[Figure residue from the preceding DHCP snooping slide: port label "...sted" (truncated) | DHCP Snooping Enabled | BAD DHCP Responses: offer, ack, nak | OK DHCP Responses: offer, ack, nak]

Data Link Layer Security
- VLAN hopping attacks
- MAC/IP spoofing attacks
- DHCP server attacks
- CAM table overflow attacks
- Spanning Tree attacks
- ARP attacks

MAC Address / CAM Table
- CAM table stands for Content Addressable Memory
- The CAM table stores information such as the MAC addresses seen on each physical port, with their associated VLAN parameters
- CAM tables have a fixed size
- A MAC address is a 48-bit hexadecimal number that forms a unique Layer 2 address: the first 24 bits are the manufacturer code (OUI) assigned by the IEEE; the second 24 bits identify the specific interface and are assigned by the manufacturer; all F's (ff:ff:ff:ff:ff:ff) is the broadcast address

Normal CAM Table Operation 1/3
[Figure: MAC A on port 1, MAC B on port 2, MAC C on port 3. CAM table: A -> 1, C -> 3. A sends "ARP for B"; B is unknown, so the switch floods the frame out every other port.]

Normal CAM Table Operation 2/3
[Figure: B answers "I am MAC B". The switch learns that B is on port 2 (A is on port 1). CAM table: A -> 1, C -> 3, B -> 2.]

Normal CAM Table Operation 3/3
[Figure: Traffic A -> B. B is on port 2, so the frame is sent to port 2 only; C on port 3 does not see traffic to B. CAM table: A -> 1, B -> 2, C -> 3.]

CAM Table Overflow 1/3
- Macof tool, available since 1999
- About 100 lines of Perl
- Included in "dsniff"
- The attack succeeds by exploiting the size limit on CAM tables

CAM Table Overflow 2/3
[Figure: CAM table A -> 1, B -> 2, C -> 3. The attacker on port 3 announces "Y is on port 3", "Z is on port 3", ... (Y -> 3, Z -> 3, ...). Assume the CAM table is now full. Traffic A -> B is flooded, and the attacker on port 3 says "I see traffic to B!"]

Macof Flood
- Macof sends frames with random source MAC and IP addresses
- It is much more aggressive if you run the command with its output discarded:
- "macof -i eth1 2> /dev/null"
macof (part of dsniff): sample output of "macof -i eth1". Each line is one forged TCP SYN; the first two fields are the random source and destination MAC addresses (the IP addresses and ports were lost in extraction):

    36:a1:48:63:81:70 15:26:8d:4d:28:f8 : S 1094191437:1094191437(0) win 512
    16:e8:8:0:4d:9c da:4d:bc:7c:ef:be : S 446486755:446486755(0) win 512
    18:2a:de:56:38:71 33:af:9b:5:a6:97 : S 105051945:105051945(0) win 512
    e7:5c:97:42:ec:1 83:73:1a:32:20:93 : S 1838062028:1838062028(0) win 512
    62:69:d3:1c:79:ef 80:13:35:4:cb:d0 : S 1792413296:1792413296(0) win 512
    c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe : S 1018924173:1018924173(0) win 512
    88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb : S 727776406:727776406(0) win 512
    b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf : S 605528173:605528173(0) win 512
    e0:d8:1e:74:1:e 57:98:b6:5a:fa:de : S 2128143986:2128143986(0) win 512

CAM Table Full!
- Each switch has a limit on the size of its CAM table
- Once the CAM table on the switch is full, traffic for which there is no CAM entry is flooded out every port on that VLAN
- This basically turns the VLAN on that switch into a hub
- This attack will also fill the CAM tables of adjacent switches, because the forged frames are flooded to them as well
[Figure: the attacker's sniffer now captures: (broadcast) ARP from C "Who is ...?" (twice); ICMP Echo request (ID: 256, sequence number: 7424) - OOPS; ICMP Echo reply (ID: 256, sequence number: 7424) - OOPS]

MAC Attack Countermeasures
- Port security limits the MAC flooding attack: once more MAC addresses than allowed appear on a port, the switch locks down (err-disables) the port and sends an SNMP trap
[Figure: 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb are the legitimate hosts; the attacker injects 132,000 bogus MACs; "Only three MAC addresses allowed on the port: shutdown". Solution: port security limits the number of MACs on an interface.]

Spanning Tree Protocol Review
- STP purpose: to maintain a loop-free topology in a redundant Layer 2 infrastructure
- A "tree-like" loop-free topology is established from the perspective of the root bridge
- One switch is elected as root; root selection is based on the lowest configured bridge priority of any switch (0-65535 in the 16-bit field; ties are broken by the lowest bridge MAC address)
[Figure: root bridge at the top of the tree; one redundant link marked X (blocked).]
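Before moving on to STP: the CAM overflow and port-security slides above, as an added Python simulation (not code from the original slides or from dsniff). It models a learning switch with a fixed-size CAM table, lets an attacker on port 3 flood random source MACs the way macof does, and shows that once a legitimate host's entry ages out and cannot be re-learned, unicast traffic to it is flooded to the attacker's port; with a per-port MAC limit (port security) the violating port is shut down instead. The MAC addresses, port numbers and table size are made up for the example.

```python
"""Toy learning switch: CAM table overflow (macof) vs. port security.

Added example; all MACs, ports and sizes are constructed for illustration.
"""
from collections import OrderedDict
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


def random_mac(rng):
    """Random 48-bit MAC, zero-padded like a sniffer would print it."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


class Switch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size              # fixed CAM capacity
        self.cam = OrderedDict()              # mac -> ingress port
        self.max_macs = max_macs_per_port     # port security limit (None = off)
        self.shutdown = set()                 # err-disabled ports
        self.traps = []                       # SNMP traps the switch would send

    def _learn(self, src, ingress):
        """Learn src on ingress. Returns False if port security rejects it."""
        if self.max_macs is not None:
            seen = {m for m, p in self.cam.items() if p == ingress}
            if src not in seen and len(seen) >= self.max_macs:
                self.shutdown.add(ingress)
                self.traps.append(f"port-security violation on port {ingress} by {src}")
                return False
        if src in self.cam:
            self.cam[src] = ingress           # refresh existing entry
        elif len(self.cam) < self.cam_size:
            self.cam[src] = ingress           # free slot: learn it
        # else: table full, the new address is simply not learned
        return True

    def age_out(self, mac):
        """Simulate the CAM aging timer expiring for one entry."""
        self.cam.pop(mac, None)

    def forward(self, src, dst, ingress):
        """Return the set of egress ports for a frame."""
        if ingress in self.shutdown:
            return set()                      # port is err-disabled
        if not self._learn(src, ingress):
            return set()                      # violation: frame dropped, port shut
        if dst != BROADCAST and dst in self.cam:
            return {self.cam[dst]}            # known unicast: one port
        return {p for p in self.ports if p != ingress}   # unknown: flood


def simulate(port_security, seed=1):
    """Run the attack scenario and report where A's traffic to B ends up."""
    rng = random.Random(seed)
    sw = Switch(ports=[1, 2, 3], cam_size=64,
                max_macs_per_port=3 if port_security else None)
    A, B, C = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"
    sw.forward(A, BROADCAST, 1)               # A ARPs for B: A learned, frame flooded
    sw.forward(B, A, 2)                       # B replies: B learned on port 2
    sw.forward(C, BROADCAST, 3)               # C (victim's neighbour) on port 3
    before = sw.forward(A, B, 1)              # normal: delivered to port 2 only

    for _ in range(500):                      # attacker on port 3 runs macof
        sw.forward(random_mac(rng), random_mac(rng), 3)
    sw.age_out(B)                             # B's entry ages out normally...
    for _ in range(500):                      # ...and the flood refills the slot
        sw.forward(random_mac(rng), random_mac(rng), 3)
    sw.forward(B, A, 2)                       # B talks, but cannot be re-learned
    after = sw.forward(A, B, 1)               # now flooded, attacker sees it

    return {"before": before, "after": after,
            "shutdown": sorted(sw.shutdown), "cam_entries": len(sw.cam),
            "traps": list(sw.traps)}


if __name__ == "__main__":
    print("no port security:", simulate(port_security=False))
    print("port security   :", simulate(port_security=True))
```

Without port security the table fills, B cannot be re-learned after it ages out, and the A to B frame goes to ports 2 and 3. With a three-address limit on port 3 the third bogus source err-disables that port, a trap is recorded, and A's traffic keeps going to port 2 alone.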
- STP is very simple: messages are sent as Bridge Protocol Data Units (BPDUs); the basic messages are configuration BPDUs and topology change notification/acknowledgment (TCN/TCA); most carry no "payload"
- Avoiding loops ensures broadcast traffic does not become broadcast storms

Spanning Tree Attack Example
[Figure: access switches connected to two distribution switches; the left distribution switch is Root, one redundant link is marked X (blocked).]
- The attacker sends BPDU messages to become the root bridge

Spanning Tree Attack Example
- Send BPDU messages to become the root bridge
- The attacker then sees frames he shouldn't
- MITM, DoS, etc. are all possible
- Any attack is very sensitive to the original topology, trunking, PVST, etc.
- Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone down to half-duplex 10 Mb was verified
- Requires the attacker to be dual-homed to two different switches (with a hub, it can be done with just one interface on the attacking host)
[Figure: the attacking host, now advertising itself as Root, is connected to both access switches; the former root's link is marked X (blocked).]

STP Attack Countermeasures
- Try to design loop-free topologies wherever possible, so you do not need STP
- Don't disable STP: introducing a loop would become another attack
- BPDU Guard
  - Should be run on all user-facing ports; infrastructure-facing ports legitimately receive BPDUs from neighbouring switches, so protect those with Root Guard instead
  - Err-disables a PortFast port upon detection of any BPDU message on that port
  - Globally enabled on all ports running PortFast
- Root Guard
  - Blocks (root-inconsistent state) a port whose incoming BPDU would make that port the path to a new root bridge; the port recovers when the superior BPDUs stop
  - Configured on a per-port basis

ARP Function Review
- Before a station can talk to another station it must send an ARP request to map the IP address to the MAC address
- This ARP request is broadcast using EtherType 0x0806
- All computers on the subnet receive and process the ARP request; the station whose IP address matches the request sends an ARP reply
[Figure: "Who is ...?" (broadcast request); "I am MAC A" (unicast reply).]

ARP Function Review
- According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables
- Anyone can claim to be the owner of any IP/MAC address they like
- ARP attacks use this to redir
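The STP root election and the two guard features from the Spanning Tree slides above, as an added Python model (not code from the original slides or from any switch vendor). It compares bridge IDs the way STP does (lowest priority wins, lowest MAC breaks ties), lets a rogue host send a BPDU claiming priority 0, and shows the three outcomes: an unprotected port accepts the new root, a PortFast port with BPDU Guard is err-disabled, and a port with Root Guard goes root-inconsistent and keeps the legitimate root. The priorities, MAC addresses and port names are made up for the example.

```python
"""STP root election, rogue root BPDU, and BPDU Guard / Root Guard.

Added example; bridge priorities, MACs and port names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BridgeID:
    priority: int   # 16-bit field, 0-65535; lower wins. (Switches with the
    mac: str        # extended system ID only accept multiples of 4096.)

    def key(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"priority out of range: {self.priority}")
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class BPDU:
    root_id: BridgeID     # who the sender believes the root is
    sender_id: BridgeID   # the sending bridge


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"
    log: list = field(default_factory=list)


def elect_root(bridges):
    """Standard election: the bridge with the lowest (priority, MAC) is root."""
    return min(bridges, key=BridgeID.key)


def receive_bpdu(port, bpdu, current_root):
    """Process one BPDU on a port; returns the root this switch now believes in."""
    if port.bpdu_guard and port.portfast:
        # BPDU Guard: no BPDU is ever legitimate on a PortFast (edge) port.
        port.state = "err-disabled"
        port.log.append(f"{port.name}: BPDU from {bpdu.sender_id.mac}, err-disabled")
        return current_root
    superior = bpdu.root_id.key() < current_root.key()
    if port.root_guard and superior:
        # Root Guard: a superior root may not appear on this port; block it
        # (the port recovers once the superior BPDUs stop arriving).
        port.state = "root-inconsistent"
        port.log.append(f"{port.name}: superior BPDU ignored, root-inconsistent")
        return current_root
    if superior:
        # Unprotected port: the advertised bridge becomes the new root.
        port.log.append(f"{port.name}: new root {bpdu.root_id.mac}")
        return bpdu.root_id
    return current_root


def rogue_root_attack(port):
    """Legitimate election, then a rogue BPDU with priority 0 on the given port."""
    legit = [BridgeID(32768, "00:0e:00:aa:aa:aa"),
             BridgeID(4096, "00:0e:00:bb:bb:bb"),    # the intended root
             BridgeID(32768, "00:0e:00:cc:cc:cc")]
    root = elect_root(legit)
    rogue = BridgeID(0, "de:ad:be:ef:00:01")       # attacker host's BPDU
    new_root = receive_bpdu(port, BPDU(root_id=rogue, sender_id=rogue), root)
    return root, new_root, port.state


if __name__ == "__main__":
    for p in (Port("Gi1/0/1"),
              Port("Gi1/0/2", portfast=True, bpdu_guard=True),
              Port("Gi1/0/24", root_guard=True)):
        print(p.name, rogue_root_attack(p))
```

The tie-break matters in practice: two switches left at the default priority of 32768 elect the one with the lower MAC, which is often the oldest switch in the building, so setting an explicit low priority on the intended root is part of the same defence.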