Data Link Layer Security
Lecture 3
Supakorn Kungpisdan
NETE4630: Advanced Network Security and Implementation

Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques

Task: MAC Address Spoofing
- What is MAC address spoofing?
- What is its purpose?
- Explain how it works

Passive vs Active Sniffing
- Passive sniffing involves using a sniffer (Ethereal or tcpdump) to monitor incoming packets
- Passive sniffing relies on a feature of network cards called promiscuous mode
- When placed in promiscuous mode, a network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host
- However, passive sniffing does not work well in a switched network: the attacker can sniff traffic only within his/her own VLAN

Active Sniffing
- Active sniffing relies on injecting packets into the network that cause traffic which should not be sent to your system to be sent to your system
- Active sniffing is required to bypass the segmentation that switches provide
- In wireless networks, passive sniffing involves sending no packets and monitoring the packets sent by others; active wireless sniffing involves sending out multiple network probes to identify APs

ARP Poisoning
- Performing active sniffing on switches (figure: Ethernet)

ARP Poisoning (cont.)
- By spoofing the default gateway's IP address, all hosts on the subnet will route through the attacker's machine
- You have to poison the ARP cache of every host on the subnet
- Better if targeting a single host on the network
- Should not spoof the IP of another client
- To perform ARP poisoning: # arp -s <victim IP> <our MAC address> pub
- Alternatively, use Cain and Abel

Cain and Abel

WinArpAttacker

ARP Flooding
- ARP flooding is another ARP cache poisoning technique aimed at network switches
- Aka CAM Table Overflow attack
- Some switches will drop into a hub-like mode when the CAM table is flooded
- CAM (Content Addressable Memory) is a physical part of a switch
- CAM stores information about the MAC addresses available on each physical port and their associated VLAN parameters
- CAM is normal memory, limited in size
- Can also use WinArpAttacker to perform ARP flooding

ARP Flooding (cont.)
- In 1999, Ian Vitek created a tool called macof, later integrated into dsniff, which floods the switch with invalid source MAC addresses (up to 155,000/minute)
- This quickly fills up the CAM table of the switch to which the computer running this tool is connected, and also of the adjacent switches
- The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network
- This makes a MITM attack possible: the attacker can start sniffing network traffic

DHCP

DHCP Starvation Attack
- Consuming the IP address space allocated by a DHCP server
- An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
- The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
- Leads to DoS

Rogue DHCP Server
- Set up a rogue DHCP server serving clients with false details, e.g.
giving them its own IP address as the default router
- This results in all the traffic passing through the attacker's computer
- A rogue DHCP server can be set up even without a DHCP starvation attack, as clients accept the first DHCPOFFER they receive
- Both attacks can be accomplished using gobbler

Preventing DHCP Attacks
- A DHCP starvation attack can be prevented by using port security features that don't allow more than X MAC addresses on one port
- Rogue DHCP is more difficult to prevent
- May implement "Authentication for DHCP Messages" (RFC 3118)
- Some smart and expensive switches have "DHCP snooping" functions which filter DHCP messages from non-trusted hosts
- It contains a database of trusted and untrusted interfaces

DHCP Snooping
- DHCP snooping provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table
- An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network
- The DHCP snooping binding table contains: MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch

DHCP Snooping (cont.)
- An untrusted interface is an interface that is configured to receive messages from outside the network or firewall
- A trusted interface is an interface that is configured to receive only messages from within the network
- DHCP snooping acts like a firewall between untrusted hosts and DHCP servers
- DHCP snooping is used to prevent rogue DHCP servers
- If a DHCPOFFER comes in on an untrusted interface, the switch shuts down the port
- The switch trusts the interface to which the authorized DHCP server is connected

Enabling DHCP Snooping

Adding Information to DHCP Snooping DB

IP Source Guard
- IP Source Guard is enabled on a DHCP snooping untrusted Layer 2 port
- For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
  - Source IP address filter: IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted
  - Source IP and MAC address filter: IP traffic is filtered based on its source IP address and its MAC address; only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted

Configuring IP Source Guard

Dynamic ARP Inspection
- On Cisco devices, it is called Dynamic ARP Inspection (DAI)
- DAI is a security feature that validates ARP packets in a network
- It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
- DAI ensures that only valid ARP requests and responses are relayed
- The switch performs these activities:
  1. Intercepts all ARP requests and responses on untrusted ports
  2. Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
  3. Drops invalid packets
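The three switch features described above (DHCP snooping building its binding table and shutting down a port that sources a DHCPOFFER, IP Source Guard's two filter levels, and DAI checking an ARP ACL first and the binding table second while skipping trusted interfaces) are easiest to see as one decision model. The following Python simulation is an added example written for these notes; it is not code from the lecture or from any switch vendor, and the port names (Gi0/1..Gi0/4), addresses and MACs are constructed.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should send; seeing one arrive on an
# untrusted port is the rogue-server case from the slides.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Binding:
    """One row of the DHCP snooping binding table (lease time omitted for brevity)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    trusted: set = field(default_factory=set)      # ports facing the authorized DHCP server
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    arp_acl: dict = field(default_factory=dict)    # ip -> mac for statically addressed hosts
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> untrusted port awaiting DHCPACK
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: returns 'forward', 'drop' or 'shutdown' for one DHCP message."""
        if port in self.errdisabled:
            return "drop"
        if msg in SERVER_MSGS and port not in self.trusted:
            self.errdisabled.add(port)                # rogue server: shut the port down
            self.log.append(f"DHCP snooping: {msg} on untrusted {port}, port shut down")
            return "shutdown"
        if msg in ("DHCPDISCOVER", "DHCPREQUEST") and port not in self.trusted:
            self.pending[(vlan, client_mac)] = port   # remember which port the client is on
        elif msg == "DHCPACK":
            client_port = self.pending.pop((vlan, client_mac), None)
            if client_port is not None:               # lease completed: add the binding
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
        return "forward"

    def ip_source_guard(self, port, vlan, src_ip, src_mac, mac_filter=False):
        """IP Source Guard on an untrusted port: 'permit' or 'deny'.
        mac_filter=False is the source-IP filter, True the source-IP-and-MAC filter."""
        if port in self.trusted:
            return "permit"
        for b in self.bindings.values():
            if (b.vlan, b.port, b.ip) == (vlan, port, src_ip) and (not mac_filter or b.mac == src_mac):
                return "permit"
        self.log.append(f"IPSG: {src_ip} from {src_mac} on {port} has no binding, denied")
        return "deny"

    def dai(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP Inspection: 'forward' or 'drop' for one ARP packet."""
        if port in self.trusted:
            return "forward"                          # trusted interfaces are not inspected
        if sender_ip in self.arp_acl:                 # ARP ACL is consulted first
            ok = self.arp_acl[sender_ip] == sender_mac
        else:                                         # otherwise the DHCP snooping binding table
            b = self.bindings.get((vlan, sender_mac))
            ok = b is not None and b.ip == sender_ip
        if not ok:
            self.log.append(f"DAI: invalid binding {sender_ip}/{sender_mac} on {port}, dropped")
        return "forward" if ok else "drop"


def demo():
    """Walk through the scenarios from the slides; returns (switch, results)."""
    sw = Switch(trusted={"Gi0/1"})                     # Gi0/1: uplink to the real DHCP server
    sw.arp_acl["10.0.0.200"] = "00:11:22:33:44:55"     # constructed static host on Gi0/4
    h1 = "aa:aa:aa:aa:aa:01"                           # constructed DHCP client on Gi0/2
    r = {}
    sw.dhcp("Gi0/2", 1, "DHCPDISCOVER", h1)
    sw.dhcp("Gi0/1", 1, "DHCPOFFER", h1, yiaddr="10.0.0.10")
    sw.dhcp("Gi0/2", 1, "DHCPREQUEST", h1)
    r["ack"] = sw.dhcp("Gi0/1", 1, "DHCPACK", h1, yiaddr="10.0.0.10")
    r["rogue_offer"] = sw.dhcp("Gi0/3", 1, "DHCPOFFER", h1, yiaddr="10.0.0.99")
    r["ipsg_ok"] = sw.ip_source_guard("Gi0/2", 1, "10.0.0.10", h1)
    r["ipsg_bad_ip"] = sw.ip_source_guard("Gi0/2", 1, "10.0.0.1", h1)
    r["ipsg_bad_mac"] = sw.ip_source_guard("Gi0/2", 1, "10.0.0.10", "bb:bb:bb:bb:bb:02", mac_filter=True)
    r["dai_ok"] = sw.dai("Gi0/2", 1, "10.0.0.10", h1)
    r["dai_gateway_claim"] = sw.dai("Gi0/2", 1, "10.0.0.1", h1)   # host claims the gateway's IP
    r["dai_static_ok"] = sw.dai("Gi0/4", 1, "10.0.0.200", "00:11:22:33:44:55")
    r["dai_static_bad"] = sw.dai("Gi0/4", 1, "10.0.0.200", "cc:cc:cc:cc:cc:03")
    r["dai_trusted"] = sw.dai("Gi0/1", 1, "10.0.0.1", "cc:cc:cc:cc:cc:01")
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    for name, verdict in results.items():
        print(f"{name:18} {verdict}")
    print("\n".join(switch.log))
```

The binding table is filled only by a DHCPACK that arrives on a trusted port for a client first seen on an untrusted port, which is why a rogue server's offer on Gi0/3 disables the port instead of creating a binding; both IP Source Guard and DAI then reuse that same table, so a host on Gi0/2 claiming the gateway's address fails both checks while the static host covered by the ARP ACL passes without a DHCP lease.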
- DAI determines the validity of an ARP packet based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database
- In non-DHCP environments, DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses
- If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks

DAI (cont.)
- By default, all interfaces are untrusted
- The switch does not check ARP packets that it receives from the other switch on the trusted interface
- For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination
- It first checks the ARP access control list; if there is no such ACL, it checks the DHCP snooping database

DAI (cont.)

Configuring DAI in DHCP Environments
- Both Switch A and Switch B are running DAI on VLAN 1, where the hosts are located
- A DHCP server is connected to Switch A.
- Both hosts acquire IP addresses from the same DHCP server
- Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2

Configuring ARP ACLs in non-DHCP Environments
- Switch B does not support DAI or DHCP snooping, but Switch A does
- If port 1 on Switch A is configured as trusted, a security hole is created because Switch A and Host 1 could be attacked by either Switch B or Host 2
- Thus, configure port 1 on Switch A as untrusted
- If the IP address of Host 2 is not static, such that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them

Configuring ARP ACLs in non-DHCP Environments (cont.)

Routing Games
- One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor
- Sending a fake route advertisement via RIP, declaring yourself as the default gateway
- All outbound traffic will pass through your host and then go to the real default gateway
- But you may not receive returned traffic unless you can modify the default gateway's routing table

Cracking WEP
- WEP is based on the RC4 cipher
- RC4 is a stream cipher
- RC4 itself is very secure; it is employed by the military for use in highly sensitive operations
- However, vendors made a mistake while implementing the WEP protocol
- They reuse the Initialization Vector

RC4 Operation

Wireless Active Attacks
- Active wireless attacks encompass spoofing and DoS attacks
- Spoofing: use NetStumbler to identify the MAC address of the victim and modify one's MAC address to match it
- DoS: sending multiple control
packets to a wireless network

Jamming Attacks
- Jamming attacks rely on using radio frequency to interfere with wireless transmissions
- This effectively performs a DoS attack on the wireless network

MITM Attacks
- Setting your wireless card up in an identical configuration to an existing hotspot (including a spoofed SSID)
- A client is unable to distinguish the legitimate AP from your spoofed AP without running additional authentication protocols on top of the wireless media

Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques

Using Encryption
- The use of encryption, assuming its mechanism is valid, will thwart any attacker attempting to passively monitor the network
- IPsec and OpenVPN
- However, these technologies are not widely used on the Internet outside of large enterprises
- SSH, SSL, PGP, S/MIME

Secure Shell (SSH)
- A cryptographically secure replacement for the standard UNIX Telnet, Remote Login (rlogin), Remote Shell (rsh), and Remote Copy (rcp) commands
- It consists of both a client and a server that use public-key cryptography to provide session encryption
- OpenSSH, PuTTY

Roadmap
- Attacking Data Link Layer
- Defending Your Network from Sniffers
- Employing Detection Techniques

Local Detection
- Many OSes provide a mechanism to determine whether a network interface is running in promiscuous mode
- Using the ifconfig command on UNIX
- However, if the host is compromised, an attacker may replace the ifconfig command with one that does not report interfaces in promiscuous mode
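The local-detection caveat above (a replaced ifconfig can simply omit PROMISC) suggests checking a second source that the ifconfig binary does not control: on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, where bit 0x100 is IFF_PROMISC. The Python below is an added example for these notes, not code from the lecture; the ifconfig and ip link outputs and the sysfs flag values it parses are constructed samples, and on a real Linux host read_sysfs_flags() reads the live values.

```python
import os
import re

IFF_PROMISC = 0x100   # Linux IFF_PROMISC bit in the interface flag word (include/uapi/linux/if.h)

# net-tools ifconfig:  "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500"
IFCONFIG_RE = re.compile(r"^(?P<name>\S+):\s+flags=\d+<(?P<flags>[^>]*)>", re.M)
# iproute2 ip link:    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IPLINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>", re.M)

# Constructed sample outputs: an honest ifconfig and a tampered one that hides PROMISC.
IFCONFIG_HONEST = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.10  netmask 255.255.255.0  broadcast 10.0.0.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""
IFCONFIG_TAMPERED = IFCONFIG_HONEST.replace("4419<UP,BROADCAST,RUNNING,PROMISC,",
                                            "4163<UP,BROADCAST,RUNNING,")
IPLINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""
# Constructed contents of /sys/class/net/<iface>/flags on the same host (0x1143 has bit 0x100 set).
SYSFS_FLAGS = {"eth0": "0x1143", "lo": "0x9"}


def promisc_from_tool(text, pattern=IFCONFIG_RE):
    """Interfaces that a user-space tool's output reports as PROMISC."""
    return {m.group("name") for m in pattern.finditer(text)
            if "PROMISC" in m.group("flags").split(",")}


def promisc_from_sysfs(flags_by_iface):
    """Interfaces whose kernel flag word has IFF_PROMISC set; independent of ifconfig."""
    return {name for name, word in flags_by_iface.items() if int(word, 16) & IFF_PROMISC}


def read_sysfs_flags(root="/sys/class/net"):
    """Read the kernel flag words on a live Linux host; returns {} where sysfs is unavailable."""
    out = {}
    try:
        for name in os.listdir(root):
            with open(os.path.join(root, name, "flags")) as f:
                out[name] = f.read().strip()
    except OSError:
        pass
    return out


def audit(tool_output, flags_by_iface, pattern=IFCONFIG_RE):
    """Return (promiscuous interfaces per the kernel, interfaces the tool failed to report).
    A non-empty second set means the tool disagrees with the kernel, which is the
    replaced-ifconfig situation the slides warn about."""
    kernel = promisc_from_sysfs(flags_by_iface)
    hidden = kernel - promisc_from_tool(tool_output, pattern)
    return kernel, hidden


if __name__ == "__main__":
    print("honest ifconfig  :", audit(IFCONFIG_HONEST, SYSFS_FLAGS))
    print("tampered ifconfig:", audit(IFCONFIG_TAMPERED, SYSFS_FLAGS))
    print("ip link          :", audit(IPLINK_SAMPLE, SYSFS_FLAGS, IPLINK_RE))
    live = read_sysfs_flags()
    if live:
        print("this host        :", sorted(promisc_from_sysfs(live)))
```

Reading sysfs is not proof against a kernel-level rootkit, but it raises the bar from "swap one binary" to "hide state inside the kernel", and a mismatch between the two views is itself a strong indicator that the host has been tampered with.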
Local Detection (cont.)

Network Detection: DNS Lookups
- Performing reverse DNS lookups can possibly reveal a sniffing host
- Forward DNS lookup: resolve an IP from a given hostname
- Reverse DNS lookup: resolve a hostname from a given IP
- Monitor the network for hosts that are performing a large number of address lookups on their own
- Generate a false network connection from a non-active address. Then monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host

Network Detection: Latency
- Detect latency variation in the host's response to network traffic (i.e. ping)
  1. Start by probing (pinging) a suspected host and sampling the response time
  2. Generate a large amount of network traffic
  3. Probe the host again and sample the response time
- If the response time changes significantly, the host may potentially be a monitoring host

Network Detection: Driver Bugs
- In some Linux OSes, there is a bug in a common Ethernet driver
- If the host is running in promiscuous mode, the OS fails to perform Ethernet address checks
- Normally, packets with an invalid MAC address would be dropped at the data-link layer. If the host is running in promiscuous mode, it will not drop a packet with an invalid MAC address
- Try sending an ICMP ping request to the host with a valid IP address and an invalid MAC address. If the host responds to this ping request, it is determined to be running in promiscuous mode

To Read
- Hack-The-Stack: Pages 104-123
- Quiz: 5%

Question?
Next week: Network Layer Security

MAC Address Spoofing (cont.)
- Replace a CAM table entry of a known MAC address on another port
- Causes a switch to send the traffic destined for the port of the attacked computer to the port at which the attacker is connected
- Causes service disruption and can be used as a MITM attack, with the attacker sniffing the packets destined to the attacked computer
- Can be blocked only in the switches, if the switches have facilities for that
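The two network-detection heuristics from the "DNS Lookups" and "Latency" slides above reduce to simple analysis of data the defender already has: the resolver's query log and two sets of RTT samples. The Python below is an added example for these notes, not code from the lecture; the decoy address 10.0.0.250, the BIND-style query log lines and the RTT values are all constructed, and the 2x latency factor is an assumed threshold to be tuned per segment.

```python
import re
import statistics

DECOY_IP = "10.0.0.250"   # constructed: no live host owns this address

# Constructed BIND-style query log.  Only a host that saw the decoy connection on the
# wire has any reason to ask who 10.0.0.250 is; 10.0.0.77 also walks the subnet with PTRs.
QUERY_LOG = """\
12-Mar-2024 10:00:01.123 client 10.0.0.10#5353: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 10:00:01.500 client 10.0.0.10#5353: query: 53.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
12-Mar-2024 10:00:02.010 client 10.0.0.77#40211: query: 250.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
12-Mar-2024 10:00:02.011 client 10.0.0.77#40212: query: 11.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
12-Mar-2024 10:00:02.012 client 10.0.0.77#40213: query: 12.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
12-Mar-2024 10:00:02.013 client 10.0.0.77#40214: query: 13.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
12-Mar-2024 10:00:03.200 client 10.0.0.20#5353: query: mail.example.com IN A + (10.0.0.53)
"""
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address: 10.0.0.250 -> 250.0.0.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def ptr_queries(log):
    """(source host, queried name) for every reverse (PTR) lookup in the log."""
    return [(m.group("src"), m.group("qname")) for m in LINE_RE.finditer(log)
            if m.group("qtype") == "PTR"]


def decoy_resolvers(log, decoy_ip):
    """Hosts that tried to resolve the decoy address: the giveaway from the slides."""
    target = ptr_name(decoy_ip)
    return sorted({src for src, qname in ptr_queries(log) if qname == target})


def heavy_reverse_lookup_hosts(log, threshold):
    """Hosts issuing at least `threshold` reverse lookups: the volume heuristic from the slides."""
    counts = {}
    for src, _ in ptr_queries(log):
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def latency_suspect(baseline_ms, loaded_ms, factor=2.0):
    """Latency heuristic: median RTT while traffic is generated vs the idle baseline.
    `factor` is an assumed threshold; a real deployment calibrates it per segment."""
    return statistics.median(loaded_ms) >= factor * statistics.median(baseline_ms)


if __name__ == "__main__":
    print("resolved the decoy :", decoy_resolvers(QUERY_LOG, DECOY_IP))
    print("heavy PTR clients  :", heavy_reverse_lookup_hosts(QUERY_LOG, 3))
    # constructed RTT samples in milliseconds: idle, then while the segment is loaded
    print("latency suspect    :", latency_suspect([0.40, 0.45, 0.50], [1.9, 2.1, 2.0]))
```

Medians rather than means keep a single lost or delayed probe from deciding the latency verdict, and the decoy check is the stronger of the two signals because a legitimate host never sees traffic for an address that does not exist.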