Basic L2 and L3 security in Campus networks · 5 DHCP spoofing Steal an IP address of another...

1/

Basic L2 and L3 security in Campus networks

Matěj Grégr

CNMS 2016

2

Communication in IPv4 network

�Assigning IPv4 address using DHCPv4

�Finding a MAC address of a default gateway

�Finding mapping between DNS name and IP address

�TCP connection

�HTTP request

3/

DHCP Spoofing

5

DHCP spoofing

�Steal an IP address of another device

�Forge DNS sever

�Forge default gateway

�Several softwares „available“� Trojan.Flush.M ,

� Trojan:W32/DNSChanger

6

DHCP spoofing

DHCP Discover

ETH:src mac: AA:AA:AA:AA:AA:AAdst mac: FF:FF:FF:FF:FF:FF (broadcast)IPsrc: 0.0.0.0dst: 255.255.255.255 (broadcast)UDPsrc port 68dst port 67DHCPClient MAC addr: AA:AA:AA:AA:AA:AARequests: IP, Router, DNS …

MAC: DD:DD:DD:DD:DD:DDIP: 192.168.0.254

MAC: CC:CC:CC:CC:CC:CCIP: 192.168.0.3

MAC: BB:BB:BB:BB:BB:BBIP: 192.168.0.2

MAC: AA:AA:AA:AA:AA:AAIP: ?

DHCP server

Attacker

7

DHCP spoofingDHCP Offer

ETH:src mac: DD:DD:DD:DD:DD:DDdst mac: AA:AA:AA:AA:AA:AA IPsrc: 192.168.0.254dst: 192.168.0.4UDPsrc port 67dst port 68DHCPClient MAC addr: AA:AA:AA:AA:AA:AAClient IP: 192.168.0.4Router: 192.168.0.1DNS: 8.8.8.8





DHCP Offer

ETH:src mac: CC:CC:CC:CC:CC:CCdst mac: AA:AA:AA:AA:AA:AA IPsrc: 192.168.0.3dst: 192.168.0.4UDPsrc port 67, dst port 68DHCPClient MAC addr: AA:AA:AA:AA:AA:AAClient IP: 192.168.0.4Router: 192.168.0.3DNS: 192.168.0.3

Attacker

DHCP server

8

DHCP spoofing

�The attack can compromise only newly connecting clients� Already connected clients renew address old DHCP server

�There are two variants of the attack:� Attacker can exhaust address pool of DHCP server

� Attacker can try to answer quicker than DHCP server

� If a client assign an address from attacker’s DHCP pool� MitM attack – all traffic flows through the attacker

� Attacker can forge only specific DNS addresses (harder to detect)

9

Defense: DHCP snooping

DHCP Discover

ETH:src mac: AA:AA:AA:AA:AA:AAdst mac: FF:FF:FF:FF:FF:FF (broadcast)IPsrc: 0.0.0.0dst: 255.255.255.255 (broadcast)UDPsrc port 68dst port 67DHCPClient MAC addr: AA:AA:AA:AA:AA:AARequests: IP, Router, DNS …





10

Defense: DHCP spoofingDHCP Offer

ETH:src mac: DD:DD:DD:DD:DD:DDdst mac: AA:AA:AA:AA:AA:AA IPsrc: 192.168.0.254dst: 192.168.0.4UDPsrc port 67dst port 68DHCPClient MAC addr: AA:AA:AA:AA:AA:AAClient IP: 192.168.0.4Router: 192.168.0.1DNS: 8.8.8.8





DHCP Offer

ETH:src mac: CC:CC:CC:CC:CC:CCdst mac: AA:AA:AA:AA:AA:AA IPsrc: 192.168.0.3dst: 192.168.0.4UDPsrc port 67, dst port 68DHCPClient MAC addr: AA:AA:AA:AA:AA:AAClient IP: 192.168.0.4Router: 192.168.0.3DNS: 192.168.0.3

11

DHCP snooping example configuration

12/

CAM overflow

14

CAM Overflow Attack

Port MAC

2 W

2 X

2 Y

2 Z

1

2 4

3PC: A

PC: B

PC: C

PC: D

15

CAM Overflow attack

Port MAC

2 W

2 X

2 Y

2 Z

1

2 4

3PC: A

PC: B

PC: C

PC: D

A -> C?Don‘t know, can‘t insert!

