Tuesday, December 21, 2010


Securing the Campus Infrastructure


Understanding and securing against MAC layer attacks



What is MAC flooding

An attacker floods the switch with frames carrying bogus source MAC addresses until the CAM (MAC address) table is full. Once the table is full the switch can no longer learn the addresses of legitimate hosts and has to flood unicast frames out of every port in the VLAN, which has two effects:
- it slows down the network
- the attacker can capture traffic that is normally not seen on his port

Mitigation for MAC flooding

You can use port security in order to limit the number of MAC addresses allowed on a switch port.
In addition, if the device on a switch port has no interest in flooded unicast traffic, use the following command on that port:

Switch (config-if) # switchport block unicast
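The effect of a full CAM table, and of port security on the attacker's port, is easier to see on a small model than on a real switch. The following is an added example written for this page, not the author's material: a pure-Python switch with a bounded CAM table, an attacker on port 3 sending frames from random source MACs (what a tool like macof does), and an optional per-port MAC limit that behaves like IOS port security in violation mode "shutdown" (`switchport port-security`, `switchport port-security maximum <n>`, `switchport port-security violation shutdown`). The CAM size, the eviction policy (oldest entry out when full; real switches vary, some simply stop learning) and the MAC addresses are modelling assumptions.

```python
"""Model of a switch CAM table under MAC flooding, with and without port security.

Constructed simulation (not Cisco code). Modelling assumptions:
- the CAM table holds `cam_size` entries and evicts the oldest one when full
  (real switches vary: some simply stop learning);
- port security counts the distinct source MACs seen per port and, like IOS
  violation mode "shutdown", puts the port into err-disabled state when the
  limit is exceeded.
"""
from collections import OrderedDict
import random


class Switch:
    def __init__(self, ports, cam_size, port_security_max=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.port_security_max = port_security_max
        self.cam = OrderedDict()                       # mac -> port, insertion order = age
        self.secure_macs = {p: set() for p in ports}   # port -> MACs learned by port security
        self.err_disabled = set()
        self.stats = {"forwarded": 0, "flooded": 0, "dropped": 0}

    def _learn(self, mac, port):
        """Learn a source MAC; return False (and err-disable the port) on a violation."""
        if self.port_security_max is not None:
            seen = self.secure_macs[port]
            if mac not in seen:
                if len(seen) >= self.port_security_max:
                    self.err_disabled.add(port)
                    return False
                seen.add(mac)
        if mac in self.cam:
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)               # evict the oldest entry
        self.cam[mac] = port
        return True

    def receive(self, src, dst, in_port):
        """Switch one frame; return the list of ports it is sent out of."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            self.stats["dropped"] += 1
            return []
        out = self.cam.get(dst)
        if out is None:                                 # unknown destination: flood
            self.stats["flooded"] += 1
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        self.stats["forwarded"] += 1
        return [out]


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def run_scenario(port_security_max=None, bogus_frames=5000, seed=1):
    """Alice (port 1) and Bob (port 2) talk, then Mallory (port 3) floods the CAM table."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_size=1024, port_security_max=port_security_max)
    alice, bob = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # made-up addresses
    sw.receive(alice, bob, 1)                           # both get learned
    sw.receive(bob, alice, 2)
    for _ in range(bogus_frames):                       # macof-style flood from port 3
        sw.receive(random_mac(rng), "ff:ff:ff:ff:ff:ff", 3)
    return {
        "alice_to_bob": sw.receive(alice, bob, 1),      # [2] if Bob is still known, [2, 3] if flooded
        "port3_err_disabled": 3 in sw.err_disabled,
        "cam_entries": len(sw.cam),
        "stats": dict(sw.stats),
    }


if __name__ == "__main__":
    print("no port security    :", run_scenario())
    print("port security max 1 :", run_scenario(port_security_max=1))
```

Without port security Alice's frame to Bob ends up on port 3 as well, because Bob's entry was pushed out of the table by the bogus ones; with a limit of one MAC on port 3 the second bogus frame err-disables the port and the CAM table never grows past the three real entries.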
VLAN hopping

VLAN hopping is a type of attack that allows a malicious user to reach hosts in a VLAN to which he does not belong. There are two variants: switch spoofing with DTP, and double tagging.

Switch spoofing with DTP

By default the ports of a Cisco switch run DTP and can negotiate a trunk. An attacker can send DTP frames in order to form a trunk with the switch; in this way the attacker is able to sniff all trunk traffic, and so the traffic of every VLAN allowed on the trunk.

An attacker can also send the DTP frames from an unauthorized Cisco switch, in order to form a trunk link with an authorized switch and sniff all the VLAN traffic allowed on the trunk link. Usually switch ports are configured with auto negotiation turned on, so a single DTP negotiation frame is enough to form the trunk.

VLAN hopping with double tagging

In this case the attacker forwards frames into a VLAN that would not be accessible to him by legitimate means, using two 802.1Q tags. Conditions:
- the attacker must be connected to an access port of a switch
- the same switch must have at least one port in 802.1q trunk
- the attacker must belong to the native VLAN set on the trunk link

As shown in the figure above, as soon as Catalyst A receives the frame with two tags, since the first tag refers to the native VLAN 10, it treats the frame as native VLAN traffic to be transmitted on the trunk link without any tag (by definition native VLAN traffic is untagged), and for this reason the first tag is removed. At this point Catalyst B receives a frame with the VLAN 20 tag and transmits it into VLAN 20. The attacker is thus able to "inject" frames into a VLAN to which he does not belong. Note that the attack is one-way: the attacker can send into VLAN 20, but the replies are not carried back to him.



Mitigating VLAN hopping

Against double tagging it is enough to use a "strange" VLAN id as the native VLAN and then prune the native VLAN from the trunk:

Switch (config) # vlan 800
Switch (config-vlan) # name bogus_native
Switch (config-vlan) # exit
Switch (config) # interface GigabitEthernet 1/1
Switch (config-if) # switchport trunk encapsulation dot1q
Switch (config-if) # switchport trunk native vlan 800
Switch (config-if) # switchport trunk allowed vlan remove 800
Switch (config-if) # switchport mode trunk

Although the native VLAN is pruned from the link, control traffic such as CDP, PAgP and DTP, which is normally untagged, continues to be sent on the link.
In addition, unused ports should be disabled or placed in a VLAN that is not routed (i.e. one that does not take part in inter-VLAN routing).
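To show concretely why the bogus native VLAN plus pruning defeats the double-tagging attack described above, here is an added byte-level model written for this page (not the author's code): it builds a real 802.1Q double-tagged frame, pushes it through an access port on "Catalyst A", across the trunk, and into "Catalyst B", once with native VLAN 10 and once with the configuration shown above (native VLAN 800, removed from the allowed list). The MAC addresses, payload and VLAN numbers other than 10, 20 and 800 are made up, and the switch behaviour is reduced to the three rules the attack depends on. Keep in mind that this configuration covers double tagging only; the DTP switch-spoofing variant is addressed by putting user ports in `switchport mode access` with `switchport nonegotiate`, and by hard-coding real trunks with `switchport mode trunk` and `switchport nonegotiate`.

```python
"""Byte-level model of 802.1Q double tagging across two trunked switches.

Constructed example, not vendor code. It models only what matters for the
attack: an access port that accepts a tag equal to its own VLAN, a trunk that
sends the native VLAN untagged, and a trunk that maps untagged frames to the
native VLAN. MAC addresses and payload are made up.
"""
import struct

TPID = 0x8100                       # 802.1Q tag protocol identifier
ETH_IP = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Catalyst A, access port: untagged frames and frames tagged with the access
    VLAN are accepted (the tag is stripped); any other tag is dropped.
    Returns (vlan, frame) or (None, None)."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vlan, allowed):
    """Catalyst A, trunk port: the native VLAN leaves untagged, others get a tag."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan:
        return frame                   # no tag added: this is the hole double tagging uses
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, allowed):
    """Catalyst B, trunk port: tagged -> that VLAN, untagged -> native VLAN."""
    vid = outer_vid(frame)
    if vid is None:
        vid = native_vlan
    else:
        frame = pop_tag(frame)
    if vid not in allowed:
        return None, None
    return vid, frame


def simulate(attacker_vlan, native_vlan, allowed, target_vlan):
    """Attacker on an access port in `attacker_vlan` sends [attacker_vlan][target_vlan];
    return the VLAN Catalyst B delivers the frame into (None = dropped)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        [attacker_vlan, target_vlan], ETH_IP, b"injected payload")
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, frame, native_vlan, allowed)
    if wire is None:
        return None
    vlan_b, _ = trunk_ingress(wire, native_vlan, allowed)
    return vlan_b


if __name__ == "__main__":
    # native VLAN 10 == attacker's VLAN: the frame hops into VLAN 20
    print("native 10   :", simulate(10, native_vlan=10, allowed={10, 20}, target_vlan=20))
    # bogus native VLAN 800, pruned from the trunk: the frame stays in VLAN 10
    print("native 800  :", simulate(10, native_vlan=800, allowed={10, 20}, target_vlan=20))
    # even a host placed in VLAN 800 cannot use the trunk, because 800 is not allowed
    print("in vlan 800 :", simulate(800, native_vlan=800, allowed={10, 20}, target_vlan=20))
```

With native VLAN 10 the outer tag is stripped on the way out and Catalyst B reads the inner tag, so the frame lands in VLAN 20; with native VLAN 800 Catalyst A tags the frame with VLAN 10 itself, Catalyst B keeps it in VLAN 10, and the inner tag is just payload. The third call shows why the native VLAN is also removed from the allowed list: nothing in VLAN 800 can cross the trunk at all.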

DHCP Snooping

DHCP spoofing is a type of attack in which a device pretends to be the DHCP server and answers the DHCP requests sent by the hosts: it only has to hand out addresses in the right subnet with itself as the default gateway, and in this way the hosts send their traffic to the rogue gateway, which receives and sniffs it illegally. This type of attack is solved using the concept of trusted and untrusted ports on a switch. On a trusted port DHCP replies are accepted, while on an untrusted port they are not: the switch drops the packet (and, on Cisco switches, the port can also be put into errdisable mode when the DHCP snooping rate limit configured on it is exceeded). So the DHCP servers are connected to trusted ports, and you know where to expect DHCP replies from.
Enable DHCP snooping with:
Switch (config) # ip dhcp snooping
By default all ports are untrusted. The following commands make a port trusted:
Switch (config) # interface type mod/num
Switch (config-if) # ip dhcp snooping trust
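The trusted/untrusted decision is simple enough to write down as code. The block below is an added example for this page (not Cisco's implementation): it builds minimal but well-formed DHCP packets (RFC 2131 BOOTP header, magic cookie, option 53) and runs them through a snooper that forwards anything from a trusted port, drops server messages (OFFER/ACK/NAK, or any BOOTREPLY) arriving on untrusted ports, and err-disables an untrusted port whose DHCP packet rate exceeds a limit, as IOS does with `ip dhcp snooping limit rate`. Port numbers, MACs and addresses are invented. One practical caveat the commands above do not show: on IOS the feature also has to be switched on per VLAN with `ip dhcp snooping vlan <id>`, otherwise the global `ip dhcp snooping` does nothing.

```python
"""Model of DHCP snooping: server messages are only accepted on trusted ports.

Constructed example, not Cisco code. The packet builder produces a minimal but
well-formed BOOTP/DHCP message (RFC 2131 layout) so the snooper parses real
bytes; ports, MACs and addresses are invented. The rate limit mirrors IOS
behaviour where an untrusted port exceeding its DHCP packet rate is err-disabled.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER: "OFFER", ACK: "ACK", NAK: "NAK"}


def build_dhcp(op, msg_type, xid=0x1234, yiaddr="0.0.0.0", chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Minimal DHCP packet: 236-byte BOOTP header, magic cookie, option 53, end."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)          # op htype hlen hops xid secs flags
    hdr += socket.inet_aton("0.0.0.0")                                # ciaddr
    hdr += socket.inet_aton(yiaddr)                                   # yiaddr
    hdr += socket.inet_aton("0.0.0.0") * 2                            # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Return (op, message type) after walking the option list."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, msg_type, i = pkt[0], None, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                     # pad
            i += 1
            continue
        if code == 255:                   # end
            break
        length = pkt[i + 1]
        if code == 53 and length == 1:
            msg_type = pkt[i + 2]
        i += 2 + length
    return op, msg_type


class DhcpSnooper:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit       # DHCP packets per second allowed on an untrusted port
        self.err_disabled = set()
        self.counts = {}                   # (port, second) -> packets seen
        self.log = []

    def process(self, pkt, in_port, t=0.0):
        """Return 'forward' or 'drop' for one DHCP packet seen on `in_port` at time t."""
        if in_port in self.err_disabled:
            return "drop"
        if in_port in self.trusted:        # trusted: replies are expected here, no checks
            return "forward"
        key = (in_port, int(t))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.rate_limit is not None and self.counts[key] > self.rate_limit:
            self.err_disabled.add(in_port)
            self.log.append(f"port {in_port}: DHCP rate limit exceeded, err-disabled")
            return "drop"
        op, msg_type = parse_dhcp(pkt)
        if op == BOOTREPLY or msg_type in SERVER_MESSAGES:
            name = SERVER_MESSAGES.get(msg_type, "BOOTREPLY")
            self.log.append(f"port {in_port}: server message {name} on untrusted port dropped")
            return "drop"
        return "forward"


def demo():
    """Client on port 1, real DHCP server on trusted port 24, rogue server on port 2."""
    snoop = DhcpSnooper(trusted_ports={24}, rate_limit=15)
    results = {
        "client_discover": snoop.process(build_dhcp(BOOTREQUEST, DISCOVER), in_port=1),
        "server_offer": snoop.process(build_dhcp(BOOTREPLY, OFFER, yiaddr="10.0.0.50"), in_port=24),
        "rogue_offer": snoop.process(build_dhcp(BOOTREPLY, OFFER, yiaddr="10.0.0.66"), in_port=2),
    }
    for _ in range(20):                    # a DISCOVER storm on port 1 exceeds the per-second limit
        snoop.process(build_dhcp(BOOTREQUEST, DISCOVER), in_port=1, t=5.0)
    results["port1_err_disabled"] = 1 in snoop.err_disabled
    results["port2_err_disabled"] = 2 in snoop.err_disabled
    results["log"] = list(snoop.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, ":", value)
```

The rogue OFFER on port 2 is dropped and logged but the port stays up, which matches plain snooping; only the DISCOVER storm on port 1 trips the rate limit and err-disables that port.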

