Basic L2 and L3 security in Campus networks (slide transcript)

  • 1/

    Basic L2 and L3 security in Campus networks

    Matěj Grégr

    CNMS 2016

  • 2

    Communication in IPv4 network

    - Assigning IPv4 address using DHCPv4

    - Finding a MAC address of a default gateway

    - Finding mapping between DNS name and IP address

    - TCP connection

    - HTTP request

  • 3/

    DHCP Spoofing

  • 4

  • 5

    DHCP spoofing

    - Steal an IP address of another device

    - Forge DNS server

    - Forge default gateway

    - Several pieces of malware „available“: Trojan.Flush.M, Trojan:W32/DNSChanger

  • 6

    DHCP spoofing

    DHCP Discover (sent by the client AA:AA:AA:AA:AA:AA)

    ETH: src MAC AA:AA:AA:AA:AA:AA, dst MAC FF:FF:FF:FF:FF:FF (broadcast)
    IP: src 0.0.0.0, dst 255.255.255.255 (broadcast)
    UDP: src port 68, dst port 67
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; requests: IP, Router, DNS …

    Hosts on the segment:
    DHCP server: MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    Attacker: MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    Client: MAC AA:AA:AA:AA:AA:AA, IP ?

  • 7

    DHCP spoofing – DHCP Offer

    DHCP Offer from the legitimate DHCP server:
    ETH: src MAC DD:DD:DD:DD:DD:DD, dst MAC AA:AA:AA:AA:AA:AA
    IP: src 192.168.0.254, dst 192.168.0.4
    UDP: src port 67, dst port 68
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8

    DHCP Offer from the attacker:
    ETH: src MAC CC:CC:CC:CC:CC:CC, dst MAC AA:AA:AA:AA:AA:AA
    IP: src 192.168.0.3, dst 192.168.0.4
    UDP: src port 67, dst port 68
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3

    Hosts on the segment:
    DHCP server: MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    Attacker: MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    Client: MAC AA:AA:AA:AA:AA:AA, IP ?

  • 8

    DHCP spoofing

    - The attack can compromise only newly connecting clients
      - Already connected clients renew their address with the old DHCP server

    - There are two variants of the attack:
      - Attacker can exhaust the address pool of the DHCP server
      - Attacker can try to answer quicker than the DHCP server

    - If a client accepts an address from the attacker's DHCP pool: MitM attack – all traffic flows through the attacker
      - Attacker can forge only specific DNS addresses (harder to detect)
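Both variants on this slide leave a trace that a monitoring point (a SPAN port, a DHCP server log, or a probe) can pick up: a second server answering the same transaction, a server that is not in the inventory, or an Offer whose router/DNS options differ from the expected ones. The following detector is an added example written for this page, not something from the slides; the Offer records, transaction ids and the server inventory are constructed, with the addresses taken from slides 6 and 7.

```python
"""Detect rogue DHCP servers from a log of DHCP Offer messages.

Added example, not part of the original slides. The records are
constructed and modelled on the Offer messages of slides 6 and 7: a rogue
Offer from the attacker (192.168.0.3) answers the same transaction as the
legitimate server (192.168.0.254) and rewrites router and DNS.
"""
from collections import defaultdict

# Constructed sample of observed DHCP Offer messages, one dict per packet.
# xid is the DHCP transaction id that ties an Offer to a client's Discover.
OFFERS = [
    {"xid": 0x3903F326, "src_mac": "DD:DD:DD:DD:DD:DD", "src_ip": "192.168.0.254",
     "client_mac": "AA:AA:AA:AA:AA:AA", "your_ip": "192.168.0.4",
     "router": "192.168.0.1", "dns": "8.8.8.8"},
    {"xid": 0x3903F326, "src_mac": "CC:CC:CC:CC:CC:CC", "src_ip": "192.168.0.3",
     "client_mac": "AA:AA:AA:AA:AA:AA", "your_ip": "192.168.0.4",
     "router": "192.168.0.3", "dns": "192.168.0.3"},
    {"xid": 0x1A2B3C4D, "src_mac": "DD:DD:DD:DD:DD:DD", "src_ip": "192.168.0.254",
     "client_mac": "BB:BB:BB:BB:BB:BB", "your_ip": "192.168.0.2",
     "router": "192.168.0.1", "dns": "8.8.8.8"},
]

# Servers that are allowed to answer on this VLAN (constructed inventory;
# in practice this comes from your IPAM or CMDB).
KNOWN_SERVERS = {"192.168.0.254"}


def find_unknown_servers(offers, known_servers=KNOWN_SERVERS):
    """Return sorted (server_ip, server_mac) pairs that are not in the inventory."""
    return sorted({(o["src_ip"], o["src_mac"]) for o in offers
                   if o["src_ip"] not in known_servers})


def find_conflicting_offers(offers):
    """Return {xid: [server ips]} for transactions answered by more than one server.

    Two Offers for one xid from different servers mean a second device is
    racing the legitimate server (the second variant on slide 8)."""
    by_xid = defaultdict(set)
    for o in offers:
        by_xid[o["xid"]].add(o["src_ip"])
    return {xid: sorted(ips) for xid, ips in by_xid.items() if len(ips) > 1}


def offers_changing_gateway_or_dns(offers, expected_router, expected_dns):
    """Return Offers whose router or DNS option deviates from the expected values.

    This catches the variant that only swaps the default gateway or DNS."""
    return [o for o in offers
            if o["router"] != expected_router or o["dns"] != expected_dns]


if __name__ == "__main__":
    print("servers outside inventory:", find_unknown_servers(OFFERS))
    print("transactions answered by several servers:", find_conflicting_offers(OFFERS))
    for o in offers_changing_gateway_or_dns(OFFERS, "192.168.0.1", "8.8.8.8"):
        print("suspicious offer from", o["src_ip"], "router", o["router"], "dns", o["dns"])
```

The inventory check is the strongest of the three signals because it does not depend on seeing both Offers; the xid check works even without an inventory, and the option check catches the quieter DNS-only variant.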

  • 9

    Defense: DHCP snooping – DHCP Discover

    ETH: src MAC AA:AA:AA:AA:AA:AA, dst MAC FF:FF:FF:FF:FF:FF (broadcast)
    IP: src 0.0.0.0, dst 255.255.255.255 (broadcast)
    UDP: src port 68, dst port 67
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; requests: IP, Router, DNS …

    Hosts on the segment:
    DHCP server: MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    Attacker: MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    Client: MAC AA:AA:AA:AA:AA:AA, IP ?

  • 10

    Defense: DHCP snooping – DHCP Offer

    DHCP Offer from the legitimate DHCP server:
    ETH: src MAC DD:DD:DD:DD:DD:DD, dst MAC AA:AA:AA:AA:AA:AA
    IP: src 192.168.0.254, dst 192.168.0.4
    UDP: src port 67, dst port 68
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8

    DHCP Offer from the attacker:
    ETH: src MAC CC:CC:CC:CC:CC:CC, dst MAC AA:AA:AA:AA:AA:AA
    IP: src 192.168.0.3, dst 192.168.0.4
    UDP: src port 67, dst port 68
    DHCP: client MAC addr AA:AA:AA:AA:AA:AA; client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3

    Hosts on the segment:
    DHCP server: MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    Attacker: MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    Client: MAC AA:AA:AA:AA:AA:AA, IP ?

  • 11

    DHCP snooping example configuration
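The configuration on this slide is an image that did not survive transcription. What DHCP snooping does on a switch is small enough to show in code: ports are either trusted (towards the real server) or untrusted (access ports); server-originated messages (Offer, ACK, NAK) arriving on untrusted ports are dropped, a client's chaddr must match the Ethernet source address, and the leases the real server confirms are recorded in a binding table. The simulation below is an added example for this page, not the switch's configuration or implementation; the port names, the frame representation and the frame sequence are constructed, the addresses follow slides 6 to 10.

```python
"""DHCP snooping in simulation.

Added example, not the configuration from the slide and not vendor code.
Port names (Fa0/1, Fa0/3, Fa0/24), the frame class and the replayed
sequence are constructed; addresses are those of slides 6-10.
"""
from dataclasses import dataclass, field

SERVER_MSG_TYPES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass
class DhcpFrame:
    in_port: str
    src_mac: str
    msg_type: str               # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    client_mac: str             # chaddr inside the DHCP payload
    your_ip: str = "0.0.0.0"    # yiaddr, set in OFFER/ACK


@dataclass
class DhcpSnooping:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # client MAC -> (IP, port)
    pending: dict = field(default_factory=dict)    # client MAC -> port of its last request
    dropped: list = field(default_factory=list)    # (port, msg type, reason)

    def inspect(self, f):
        """Return True when the frame is forwarded, False when it is dropped."""
        if f.in_port in self.trusted_ports:
            # Server side: record the lease the real server hands out.
            if f.msg_type == "ACK" and f.client_mac in self.pending:
                self.bindings[f.client_mac] = (f.your_ip, self.pending[f.client_mac])
            return True
        # Untrusted port: a server message can never be legitimate here.
        if f.msg_type in SERVER_MSG_TYPES:
            self.dropped.append((f.in_port, f.msg_type, "server message on untrusted port"))
            return False
        # chaddr verification: the client may not speak for another MAC.
        if f.client_mac != f.src_mac:
            self.dropped.append((f.in_port, f.msg_type, "chaddr does not match source MAC"))
            return False
        if f.msg_type == "RELEASE":
            bound = self.bindings.get(f.client_mac)
            if bound is None or bound[1] != f.in_port:
                self.dropped.append((f.in_port, f.msg_type, "release for an address not bound to this port"))
                return False
            del self.bindings[f.client_mac]
            return True
        self.pending[f.client_mac] = f.in_port   # DISCOVER / REQUEST
        return True


def run_scenario():
    """Replay the exchange of slides 6-10; Fa0/24 is the uplink towards the real server."""
    sw = DhcpSnooping(trusted_ports={"Fa0/24"})
    frames = [
        DhcpFrame("Fa0/1", "AA:AA:AA:AA:AA:AA", "DISCOVER", "AA:AA:AA:AA:AA:AA"),
        # rogue Offer from the attacker on the untrusted access port Fa0/3
        DhcpFrame("Fa0/3", "CC:CC:CC:CC:CC:CC", "OFFER", "AA:AA:AA:AA:AA:AA", "192.168.0.4"),
        # legitimate Offer and ACK arriving through the trusted uplink
        DhcpFrame("Fa0/24", "DD:DD:DD:DD:DD:DD", "OFFER", "AA:AA:AA:AA:AA:AA", "192.168.0.4"),
        DhcpFrame("Fa0/1", "AA:AA:AA:AA:AA:AA", "REQUEST", "AA:AA:AA:AA:AA:AA"),
        DhcpFrame("Fa0/24", "DD:DD:DD:DD:DD:DD", "ACK", "AA:AA:AA:AA:AA:AA", "192.168.0.4"),
        # a Discover whose chaddr claims another host's MAC
        DhcpFrame("Fa0/3", "CC:CC:CC:CC:CC:CC", "DISCOVER", "BB:BB:BB:BB:BB:BB"),
    ]
    results = [sw.inspect(f) for f in frames]
    return sw, results


if __name__ == "__main__":
    sw, results = run_scenario()
    print("forwarded:", results)
    print("bindings:", sw.bindings)
    print("dropped:", sw.dropped)
```

The binding table that comes out of this (client MAC, leased IP, port) is exactly what the later "show ip source binding" output on slide 30 lists, and it is the data Dynamic ARP Inspection reuses.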

  • 12/

    CAM overflow

  • 13

  • 14

    CAM Overflow Attack

    CAM table (port, MAC) – the attacker on port 2 fills it with made-up source addresses:
    Port  MAC
    2     W
    2     X
    2     Y
    2     Z

    Switch ports 1, 2, 3, 4 with PC A, PC B, PC C, PC D attached

  • 15

    CAM Overflow attack

    CAM table (port, MAC):
    Port  MAC
    2     W
    2     X
    2     Y
    2     Z

    Switch ports 1, 2, 3, 4 with PC A, PC B, PC C, PC D attached

    A -> C? Don't know, can't insert!

  • 16

    CAM Table

    - Implementation dependent
      - Older records usually are not deleted

    Platform                          Size
    Cisco Catalyst 2950               8 000
    Cisco Catalyst 3560              12 000
    Cisco Catalyst 3750              12 000
    Linksys SRW224                    4 000
    Module to Cisco Catalyst 6500   128 000
    HP ProCurve 2610                  8 000
    HP ProCurve 1400                  8 000

  • 17

    CAM overflow defense – Port security

    - Limited number of MAC addresses per port

    Switch# show port-security interface fa 0/1
    Violation Mode            : Shutdown
    Maximum MAC addresses     : 2
    …

    Switch# show port-security interface fa 0/1 addr
    Vlan  Mac Address        Type          Ports
    ----  -----------------  ------------  ---------------
    1     CC:CC:CC:CC:CC:CC  SecureSticky  FastEthernet0/1

  • 18

    CAM overflow defense – Port security

    Hosts on the segment:
    MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    MAC AA:AA:AA:AA:AA:AA, IP 192.168.0.4

    ETH: src MAC DD:DD:DD:DD:DD:DD, dst MAC FF:FF:FF:FF:FF:FF …

  • 19

    Example of the attack

  • 20

    Impact of Port Security defense

    - Filtering is usually done in hardware, without performance impact

    - If the violation policy is SHUTDOWN, the user loses connectivity and the admin cannot send him information about what is wrong
      - It is better to configure a less restrictive policy: only drop and inform the admin, but do not shut down the port
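Slides 14 to 20 describe one mechanism from both sides: a CAM table of fixed size that never ages entries out is filled by one port, every later host can no longer be inserted, and frames to it are flooded to all ports (including the attacker's); a per-port MAC limit keeps the table from filling, and the violation mode decides whether the offending port keeps working (restrict) or goes down (shutdown). The simulation below is an added example written for this page, not a vendor implementation; the port names, the table capacity of 8 and the frame sequence are constructed.

```python
"""CAM table exhaustion and the port-security limit, simulated.

Added example, not from the slides. The switch model is deliberately
minimal: a MAC table of fixed capacity whose entries are never deleted
(the behaviour noted on slide 16). Port names, capacity and the frames
are constructed.
"""
import random


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None, violation="restrict"):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port        # None = no port security
        self.violation = violation               # "restrict" or "shutdown"
        self.cam = {}                            # MAC -> port
        self.shutdown_ports = set()
        self.violations = []                     # (port, offending MAC)

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, src, in_port):
        """Return False when port security drops the frame."""
        if src in self.cam:
            return True
        if self.max_macs is not None and self._macs_on(in_port) >= self.max_macs:
            self.violations.append((in_port, src))
            if self.violation == "shutdown":
                self.shutdown_ports.add(in_port)
            return False
        if len(self.cam) < self.cam_capacity:     # "can't insert" once full
            self.cam[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for one frame."""
        if in_port in self.shutdown_ports:
            return []
        if not self._learn(src, in_port):
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        # Unknown destination: flood to every other port. With a full table
        # this is what happens to traffic for every host learned too late.
        return [p for p in self.ports if p != in_port]


def run_scenario(with_port_security, violation="restrict"):
    """Port 2 sends 20 frames from made-up source MACs, then A (port 1) talks to C (port 3)."""
    rng = random.Random(1)                       # fixed seed: deterministic fake MACs
    sw = Switch(["1", "2", "3", "4"], cam_capacity=8,
                max_macs_per_port=2 if with_port_security else None,
                violation=violation)
    for _ in range(20):
        fake = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        sw.forward(fake, "FF:FF:FF:FF:FF:FF", "2")
    sw.forward("A", "C", "1")                    # C not known yet: flooded either way
    reply = sw.forward("C", "A", "3")            # where does C's answer go?
    second = sw.forward("A", "C", "1")           # and A's next frame?
    return sw, reply, second


if __name__ == "__main__":
    for label, ps, mode in (("no port security", False, "restrict"),
                            ("max 2 MACs, restrict", True, "restrict"),
                            ("max 2 MACs, shutdown", True, "shutdown")):
        sw, reply, second = run_scenario(ps, mode)
        print(f"{label}: C->A goes to {reply}, A->C goes to {second}, "
              f"table size {len(sw.cam)}, violations {len(sw.violations)}, "
              f"shut down {sorted(sw.shutdown_ports)}")
```

Without the limit, both directions between A and C are flooded and port 2 receives them; with the limit in restrict mode the table holds two entries for port 2 and the rest of the switch keeps forwarding normally, with one violation logged per dropped frame (the "drop and inform" policy of slide 20); in shutdown mode the first violation takes port 2 down.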

  • 21/

    ARP spoofing

  • 22

  • 23

    Normal behavior

    ARP cache of host A:  IP C -> MAC C
    ARP cache of host C:  IP A -> MAC A

  • 24

    ARP MitM

    ARP cache of host A:  (IP, MAC) – empty
    ARP cache of host C:  (IP, MAC) – empty
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

  • 25

    ARP MitM : Cache poisoning ①

    ARP cache of host A:  (IP, MAC) – empty
    ARP cache of host C:  (IP, MAC) – empty
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

    ARP message sent by B to A:
    Sender HW address: B
    Sender protocol address: C
    Target HW address: A
    Target protocol address: A

  • 26

    ARP MitM : Cache poisoning ②

    ARP cache of host A:  IP C -> MAC B
    ARP cache of host C:  (IP, MAC) – empty
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

  • 27

    ARP MitM : Cache poisoning ③

    ARP cache of host A:  IP C -> MAC B
    ARP cache of host C:  (IP, MAC) – empty
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

    ARP message sent by B to C:
    Sender HW address: B
    Sender protocol address: A
    Target HW address: C
    Target protocol address: C

  • 28

    ARP MitM : Cache poisoning ④

    ARP cache of host A:  IP C -> MAC B
    ARP cache of host C:  IP A -> MAC B
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

  • 29

    ARP MitM : Forwarding ③

    ARP cache of host A:  IP C -> MAC B
    ARP cache of host C:  IP A -> MAC B
    ARP cache of attacker B:  IP C -> MAC C, IP A -> MAC A

    Frames between A and C are now delivered to B, which forwards them to the real destination.

  • 30

    Dynamic ARP Inspection

    - Port security cannot be used for mitigation
      - Does not look further than the L2 header

    - DHCP snooping mechanism can be reused
      - DHCP snooping can create a MAC-IP-port binding

    - Dynamic ARP Inspection tests only ARP packets
      - Does not prevent IP spoofing

    Switch# show ip source binding
    MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
    ------------------  -----------  ----------  -------------  ----  ---------------
    CC:CC:CC:CC:CC:CC   192.168.0.3  6522        dhcp-snooping  1     FastEthernet2/1

  • 31

    Dynamic ARP Inspection

    Hosts on the segment:
    DHCP server: MAC DD:DD:DD:DD:DD:DD, IP 192.168.0.254
    Attacker: MAC CC:CC:CC:CC:CC:CC, IP 192.168.0.3
    MAC BB:BB:BB:BB:BB:BB, IP 192.168.0.2
    Client: MAC AA:AA:AA:AA:AA:AA, IP 192.168.0.4

    ARP Reply sent by the attacker:
    ETH: src MAC CC:CC:CC:CC:CC:CC, dst MAC FF:FF:FF:FF:FF:FF
    ARP: Sender MAC CC:CC:CC:CC:CC:CC, Sender IP 192.168.0.4, Target MAC AA:AA:AA:AA:AA:AA, Target IP 192.168.0.4

    Switch# show ip source binding
    MacAddress          IpAddress
    ------------------  ------------
    CC:CC:CC:CC:CC:CC   192.168.0.3
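The check the switch performs on slide 31 is a lookup: the ARP sender MAC/IP pair of a packet from an untrusted port must match an entry in the DHCP snooping binding table, otherwise the packet is dropped. The code below is an added example for this page, not the switch's implementation: it parses the "show ip source binding" output of slide 30 (embedded as a constructed string with the same layout), validates three constructed ARP packets from the attacker's port (the one from slide 31, one claiming the gateway address as in the poisoning sequence of slides 25 to 28, and one truthful reply), and shows what host A's ARP cache looks like with and without inspection. The trusted uplink name FastEthernet2/24 is an assumption.

```python
"""Dynamic ARP Inspection against the DHCP snooping binding table, simulated.

Added example, not vendor code. The binding table text below is a
constructed copy of the slide 30 output; the packets and host A's cache
are constructed; the uplink port name is an assumption.
"""
import re

SHOW_IP_SOURCE_BINDING = """\
MacAddress          IpAddress    Lease(sec)  Type           VLAN  Interface
------------------  -----------  ----------  -------------  ----  ---------------
CC:CC:CC:CC:CC:CC   192.168.0.3  6522        dhcp-snooping  1     FastEthernet2/1
"""

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_bindings(text):
    """Return {(vlan, MAC): (IP, interface)} from 'show ip source binding' output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not MAC_RE.fullmatch(parts[0]):
            continue                      # header, separator or unrelated line
        mac, ip, _lease, _type, vlan, iface = parts[:6]
        table[(int(vlan), mac.upper())] = (ip, iface)
    return table


def dai_check(bindings, trusted_ports, pkt):
    """Return (allowed, reason) for one ARP packet seen on an access port."""
    if pkt["in_port"] in trusted_ports:
        return True, "trusted port"
    if pkt["eth_src"] != pkt["sender_mac"]:
        return False, "Ethernet source differs from ARP sender MAC"
    bound = bindings.get((pkt["vlan"], pkt["sender_mac"].upper()))
    if bound is None:
        return False, "no DHCP snooping binding for sender MAC"
    ip, iface = bound
    if ip != pkt["sender_ip"]:
        return False, f"sender MAC is bound to {ip}, not {pkt['sender_ip']}"
    if iface != pkt["in_port"]:
        return False, f"binding belongs to {iface}, packet arrived on {pkt['in_port']}"
    return True, "matches binding"


def deliver_arp(cache, pkt):
    """Update a host's ARP cache the way a naive stack does for any ARP it receives."""
    cache[pkt["sender_ip"]] = pkt["sender_mac"]


def run_scenario(inspect=True, trusted_ports=frozenset({"FastEthernet2/24"})):
    """Three ARP packets from the attacker's port; returns the verdicts and host A's cache."""
    bindings = parse_bindings(SHOW_IP_SOURCE_BINDING)
    attacker = "CC:CC:CC:CC:CC:CC"
    host_a_cache = {"192.168.0.3": attacker}      # A already knows the real owner of .3
    packets = [
        # slide 31: the attacker claims host A's own address 192.168.0.4
        {"in_port": "FastEthernet2/1", "vlan": 1, "eth_src": attacker,
         "sender_mac": attacker, "sender_ip": "192.168.0.4"},
        # the poisoning step of slides 25-28 aimed at the gateway address
        {"in_port": "FastEthernet2/1", "vlan": 1, "eth_src": attacker,
         "sender_mac": attacker, "sender_ip": "192.168.0.254"},
        # a truthful reply: this MAC really is bound to 192.168.0.3 on this port
        {"in_port": "FastEthernet2/1", "vlan": 1, "eth_src": attacker,
         "sender_mac": attacker, "sender_ip": "192.168.0.3"},
    ]
    verdicts = []
    for pkt in packets:
        ok, why = dai_check(bindings, trusted_ports, pkt) if inspect else (True, "inspection disabled")
        verdicts.append((ok, why))
        if ok:
            deliver_arp(host_a_cache, pkt)
    return verdicts, host_a_cache


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, cache = run_scenario(inspect=mode)
        print("DAI enabled" if mode else "DAI disabled", verdicts, cache)
```

The interface check in dai_check is the part that also covers the "port security does not help" remark on slide 30: port security only counts MACs, while this check ties the MAC, the IP and the port together.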

  • 32/

    IPv6

  • 33

    IPv6

    - Different methods of autoconfiguration
      - Stateless address autoconfiguration
      - DHCPv6

    - A network interface can have several IPv6 addresses

  • 34

    Link local address

    Router – LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1

    Neighbor Solicitation (sent by host A)
    src: ::, dst: ff02::1:ff21:ee49 (solicited-node)
    Target address: fe80::c9ee:98f6:d621:ee49

    Hosts A and B
    A – LL: fe80::c9ee:98f6:d621:ee49 [TENT]

  • 35

    MLD Report

    Router – LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1

    Multicast Listener Report v2 (sent by host A)
    src: ::, dst: ff02::16 (All MLDv2-capable routers)
    Hop-by-hop – Router Alert
    Changed to exclude: ff02::1:ff21:ee49

    Hosts A and B
    A – LL: fe80::c9ee:98f6:d621:ee49 [TENT]

  • 36

    Global address

    Router – LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1

    A – LL: fe80::c9ee:98f6:d621:ee49
    B

    Router Solicitation (sent by host A)
    src: fe80::c9ee:98f6:d621:ee49, dst: ff02::2 (All Routers)

  • 37

    Global address

    Router – LL: fe80::204:96ff:fe1d:4e30, GL: 2001:67c:1220:80e::1

    A – LL: fe80::c9ee:98f6:d621:ee49, GL: 2001:67c:1220:80e:d4a3:cd1b:bac:942b [TENT]
    B

    Router Advertisement (sent by the router)
    src: fe80::204:96ff:fe1d:4e30, dst: ff02::1 (All Nodes), M: 0, O: 0
    Prefix Information: prefix length 64, A: 1, Prefix: 2001:67c:1220:80e::
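Every address in the exchange of slides 34 to 37 is derived from something else: the router's link-local address is the modified EUI-64 form of its MAC, the solicited-node group that DAD and the MLDv2 report use is built from the low 24 bits of the tentative address, and the global address is the advertised /64 prefix plus an interface identifier. The following is an added example written for this page, not code from the slides; it recomputes the slides' values from their inputs. The router MAC 00:04:96:1d:4e:30 is inferred here from the link-local address on the slide, and since host A's global address uses a different (randomised) interface identifier than its link-local address, that identifier is passed in explicitly rather than derived.

```python
"""Addresses derived during IPv6 autoconfiguration (slides 34-37).

Added example, not part of the slides. Constants are the slide values;
ROUTER_MAC is inferred from the router's link-local address.
"""
import ipaddress

ROUTER_MAC = "00:04:96:1d:4e:30"           # inferred from fe80::204:96ff:fe1d:4e30
HOST_LL = "fe80::c9ee:98f6:d621:ee49"      # host A's tentative link-local, slide 34
RA_PREFIX = "2001:67c:1220:80e::/64"       # prefix information option, slide 37
HOST_GLOBAL_IID = "::d4a3:cd1b:bac:942b"   # low 64 bits of A's global address, slide 37


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def link_local_from_mac(mac):
    """fe80::/64 followed by the EUI-64 interface identifier."""
    packed = bytes.fromhex("fe80") + bytes(6) + eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(packed))


def interface_id(addr):
    """Low 64 bits of an IPv6 address as an integer."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the group that DAD and address resolution for addr use (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def slaac_global(prefix, iid):
    """Global address = advertised /64 prefix + 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def autoconf_sequence(host_ll=HOST_LL, router_mac=ROUTER_MAC,
                      prefix=RA_PREFIX, global_iid=HOST_GLOBAL_IID):
    """The messages of slides 34-37 as (name, src, dst, detail), every address computed."""
    router_ll = link_local_from_mac(router_mac)
    gua = slaac_global(prefix, interface_id(global_iid))
    return [
        ("Neighbor Solicitation (DAD)", "::", solicited_node(host_ll), f"target {host_ll} [TENT]"),
        ("MLDv2 Report", "::", "ff02::16", f"CHANGE_TO_EXCLUDE {solicited_node(host_ll)}"),
        ("Router Solicitation", host_ll, "ff02::2", "all routers"),
        ("Router Advertisement", router_ll, "ff02::1", f"M=0 O=0, prefix {prefix}, A=1"),
        ("MLDv2 Report", host_ll, "ff02::16", f"CHANGE_TO_EXCLUDE {solicited_node(gua)}"),
        ("Neighbor Solicitation (DAD)", "::", solicited_node(gua), f"target {gua} [TENT]"),
    ]


if __name__ == "__main__":
    for name, src, dst, detail in autoconf_sequence():
        print(f"{name:28s} {src:>28s} -> {dst:20s} {detail}")
```

The solicited-node derivation is the piece worth keeping in mind for the defensive features later in the deck: a switch doing ND snooping sees the DAD solicitation for every address a host brings up, which is exactly the moment it builds its binding.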

  • 38

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

  • 39

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    MLDv2 – G: ff02::1:ff4b:d6:e3

  • 40

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    DAD

  • 41

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    SLAAC

  • 42

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    DHCPv6

  • 43

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    MLDv2 – G: ff02::1:ffb0:5ec2

  • 44

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    ND

  • 45

    IPv6 address autoconfiguration

    - DAD, RS/RA, DHCPv6, MLDv2, ND

    TCP handshake

  • 46

    IPv6 L2, L3 security

    - Similar attacks as in the IPv4 world, with some exceptions: DAD, RA flood, RA MitM

    - Port security can be used to mitigate CAM overflow, as in IPv4

    - Three protocols must be secured (MLD, NDP, DHCPv6)

  • 47

    ND snooping

    - Switch creates a binding between port, MAC and IPv6 address based on the DAD process

    - Beware!
      - Different vendors have different behavior!
      - First come, first served approach!
      - Opens a DoS attack vector – the address is registered to an attacker

    Switch# show ipv6 neighbors binding
    Binding Table has 4 entries, 4 dynamic
    Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created

    (truncated output)

         IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
    ND   FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
    ND   FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      86999 s
    ND   FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      85533 s
    ND   FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  272 s

  • 48

    DHCPv6 Guard

    - Similar to the DHCPv6 snooping feature
      - Based on the assigned IPv6 address, the switch creates and maintains a binding table

    Switch# show ipv6 neighbors binding
    Binding Table has 4 entries, 4 dynamic
    Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created

    (truncated output)

         IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
    ND   FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
    ND   FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      869 s
    ND   FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      855 s
    ND   FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  172 s
    DH   2001:DB8::E1B9             28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  67 s

  • 49

    RA Guard

    - Protect against rogue RA messages – similar feature as DHCP snooping
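Slides 47 to 49 describe three filters that all hang off the port role and one binding table: RA Guard drops Router Advertisements on ports that are not router ports, DHCPv6 Guard drops server messages (Advertise, Reply, Reconfigure) on ports that are not server ports, and ND snooping records the first port that sends a DAD solicitation for an address and rejects later claims from elsewhere. The simulation below is an added example written for this page, not a vendor implementation; the port roles, the rogue device's MAC (02:00:00:00:00:01) and the frame sequence are constructed, while the legitimate router and the bound address reuse values from slides 34 and 48. The last two frames show the first-come, first-served caveat from slide 47: the second claimant of an already bound address is the one that loses, whichever host that happens to be.

```python
"""RA Guard, DHCPv6 Guard and ND snooping on access ports, simulated.

Added example, not vendor code. Port roles, the rogue MAC and the frame
list are constructed; router and host values come from slides 34 and 48.
"""
from dataclasses import dataclass, field
from typing import Optional

ICMPV6_RS, ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 133, 134, 135, 136     # RFC 4861
DHCPV6_ADVERTISE, DHCPV6_REPLY, DHCPV6_RECONFIGURE = 2, 7, 10        # RFC 8415
DHCPV6_SERVER_ONLY = {DHCPV6_ADVERTISE, DHCPV6_REPLY, DHCPV6_RECONFIGURE}


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    icmpv6_type: Optional[int] = None
    dhcpv6_type: Optional[int] = None
    nd_target: Optional[str] = None      # target address of an NS/NA


@dataclass
class FirstHopSecurity:
    router_ports: set                    # where RA Guard accepts Router Advertisements
    dhcp_server_ports: set               # where DHCPv6 Guard accepts server messages
    bindings: dict = field(default_factory=dict)   # IPv6 address -> (MAC, port)
    dropped: list = field(default_factory=list)    # (port, reason)

    def _drop(self, f, why):
        self.dropped.append((f.in_port, why))
        return False

    def inspect(self, f):
        """Return True when the frame is forwarded, False when it is dropped."""
        if f.icmpv6_type == ICMPV6_RA and f.in_port not in self.router_ports:
            return self._drop(f, "RA Guard: Router Advertisement on a host port")
        if f.dhcpv6_type in DHCPV6_SERVER_ONLY and f.in_port not in self.dhcp_server_ports:
            return self._drop(f, "DHCPv6 Guard: server message on a client port")
        if f.icmpv6_type == ICMPV6_NS and f.src_ip == "::" and f.nd_target:
            # DAD probe: ND snooping binds the address to the first port claiming it.
            owner = self.bindings.setdefault(f.nd_target, (f.src_mac, f.in_port))
            if owner != (f.src_mac, f.in_port):
                return self._drop(f, "ND snooping: address already bound to another port")
        if f.icmpv6_type == ICMPV6_NA:
            if self.bindings.get(f.nd_target) != (f.src_mac, f.in_port):
                return self._drop(f, "ND snooping: NA for an address not bound to this port")
        return True


def run_scenario():
    """Gi1/24 is the uplink to the real router and DHCPv6 server; everything else is a host port."""
    fhs = FirstHopSecurity(router_ports={"Gi1/24"}, dhcp_server_ports={"Gi1/24"})
    rogue = "02:00:00:00:00:01"                          # constructed rogue device on Gi1/7
    frames = [
        Frame("Gi1/24", "00:04:96:1d:4e:30", "fe80::204:96ff:fe1d:4e30", icmpv6_type=ICMPV6_RA),
        Frame("Gi1/7", rogue, "fe80::1", icmpv6_type=ICMPV6_RA),               # rogue RA
        Frame("Gi1/7", rogue, "fe80::1", dhcpv6_type=DHCPV6_ADVERTISE),        # rogue DHCPv6 server
        Frame("Gi1/15", "28:D2:44:48:E2:76", "::", icmpv6_type=ICMPV6_NS,
              nd_target="2001:db8::e1b9"),                                      # first DAD claim wins
        Frame("Gi1/2", "38:EA:A7:85:C9:26", "::", icmpv6_type=ICMPV6_NS,
              nd_target="2001:db8::e1b9"),                                      # later claim is refused
        Frame("Gi1/2", "38:EA:A7:85:C9:26", "2001:db8::e1b9", icmpv6_type=ICMPV6_NA,
              nd_target="2001:db8::e1b9"),                                      # and so is its NA
    ]
    return fhs, [fhs.inspect(f) for f in frames]


if __name__ == "__main__":
    fhs, results = run_scenario()
    print("forwarded:", results)
    print("bindings:", fhs.bindings)
    for port, why in fhs.dropped:
        print(f"dropped on {port}: {why}")
```

The port-role checks (RA Guard, DHCPv6 Guard) are stateless and cheap; the binding-table check is the one whose semantics differ between vendors, which is why slide 47 says to test the behaviour rather than assume it.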

  • 50/

    Summary

  • 51

    - Both IP protocols must be secured!

    - Hardware and software have limitations! You have to do your due diligence. Skim-reading the vendor PDF is not enough!

    - To secure your network, you should at least configure: DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND snooping, RA guard