14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Understanding,
Preventing, and Defending
Against Layer 2 Attacks
BRKSEC-2002
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3
Caveats
All attacks and mitigation techniques assume a switched Ethernet
network running IP
If it is a shared Ethernet access (WLAN, hub, etc.) most of these attacks get
much easier
If you are not using Ethernet as your L2 protocol, some of these attacks may
not work, but chances are, you are vulnerable to different types of attacks
New theoretical attacks can move to practical in days
All testing was done on Cisco Ethernet switches
Ethernet switching attack resilience varies widely from vendor to vendor
This is not a comprehensive talk on configuring Ethernet
switches for security: the focus is mostly access L2 attacks
and their mitigation
These are IPv4 only attacks today, there is a session on IPv6
access security
There are data center sessions for security, this is access ports
for users
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 4
Associated Sessions
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 6
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 7
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 8
Host A Host B
Application Stream
Application Application
Presentation Presentation
Session Session
Physical Links
Physical Physical
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 9
Application Stream
Application Application
Compromised
Session Session
Physical Links
Physical Physical
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 10
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 11
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 13
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 14
VLAN 20 VLAN 10
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 15
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 16
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 17
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 19
VLAN 10
VLAN 20 VLAN 20
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 20
VLAN 20
VLAN 10
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 21
IP Phone
PC Voice VLAN Access Setting
Attacker Sends
VLAN 10 Frames
VLAN 10
VLAN 20
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 23
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 24
1234.5678.9ABC
First 24-Bits = Manufacture Code Second 24-Bits = Specific Interface,
Assigned by IEEE Assigned by Manufacture
0000.0cXX.XXXX 0000.0cXX.XXXX
All Fs = Broadcast
FFFF.FFFF.FFFF
C 3 Port 2
fo
MAC B
P
AR
ARP for B
Port 1
MAC A Port 3
AR
P
fo
B Is Unknown—
rB
MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 26
B
AC
Port 2
M
C 3
MAC B
m
IA
I Am MAC B
Port 1
MAC A Port 3
A Is on Port 1
Learn:
B Is on Port 2
MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 27
Port 2
Æ
C 3
A
MAC B
fic
af
Tr
Traffic A Æ B
Port 1
MAC A Port 3
B Is on Port 2
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 29
C 3 Port 2
A
Y Is on Port 3 MAC B
c
affi
Tr
Traffic A Æ B
Port 1
MAC A Port 3
IA
Im
TAr
Z Is on Port 3
am
Mf
fAiMc
CAA
YCÆ
Z
B
MAC C
I See Traffic to B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 30
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 31
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 32
132,000
Bogus MACs
Solution
Port security limits MAC
flooding attack and locks down
port and sends an SNMP trap
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 33
If violation error-disable, the following log message will be produced: 4w6d: %PM-4-ERR_
DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 35
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 36
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 37
Port Security
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 41
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days
Client
DHCP Discover (Broadcast)
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 43
Filename—128 Bytes
DHCP Options
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 45
Gobbler DHCP
Server
DHCP Discovery (Broadcast) x (Size of Scope)
Gobbler DHCP
Server
Gobbler uses a new MAC Cisco Catalyst OS
address to request a new
DHCP lease
set port security 5/1 enable
set port security 5/1 port max 1
Restrict the number of set port security 5/1 violation restrict
MAC addresses on
a port set port security 5/1 age 2
set port security 5/1 timer-type inactivity
Will not be able to lease Cisco IOS
more IP address then
MAC addresses allowed switchport port-security
on the port switchport port-security maximum 1
switchport port-security violation restrict
In the example the attacker
would get one IP address switchport port-security aging time 2
from the DHCP server switchport port-security aging type inactivity
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 47
DHCP
Rogue Server
Server
or Unapproved
DHCP Discovery (Broadcast)
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 48
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days
Untrusted
OK DHCP DHCP
Responses:
Rogue Server offer, ack, nak Server
BAD DHCP Cisco IOS
Responses: Global Commands
offer, ack, nak ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping
Untrusted
OK DHCP DHCP
Responses:
Rogue Server offer, ack, nak Server
BAD DHCP
Responses:
offer, ack, nak
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 52
Router DHCP
192.0.2.1 Server
10.1.1.99
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 55
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 56
Port Security
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 57
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 58
I Am
10.1.1.4
MAC A
Who Is
10.1.1.4?