16

CAM Table

� Implementation dependent� Older records usually are not deleted

Platform Size

Cisco Catalyst 2950 8 000



Linksys SRW224 4 000

Module to Cisco Catalyst 6500 128 000

HP ProCurve 2610 8 000

HP ProCurve 1400 8 000

17

CAM overflow defese – Port security

�Limited number of MAC addresses per port

Switch# show port-security interface fa 0/1Violation Mode :ShutdownMaximum MAC addresses :2…

Switch# show port-security interface fa 0/1 addrVlan Mac Address Type Ports----- ------------- ------------ -----1 CC:CC:CC:CC:CC:CC SecureSticky FastEthernet0/1

18

CAM overflow defese – Port security




MAC: AA:AA:AA:AA:AA:AAIP: 192.168.0.4

ETH:src mac: DD:DD:DD:DD:DD:DDdst mac: FF:FF:FF:FF:FF:FF …

19

Example of the attack

20

Impact of Port Security defense

�Filtration is usually in HW without performance impact

� If security policy is SHUTDOWN, user losses connection and admin cannot send him information what is wrong� It is better to configure less restrictive policy – only drop and inform

the admin, but do not shut down the port

21/

ARP spoofing

23

Normal behavior

IP MAC

C C

IP MAC

A A

24

ARP MitM

IP MAC IP MAC

IP MAC

C C

A A

25

ARP MitM : Cache poisoning ①

IP MAC IP MAC

IP MAC

C C

A A

Sender HW addres: B

Sender proto address: C

Target HW address: A

Target proto address A

26

ARP MitM : Cache poisoning ②

IP MAC

C B

IP MAC

IP MAC

C C

A A

27

ARP MitM : Cache poisoning ③

IP MAC

C B

IP MAC

IP MAC

C C

A A

Sender HW addres: B

Sender proto address: A

Target HW address: C

Target proto address C

28

ARP MitM : Cache poisoning ④

IP MAC

C B

IP MAC

A B

IP MAC

C C

A A

29

ARP MitM : Forwarding ③

IP MAC

C B

IP MAC

A B

IP MAC

C C

A A

30

Dynamic ARP Inspection

�Port security cannot be used for mitigation� Does not look further than L2 header

�DHCP snooping mechanism can be reused� DHCP snooping can create MAC-IP-Port binding

�Dynamic ARP Inspection tests only ARP packets� Does not provent IP spoofing

Switch# show ip source bindingMacAddress IpAddress Lease(sec) Type VLAN Interfa ce------------------ ------------ ---------- ----------- -- ---- ----------CC:CC:CC:CC:CC:CC 192.168.0.3 6522 dhcp-snooping 1 Fast Ethernet2/1

31

Dynamic ARP Inspection




MAC: AA:AA:AA:AA:AA:AAIP: 192.168.0.4

ETH:src mac: CC:CC:CC:CC:CC:CCdst mac: FF:FF:FF:FF:FF:FF ARP ReplySender MAC: CC:CC:CC:CC:CC:CCSender IP: 192.168.0.4Target MAC: AA:AA:AA:AA:AA:AATarget IP: 192.168.0.4

Switch# show ip source bindingMacAddress IpAddress------------------ ------------CC:CC:CC:CC:CC:CC 192.168.0.3

32/

IPv6

33

IPv6

�Different methods of autoconfiguration� Stateless address autoconfiguration

� DHCPv6

�A network interface can have several IPv6 addresses

34

Link local address

RouterLL: fe80::204:96ff:fe1d:4e30GL: 2001:67c:1220:80e::1

Neighbor Solicitation

src: ::dst: ff02::1:ff21:ee49 (solicitated node)

Target address: fe80::c9ee:98f6:d621:ee49

A B

LL: fe80:: c9ee:98f6:d621:ee49 [TENT]

