Et4045-3-attacks-2
ATTACKS #2
Attacks on network
TUTUN JUHANA
TELECOMMUNICATION ENGINEERING
SCHOOL OF ELECTRICAL ENGINEERING & INFORMATICS
INSTITUT TEKNOLOGI BANDUNG
ET4045 Telecommunication Network Security
Mitigation
- Protect the cables
- Protect the switches and patch panels
- Document the cable infrastructure
- Investigate all outages
- Inspect your cables and infrastructure regularly
- Investigate undocumented hosts and connections
Sniffer
A hub is a layer 1 device
It repeats any signal that comes in on one port and copies it to the other ports (broadcasting)
Network Sniffers
Network Interface Cards (NICs) usually work in non-promiscuous mode
- They only accept frames whose destination MAC address is the same as their own address
To tap the traffic, a sniffer must use a promiscuous NIC
- It accepts all frames received
Sniffers:
- tcpdump
- Ethereal (Wireshark): http://softlayer.dl.sourceforge.net/project/wireshark/OldStable/Wireshark%201.0.9/wireshark-setup-1.0.9.exe
- Snort
First we have a look at how a switch works
When first turned on, or when it does not yet know the destination MAC address, a switch performs frame flooding: the received frame is forwarded to all of its ports
http://www.firewall.cx/networking-topics/general-networking/236-switches-bridges.html
- Node 1 sends the frame to node 2
- The switch records the MAC address of node 1 in its MAC table (source MAC address learning)
- The switch floods the frame to all of its ports (except node 1's port)
- Node 2 receives the frame (the other nodes are supposed to drop the frame)
- Node 2 answers the frame
- The switch records the MAC address of node 2 in the MAC table
Now let's have a little ARP recap
“ARP (Address Resolution Protocol) is used in obtaining IP to MAC address mapping”
A gratuitous ARP request is an Address Resolution Protocol request packet
- The source and destination IP are both set to the IP of the machine issuing the packet
- The destination MAC is the broadcast address ff:ff:ff:ff:ff:ff
- Ordinarily, no reply packet will occur
Gratuitous ARPs are useful for four reasons:
- They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
- They assist in the updating of other machines' ARP tables.
- They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
- Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.
If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces
To change the MAC address, use a locally administered MAC address
Locally administered addresses are useful when creating virtual machines or virtual network interfaces
MAC Address Flooding
- Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and disallowing new entries from valid hosts
- Traffic to valid hosts is subsequently flooded out of all ports.
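The switch behaviour described above (flooding for an unknown destination, source MAC learning) and the effect of a full CAM table, as an added example that is not from the original slides: a toy learning switch in Python. The port numbers, MAC addresses and table size are constructed sample values, and the model ignores entry aging and VLANs.

```python
from collections import Counter


class LearningSwitch:
    """Toy model of a learning switch with a bounded CAM table."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size  # constructed value; real tables are far larger
        self.cam = {}             # MAC address -> port it was learned on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the list of ports it is sent out of."""
        # Source MAC learning: record (or refresh) the sender's port,
        # but a new entry is only possible while the table has room.
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = in_port
        # Forwarding: known destination -> one port, unknown -> flood.
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]

    def macs_per_port(self):
        """Defender's view: number of MAC addresses learned behind each port."""
        return Counter(self.cam.values())


def demo():
    sw = LearningSwitch(ports=[1, 2, 3, 4], cam_size=8)
    node1, node2, node3 = ("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "02:00:00:00:00:03")
    first = sw.receive(1, node1, node2)   # node 2 unknown -> flooded
    reply = sw.receive(2, node2, node1)   # node 1 learned -> port 1 only
    # Port 4 presents many unique source MACs until the table is full.
    for i in range(100):
        sw.receive(4, f"02:aa:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(3, node3, node1)           # valid host, but no room to learn it
    to_node3 = sw.receive(1, node1, node3)  # so its traffic is flooded
    return first, reply, to_node3, sw.macs_per_port()


if __name__ == "__main__":
    first, reply, to_node3, counts = demo()
    print("first frame out of ports:", first)
    print("reply out of ports:", reply)
    print("frame to node 3 after table is full:", to_node3)
    print("MACs learned per port:", dict(counts))
```

The per-port count is the signal to watch: an access port with one attached host should not have many MAC addresses learned behind it.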
Please play with nighthawk
https://code.google.com/p/nighthawk/downloads/detail?name=nighthawk-0.9.4-rc.zip&can=2&q=
Combine it with your Wireshark