Understanding, Preventing, and Defending Against Layer 2 Attacks
Yusuf Bhaiji
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
2
Agenda
Layer 2 Attack Landscape
Attacks and Counter Measures
VLAN Hopping
MAC Attacks
DHCP Attacks
ARP Attacks
Spoofing Attacks
General Attacks
Summary
Caveats
All attacks and mitigation techniques assume a switched Ethernet network running IP
If it is shared Ethernet access (WLAN, hub, etc.), most of these attacks get much easier
If you are not using Ethernet as your L2 protocol, some of these attacks may not work, but chances are you are vulnerable to different types of attacks
New theoretical attacks can move to practical in days
All testing was done on Cisco Ethernet switches
Ethernet switching attack resilience varies widely from vendor to vendor
This is not a comprehensive talk on configuring Ethernet switches for security: the focus is mostly access L2 attacks and their mitigation
These are IPv4-only attacks today
There are data center sessions for security; this session is about access ports for users
Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without the knowledge of each other
[Figure: Host A and Host B, each with the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); the peers exchange an Application Stream, Protocols/Ports, IP Addresses, MAC Addresses and Physical Links at the corresponding layers]
Lower Levels Affect Higher Levels
Unfortunately, this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
Security is only as strong as the weakest link
When it comes to networking, layer 2 can be a very weak link
[Figure: the same two OSI stacks; an initial compromise at the Data Link layer (MAC Addresses) leaves Physical Links, IP Addresses, Protocols/Ports and the Application Stream (POP3, IMAP, IM, SSL, SSH) compromised as well]
Who Owns VLANs? NetOPS/SecOPS?
[Figure: cartoon of NetOPS and SecOPS answering the same questions]
Questions:
Security policy for VLANs?
Do you use VLANs often?
Do you use VLANs for security?
What addresses are assigned per VLAN?
We have L2 security issues?
NetOPS answers:
"I use them all the time"
"Routing in and out of the same switch is fine, that is why we have a Layer 3 switch"
"Security guy asks for a segment, I make a VLAN and give it some addresses"
SecOPS answers:
"I handle it at L3 and above"
"I have no idea how often"
"It is a switch, why would I care?"
"I ask NetOPS, they give me ports and addresses"
FBI/CSI Risk Assessment*
Many enterprises' network ports are open
Usually any laptop can plug into the network and gain access to the network
Of companies surveyed, total loss was over $130 million
Average spending per employee: $241 per year
28% said they had no idea how many times, or if, they were attacked
*CSI/FBI Computer Crime and Security Survey 2005
http://www.ussecurityawareness.org/highres/free-resources.html
FBI/CSI Risk Assessment
28% said they did not know when or if they were attacked
Yet 32% said they never had an attack on the inside?
Basic Trunk Port Defined
[Figure: two switches, each with hosts in VLAN 10 and VLAN 20, joined by a trunk carrying the Native VLAN, VLAN 10 and VLAN 20]
Trunk ports have access to all VLANs by default
Used to carry traffic for multiple VLANs across the same physical link (generally between switches or phones)
Encapsulation can be 802.1q or ISL
Dynamic Trunk Protocol (DTP)
What is DTP?
Automates 802.1q/ISL trunk configuration
Operates between switches (a Cisco IP phone is a switch)
Does not operate on routers
Support varies, check your device
DTP synchronizes the trunking mode on end links
DTP state on an 802.1q/ISL trunking port can be set to Auto, On, Off, Desirable, or Non-Negotiate
Basic VLAN Hopping Attack
[Figure: an end station in VLAN 10 negotiates a trunk (Native VLAN, VLAN 10, VLAN 20) with its access switch, which is itself trunked (Native VLAN, VLAN 10, VLAN 20) to a second switch with hosts in VLAN 10 and VLAN 20]
An end station can spoof as a switch with ISL or 802.1q
The station is then a member of all VLANs
Requires a trunking configuration of the Native VLAN to be VLAN 1
Double 802.1q Encapsulation VLAN Hopping Attack
[Figure: the attacker sends a frame carrying two 802.1q tags (802.1q,802.1q); the first switch strips off the first tag and sends the frame back out as a single 802.1q frame; the next switch removes that tag and delivers a plain frame]
Send 802.1q double encapsulated frames
Switch performs only one level of decapsulation
Unidirectional traffic only
Works even if trunk ports are set to off
Note: only works if the trunk has the same VLAN as the attacker
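As an added illustration (not part of the presentation, and a simplified model rather than any switch's implementation), the Python below builds a double-tagged frame in memory and walks it through two modelled switches. It shows why the outer tag only disappears when the attacker's access VLAN is the trunk's native VLAN, why the frame stays in the attacker's VLAN once the native VLAN is a dedicated ID or is tagged on the trunk, and includes a tag-depth check of the kind a capture-based monitor could use. Frame bytes, VLAN numbers and all function names are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_tags(frame: bytes):
    """Peel every 802.1Q tag off a raw Ethernet frame.
    Returns (dst, src, [vlan ids outermost first], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype != TPID_8021Q:
            break
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4
    return dst, src, vlans, ethertype, frame[off + 2:]


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame with zero or more 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def tag_depth(frame: bytes) -> int:
    """Number of nested 802.1Q tags. A detection heuristic for a capture on an
    access port: any tag at all, and certainly two, is worth alerting on."""
    return len(parse_tags(frame)[2])


def first_switch(frame: bytes, access_vlan: int, trunk_native_vlan: int,
                 tag_native: bool = False):
    """Model of the ingress switch: ONE level of decapsulation, then trunk egress.
    A tag that does not match the port's access VLAN is dropped. The frame leaves
    the trunk untagged when its VLAN is the native VLAN (unless the native VLAN is
    tagged), so any inner tag becomes the outermost tag on the wire."""
    dst, src, vlans, ethertype, payload = parse_tags(frame)
    if vlans and vlans[0] != access_vlan:
        return None
    inner = vlans[1:] if vlans else []
    if access_vlan == trunk_native_vlan and not tag_native:
        return build_frame(dst, src, inner, ethertype, payload)
    return build_frame(dst, src, [access_vlan] + inner, ethertype, payload)


def second_switch(frame: bytes, trunk_native_vlan: int) -> int:
    """VLAN into which the far-end switch delivers a frame received on the trunk."""
    vlans = parse_tags(frame)[2]
    return vlans[0] if vlans else trunk_native_vlan


def hop_result(access_vlan: int, native_vlan: int, tag_native: bool = False,
               target_vlan: int = 20):
    """Delivery VLAN of a double-tagged frame sent from the given access port."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [access_vlan, target_vlan], 0x0800, b"\x00" * 20)
    on_wire = first_switch(frame, access_vlan, native_vlan, tag_native)
    return None if on_wire is None else second_switch(on_wire, native_vlan)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1    ->", hop_result(1, 1))        # 20: hops
    print("native 999, attacker in VLAN 1  ->", hop_result(1, 999))      # 1: contained
    print("native 1 but tagged on trunk    ->", hop_result(1, 1, True))  # 1: contained
```

The model deliberately leaves out everything the slide does not mention (MAC learning, STP, QinQ service-provider ports); its only purpose is to make the one-level-of-decapsulation rule and the "same VLAN as the attacker" condition concrete.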
Security Best Practices for VLANs and Trunking
Always use a dedicated VLAN ID for all trunk ports
Disable unused ports and put them in an unused VLAN
Be paranoid: do not use VLAN 1 for anything
Disable auto-trunking on user-facing ports (DTP off)
Explicitly configure trunking on infrastructure ports
Use all-tagged mode for the Native VLAN on trunks
Use PC Voice VLAN Access on phones that support it
Use 802.1q tag all on the trunk port
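As an added example (not from the presentation and not a Cisco tool), here is a small Python audit that checks the interface stanzas of a Catalyst-style running-config against the practices above: explicit trunk or access mode with DTP disabled, nothing left in VLAN 1, a native VLAN that is not also used as an access VLAN, and the native VLAN tagged. The config fragment is constructed for the demonstration, the finding codes and function names are my own, and the matching is plain-text and assumes the usual IOS command spellings shown in the sample.

```python
from typing import Dict, List

# Constructed running-config fragment for the demonstration (not from a real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user port, left at defaults
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description user port, hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/23
 description unused port
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/24
 description uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its list of indented sub-commands."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ifaces


def _mode(cmds: List[str]):
    for c in cmds:
        if c.startswith("switchport mode "):
            return c.split()[2]  # access, trunk or dynamic
    return None                  # not set: the port will negotiate


def _vlan(cmds: List[str], prefix: str, default: int = 1) -> int:
    for c in cmds:
        if c.startswith(prefix):
            return int(c.split()[-1])
    return default               # VLAN 1 is the default everywhere


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return finding codes per interface plus a 'global' entry."""
    results, access_vlans, trunks = {}, set(), {}
    for name, cmds in parse_interfaces(config).items():
        findings = []
        if "shutdown" in cmds:           # disabled port: nothing to negotiate
            results[name] = findings
            continue
        mode = _mode(cmds)
        if mode == "trunk":
            native = _vlan(cmds, "switchport trunk native vlan")
            trunks[name] = native
            if native == 1:
                findings.append("NATIVE_VLAN_1")
        else:
            if mode != "access":
                findings.append("DTP_NEGOTIATION")   # auto-trunking possible
            elif "switchport nonegotiate" not in cmds:
                findings.append("NO_NONEGOTIATE")    # DTP frames still sent
            vlan = _vlan(cmds, "switchport access vlan")
            access_vlans.add(vlan)
            if vlan == 1:
                findings.append("VLAN1_ACCESS")
        results[name] = findings
    for name, native in trunks.items():
        if native in access_vlans:       # native VLAN must be dedicated to trunks
            results[name].append("NATIVE_VLAN_SHARED")
    tagged = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    results["global"] = [] if tagged else ["NATIVE_NOT_TAGGED"]
    return results


if __name__ == "__main__":
    for iface, codes in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface:22} {', '.join(codes) or 'OK'}")
```

Run against a real configuration, the audit is only a first pass: it does not know which VLANs are voice VLANs, and it treats a port without "switchport mode" as negotiable, which is the safe assumption for an access-layer switch.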
MAC Address/CAM Table Review
48-bit hexadecimal number creates a unique Layer 2 address, e.g. 1234.5678.9ABC
First 24 bits = manufacturer code, assigned by IEEE (e.g. 0000.0c)
Second 24 bits = specific interface, assigned by the manufacturer (XX.XXXX)
All Fs = broadcast: FFFF.FFFF.FFFF
CAM table stands for Content Addressable Memory
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters
All CAM tables have a fixed size
Normal CAM Behavior (1/3)
[Figure: switch with MAC A on Port 1, MAC B on Port 2, MAC C on Port 3; the CAM table holds A -> Port 1 and C -> Port 3; A sends an ARP for B; B is unknown, so the switch floods the frame out the other ports]
Normal CAM Behavior (2/3)
[Figure: B answers "I am MAC B" on Port 2; the switch already knows A is on Port 1 and learns that B is on Port 2; the CAM table now holds A -> 1, B -> 2, C -> 3]
Normal CAM Behavior (3/3)
[Figure: traffic A -> B is sent only to Port 2 because B is on Port 2; C on Port 3 does not see traffic to B; CAM table: A -> 1, B -> 2, C -> 3]
CAM Overflow (1/2)
macof tool since 1999
About 100 lines of Perl
Included in dsniff
Attack successful by exploiting the size limit on CAM tables
Yersinia: flavor-of-the-month attack tool
CAM Overflow (2/2)
[Figure: the attacker on Port 3 announces "I am MAC Y", "I am MAC Z", and so on; the switch learns Y -> 3, Z -> 3, ... until the CAM table is full; once full, traffic A -> B is flooded and the attacker on Port 3 sees traffic to B]
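As an added Python model (not part of the presentation, and not any vendor's implementation), the following simulation walks through the three normal CAM behaviours above and then the overflow: a fixed-size table, learning and unknown-unicast flooding, entry aging, and an attacker who keeps refilling the table so that legitimate entries cannot be re-learned. It also shows the usual mitigation, a per-port limit on learned MAC addresses that shuts the offending port, the way port security does. The hosts, port numbers, table size, aging time and the one-MAC-per-port limit are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Set, Tuple


class CamSwitch:
    """Toy model of a switch CAM table: fixed size, source learning, unknown-unicast
    flooding, entry aging, and an optional per-port MAC limit standing in for
    port security (a hypothetical simplification, not a vendor implementation)."""

    def __init__(self, ports, cam_size: int, max_age: int = 300,
                 max_macs_per_port: Optional[int] = None):
        self.ports: Set[int] = set(ports)
        self.cam_size = cam_size
        self.max_age = max_age                      # seconds before an entry ages out
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam: Dict[str, Tuple[int, int]] = {}   # mac -> (port, last_seen)
        self.err_disabled: Set[int] = set()         # ports shut down by a violation
        self.violations: List[Tuple[int, str]] = []

    def _age_out(self, now: int) -> None:
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.max_age]
        for mac in stale:
            del self.cam[mac]

    def _learn(self, port: int, mac: str, now: int) -> bool:
        if mac in self.cam:                          # refresh a known source
            self.cam[mac] = (port, now)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:    # port security violation
                self.violations.append((port, mac))
                self.err_disabled.add(port)
                return False
        if len(self.cam) >= self.cam_size:           # table full: source stays unknown
            return False
        self.cam[mac] = (port, now)
        return True

    def receive(self, in_port: int, src: str, dst: str, now: int) -> Set[int]:
        """Switch one frame and return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()
        self._age_out(now)
        self._learn(in_port, src, now)
        if dst in self.cam:
            return {self.cam[dst][0]}                # known destination: one port
        return self.ports - {in_port} - self.err_disabled   # unknown: flood

    def full_of_bogus(self) -> bool:
        return (len(self.cam) == self.cam_size
                and all(m.startswith("bogus") for m in self.cam))


def demo(port_security: bool):
    """Hosts A, B, C on ports 1-3; an attacker sharing port 3 announces 20 bogus
    MACs every minute. Returns (egress ports for A -> B once the real entries have
    aged out, whether the table then holds only bogus entries, err-disabled ports)."""
    sw = CamSwitch(ports=[1, 2, 3], cam_size=8,
                   max_macs_per_port=1 if port_security else None)
    sw.receive(1, "A", "B", now=0)      # A looks for B: B unknown, frame is flooded
    sw.receive(2, "B", "A", now=0)      # B replies: learned on port 2
    sw.receive(3, "C", "A", now=0)      # C learned on port 3
    for t in range(60, 400, 60):        # attacker keeps its bogus entries fresh
        for i in range(20):
            sw.receive(3, f"bogus{i}", "nobody", now=t)
    sw.receive(2, "B", "A", now=400)    # B talks again after its entry aged out
    egress = sw.receive(1, "A", "B", now=400)
    return egress, sw.full_of_bogus(), set(sw.err_disabled)


if __name__ == "__main__":
    print("no port security:", demo(False))  # ({2, 3}, True, set()): port 3 sees A -> B
    print("port security   :", demo(True))   # ({2}, False, {3}): attacker's port shut
```

Without the per-port limit, B's entry ages out while the attacker's bogus entries stay fresh, B cannot be re-learned into a full table, and every frame for B is flooded to the attacker's port; with the limit, the first bogus address on port 3 is a violation and the table never fills.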
MAC Flooding Switches with macof
macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
macof sends random source MAC and IP addresses
Much more aggressive if you