35

MLD Report


Multicast Listener Report v2

src: ::dst: ff02::16 (All MLDv2-capable routers)

Hop-by-hop – Router Alert

Changed to exclude: ff02::1:ff21:ee49

A B

LL: fe80::c9ee:98f6:d621:ee49 [TENT]

36

Global address


ALL: fe80::c9ee:98f6:d621:ee49

B

Router Solicitation

src: fe80::c9ee:98f6:d621:ee49dst: ff02::2 (All Routers)

37

Global address


ALL: fe80::c9ee:98f6:d621:ee49GL: 2001:67c:1220:80e : d4a3:cd1b:bac:942b [TENT]

B

Router Advertisement

src: fe80::204:96ff:fe1d:4e30dst: ff02::1 (All Nodes)M: 0O: 0

Prefix InformationPrfLen: 64A: 1Prefix: 2001:67c:1220:80e ::

38

IPv6 address autoconfiguration

�DAD, RS/RA, DHCPv6, MLDv2, ND

39



MLDv2MLDv2 G: ff02::1:ff4b:d6:e3

G: ff02::1:ff4b:d6:e3

40



DADDAD

41



SLAACSLAAC

42



DHCPv6DHCPv6

43



MLDv2MLDv2 G: ff02::1:ffb0:5ec2

G: ff02::1:ffb0:5ec2

44



NDND

45



TCP handshake

46

IPv6 L2, L3 security

� Similar attacks as in IPv4 world with some exceptions� DAD, RA Flood, RA MitM

� Port-security can be used for mitigation CAM overflow similar to IPv4

� Three protocols must be secured (MLD, NDP, DHCPv6)

47

ND snooping

� Switch creates binding between port-MAC-IPv6 address based on DAD process

� Beware! � Different vendors have different behavior!� First come first serve approach!

� Opens DoS attack vector – address is registred on an attacker

Switch#show ipv6 neighbors bindingBinding Table has 4 entries, 4 dynamicCodes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API -API created

(truncated output)

IPv6 address Link-Layer addr Interface vlan age state Time left

ND FE80::81E2:1562:E5A0:43EE 28D2.4448.E276 Gi1/ 15 1 3mn REACHABLE 94 sND FE80::3AEA:A7FF:FE85:C926 38EA.A785.C926 Gi1/ 2 1 26mn STALE 86999 sND FE80::10 38EA.A785.C926 Gi1/ 2 1 26mn STALE 85533 sND FE80::1 E4C7.228B.F180 Gi1/ 7 1 35s REACHABLE 272 s

48

DHCPv6 Guard

�Similar to DHCPv6 snooping feature� Based on assigned IPv6 address, switch creates and maintains

binding table

Switch#show ipv6 neighbors bindingBinding Table has 4 entries, 4 dynamicCodes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API -API created

(truncated output)

IPv6 address Link-Layer addr Interface vlan age state Time left

ND FE80::81E2:1562:E5A0:43EE 28D2.4448.E276 Gi1/ 15 1 3mn REACHABLE 94 sND FE80::3AEA:A7FF:FE85:C926 38EA.A785.C926 Gi1/ 2 1 26mn STALE 869 sND FE80::10 38EA.A785.C926 Gi1/ 2 1 26mn STALE 855 sND FE80::1 E4C7.228B.F180 Gi1/ 7 1 35s REACHABLE 172 sDH 2001:DB8::E1B9 28D2.4448.E276 Gi1/15 1 3m n REACHABLE 67 s

49

RA Guard

�Protect against rogue RA messages – similar feature as DHCP snooping

50/

Summary

51

�Both IP protocols must be secured!

�Hardware and software have limitations! You have to do your due diligence. Skim-read the vendor PDF is not enough!

�To secure your network, you should at least configure:� DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND

snooping, RA guard

Basic L2 and L3 security in Campus networks · 5 DHCP spoofing Steal an IP address of another...

Documents

Transcript of Basic L2 and L3 security in Campus networks · 5 DHCP spoofing Steal an IP address of another...