MAC address flooding
An attack that floods the switch with MAC addresses. The attacker tries to exhaust the memory the switch allocates for its MAC address table (CAM table) by sending a large number of frames with unique (invalid) source MAC addresses. Once the CAM table is full, no new entries are learned. Unicast traffic addressed to a MAC address that is not found in the CAM table is sent out every port except the one it arrived on, so the switch behaves like a hub and the traffic is effectively broadcast.
The attack is used to make the attacker's station receive traffic that is not intended for it. It also increases overall network traffic and can overload the switch, so it works as a DoS (Denial of Service) attack as well.
Defense: Port Security or Port Based Authentication
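As an added example (not code from the original article), a small model of a switch CAM table showing why a full table turns the switch into a hub, and how port security with a per-port MAC limit stops the flood. The port numbers, MAC names and the 4-entry table size are constructed for illustration.

```python
# Added example, not part of the original article: a toy switch whose CAM
# table has a fixed capacity. Unknown unicast is flooded; port security
# (a maximum number of MACs learned per port) err-disables a flooding port.
# All names and sizes below are constructed for illustration.

class Switch:
    def __init__(self, ports, cam_size, port_security_max=None):
        self.ports = list(ports)
        self.cam_size = cam_size              # total CAM capacity
        self.cam = {}                         # mac -> port
        self.port_security_max = port_security_max
        self.secure = {p: set() for p in ports}  # MACs seen per port
        self.err_disabled = set()

    def learn(self, mac, port):
        """Learn the source MAC of a frame arriving on `port`.
        Returns False when port security drops the frame."""
        if self.port_security_max is not None:
            if port in self.err_disabled:
                return False
            seen = self.secure[port]
            if mac not in seen and len(seen) >= self.port_security_max:
                self.err_disabled.add(port)   # violation: shut the port down
                return False
            seen.add(mac)
        if mac not in self.cam and len(self.cam) >= self.cam_size:
            return True                       # table full: nothing learned
        self.cam[mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for one unicast frame."""
        if not self.learn(src_mac, in_port):
            return set()                      # dropped by port security
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        # unknown unicast is flooded out every port except the ingress one
        return set(self.ports) - {in_port}

def traffic_reaches_attacker(switch, n_bogus):
    """Constructed scenario: attacker on port 1, victim on port 2, server on
    port 3. The attacker floods n_bogus bogus source MACs, the server then
    sends a frame, and we check whether the victim's reply to the server
    is flooded to the attacker's port."""
    for i in range(n_bogus):
        switch.forward(f"bogus-{i:04x}", "server", 1)
    switch.forward("server", "victim", 3)     # can the server still be learned?
    return 1 in switch.forward("victim", "server", 2)
```

With the table full, the server's MAC is never learned, so every frame to it is flooded; with port security set to one MAC, the attacker's port is err-disabled on the second bogus address.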
VLAN hopping
VLAN hopping is an attack in which the attacker tries to reach traffic on a different VLAN (one they should not have access to). It abuses the IEEE 802.1Q tagging protocol and takes one of two forms: Switch Spoofing or Double Tagging.
In Switch Spoofing the attacker's station pretends to be a switch and gains access to trunk traffic, which carries multiple VLANs (or all of them). Typically DTP (Dynamic Trunking Protocol) is abused to negotiate a trunk on the attacker's port.
In Double Tagging the attacker sends frames with two 802.1Q tags. The first switch receives the frame; the outer tag carries the VLAN that the attacker's port legitimately belongs to, so the switch strips it, performs no further inspection and processes the frame as belonging to that first VLAN. If the frame then leaves over a trunk whose native VLAN is the same as the user's VLAN, it is sent untagged, but it still carries the second tag, which points to another VLAN. The second switch removes that tag and the frame travels in the new VLAN.
Defense: set ports to switchport mode access (which disables DTP), place unused ports in a non-routable VLAN, and do not use the native VLAN for user traffic (set it to an unused VLAN ID).
ARP spoofing / poisoning
This attack tries to redirect traffic to the attacking station by means of forged ARP messages. ARP (Address Resolution Protocol) is very old and has no built-in security or verification mechanism.
For communication within a subnet the destination MAC address is needed, but usually only the IP address is known. The station therefore sends an ARP request as a broadcast asking who has the given IP. The station with that IP address should respond with an ARP reply, and the client stores the answer in its local ARP cache. ARP also uses unsolicited ARP replies called Gratuitous ARP (GARP). With a GARP message (or, in certain situations, a normal ARP reply), we can easily get our own MAC address associated with an IP address of our choosing.
This technique is often used for a Man in the Middle attack, where we spoof the gateway address, then receive all traffic outside the subnet, can forward it to the standard gateway, and monitor/modify all information. The spoofed information (IP and MAC combination) is stored in the client's ARP cache and the switch's CAM table.
Defense: use Private VLAN or ARP Inspection
Dynamic ARP Inspection - DAI
This is a security feature that prevents invalid ARP requests and replies from being forwarded to other switch ports in the same VLAN. It requires DHCP Snooping to be running on the switches so that a DHCP snooping binding database, containing the assigned IP and MAC addresses, is built. Alternatively, ARP ACLs can be used, in which the IP/MAC combinations are entered manually.
The first function of DAI is to check all ARP traffic arriving on a port and discard frames whose sender information does not match a stored IP/MAC combination. The second is rate limiting of ARP frames to prevent DoS attacks: if the number of ARP packets received exceeds 15 per second (the default), the port is placed in the error-disabled state.
DAI uses two interface states: trusted, where no checks are performed, and untrusted, where every ARP frame is checked. By default DAI is disabled for all VLANs and all interfaces are untrusted. DAI operates per VLAN.
DAI checks only ingress traffic and can be applied to access, trunk or EtherChannel ports. The recommendation is to leave all access (end-station) ports untrusted and set trunk ports between switches as trusted. Configuration must be done carefully: the DHCP snooping binding database is local to a switch (or stack), so if the trunk port toward another switch is not set to trusted, all ARP traffic from that switch will be filtered. Conversely, if DAI is not enabled on the other switch and the trunk is trusted, ARP poisoning from that side can reach the switch that is doing the filtering.
Additionally, DAI can validate incoming ARP packets further: for requests and replies, that the source MAC address in the frame header matches the sender MAC in the ARP body, and for replies, that the destination MAC in the frame matches the target MAC in the ARP body. IP address checks can also be performed.
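As an added example (not code from the original article), a model of the checks DAI applies to an ARP frame arriving on an untrusted port: the binding-database lookup, the optional src-mac/dst-mac validation described above, and the default 15 packets per second rate limit. The binding table, the MAC and IP values and the frame dictionaries are constructed for illustration.

```python
# Added example, not part of the original article: a simplified DAI port.
# The binding database, addresses and frame layout are constructed; the
# rate limit of 15 ARP frames per second is the default named in the text.
from collections import deque

BINDINGS = {  # constructed DHCP snooping binding database: ip -> (mac, vlan)
    "192.168.1.10": ("00:11:70:f1:e0:51", 100),
    "192.168.1.1": ("00:11:70:aa:bb:01", 100),
}

def arp(op, src_mac, sender_ip, sender_mac, dst_mac="ff:ff:ff:ff:ff:ff",
        target_mac="00:00:00:00:00:00", target_ip="192.168.1.1", vlan=100):
    """Build one ARP frame as a dict: frame header fields plus ARP body fields."""
    return dict(op=op, src_mac=src_mac, dst_mac=dst_mac, vlan=vlan,
                sender_ip=sender_ip, sender_mac=sender_mac,
                target_ip=target_ip, target_mac=target_mac)

class DaiPort:
    RATE_LIMIT = 15  # ARP frames per second before err-disable (default)

    def __init__(self, trusted=False):
        self.trusted = trusted
        self.err_disabled = False
        self.recent = deque()  # arrival times of frames within the last second

    def inspect(self, frame, now):
        """Return (accepted, reason) for one ARP frame arriving at time `now`."""
        if self.err_disabled:
            return False, "port err-disabled"
        if self.trusted:
            return True, "trusted port, no checks"
        self.recent.append(now)
        while now - self.recent[0] >= 1.0:   # keep a one-second window
            self.recent.popleft()
        if len(self.recent) > self.RATE_LIMIT:
            self.err_disabled = True
            return False, "rate limit exceeded, port err-disabled"
        # optional validation: frame source MAC vs. ARP sender MAC
        if frame["src_mac"] != frame["sender_mac"]:
            return False, "frame src MAC differs from ARP sender MAC"
        # optional validation for replies: frame destination MAC vs. ARP target MAC
        if frame["op"] == "reply" and frame["dst_mac"] != frame["target_mac"]:
            return False, "frame dst MAC differs from ARP target MAC"
        # core check: the sender IP/MAC pair must exist in the binding database
        if BINDINGS.get(frame["sender_ip"]) != (frame["sender_mac"], frame["vlan"]):
            return False, "sender IP/MAC pair not in binding database"
        return True, "valid"
```

A gratuitous reply that claims the gateway's IP from a MAC the DHCP snooping database has never seen fails the binding check, while the same frame on a trusted port passes untouched, which is why trusted should be reserved for inter-switch trunks.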
DAI Configuration in Cisco IOS
Enable DAI by specifying the VLANs where it should be allowed.
SWITCH(config)#ip arp inspection vlan 100,200
Trusted ports must be switched to the trust state.
SWITCH(config-if)#ip arp inspection trust
Configuration of the DHCP snooping binding database is described in the article on DHCP services on the switch. If we want to use static entries, we must configure an ARP ACL.
SWITCH(config)#arp access-list ARPtest
SWITCH(config-arp-acl)#permit ip host 192.168.1.10 mac host 0011.70f1.e051
After configuring the ARP ACL, we must apply it to a specific VLAN.
SWITCH(config)#ip arp inspection filter ARPtest vlan 100
Commands that display various information about DAI:
SWITCH#show ip arp inspection interfaces
SWITCH#show ip dhcp snooping binding
SWITCH#show ip arp inspection vlan 100,200
SWITCH#show ip arp inspection statistics vlan 100,200
References
- Port Security is described in the article Cisco IOS 3 - interface/port settings - access, trunk, port security
- Port Based Authentication, i.e. the IEEE 802.1x protocol, is briefly described in Cisco IOS 11 - IEEE 802.1x, port authentication, MS IAS
- VLAN and DTP protocol configuration - Cisco IOS 7 - VLAN configuration, VTP
- Private VLAN technology - Cisco IOS 19 - Private VLAN and Protected Port
- DHCP Snooping - Cisco IOS 13 - DHCP services on the switch
- Description of attacks on switches on the Cisco website - VLAN Security White Paper
Hi,
I have a question: what do you mean by "do not use the native VLAN (set it to an unused VLAN)"? How is that done?
Thanks
respond to [1]Honza: I do it the way I have described here in several places.
I do not use VLAN 1 for any access. All unused ports are placed in it (and they are shut down). The SVI for VLAN 1 is shut down. I leave the native VLAN at its default, which means it is VLAN 1. But nobody communicates in it.
respond to [1]Honza: I set a completely different native VLAN for trunk links (depending on what is connected: one native VLAN for sw-sw, a different native VLAN for sw-server, etc.). For ports with nothing connected I use, in good conscience, a VLAN other than ID 1, and those ports are also shut down; if they are access ports for workstations, 802.1X takes care of that and the ports are not shut down. An example of a workstation outlet:
interface GigabitEthernet1/0/5
description --> 01-03-03
switchport access vlan 999
switchport mode access
switchport nonegotiate
switchport block multicast
switchport port-security
switchport port-security aging time 1440
authentication event fail action authorize vlan 108
authentication event server dead action authorize vlan 108
authentication event no-response action authorize vlan 108
authentication event server alive action reinitialize
authentication order dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 30
authentication timer reauthenticate 28800
authentication timer inactivity 36000
mab
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
dot1x timeout start-period 3
storm-control broadcast level 10.00 5.00
storm-control unicast level 10.00 5.00
no keepalive
no cdp enable
For PoE ports for phones the only difference is the authentication order, MAB first and then dot1x, because the phones are authenticated by MAC via AD/IAS.