Basic L2 and L3 security in Campus networks
Matěj Grégr, CNMS 2016
Communication in an IPv4 network
- Assigning an IPv4 address using DHCPv4
- Finding the MAC address of the default gateway
- Finding the mapping between a DNS name and an IP address
- TCP connection
- HTTP request
DHCP Spoofing
DHCP spoofing
- Steal the address of another device
- Forge the DNS server
- Forge the default gateway
- Several pieces of malware already do this: Trojan.Flush.M, Trojan:W32/DNSChanger
DHCP spoofing: DHCP Discover
  ETH:  src mac AA:AA:AA:AA:AA:AA, dst mac FF:FF:FF:FF:FF:FF (broadcast)
  IP:   src 0.0.0.0, dst 255.255.255.255 (broadcast)
  UDP:  src port 68, dst port 67
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS
Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Client A     MAC AA:AA:AA:AA:AA:AA  IP ? (not yet assigned)
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
DHCP spoofing: DHCP Offer
Legitimate offer from the DHCP server:
  ETH:  src mac DD:DD:DD:DD:DD:DD, dst mac AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.254, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8
Forged offer from the attacker:
  ETH:  src mac CC:CC:CC:CC:CC:CC, dst mac AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.3, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3
Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Client A     MAC AA:AA:AA:AA:AA:AA  IP ? (waiting for an offer)
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
DHCP spoofing
- The attack can compromise only newly connecting clients; already connected clients renew their address from the old DHCP server
- There are two variants of the attack:
  - the attacker exhausts the address pool of the legitimate DHCP server
  - the attacker tries to answer faster than the legitimate DHCP server
- If a client accepts an address from the attacker's DHCP pool: MitM attack, all traffic flows through the attacker
- The attacker can forge only specific DNS addresses (harder to detect)
Defense: DHCP snooping (DHCP Discover)
  ETH:  src mac AA:AA:AA:AA:AA:AA, dst mac FF:FF:FF:FF:FF:FF (broadcast)
  IP:   src 0.0.0.0, dst 255.255.255.255 (broadcast)
  UDP:  src port 68, dst port 67
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Requests: IP, Router, DNS
Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
  Client A     MAC AA:AA:AA:AA:AA:AA  IP ? (not yet assigned)
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
Defense: DHCP snooping (DHCP Offer)
Legitimate offer from the DHCP server:
  ETH:  src mac DD:DD:DD:DD:DD:DD, dst mac AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.254, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Client IP 192.168.0.4; Router 192.168.0.1; DNS 8.8.8.8
Forged offer from the attacker:
  ETH:  src mac CC:CC:CC:CC:CC:CC, dst mac AA:AA:AA:AA:AA:AA
  IP:   src 192.168.0.3, dst 192.168.0.4
  UDP:  src port 67, dst port 68
  DHCP: Client MAC addr AA:AA:AA:AA:AA:AA; Client IP 192.168.0.4; Router 192.168.0.3; DNS 192.168.0.3
Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Client A     MAC AA:AA:AA:AA:AA:AA  IP ? (waiting for an offer)
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
DHCP snooping example configuration
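The following is an added example configuration, written for this page and not taken from the slides, showing how DHCP snooping is typically enabled on a Cisco IOS access switch. It assumes the topology of the previous slides (the legitimate DHCP server 192.168.0.254 is reached through an uplink) and the interface names GigabitEthernet0/24 and FastEthernet0/1-23 are assumptions. The switch forwards DHCP server messages (Offer, Ack, Nak) only from ports marked as trusted, so a forged Offer from the attacker's access port never reaches client A, and the Discover/Ack exchange populates the MAC-IP-port binding table that later features reuse.

```cisco
! Added example (not from the slides): DHCP snooping on a Cisco IOS access switch.
! Assumed topology: DHCP server 192.168.0.254 behind the uplink Gi0/24,
! clients on Fa0/1 - Fa0/23 (interface names are assumptions).
ip dhcp snooping
ip dhcp snooping vlan 1
! Option 82 insertion is on by default; a DHCP server that does not
! understand option 82 from a non-relayed client may drop the Discover,
! so disable it unless the server is configured for it.
no ip dhcp snooping information option
! Keep the learned bindings across a reload (assumed local flash path).
ip dhcp snooping database flash:dhcp-snooping.db
!
interface GigabitEthernet0/24
 description uplink towards the legitimate DHCP server
 ! only on a trusted port are Offer/Ack/Nak messages accepted
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 23
 description client access ports (untrusted by default)
 switchport mode access
 switchport access vlan 1
 ! a client sends a handful of DHCP messages; 10 per second is plenty and
 ! stops the pool-exhaustion variant (the port is err-disabled when exceeded)
 ip dhcp snooping limit rate 10
!
! Verification:
!   show ip dhcp snooping            - trusted ports, rate limits, option 82 state
!   show ip dhcp snooping binding    - MAC / IP / lease / VLAN / port table
```

Untrusted ports additionally drop DHCP packets whose Ethernet source MAC differs from the client hardware address inside the DHCP message, which is the check that catches a host spraying Discovers with random MACs to exhaust the pool.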
CAM overflow
CAM Overflow Attack
  CAM table (filled from port 2):
    Port  MAC
    2     W
    2     X
    2     Y
    2     Z
  Switch ports: 1 = PC A, 2 = PC B, 3 = PC C, 4 = PC D

CAM Overflow attack, continued
  Same CAM table; a frame A -> C arrives: "Don't know, can't insert!"
  The table is full, so the switch can neither learn A's MAC nor find C's port, and the frame is flooded to all ports, including the attacker's.
CAM Table
- Implementation dependent
- Older records usually are not deleted

  Platform                           Size
  Cisco Catalyst 2950                8 000
  Cisco Catalyst 3560                12 000
  Cisco Catalyst 3750                12 000
  Linksys SRW224                     4 000
  Module to Cisco Catalyst 6500      128 000
  HP ProCurve 2610                   8 000
  HP ProCurve 1400                   8 000
CAM overflow defense: Port security
- Limited number of MAC addresses per port

Switch# show port-security interface fa 0/1
Violation Mode        : Shutdown
Maximum MAC addresses : 2

Switch# show port-security interface fa 0/1 addr
Vlan  Mac Address         Type          Ports
----  -----------------   ------------  ---------------
1     CC:CC:CC:CC:CC:CC   SecureSticky  FastEthernet0/1
CAM overflow defense: Port security
Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Client A     MAC AA:AA:AA:AA:AA:AA  IP 192.168.0.4
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
Frame shown:
  ETH: src mac DD:DD:DD:DD:DD:DD, dst mac FF:FF:FF:FF:FF:FF
Example of the attack
Impact of the Port Security defense
- Filtering is usually done in hardware, without performance impact
- If the violation mode is SHUTDOWN, the user loses connectivity and the admin has no way to tell them what is wrong
- It is better to configure a less restrictive policy: only drop the offending frames and inform the admin, but do not shut down the port
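As an added example (not a configuration from the slides), the port security settings below implement the advice above: a per-port MAC limit with the non-blocking "restrict" violation mode, plus syslog and SNMP notification so the admin actually learns about the violation. The interface name, the management host 192.0.2.10 and the community string are assumptions.

```cisco
! Added example (not from the slides): port security that drops instead of
! shutting the port down. Interface name, 192.0.2.10 and the community
! string are assumptions.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! at most two MACs per port (e.g. an IP phone plus the PC behind it)
 switchport port-security maximum 2
 ! "restrict": frames from any further MAC are dropped and counted, a
 ! syslog message / SNMP trap is generated, the port stays up
 switchport port-security violation restrict
 ! learn the first MACs seen and keep them in the running config
 ! (shown as type SecureSticky in "show port-security ... address")
 switchport port-security mac-address sticky
!
! Make the violations visible to the admin
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c MONITOR-COMMUNITY port-security
logging host 192.0.2.10
!
! If some ports do use "violation shutdown", let them recover on their own
! after 5 minutes instead of waiting for a manual "shutdown / no shutdown"
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface FastEthernet0/1   - mode, limit, violation count
!   show port-security address                      - learned secure MACs per port
```

With "restrict", a CAM overflow attempt from this port is limited to the two learned MACs: the flood of bogus source MACs is dropped in hardware and shows up as an increasing "Security Violation Count" rather than as an err-disabled port.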
ARP spoofing
Normal behavior
  Hosts A and C talk directly; A's ARP cache maps C's IP to MAC C, and C's cache maps A's IP to MAC A.

ARP MitM
  Attacker B sits on the same segment; the goal is that A's cache maps C's IP to MAC B and C's cache maps A's IP to MAC B.

ARP MitM: Cache poisoning, step 1 (B -> A)
  ARP reply from B: Sender HW address B, Sender proto address C, Target HW address A, Target proto address A
ARP MitM: Cache poisoning, step 2
  A's ARP cache now maps C -> MAC B (C's cache is still correct: A -> MAC A)
ARP MitM: Cache poisoning, step 3 (B -> C)
  ARP reply from B: Sender HW address B, Sender proto address A, Target HW address C, Target proto address C
ARP MitM: Cache poisoning, step 4
  A's cache: C -> MAC B;  C's cache: A -> MAC B
ARP MitM: Forwarding
  Traffic A -> C and C -> A is now delivered to B, which forwards it to the real destination so neither A nor C notices.
Dynamic ARP Inspection
- Port security cannot be used for mitigation: it does not look further than the L2 header
- The DHCP snooping mechanism can be reused: DHCP snooping creates the MAC-IP-port binding
- Dynamic ARP Inspection checks only ARP packets: it does not prevent IP spoofing

Switch# show ip source binding
MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
------------------  ------------  ----------  -------------  ----  ----------
CC:CC:CC:CC:CC:CC   192.168.0.3   6522        dhcp-snooping  1     FastEthernet2/1
Dynamic ARP Inspection
Switch# show ip source binding
MacAddress          IpAddress
------------------  ------------
CC:CC:CC:CC:CC:CC   192.168.0.3

Devices on the segment:
  DHCP server  MAC DD:DD:DD:DD:DD:DD  IP 192.168.0.254
  Client A     MAC AA:AA:AA:AA:AA:AA  IP 192.168.0.4
  Host B       MAC BB:BB:BB:BB:BB:BB  IP 192.168.0.2
  Attacker     MAC CC:CC:CC:CC:CC:CC  IP 192.168.0.3
Forged ARP reply from the attacker:
  ETH: src mac CC:CC:CC:CC:CC:CC, dst mac FF:FF:FF:FF:FF:FF
  ARP Reply: Sender MAC CC:CC:CC:CC:CC:CC, Sender IP 192.168.0.4
             Target MAC AA:AA:AA:AA:AA:AA / BB:BB:BB:BB:BB:BB, Target IP 192.168.0.2 / 192.168.0.4 (two overlapping replies)
The switch compares the sender pair with the binding table: CC:CC:CC:CC:CC:CC is bound to 192.168.0.3, not 192.168.0.4, so the reply is dropped.
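The added configuration below (written for this page, not taken from the slides) enables Dynamic ARP Inspection on top of the DHCP snooping bindings from the earlier slides, so that the forged reply above is dropped on the attacker's access port. Interface names are assumptions; the DHCP server's MAC and IP are those used throughout the slides.

```cisco
! Added example (not from the slides): Dynamic ARP Inspection reusing the
! DHCP snooping binding table. Interface names are assumptions.
! DAI validates ARP sender MAC/IP pairs against the snooping bindings,
! so snooping must be running for the same VLAN.
ip dhcp snooping
ip dhcp snooping vlan 1
ip arp inspection vlan 1
! Extra sanity checks: Ethernet src/dst MAC must equal the ARP sender/target
! hardware address, and sender/target IPs may not be 0.0.0.0, 255.255.255.255
! or multicast
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/24
 description uplink (router, DHCP server): ARP is not inspected here
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 23
 ! untrusted by default: every ARP packet is checked against the bindings.
 ! Cap the ARP rate so an ARP flood cannot saturate the CPU doing the checks
 ! (the port is err-disabled above the limit).
 ip arp inspection limit rate 15
!
! Hosts with a static IP on an access port have no DHCP binding, so their
! ARP packets would be dropped; allow them explicitly with an ARP ACL.
! Here the DHCP server DD:DD:DD:DD:DD:DD / 192.168.0.254 from the slides.
arp access-list STATIC-HOSTS
 permit ip host 192.168.0.254 mac host DDDD.DDDD.DDDD
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Verification:
!   show ip arp inspection vlan 1              - enabled VLANs and validation options
!   show ip arp inspection statistics vlan 1   - forwarded / dropped / DHCP-permit counters
```

Applied to the slide's scenario, the reply "Sender MAC CC:CC:CC:CC:CC:CC, Sender IP 192.168.0.4" fails the binding check (CC:CC:CC:CC:CC:CC is bound to 192.168.0.3) and is counted under "DHCP Drops" in the statistics, while A's and B's own ARP traffic, learned through DHCP, passes.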
IPv6
IPv6
- Different methods of autoconfiguration:
  - Stateless address autoconfiguration (SLAAC)
  - DHCPv6
- A network interface can have several IPv6 addresses
Link local address (DAD)
  Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
  Host A: LL fe80::c9ee:98f6:d621:ee49 [TENTATIVE]; host B on the same link
  Neighbor Solicitation from A:
    src: ::
    dst: ff02::1:ff21:ee49 (solicited-node multicast)
    Target address: fe80::c9ee:98f6:d621:ee49

MLD Report
  Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
  Host A: LL fe80::c9ee:98f6:d621:ee49 [TENTATIVE]; host B on the same link
  Multicast Listener Report v2 from A:
    src: ::
    dst: ff02::16 (All MLDv2-capable routers)
    Hop-by-hop option: Router Alert
    Changed to exclude: ff02::1:ff21:ee49

Global address (Router Solicitation)
  Router: LL fe80::204:96ff:fe1d:4e30, GL 2001:67c:1220:80e::1
  Host A: LL fe80::c9ee:98f6:d621:ee49; host B on the same link
  Router Solicitation from A:
    src: fe80::c9ee:98f6:d621:ee49
    dst: ff02::2 (All Routers)

Global address (Router Advertisement)
  Router Advertisement from the router:
    src: fe80::204:96ff:fe1d:4e30
    dst: ff02::1 (All Nodes)
    M: 0, O: 0
    Prefix Information: Prefix 2001:67c:1220:80e::, PrfLen 64, A: 1
  Host A: LL fe80::c9ee:98f6:d621:ee49, GL 2001:67c:1220:80e:d4a3:cd1b:bac:942b [TENTATIVE]; host B on the same link
IPv6 address autoconfiguration sequence: DAD, RS/RA, DHCPv6, MLDv2, ND
  1. MLDv2: join the solicited-node group G: ff02::1:ff4b:d6:e3
  2. DAD
  3. SLAAC
  4. DHCPv6
  5. MLDv2: join the solicited-node group G: ff02::1:ffb0:5ec2
  6. ND
  7. TCP handshake
IPv6 L2/L3 security
- Similar attacks as in the IPv4 world, with some exceptions: DAD, RA flood, RA MitM
- Port security can be used for mitigation; CAM overflow is similar to IPv4
- Three protocols must be secured: MLD, NDP, DHCPv6
ND snooping
- The switch creates a binding between port, MAC and IPv6 address based on the DAD process

Switch# show ipv6 neighbors binding
Binding Table has 4 entries, 4 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
(truncated output)
    IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
ND  FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
ND  FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      86999 s
ND  FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      85533 s
ND  FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  272 s

- Beware! Different vendors have different behavior!
- First come, first served approach: this opens a DoS attack vector, because an address can end up registered to the attacker's port
DHCPv6 Guard
- Similar to the DHCP snooping feature
- Based on the assigned IPv6 address, the switch creates and maintains a binding table

Switch# show ipv6 neighbors binding
Binding Table has 4 entries, 4 dynamic
Codes: L - Local, S - Static, ND - Neighbor Discovery, DH - DHCP, PKT - Other Packet, API - API created
(truncated output)
    IPv6 address               Link-Layer addr  Interface  vlan  age   state      Time left
ND  FE80::81E2:1562:E5A0:43EE  28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  94 s
ND  FE80::3AEA:A7FF:FE85:C926  38EA.A785.C926   Gi1/2      1     26mn  STALE      869 s
ND  FE80::10                   38EA.A785.C926   Gi1/2      1     26mn  STALE      855 s
ND  FE80::1                    E4C7.228B.F180   Gi1/7      1     35s   REACHABLE  172 s
DH  2001:DB8::E1B9             28D2.4448.E276   Gi1/15     1     3mn   REACHABLE  67 s
RA Guard
- Protects against rogue RA messages
- A similar feature to DHCP snooping: router advertisements are accepted only on ports where a router is expected
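The block below is an added example (not from the slides) of the Cisco IOS "First Hop Security" configuration that implements the three IPv6 features just described: IPv6 (ND) snooping to build the binding table, DHCPv6 guard and RA guard. The policy names, the VLAN and the uplink interface GigabitEthernet1/24 are assumptions; the binding table it produces is the one shown by "show ipv6 neighbors binding" on the previous slides.

```cisco
! Added example (not from the slides): IPv6 First Hop Security on a Cisco
! IOS switch. Policy names, VLAN 1 and Gi1/24 are assumptions.
!
! ND snooping: learn port / MAC / IPv6 bindings from DAD (ND) and DHCPv6,
! and drop ND traffic that contradicts an existing binding ("guard").
ipv6 snooping policy SNOOP-HOST
 device-role node
 security-level guard
 tracking enable
 ! bound the "first come, first served" DoS: at most 10 addresses per port
 limit address-count 10
!
! RA guard: a host port must never originate Router Advertisements
ipv6 nd raguard policy RAGUARD-HOST
 device-role host
ipv6 nd raguard policy RAGUARD-ROUTER
 device-role router
!
! DHCPv6 guard: a client port must not send Advertise / Reply messages
ipv6 dhcp guard policy DHCPV6-CLIENT
 device-role client
ipv6 dhcp guard policy DHCPV6-SERVER
 device-role server
!
! Apply the restrictive host policies to every port in the VLAN ...
vlan configuration 1
 ipv6 snooping attach-policy SNOOP-HOST
 ipv6 nd raguard attach-policy RAGUARD-HOST
 ipv6 dhcp guard attach-policy DHCPV6-CLIENT
!
! ... and override them on the uplink behind which the real router and
! DHCPv6 server sit (an interface policy takes precedence over the VLAN one)
interface GigabitEthernet1/24
 description uplink to router / DHCPv6 server
 ipv6 nd raguard attach-policy RAGUARD-ROUTER
 ipv6 dhcp guard attach-policy DHCPV6-SERVER
!
! Verification:
!   show ipv6 neighbors binding      - ND / DH entries as on the slides
!   show ipv6 nd raguard policy      - where each RA guard policy is attached
!   show ipv6 dhcp guard policy      - where each DHCPv6 guard policy is attached
```

With these policies an RA or a DHCPv6 Advertise arriving on an access port is dropped before any host processes it, and a host that keeps claiming new addresses through DAD is stopped at the per-port address limit rather than being allowed to fill the binding table.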
Summary
- Both protocols (IPv4 and IPv6) must be secured!
- Hardware and software have limitations! You have to do your due diligence; skim-reading the vendor PDF is not enough!
- To secure your network, you should at least configure: DHCP snooping, ARP inspection, Port security, DHCPv6 guard, ND snooping, RA guard