's IP with our MAC address:
  # arp -s <victim IP> <our MAC address> pub
  To intercept both directions, publish entries for the victim and for the gateway, and enable IP forwarding so the relayed traffic still reaches its destination
- Alternatively, use Cain and Abel
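The frame behind the attack, as an added example that is not part of the lecture: it builds the forged ARP reply an attacker sends to a victim (the gateway's IP paired with the attacker's MAC, which is the kind of reply a published `arp -s ... pub` entry or Cain and Abel produces) and models the stateless ARP cache that accepts it. All addresses are constructed for the demonstration; nothing is sent on a network.

```python
import struct
from typing import Dict

# Constructed addresses for the demonstration (assumptions, not from the lecture)
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"
VICTIM_IP = "192.168.1.10"
VICTIM_MAC = "00:11:22:33:44:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 packet for Ethernet/IPv4, 28 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_ip: str, sender_mac: str, target_ip: str, target_mac: str) -> bytes:
    """Ethernet II frame carrying an ARP reply.

    The sender fields are what the receiver caches. To poison the victim,
    sender_ip is the gateway's IP and sender_mac is the attacker's MAC.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        ARP_FMT,
        1,         # hardware type: Ethernet
        0x0800,    # protocol type: IPv4
        6, 4,      # hardware / protocol address lengths
        ARP_REPLY,
        mac_bytes(sender_mac), ip_bytes(sender_ip),
        mac_bytes(target_mac), ip_bytes(target_ip),
    )
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the ARP fields of an Ethernet/ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip)}


class ArpCache:
    """Host ARP cache that updates on any reply it sees.

    This is the stateless behaviour the attack relies on: no check that a
    request was outstanding and no check against the existing entry, so a
    forged reply overwrites the genuine one.
    """

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def receive(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp["op"] == ARP_REPLY:
            self.table[arp["sender_ip"]] = arp["sender_mac"]

    def lookup(self, ip: str) -> str:
        return self.table[ip]


def poison_demo() -> ArpCache:
    """The victim first learns the real gateway, then receives the forged reply."""
    victim = ArpCache()
    victim.receive(build_arp_reply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC))
    victim.receive(build_arp_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC))
    return victim
```

After `poison_demo()` the victim's cache maps the gateway's IP to the attacker's MAC, so every frame it sends to the gateway is delivered to the attacker's port. The attacker has to repeat the reply before the entry ages out, which is why poisoning tools send continuously, and that repetition is also what Dynamic ARP Inspection later in this lecture catches.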
Cain and Abel
WinArpAttacker
ARP Flooding
- ARP flooding is often grouped with ARP cache poisoning, but it is aimed at the MAC table of the switch rather than at the ARP caches of hosts
- Also known as a CAM table overflow attack
- Some switches drop into a hub-like mode when the CAM table is full: a frame whose destination MAC cannot be learned is flooded out of every port
- CAM (Content Addressable Memory) is a physical part of a switch
- The CAM table stores which MAC addresses are reachable on each physical port and their associated VLAN
- CAM is ordinary memory of limited size (thousands of entries on a typical access switch)
- WinArpAttacker can also perform an ARP flood
ARP Flooding (cont.)
- In 1999, Ian Vitek created a tool called macof, later integrated into dsniff, which floods the switch with frames from random, invalid source MAC addresses (up to 155,000 per minute)
- This quickly fills the CAM table of the switch to which the attacking computer is connected, and of adjacent switches, which learn the same addresses on their trunk ports
- Once the table is full the switch can no longer learn new addresses, so traffic to any MAC it has not learned is flooded out of every port in the VLAN, as a hub would do
- The attacker can then sniff that traffic; combined with ARP poisoning this enables a MITM attack
- The switch keeps flooding only while the attacker keeps the table full, because learned entries age out
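A model of the overflow and of the port-security defence mentioned later in this lecture, as an added example that is not from the lecture or from any vendor: a learning switch with a fixed-size CAM table, an attacker on port 3 flooding random source MACs the way macof does, and an optional per-port MAC limit. The port numbers, table size and addresses are constructed.

```python
import random
from typing import Dict, List, Optional, Set


def random_mac() -> str:
    """Random locally administered unicast MAC, as macof-style floods use."""
    first = (random.randrange(256) & 0xFC) | 0x02   # clear multicast bit, set local bit
    rest = [random.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in [first] + rest)


class Switch:
    """Learning switch with a fixed-size MAC table (CAM) and optional port security.

    Constructed model, not any vendor's implementation: a full table simply
    stops learning, so frames for an unlearned destination are flooded.
    """

    def __init__(self, ports: List[int], cam_size: int, max_macs_per_port: Optional[int] = None):
        self.ports = ports
        self.cam_size = cam_size
        self.cam: Dict[str, int] = {}                       # MAC -> port
        self.max_macs = max_macs_per_port                   # None: port security off
        self.secure: Dict[int, Set[str]] = {p: set() for p in ports}
        self.err_disabled: Set[int] = set()

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Process one frame and return the ports it is forwarded to."""
        if in_port in self.err_disabled:
            return []
        if self.max_macs is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= self.max_macs:
                # Port security violation: shut the port, as IOS 'violation shutdown' does
                self.err_disabled.add(in_port)
                return []
            self.secure[in_port].add(src)
        # Learn the source address if the table has room
        if src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src] = in_port
        # Known unicast goes to one port; anything else is flooded (hub-like)
        if dst in self.cam and self.cam[dst] != in_port:
            return [self.cam[dst]]
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


def flood_then_sniff(protect: bool) -> bool:
    """Return True if the attacker on port 3 receives a unicast meant for the server on port 2."""
    random.seed(1)
    sw = Switch(ports=[1, 2, 3], cam_size=1000, max_macs_per_port=3 if protect else None)
    client, server = "00:00:00:00:00:01", "00:00:00:00:00:02"
    # Attacker on port 3 floods frames with random source MACs (what macof does)
    for _ in range(2000):
        sw.receive(3, random_mac(), random_mac())
    # The server now sends a frame; a full table cannot learn its address
    sw.receive(2, server, client)
    # Client sends a unicast to the server; with the table full it is flooded
    egress = sw.receive(1, client, server)
    return 3 in egress
```

`flood_then_sniff(False)` returns True: the attacker's port receives the client-to-server unicast. With `protect=True` the fourth source MAC on port 3 trips the limit, the port is err-disabled, the table keeps room for the real hosts and the unicast goes only to port 2. The model has no aging timer; on a real switch the attacker must keep flooding so that aged-out entries cannot be re-learned.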
DHCP
DHCP Starvation Attack
- Consumes the IP address space allocated by a DHCP server
- An attacker broadcasts a large number of DHCP requests (DHCPDISCOVER/DHCPREQUEST), each with a different spoofed client MAC address
- The DHCP server leases its addresses one by one to the attacker until the pool is exhausted and nothing remains for new, legitimate clients
- Leads to a DoS, and clears the way for a rogue DHCP server, since the real server can no longer answer
Rogue DHCP Server
- Set up a rogue DHCP server that serves clients with false configuration
- E.g. giving them its own IP address as the default router (or as the DNS server)
- Result: all of the clients' traffic passes through the attacker's computer
- A rogue DHCP server works even without a starvation attack, because clients accept the first DHCPOFFER they receive; starvation only makes the race reliable
- Both attacks can be carried out with gobbler
Preventing DHCP Attacks
- A DHCP starvation attack can be prevented with port security features that allow no more than X MAC addresses on one port, because each spoofed lease request normally carries a different source MAC
- Caveat: port security sees only the Ethernet source address; a tool that varies just the client hardware address (chaddr) inside the DHCP payload while keeping one source MAC gets past it, which is why DHCP snooping also checks that chaddr matches the frame's source MAC
- A rogue DHCP server is harder to prevent
- One option is "Authentication for DHCP Messages" (RFC 3118), but it is rarely deployed
- Some smarter and more expensive switches have a "DHCP snooping" function that filters DHCP messages from non-trusted hosts
- It keeps a database of trusted and untrusted interfaces
DHCP Snooping
- DHCP snooping provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table
- An untrusted message is one received from outside the network or firewall (in practice, from any port not explicitly marked trusted) that could be used to attack hosts inside the network
- Each entry in the DHCP snooping binding table contains:
  - MAC address,
  - IP address,
  - lease time,
  - binding type,
  - VLAN number, and
  - interface information
  corresponding to the local untrusted interfaces of a switch
- Entries are learned from the DHCPACK the trusted server sends to a client on an untrusted port, and removed when the lease expires or the client sends a DHCPRELEASE
DHCP Snooping (cont.)
- An untrusted interface is one configured to receive messages from outside the network or firewall; by default every interface is untrusted
- A trusted interface is one configured to receive only messages from within the network: the port facing the authorized DHCP server and the uplinks towards it
- DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
- DHCP snooping is used to prevent rogue DHCP servers
- Server messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted interface are dropped; if DHCP rate limiting is configured and a port exceeds its limit, the switch err-disables (shuts down) that port
- The switch trusts the interface to which the authorized DHCP server is connected
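A model of the filtering and binding-table logic described above, as an added example that is not from the lecture or from any switch vendor: it drops server messages on untrusted ports (rogue server), checks that the DHCP chaddr matches the frame source MAC, err-disables a port that exceeds a DHCP rate limit (starvation flood), and learns bindings from DHCPACKs seen on the trusted server port. Port numbers, VLAN, addresses and the rate limit are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message types (RFC 2132 option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpMessage:
    """Only the fields DHCP snooping inspects (constructed model, not a parser)."""
    in_port: int
    vlan: int
    src_mac: str          # Ethernet source address of the frame
    msg_type: int
    chaddr: str           # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: int
    binding_type: str = "dhcp-snooping"


@dataclass
class DhcpSnoopingSwitch:
    trusted_ports: Set[int]
    rate_limit: int = 10                                             # client DHCP packets per port
    bindings: Dict[str, Binding] = field(default_factory=dict)       # keyed by client MAC
    pending: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # chaddr -> (port, vlan)
    counters: Dict[int, int] = field(default_factory=dict)
    err_disabled: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def receive(self, m: DhcpMessage) -> bool:
        """Return True if the message is forwarded, False if dropped."""
        if m.in_port in self.trusted_ports:
            # Trusted: no filtering, but an ACK to a client we saw creates a binding
            if m.msg_type == ACK and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = Binding(m.chaddr, m.yiaddr, m.lease, vlan, port)
            return True
        if m.in_port in self.err_disabled:
            return False
        # Untrusted port: a DHCP server must never speak here (rogue server)
        if m.msg_type in SERVER_MESSAGES:
            return self._drop(m, "server message on untrusted port")
        # Client may not forge the hardware address inside the payload
        if m.chaddr != m.src_mac:
            return self._drop(m, "chaddr does not match frame source MAC")
        # Rate limit: a starvation flood trips it and the port is shut down
        self.counters[m.in_port] = self.counters.get(m.in_port, 0) + 1
        if self.counters[m.in_port] > self.rate_limit:
            self.err_disabled.add(m.in_port)
            return self._drop(m, "rate limit exceeded, port err-disabled")
        if m.msg_type in (DISCOVER, REQUEST):
            self.pending[m.chaddr] = (m.in_port, m.vlan)
        elif m.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(m.chaddr)
            if b is None or b.port != m.in_port:
                return self._drop(m, "release/decline does not match a binding")
            del self.bindings[m.chaddr]
        return True

    def _drop(self, m: DhcpMessage, reason: str) -> bool:
        self.log.append(f"drop port {m.in_port} type {m.msg_type} from {m.src_mac}: {reason}")
        return False


def demo() -> DhcpSnoopingSwitch:
    sw = DhcpSnoopingSwitch(trusted_ports={24})             # real DHCP server on port 24
    host, server = "00:11:22:33:44:10", "00:aa:bb:cc:dd:ee"
    # Legitimate exchange: DISCOVER/REQUEST from port 1, OFFER/ACK via trusted port 24
    sw.receive(DhcpMessage(1, 10, host, DISCOVER, host))
    sw.receive(DhcpMessage(24, 10, server, OFFER, host, "192.168.10.50", 3600))
    sw.receive(DhcpMessage(1, 10, host, REQUEST, host))
    sw.receive(DhcpMessage(24, 10, server, ACK, host, "192.168.10.50", 3600))
    # Rogue server on untrusted port 5 answers another client: dropped
    sw.receive(DhcpMessage(5, 10, "de:ad:be:ef:00:01", OFFER, "00:11:22:33:44:11", "192.168.10.1"))
    # Starvation flood from port 7 with a fresh MAC per request
    for i in range(20):
        mac = f"02:00:00:00:00:{i:02x}"
        sw.receive(DhcpMessage(7, 10, mac, DISCOVER, mac))
    return sw
```

The binding created for port 1 is what IP Source Guard and Dynamic ARP Inspection consult later in this lecture. On Cisco IOS the corresponding configuration is `ip dhcp snooping`, `ip dhcp snooping vlan 10`, `ip dhcp snooping trust` on the server-facing interface and `ip dhcp snooping limit rate 10` on access ports.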
Enabling DHCP Snooping
Adding Information to DHCP Snooping DB
IP Source Guard
- IP Source Guard is enabled on a DHCP snooping untrusted Layer 2 port
- For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
  - Source IP address filter: IP traffic is filtered on its source IP address. Only IP traffic whose source IP address matches an IP source binding entry for that port is permitted
  - Source IP and MAC address filter: IP traffic is filtered on both its source IP address and its source MAC address; only IP traffic whose source IP and MAC addresses match an IP source binding entry is permitted
- Until a host on the port obtains a lease (and so a binding), only DHCP traffic is allowed through; hosts with static addresses need a manually configured static binding
Configuring IP Source Guard
Dynamic ARP Inspection
- On Cisco devices, this is called Dynamic ARP Inspection (DAI)
- DAI is a security feature that validates ARP packets in a network
- It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
- DAI ensures that only valid ARP requests and responses are relayed
- The switch performs these activities:
  1. Intercepts all ARP requests and responses on untrusted ports
  2. Verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to the appropriate destination
  3. Drops invalid packets
DAI (cont.)
- DAI determines the validity of an ARP packet from the IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database
- In non-DHCP environments, DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses
- If the ARP packet is received on a trusted interface, the switch forwards it without any checks
DAI (cont.)
- By default, all interfaces are untrusted
- The switch does not check ARP packets it receives from another switch on a trusted interface (the upstream switch is expected to have inspected them)
- For untrusted interfaces, the switch intercepts all ARP requests and responses and verifies that they have valid IP-to-MAC address bindings before updating its local cache and before forwarding the packet to the appropriate destination
- It first checks the ARP access control list, if one is applied to the VLAN
- A packet not covered by the ACL is then checked against the DHCP snooping database
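The decision logic of DAI and of IP Source Guard over one shared binding table, as an added example serving both the IP Source Guard slide and the DAI slides; it is not from the lecture or from Cisco. It applies the order described above (trusted port, then ARP ACL, then DHCP snooping bindings), checks that the Ethernet source matches the ARP sender address, and implements the two IPSG filtering levels. The topology, addresses and ACL are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table (or a static entry)."""
    ip: str
    mac: str
    vlan: int
    port: int
    kind: str = "dhcp-snooping"


@dataclass
class ArpPacket:
    in_port: int
    vlan: int
    src_mac: str      # Ethernet source address
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str


@dataclass
class IpPacket:
    in_port: int
    vlan: int
    src_mac: str
    src_ip: str


class BindingFilters:
    """DAI and IP Source Guard decisions over one binding table (constructed model)."""

    def __init__(self, bindings: List[Binding], trusted_ports, arp_acl=None, ipsg_ports=None):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        # ARP ACL per VLAN: (ip, mac, permit) entries, consulted before the bindings
        self.arp_acl: Dict[int, List[Tuple[str, str, bool]]] = arp_acl or {}
        # IPSG mode per port: "ip" (source IP only) or "ip-mac" (source IP and MAC)
        self.ipsg_ports: Dict[int, str] = ipsg_ports or {}
        self.log: List[str] = []

    def _deny(self, reason: str) -> bool:
        self.log.append(reason)
        return False

    def inspect_arp(self, p: ArpPacket) -> bool:
        """DAI: True if the ARP packet may be forwarded."""
        if p.in_port in self.trusted:
            return True                                   # trusted ports are never checked
        if p.src_mac != p.sender_mac:                     # 'validate src-mac' style check
            return self._deny(f"DAI port {p.in_port}: frame source {p.src_mac} != ARP sender {p.sender_mac}")
        for ip, mac, permit in self.arp_acl.get(p.vlan, []):
            if ip == p.sender_ip and mac == p.sender_mac:
                return permit or self._deny(f"DAI port {p.in_port}: ACL denies {ip}/{mac}")
        # No ACL decision: fall back to the snooping bindings
        # (hosts without a DHCP lease need an ACL entry or a static binding)
        if any(b.ip == p.sender_ip and b.mac == p.sender_mac and b.vlan == p.vlan
               for b in self.bindings):
            return True
        return self._deny(f"DAI port {p.in_port}: no binding for {p.sender_ip}/{p.sender_mac}")

    def verify_ip_source(self, p: IpPacket) -> bool:
        """IP Source Guard: True if the IP packet may enter on this port."""
        mode = self.ipsg_ports.get(p.in_port)
        if mode is None:
            return True                                   # IPSG not enabled on this port
        for b in self.bindings:
            if b.port == p.in_port and b.vlan == p.vlan and b.ip == p.src_ip:
                if mode == "ip" or b.mac == p.src_mac:
                    return True
        return self._deny(f"IPSG port {p.in_port}: {p.src_ip}/{p.src_mac} has no binding")


def demo_filters() -> BindingFilters:
    """Constructed topology: DHCP clients on ports 1-2, static host on 3, uplink on 24."""
    return BindingFilters(
        bindings=[
            Binding("192.168.10.50", "00:11:22:33:44:10", 10, 1),
            Binding("192.168.10.51", "00:11:22:33:44:11", 10, 2),
            Binding("192.168.10.200", "00:11:22:33:44:c8", 10, 3, kind="static"),
        ],
        trusted_ports={24},
        arp_acl={10: [("192.168.10.200", "00:11:22:33:44:c8", True)]},
        ipsg_ports={1: "ip", 2: "ip-mac"},
    )
```

With this table an ARP reply from an untrusted port that claims the gateway's address with an unknown MAC (the ARP poisoning attack from earlier in the lecture) has no ACL entry and no binding, so it is logged and dropped, while the static host on port 3 is admitted by the ACL. For IPSG, port 1 in "ip" mode accepts any MAC with the bound IP, port 2 in "ip-mac" mode requires both to match. The real IOS commands are `ip arp inspection vlan 10`, `ip arp inspection trust` on uplinks, and `ip verify source` (with `port-security` for the IP+MAC level) on access ports.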
DAI (cont.)
Configuring DAI in DHCP Environments
- Both Switch A and Switch B run DAI on VLAN 1, where the hosts are located
- A DHCP server is connected to Switch A; both hosts acquire IP addresses from that server
- Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2 only, since only Host 2's DHCP exchange passes through it
- The link between the two switches is configured as trusted on both switches; otherwise Switch B, which has no binding for Host 1, would drop Host 1's ARP packets
Configuring ARP ACLs in non-DHCP Environments
- Switch B does not support DAI or DHCP snooping, but Switch A does
- If port 1 on Switch A (the link to Switch B) is configured as trusted, a security hole is created, because Switch A and Host 1 could then be attacked by either Switch B or Host 2
- Thus, configure port 1 on Switch A as untrusted and add an ARP ACL entry for Host 2's static IP and MAC address
- If the IP address of Host 2 is not static, so that no ACL configuration on Switch A is possible, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them
Configuring ARP ACLs in non-DHCP Environments (cont.)
Routing Games
- Another way to make all traffic from a host pass through your machine is to change the routing table of the host you wish to monitor
- Send a fake route advertisement via RIP, declaring yourself the default gateway
- All outbound traffic then passes through your host before going on to the real default gateway
- But you may not receive the returning traffic unless you can also modify the default gateway's routing table
- This only works against hosts that run a routing daemon accepting unauthenticated RIP updates; ordinary end hosts do not
Cracking WEP
- WEP is based on the RC4 cipher
- RC4 is a stream cipher: it expands a key into a keystream that is XORed with the plaintext
- RC4 was widely trusted when WEP was designed, but it has known keystream biases and is now deprecated (RFC 7465 prohibits it in TLS)
- Regardless of the cipher, the vendors made a mistake when designing the WEP protocol
- They reuse the Initialization Vector: the IV is only 24 bits, so IVs and hence keystreams repeat on a busy network, and the IV is simply prepended to the shared key, which allows the key to be recovered from frames sent with weak IVs
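What IV reuse costs, as an added example that is not from the lecture: a plain RC4 implementation, WEP-style per-packet keying (IV prepended to the shared key, IV sent in clear, ICV omitted), and the recovery of a second frame's plaintext from two ciphertexts that share an IV plus one predictable header. The key, IV and frames are constructed; the LLC/SNAP header used as known plaintext is the real one that precedes IP and ARP in 802.11 data frames.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA); included only to show keystream reuse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP style: the per-packet RC4 key is IV (3 bytes) || shared key, and the
    IV travels in clear in front of the ciphertext (the real WEP ICV is omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_with_reused_iv(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 xor C2 = P1 xor P2;
    knowing P1 (a predictable header) yields P2 without ever learning the key."""
    if c1[:3] != c2[:3]:
        raise ValueError("different IVs: the keystreams are independent")
    n = min(len(c1), len(c2), len(known_p1) + 3)
    return xor(xor(c1[3:n], c2[3:n]), known_p1[: n - 3])


def expected_frames_until_iv_repeat() -> int:
    """Birthday bound: with 2^24 random IVs a repeat is expected after about
    sqrt(pi/2 * 2^24) frames; a sequential IV counter wraps after 2^24 frames."""
    return int(math.sqrt(math.pi / 2 * 2 ** 24))


def demo() -> bool:
    key = b"\x01\x02\x03\x04\x05"                    # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    p1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"         # LLC/SNAP header before IPv4, predictable
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"         # same header before ARP
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return recover_with_reused_iv(c1, c2, p1) == p2
```

`demo()` recovers the second frame's header bytes exactly, and `expected_frames_until_iv_repeat()` shows that a few thousand frames suffice before the first IV collision even with random IVs. The weak-IV key recovery (FMS) the slide alludes to is a separate attack on how the IV is concatenated with the key and is not shown here.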
RC4 Operation
Wireless Active Attacks
- Active wireless attacks encompass spoofing and DoS attacks
- Spoofing: use NetStumbler to identify the MAC address of a victim, then change your own MAC address to match it (defeats MAC-address filtering on the AP)
- DoS: flood the wireless network with forged management or control frames, e.g. deauthentication frames that knock clients off the AP
Jamming Attacks
- Jamming attacks use radio-frequency interference to disrupt wireless transmissions
- This effectively performs a DoS attack on the wireless network, and no protocol-level defence helps against it
MITM Attacks
- Set up your wireless card in a configuration identical to an existing hotspot, including a spoofed SSID (an "evil twin")
- A client cannot distinguish the legitimate AP from the spoofed AP without an authentication protocol running on top of the wireless link that authenticates the network, such as 802.1X/EAP with server-certificate validation
Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques
Using Encryption
- The use of encryption, assuming the mechanism itself is sound, defeats any attacker who can only passively monitor the network: the sniffer still captures the frames but cannot read them
- IPsec and OpenVPN protect all traffic between two endpoints at the network layer
- However, at the time of this lecture these technologies were not widely used on the Internet outside of large enterprises
- Application-layer alternatives: SSH, SSL/TLS, PGP, S/MIME
- Encryption hides contents, not the fact of communication: addresses and traffic volumes stay visible, and an active attacker in the middle can still impersonate an endpoint unless the protocol authenticates it
Secure Shell (SSH)
- A cryptographically secure replacement for the standard UNIX telnet, remote login (rlogin), remote shell (rsh) and remote copy (rcp) commands
- It consists of a client and a server; public-key cryptography is used to authenticate the server (and optionally the user) and to agree on a session key, and the session itself is encrypted with a symmetric cipher
- The server's host key must be verified on first connection; otherwise an attacker who has poisoned ARP can sit in the middle and present a key of their own
- Implementations: OpenSSH, PuTTY
Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques
Local Detection
- Many operating systems provide a way to determine whether a network interface is running in promiscuous mode
- On UNIX, ifconfig lists the PROMISC flag on such an interface (on Linux, ip link show reports it as well, and the kernel logs "device eth0 entered promiscuous mode")
- However, if the host is compromised, an attacker may replace the ifconfig binary with one that does not report interfaces in promiscuous mode, so a local check on an untrusted host proves nothing
Local Detection (cont.)
Network Detection: DNS Lookups
- A sniffing host can sometimes be found through the reverse DNS lookups it performs
- Forward DNS lookup: resolve an IP address from a given hostname
- Reverse DNS lookup: resolve a hostname from a given IP address
- Many sniffers resolve the addresses they capture into names, so monitor the network for hosts that perform an unusually large number of reverse lookups for addresses they never exchange traffic with
- Generate a fake connection from a non-existent address on the local network, then watch for DNS queries that try to resolve that fake address: only a host that captured the traffic has any reason to look it up, which gives the sniffer away
Network Detection: Latency
Detect a variation in the host's response time to network traffic (e.g. ping), since a sniffing host must process every frame on the wire and slows down under load:
1. Probe the suspected host with ping and sample its response time
2. Generate a large amount of network traffic
3. Probe the host again and sample the response time
- If the response time increases significantly, the host may be a monitoring host
Network Detection: Driver Bugs
- Some Linux versions had a bug in a common Ethernet driver path
- When the interface is in promiscuous mode, the OS fails to perform the Ethernet destination-address check itself
- Normally a frame with a wrong destination MAC address is dropped by the NIC at the data-link layer
- A host in promiscuous mode receives such a frame anyway and, because of the bug, passes it up the stack as if it were addressed to it
- Send an ICMP echo request to the host with its valid IP address but an invalid destination MAC address
- If the host answers the ping, it is running in promiscuous mode
- A stack that does check the MAC address in software gives no reply even when sniffing, so a negative result proves nothing
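The probe described above, as an added example that is not from the lecture: it builds an Ethernet/IPv4/ICMP echo request with the target's real IP address but a destination MAC no NIC accepts in normal mode, with correct IP and ICMP checksums, and a matcher that recognises the echo reply a promiscuous host would send. Addresses, the identifier and the interface name are constructed; the sending stub at the bottom needs Linux, root and a raw packet socket and is not exercised here.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# A destination MAC no NIC accepts in normal mode: broadcast with the last bit cleared
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_probe(target_ip: str, our_ip: str, our_mac: str, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Ethernet/IPv4/ICMP echo request addressed to the target's IP but to a bogus MAC."""
    payload = b"promisc-probe"
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ip_bytes(our_ip), ip_bytes(target_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(BOGUS_DST_MAC) + mac_bytes(our_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + icmp


def is_reply_to_probe(frame: bytes, target_ip: str, ident: int = 0x1234) -> bool:
    """True if the frame is an ICMP echo reply from target_ip carrying our identifier.

    A host whose NIC filters on MAC address never sees the probe, so any reply
    means the interface is in promiscuous mode (and the driver skips the check).
    """
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    proto, src = frame[23], frame[26:30]
    if proto != 1 or src != ip_bytes(target_ip):
        return False
    icmp = frame[14 + ihl:]
    if len(icmp) < 8 or checksum(icmp) != 0:          # a valid ICMP checksum verifies to zero
        return False
    icmp_type, _, _, reply_ident, _ = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type == ICMP_ECHO_REPLY and reply_ident == ident


if __name__ == "__main__":
    # Sending needs Linux, root and a raw packet socket; "eth0" is an assumed interface name
    import socket
    probe = build_probe("192.168.1.10", "192.168.1.20", "00:11:22:33:44:20")
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind(("eth0", 0))
        s.send(probe)
```

To run the test for real, capture on the same interface and feed each received frame to `is_reply_to_probe`; a match means the target processed a frame its NIC should have discarded. Send several probes with different bogus addresses (for example also a multicast-looking one), since which addresses slip through depends on the driver.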
To Read
- Hack-The-Stack: pages 104-123
- Quiz: 5%
Question?
Next week
Network Layer Security
MAC Address Spoofing (cont.)
- Replaces the CAM table entry of a known MAC address with the attacker's port: the attacker sends frames with the victim's MAC as source, so the switch re-learns that address on the attacker's port
- Causes the switch to send traffic destined for the attacked computer's port to the port where the attacker is connected
- Causes service disruption and can be used for a MITM attack, with the attacker sniffing the packets destined for the attacked computer
- Can be blocked only in the switches, if they have facilities for it (port security with statically configured or sticky MAC addresses)