[Summary of article contents]
Slide 30: Countermeasures for MAC Attacks

Diagram: an attacker floods the port with 132,000 bogus MACs (for example 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb); only 3 MAC addresses are allowed on the port, so the port is shut down.

Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
- Port security limits the number of MACs on an interface.

© 2022 Cisco Systems, Inc. All rights reserved.

Slide 31: Port Security: Example Config
- 3 MAC addresses encompass the phone, the switch in the phone, and the PC
- "Restrict" rather than "error disable" to allow only 3, and log more than 3

CatOS:
    set port security 5/1 enable
    set port security 5/1 port max 3
    set port security 5/1 violation restrict
    set port security 5/1 age 2
    set port security 5/1 timertype inactivity

IOS:
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

Slide 32: VLAN "Hopping" Attacks

Slide 33: Trunk Port Refresher
- Trunk ports have access to all VLANs by default
- Used to route traffic for multiple VLANs across the same physical link (generally used between switches)
- Encapsulation can be or ISL

Slide 34: Disabling Auto-Trunking
- Defaults change depending on the switch; always check. From the Cisco docs: "The default mode is dependent on the platform..."

To disable from the CLI:
    CatOS (enable) set trunk mod/port off
    or
    CatOS (enable) set port host mod/port
    IOS (config-if)# switchport mode access

To check from the CLI:
    CatOS (enable) show trunk [mod|mod/port]
    IOS# show interface type number switchport

Slide 35: Attacks and Countermeasures: DHCP Attacks

Slide 36: DHCP Function: High Level
- Server dynamically assigns IP addresses on demand
- Administrator creates pools of addresses available for assignment
- Address is assigned with a lease time
- DHCP delivers other configuration information in options

Diagram: Client to DHCP Server: "Send My Configuration Information". DHCP Server to Client: "Here Is Your Configuration" (IP Address, Subnet Mask, Default Routers, DNS Servers, Lease Time: 10 days).

Slide 37: DHCP Attack Types

DHCP Starvation Attack
Diagram: Client (Gobbler) and DHCP Server exchange DHCP Discover (Broadcast) x (size of scope), DHCP Offer (Unicast) x (size of DHCP scope), DHCP Request (Broadcast) x (size of scope), DHCP Ack (Unicast) x (size of scope).
- Gobbler looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope
- This is a Denial of Service (DoS) attack using DHCP leases

Slide 38: Countermeasures for DHCP Attacks

DHCP Starvation Attack = Port Security
- Gobbler uses a new MAC address to request each new DHCP lease
- Restrict the number of MAC addresses on a port
- The attacker will not be able to lease more IP addresses than the number of MAC addresses allowed on the port
- In the example the attacker would get 1 IP address from the DHCP server

Diagram: Client (Gobbler), DHCP Server.

CatOS:
    set port security 5/1 enable
    set port security 5/1 port max 1
    set port security 5/1 violation restrict
    set port security 5/1 age 2
    set port security 5/1 timertype inactivity

IOS:
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

Countermeasures for DHCP Attacks

Rogue DHCP Server = DHCP Snooping
- By default all ports in the VLAN are untrusted

Diagram: Client, DHCP Server, Rogue Server; Trusted, Untrusted, Untrusted; DHCP Snooping Enabled; DHCP Snooping Untruste
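The two IOS countermeasures above (port security with "restrict" on slides 31 and 38, and an explicit access mode instead of auto-trunking on slide 34) are easy to forget on individual ports. The following added example, not code from the deck or from Cisco, audits an IOS-style running-config for both; the running-config text is constructed for the example, and the interface names and findings wording are assumptions.

```python
# Added example (not Cisco's): flag access ports missing the slides' countermeasures. Config is constructed.

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security maximum 3
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
"""

def parse_interfaces(config):
    """Group an IOS running-config into {interface_name: [stripped sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface stanza ends the current block
    return interfaces

def audit_interface(lines):
    """Return findings for one port; an empty list means both countermeasures are present."""
    findings = []
    if "switchport mode trunk" in lines:
        return findings  # deliberate uplink trunk: port security is not applied here
    if "switchport mode access" not in lines:
        findings.append("auto-trunking (DTP) not disabled: add 'switchport mode access'")
    if "switchport port-security" not in lines:
        findings.append("port security not enabled: add 'switchport port-security'")
    if not any(l.startswith("switchport port-security maximum") for l in lines):
        findings.append("no MAC limit: add 'switchport port-security maximum 3' (phone, phone switch, PC)")
    if "switchport port-security violation restrict" not in lines:
        findings.append("violation mode left at default shutdown: 'restrict' logs instead of err-disabling")
    return findings
```

Run `audit_interface` over each entry of `parse_interfaces(SAMPLE_CONFIG)`; the fully configured port and the trunk report nothing, the dynamic-desirable port reports all four findings.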