-
1/
Basic L2 and L3 security in Campus networks
Matěj Grégr
CNMS 2016
-
2
Communication in IPv4 network
• Assigning an IPv4 address using DHCPv4
• Finding the MAC address of the default gateway
• Finding the mapping between a DNS name and an IP address
• TCP connection
• HTTP request
-
3/
DHCP Spoofing
-
4
-
5
DHCP spoofing
• Steal the IP address of another device
• Forge the DNS server
• Forge the default gateway
• Several pieces of "software" available: Trojan.Flush.M, Trojan:W32/DNSChanger
-
6
DHCP spoofing
DHCP Discover
ETH: src mac: AA:AA:AA:AA:AA:AA, dst mac: FF:FF:FF:FF:FF:FF (broadcast)
IP: src: 0.0.0.0, dst: 255.255.255.255 (broadcast)
UDP: src port 68, dst port 67
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS …

Hosts on the segment:
DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
New client   MAC: AA:AA:AA:AA:AA:AA  IP: ?
-
7
DHCP spoofing
DHCP Offer (from the legitimate DHCP server)
ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: AA:AA:AA:AA:AA:AA
IP: src: 192.168.0.254, dst: 192.168.0.4
UDP: src port 67, dst port 68
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP: 192.168.0.4; Router: 192.168.0.1; DNS: 8.8.8.8

DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
New client   MAC: AA:AA:AA:AA:AA:AA  IP: ?

DHCP Offer (forged by the attacker)
ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: AA:AA:AA:AA:AA:AA
IP: src: 192.168.0.3, dst: 192.168.0.4
UDP: src port 67, dst port 68
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP: 192.168.0.4; Router: 192.168.0.3; DNS: 192.168.0.3
-
8
DHCP spoofing
• The attack can compromise only newly connecting clients
  - Already connected clients renew their address from the old (legitimate) DHCP server
• There are two variants of the attack:
  - The attacker exhausts the address pool of the DHCP server
  - The attacker tries to answer quicker than the DHCP server
• If a client accepts an address from the attacker's DHCP pool:
  - MitM attack: all traffic flows through the attacker
  - The attacker can forge only specific DNS addresses (harder to detect)
-
9
Defense: DHCP snooping
DHCP Discover
ETH: src mac: AA:AA:AA:AA:AA:AA, dst mac: FF:FF:FF:FF:FF:FF (broadcast)
IP: src: 0.0.0.0, dst: 255.255.255.255 (broadcast)
UDP: src port 68, dst port 67
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS …

DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
New client   MAC: AA:AA:AA:AA:AA:AA  IP: ?
-
10
Defense: DHCP spoofing
DHCP Offer (from the legitimate DHCP server, trusted port)
ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: AA:AA:AA:AA:AA:AA
IP: src: 192.168.0.254, dst: 192.168.0.4
UDP: src port 67, dst port 68
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP: 192.168.0.4; Router: 192.168.0.1; DNS: 8.8.8.8

DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
New client   MAC: AA:AA:AA:AA:AA:AA  IP: ?

DHCP Offer (forged by the attacker, untrusted port)
ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: AA:AA:AA:AA:AA:AA
IP: src: 192.168.0.3, dst: 192.168.0.4
UDP: src port 67, dst port 68
DHCP: Client MAC addr: AA:AA:AA:AA:AA:AA; Client IP: 192.168.0.4; Router: 192.168.0.3; DNS: 192.168.0.3
-
11
DHCP snooping example configuration
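The configuration this slide refers to did not survive extraction; the following is an added example (not the deck's own) of Cisco IOS DHCP snooping for the topology on the previous slides. It assumes VLAN 1 for the clients, that the DHCP server at 192.168.0.254 is reached through uplink GigabitEthernet1/0/24, and that GigabitEthernet1/0/1 to 1/0/23 are the access ports.

```cisco
! Enable DHCP snooping globally and on the client VLAN (VLAN 1 assumed)
ip dhcp snooping
ip dhcp snooping vlan 1
! Do not insert option 82 unless the DHCP server expects it
no ip dhcp snooping information option
! Keep the binding table across reloads (file name is an assumption)
ip dhcp snooping database flash:dhcp-snooping.db
!
! Only the port towards the real DHCP server (192.168.0.254) is trusted.
! A DHCP Offer/Ack such as the attacker's one from CC:CC:CC:CC:CC:CC
! arriving on any untrusted port is dropped by the switch.
interface GigabitEthernet1/0/24
 description uplink towards DHCP server 192.168.0.254
 ip dhcp snooping trust
!
! Access ports stay untrusted (the default) and are rate limited so a
! single host cannot exhaust the server's pool with a Discover flood
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 10
!
! Verification:
! Switch# show ip dhcp snooping
! Switch# show ip dhcp snooping binding
```

The binding table built here (MAC, IP, lease, VLAN, port) is the same one that Dynamic ARP Inspection reuses later in the deck.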
-
12/
CAM overflow
-
13
-
14
CAM Overflow Attack
CAM table (Port / MAC):
  2  W
  2  X
  2  Y
  2  Z
Switch ports 1, 2, 3 and 4 connect PC A, PC B, PC C and PC D; port 2 has been filled with bogus MAC addresses W, X, Y, Z.
-
15
CAM Overflow attack
CAM table (Port / MAC):
  2  W
  2  X
  2  Y
  2  Z
Switch ports 1, 2, 3 and 4 connect PC A, PC B, PC C and PC D.
A -> C? Don't know, can't insert!
-
16
CAM Table
• Implementation dependent
  - Older records usually are not deleted
Platform                         Size
Cisco Catalyst 2950              8 000
Cisco Catalyst 3560              12 000
Cisco Catalyst 3750              12 000
Linksys SRW224                   4 000
Module for Cisco Catalyst 6500   128 000
HP ProCurve 2610                 8 000
HP ProCurve 1400                 8 000
-
17
CAM overflow defense – Port security
• Limited number of MAC addresses per port
Switch# show port-security interface fa 0/1
Violation Mode        : Shutdown
Maximum MAC addresses : 2
…
Switch# show port-security interface fa 0/1 addr
Vlan  Mac Address         Type          Ports
----  -----------------   ------------  ---------------
1     CC:CC:CC:CC:CC:CC   SecureSticky  FastEthernet0/1
-
18
CAM overflow defense – Port security
DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
Client       MAC: AA:AA:AA:AA:AA:AA  IP: 192.168.0.4
ETH: src mac: DD:DD:DD:DD:DD:DD, dst mac: FF:FF:FF:FF:FF:FF …
-
19
Example of the attack
-
20
Impact of Port Security defense
• Filtering is usually done in hardware, without performance impact
• If the violation policy is SHUTDOWN, the user loses connectivity and the admin cannot tell them what is wrong
  - It is better to configure a less restrictive policy: only drop and inform the admin, but do not shut down the port
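As an added example (not from the deck), this is the port-security configuration behind the `show port-security` output on slide 17 (maximum 2 sticky MAC addresses on fa 0/1), but with the violation mode set to restrict as slide 20 recommends, so frames from extra MAC addresses are dropped and the admin is notified while the port stays up. The SNMP host address and community are assumptions.

```cisco
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! at most 2 MAC addresses may be learned on this port
 switchport port-security maximum 2
 ! learned addresses are stored in the running config ("SecureSticky")
 switchport port-security mac-address sticky
 ! restrict = drop frames from unknown MACs, count the violation and
 ! raise a syslog/SNMP notification; the port is NOT err-disabled
 switchport port-security violation restrict
!
! Make sure the "inform the admin" part actually happens
snmp-server enable traps port-security
! NMS address and community below are assumptions
snmp-server host 192.0.2.10 version 2c NMSCOMMUNITY
!
! If shutdown mode is kept anyway, let the port recover on its own
! after 5 minutes instead of waiting for a manual shutdown/no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! Switch# show port-security interface FastEthernet0/1
! Switch# show port-security address
```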
-
21/
ARP spoofing
-
22
-
23
Normal behavior
A's ARP cache:  IP C -> MAC C
C's ARP cache:  IP A -> MAC A
-
24
ARP MitM
A's ARP cache:  (empty)
C's ARP cache:  (empty)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
-
25
ARP MitM : Cache poisoning ①
A's ARP cache:  (empty)
C's ARP cache:  (empty)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
Forged ARP message sent by B to A:
  Sender HW address: B
  Sender proto address: C
  Target HW address: A
  Target proto address: A
-
26
ARP MitM : Cache poisoning ②
A's ARP cache:  IP C -> MAC B (poisoned)
C's ARP cache:  (empty)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
-
27
ARP MitM : Cache poisoning ③
A's ARP cache:  IP C -> MAC B (poisoned)
C's ARP cache:  (empty)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
Forged ARP message sent by B to C:
  Sender HW address: B
  Sender proto address: A
  Target HW address: C
  Target proto address: C
-
28
ARP MitM : Cache poisoning ④
A's ARP cache:  IP C -> MAC B (poisoned)
C's ARP cache:  IP A -> MAC B (poisoned)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
-
29
ARP MitM : Forwarding ③
A's ARP cache:  IP C -> MAC B (poisoned)
C's ARP cache:  IP A -> MAC B (poisoned)
B's ARP cache:  IP C -> MAC C, IP A -> MAC A
Traffic between A and C now passes through B, which forwards it using its own correct cache.
-
30
Dynamic ARP Inspection
• Port security cannot be used for mitigation
  - It does not look further than the L2 header
• The DHCP snooping mechanism can be reused
  - DHCP snooping creates a MAC-IP-Port binding
• Dynamic ARP Inspection tests only ARP packets
  - It does not prevent IP spoofing
Switch# show ip source binding
MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
------------------  ------------  ----------  -------------  ----  ---------------
CC:CC:CC:CC:CC:CC   192.168.0.3   6522        dhcp-snooping  1     FastEthernet2/1
-
31
Dynamic ARP Inspection
DHCP server  MAC: DD:DD:DD:DD:DD:DD  IP: 192.168.0.254
Attacker     MAC: CC:CC:CC:CC:CC:CC  IP: 192.168.0.3
             MAC: BB:BB:BB:BB:BB:BB  IP: 192.168.0.2
Client       MAC: AA:AA:AA:AA:AA:AA  IP: 192.168.0.4
ARP Reply sent by the attacker:
ETH: src mac: CC:CC:CC:CC:CC:CC, dst mac: FF:FF:FF:FF:FF:FF
ARP Reply: Sender MAC: CC:CC:CC:CC:CC:CC; Sender IP: 192.168.0.4; Target MAC: AA:AA:AA:AA:AA:AA; Target IP: 192.168.0.4
Switch# show ip source binding
MacAddress          IpAddress
------------------  ------------
CC:CC:CC:CC:CC:CC   192.168.0.3
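An added example (not from the deck) of Dynamic ARP Inspection on Cisco IOS, built on the DHCP snooping binding table shown on slide 30. With it in place, the ARP reply on this slide, in which CC:CC:CC:CC:CC:CC claims 192.168.0.4 while the binding says 192.168.0.3, is dropped on the untrusted access port. VLAN 1, the uplink GigabitEthernet1/0/24 and the statically addressed DHCP server entry are assumptions.

```cisco
! DAI validates ARP against the DHCP snooping bindings of the VLAN,
! so DHCP snooping must be enabled for the same VLAN
ip dhcp snooping
ip dhcp snooping vlan 1
ip arp inspection vlan 1
!
! Also check that the Ethernet source/destination match the ARP body
! and that the ARP IPs are not 0.0.0.0, 255.255.255.255 or multicast
ip arp inspection validate src-mac dst-mac ip
!
! Hosts without a DHCP lease (here the DHCP server itself, assumed
! static) have no binding and need an ARP ACL, otherwise their ARP
! traffic is dropped as well
arp access-list STATIC-HOSTS
 permit ip host 192.168.0.254 mac host dddd.dddd.dddd
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Uplink to other switches/routers is trusted; access ports are not and
! are rate limited (15 pps is the default) to absorb ARP floods
interface GigabitEthernet1/0/24
 ip arp inspection trust
interface range GigabitEthernet1/0/1 - 23
 ip arp inspection limit rate 15
!
! A port exceeding the rate is err-disabled; let it recover automatically
errdisable recovery cause arp-inspection
!
! Verification:
! Switch# show ip arp inspection vlan 1
! Switch# show ip arp inspection statistics vlan 1
! Switch# show ip source binding
```

The statistics counters (Forwarded, Dropped, DHCP Drops, ACL Drops) per VLAN are the first place to look when a host's ARP is unexpectedly filtered.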
-
32/
IPv6
-
33
IPv6
• Different methods of autoconfiguration
  - Stateless address autoconfiguration
  - DHCPv6
• A network interface can have several IPv6 addresses
-
34
Link local address
Router  LL: fe80::204:96ff:fe1d:4e30  GL: 2001:67c:1220:80e::1
Neighbor Solicitation
  src: ::
  dst: ff02::1:ff21:ee49 (solicited-node multicast)
  Target address: fe80::c9ee:98f6:d621:ee49
A  B
LL: fe80::c9ee:98f6:d621:ee49 [TENT]
-
35
MLD Report
Router  LL: fe80::204:96ff:fe1d:4e30  GL: 2001:67c:1220:80e::1
Multicast Listener Report v2
  src: ::
  dst: ff02::16 (All MLDv2-capable routers)
  Hop-by-hop option: Router Alert
  Changed to exclude: ff02::1:ff21:ee49
A  B
LL: fe80::c9ee:98f6:d621:ee49 [TENT]
-
36
Global address
Router  LL: fe80::204:96ff:fe1d:4e30  GL: 2001:67c:1220:80e::1
A  LL: fe80::c9ee:98f6:d621:ee49
B
Router Solicitation
  src: fe80::c9ee:98f6:d621:ee49
  dst: ff02::2 (All Routers)
-
37
Global address
Router  LL: fe80::204:96ff:fe1d:4e30  GL: 2001:67c:1220:80e::1
A  LL: fe80::c9ee:98f6:d621:ee49  GL: 2001:67c:1220:80e:d4a3:cd1b:bac:942b [TENT]
B
Router Advertisement
  src: fe80::204:96ff:fe1d:4e30
  dst: ff02::1 (All Nodes)
  M: 0, O: 0
  Prefix Information: PrfLen: 64, A: 1, Prefix: 2001:67c:1220:80e::
-
38
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
-
39
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
MLDv2  G: ff02::1:ff4b:d6:e3
-
40
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
DAD
-
41
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
SLAAC
-
42
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
DHCPv6
-
43
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
MLDv2  G: ff02::1:ffb0:5ec2
-
44
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
ND
-
45
IPv6 address autoconfiguration
• DAD, RS/RA, DHCPv6, MLDv2, ND
TCP handshake
-
46
IPv6 L2, L3 security
• Similar attacks as in the IPv4 world, with some exceptions
  - DAD, RA flood, RA MitM
• Port security can be used to mitigate CAM overflow, as in IPv4
• Three protocols must be secured (MLD, NDP, DHCPv6)
-
47
ND snooping
• The switch creates a port-MAC-IPv6 address binding based on the DAD process
• Beware!
  - Different vendors have different behavior!
  - First come, first served approach!
  - Opens a DoS attack vector: the address is registered to an attacker
Switch# show ipv6 neighbors binding
Binding Table has 4 entries, 4 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
(truncated output)
    IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
ND  FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
ND  FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      86999 s
ND  FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      85533 s
ND  FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  272 s
-
48
DHCPv6 Guard
• Similar to the DHCPv6 snooping feature
  - Based on the assigned IPv6 address, the switch creates and maintains a binding table
Switch# show ipv6 neighbors binding
Binding Table has 4 entries, 4 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
(truncated output)
    IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
ND  FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
ND  FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      869 s
ND  FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      855 s
ND  FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  172 s
DH  2001:DB8::E1B9             28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  67 s
-
49
RA Guard
• Protects against rogue RA messages; a similar feature to DHCP snooping
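An added example, not from the deck, of the three IPv6 first-hop security features named on slides 47 to 49 (ND snooping, DHCPv6 guard, RA guard) on Cisco IOS 15.x, using its policy/attach model. It assumes VLAN 1 for the hosts and that the legitimate router and DHCPv6 server are both reached through uplink GigabitEthernet1/0/24.

```cisco
! RA Guard: hosts must never send Router Advertisements (RA MitM, RA flood)
ipv6 nd raguard policy HOST-RAGUARD
 device-role host
! the only port allowed to source RAs is the router uplink
ipv6 nd raguard policy ROUTER-RAGUARD
 device-role router
!
! DHCPv6 Guard: drop DHCPv6 server messages (Advertise/Reply) sent by clients
ipv6 dhcp guard policy HOST-DHCPGUARD
 device-role client
ipv6 dhcp guard policy SERVER-DHCPGUARD
 device-role server
!
! IPv6 snooping = the binding table behind "show ipv6 neighbors binding"
! (slides 47-48): entries are learned from DAD (ND) and DHCPv6 (DH).
! security-level guard drops ND messages that contradict an existing
! binding; remember the first-come-first-served caveat from slide 47.
ipv6 snooping policy SNOOP
 security-level guard
 tracking enable
!
! Apply the host policies to every port in the VLAN ...
vlan configuration 1
 ipv6 nd raguard attach-policy HOST-RAGUARD
 ipv6 dhcp guard attach-policy HOST-DHCPGUARD
 ipv6 snooping attach-policy SNOOP
!
! ... and override them on the uplink only; the port-level policy takes
! precedence over the VLAN-level one for that port
interface GigabitEthernet1/0/24
 ipv6 nd raguard attach-policy ROUTER-RAGUARD
 ipv6 dhcp guard attach-policy SERVER-DHCPGUARD
!
! Verification:
! Switch# show ipv6 neighbors binding
! Switch# show ipv6 nd raguard policy HOST-RAGUARD
! Switch# show ipv6 dhcp guard policy HOST-DHCPGUARD
! Switch# show ipv6 snooping policies
```

Older IOS releases only offer the port-level `ipv6 nd raguard` interface command without policies; as the deck warns, check the exact feature set of your platform and software release rather than assuming it.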
-
50/
Summary
-
51
• Both IP protocols must be secured!
• Hardware and software have limitations! You have to do your due diligence. Skim-reading the vendor PDF is not enough!
• To secure your network, you should at least configure:
  - DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND snooping, RA guard