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 59
ettercap: http://ettercap.sourceforge.net/index.php
Some are second or third generation of ARP attack tools
Most have a very nice GUI, and is almost point and click
Packet insertion, many to many ARP attack
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 63
ARP 10.1.1.1
Saying ARP 10.1.1.2
10.1.1.2 Is MAC C Saying
10.1.1.1 Is MAC C
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is Now
MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 64
Transmit/Receive
Traffic to Transmit/Receive
10.1.1.2 MAC C Traffic to
10.1.1.1 MAC C
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is Now
MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 65
ARP 10.1.1.1
Saying ARP 10.1.1.2
10.1.1.2 Is MAC B Saying
10.1.1.1 Is MAC A
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is Now
MAC A
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 66
10.1.1.3
MAC C 10.1.1.2
ARP 10.1.1.2 MAC B
Saying
10.1.1.1 Is MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 67
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 68
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 69
Cisco IOS
Interface Commands
no ip arp inspection trust
(default)
ip arp inspection limit rate 15
(pps)
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 70
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 71
sh log:
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan
183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan
183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 73
ARP 10.1.1.1
Saying ARP 10.1.1.2
10.1.1.2 Is MAC C Saying
10.1.1.1 Is MAC C
10.1.1.3
MAC C 10.1.1.2
MAC B
10.1.1.1 Is STILL
MAC A—Ignore
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 75
10.1.1.3
MAC C 10.1.1.2
MAC B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 76
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 77
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 78
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 79
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 80
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 81
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 82
MAC spoofing
If MACs are used for network access an attacker can gain
access to the network
Also can be used to take over someone’s identity already
on the network
IP spoofing
Ping of death
ICMP unreachable storm
SYN flood
Trusted IP addresses can be spoofed
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 83
10.1.1.3
MAC C 10.1.1.2
MAC B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 84
10.1.1.3
MAC C 10.1.1.2
MAC B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 85
10.1.1.3
MAC C 10.1.1.2
MAC B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86
Nonmatching
Is This Is My IP Source Guard
Traffic Sent with DHCP Snooping-
IP 10.1.1.3 NO
Traffic
Binding
Enabled Dynamic Operates just like
Mac B Dropped
Table? dynamic ARP
ARP Inspection-
Enabled IP Source inspection, but looks
Guard-Enabled at every packet, not
just ARP packet
10.1.1.3
MAC C
10.1.1.2
Traffic Sent with MAC B
IP 10.1.1.2
Received Traffic Mac C
Source IP
10.1.1.2
Mac B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 88
Cisco IOS
Cisco IOS
Global Commands
Global Commands
ip dhcp snooping vlan 4,104
ip dhcp snooping vlan 4,104
ip dhcp snooping information option
no ip dhcp snooping information option
ip dhcp snooping
ip dhcp snooping
Interface Commands
Interface Commands
ip verify source vlan dhcp-snooping
ip verify source vlan dhcp-snooping
port-security
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 91
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 93
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 94
STP
ST
X Blocked
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 95
Root Guard
Disables ports who would become the root bridge due to their
BPDU advertisement
Configured on a per port basis
Available in Cisco Catalyst OS 6.1.1 for Cisco Catalyst 29XX,
Cisco Catalyst 4000 Series, Cisco Catalyst 5000 Series, Cisco
Catalyst 6000 Series; 12.0(7) XE for native Cisco IOS 6000
Series, 12.1(8a)EW for 4K Cisco IOS; 29/3500XL in 12.0(5)XU;
3550 in 12.1(4)EA1; 2950 in 12.1(6)EA2
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 98
CDP Attacks
Besides the information gathering benefit CDP offers an
attacker, there was a vulnerability in CDP that allowed Cisco
devices to run out of memory and potentially crash if you
sent it tons of bogus CDP packets
If you need to run CDP, be sure to use Cisco IOS code with
minimum version numbers: 12.2(3.6)B, 12.2(4.1)S,
12.2(3.6)PB, 12.2(3.6)T, 12.1(10.1), 12.2(3.6) or Cisco
Catalyst OS code 6.3, 5.5, or 7.1 and later
Problem was due to improper memory allocation for the
CDP process (basically there was no upper limit)
For more information
http://www.cisco.com/warp/public/707/cdp_issue.shtml
http://www.kb.cert.org/vuls/id/139491
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 100
VLAN 10
VLAN 20 VLAN 20
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 101
Phone Sends
CDP
Agenda
Summary
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 104
If violation error-disable, the following log message will be produced: 4w6d: %PM-4-ERR_
DISABLE: Psecure-Violation Error Detected on Gi3/2, Putting Gi3/2 in Err-Disable State
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 105
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 106
Untrusted
OK DHCP DHCP
Responses:
Rogue Server offer, ack, nak Server
BAD DHCP
Responses:
offer, ack, nak
10.1.1.3
MAC C 10.1.1.2
ARP 10.1.1.2 MAC B
Saying
10.1.1.1 Is MAC C
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 108
10.1.1.3
MAC C 10.1.1.2
Traffic Sent with MAC B
IP 10.1.1.2
Received Traffic Mac C
Source IP
10.1.1.2
Mac B
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 109
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 110
Dynamic Port
7.6(1) 12.1(13)E 5.1(1) 12.1(13)EW
Security
Per VLAN 12.2(31)SGA
Dynamic Roadmapped* Roadmapped* N/A
Port Security ***
DHCP 12.1(12c)EW
8.3(1) 12.2(18)SXE* N/A
Snooping ***
12.1(19)EW
DAI 8.3(1) 12.2(18)SXE* N/A
***
12.1(19)EW
IP Source Guard 8.3(1)** 12.2(18)SXD2 N/A
***
3750/3560
Feature/Platform 3550 EMI 2960 EI 2950 EI 2950 SI
EMI
Note: Old names of the Cisco IOS for the 3000 Series switches
Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 112
Dynamic Port
12.1(25)SE 12.2(25)SEA 12.1(25)SEA 12.2(25)SEA
Security
Per VLAN
Dynamic 12.2(37)SE N/A 12.2(37)SEA N/A
Port Security
DHCP
12.1(25)SE 12.1(25)SEA 12.1(25)SEA 12.1(25)SEA
Snooping
Note: Name change of the Cisco IOS on the 3000 Series switches
Cisco IOS feature finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 113
Q and A
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 118
BRKSEC-2002
14352_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 120