VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

Similar documents
Ronny L. Bull & Dr. Jeanna Matthews. DerbyCon 4.0. Sept 27th, 2014

CLARKSON UNIVERSITY. A Doctoral Dissertation. Ronny L. Bull. Department of Computer Science. Submitted in partial fulfillment of the requirements

CCNP Switch Questions/Answers Securing Campus Infrastructure

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Critical Analysis of Layer 2 Network Security in Virtualized Environments. Ronny L. Bull and Jeanna N. Matthews

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

A Framework for Optimizing IP over Ethernet Naming System

Configuring Dynamic ARP Inspection

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

CIS 5373 Systems Security

VLANs Level 3 Unit 9 Computer Networks

Switching & ARP Week 3

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

AN INTRODUCTION TO ARP SPOOFING

Configuring Dynamic ARP Inspection

Switched environments security... A fairy tale.

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Understanding and Configuring Dynamic ARP Inspection

CHAPTER 1: VLANS. Routing & Switching

CCNA 1 Chapter 5 v5.0 Exam Answers 2013

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Reference Architecture. DataStream. Architecting DataStream Network. Document # NA Version 1.03, January

Cisco Networking Academy CCNP

Chapter 2. Switch Concepts and Configuration. Part II

Preview Test: cis191_chap1_quiz

2. What is a characteristic of a contention-based access method?

Wireless LAN Security (RM12/2002)

Network Security. Thierry Sans

Configuring ARP attack protection 1

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Chapter 5 Reading Organizer After completion of this chapter, you should be able to:

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

ARP Inspection and the MAC Address Table

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

Chapter 3. Virtual Local Area Networks (VLANs) Part II

Case Studies, Lessons Learned. Ing. Tijl Deneut Lecturer Applied Computer Sciences Howest Researcher XiaK, Ghent University

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

Building Cisco Multilayer Switched Networks (BCMSN)

Expert Reference Series of White Papers. Securing Layer 2

Chapter 3: VLANs. Routing & Switching

Introduction to Switched Networks Routing And Switching

A Study of Two Different Attacks to IPv6 Network

Wireless Network Security

1. Which two statements are true about VLAN implementation? (Choose two.)

VLAN Hopping Attack. Haboob Team

Chapter 5. Security Components and Considerations.

CCNP SWITCH (22 Hours)

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

Computer Network Routing Challenges Associated to Tackle Resolution Protocol

Chapter 11: It s a Network. Introduction to Networking

2. Network Infrastructure Security -- Switching

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

PROTECTING INFORMATION ASSETS NETWORK SECURITY

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

UC Voice Application Connectivity in a VMware UCS Environment

Chapter 11: Networks

ARP SPOOFING Attack in Real Time Environment

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Development of IDS for Detecting ARP Attack using DES Model

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide

Cisco Virtual Networking Solution for OpenStack

Hypervisors networking: best practices for interconnecting with Cisco switches

1 TABLE OF CONTENTS UNCLASSIFIED//LES

Application Notes for Mirage Networks CounterPoint in an Avaya IP Telephony Infrastructure Issue 1.0

Cisco Exploration 3 Module 3 LAN Switching and Wireless Jim Johnston Class Notes September 9, 2008

: Building Cisco Multilayer Switched Networks

ICS 451: Today's plan

IPv6 migration challenges and Security

CRS328 as a Layer 2 Switch UK MUM 2018

SWITCH Implementing Cisco IP Switched Networks

Implementing Cisco IP Switched Networks (SWITCH)

VLANs. CCNA Exploration Semester 3 Chapter Sep-13

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Configuring EtherChannels and Link-State Tracking

Towards Layer 2 Authentication: Preventing Attacks based on Address Resolution Protocol Spoofing

Configuring ARP attack protection 1

VXLAN Overview: Cisco Nexus 9000 Series Switches

Analysis on new possibility security threads in IEEE 802.1CQ

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

Network+ Guide to Networks 7 th Edition

Understanding Switch Security

IEEE MACSec and NSA ESS: How to Protect Your WAN, LAN and Cloud

CIT 380: Securing Computer Systems. Network Security Concepts

Address Resolution Protocol (ARP), RFC 826

Configuring EtherChannels and Layer 2 Trunk Failover

CS Paul Krzyzanowski

CS 458 Internet Engineering Spring First Exam

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Configuring EtherChannels and Layer 2 Trunk Failover

Transcription:

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments Dr. Ronny L. Bull, Ph.D. Utica College Nexus Seminar Series Nov 10th 2017

About Me Ph.D. in Computer Science from Clarkson University Assistant Professor of Computer Science at Utica College Co-Founder and member of the Board of Directors for the Central New York Hackathon, a biannual inter-collegiate cybersecurity competition. Specializing in networking, network security, systems administration, information security, virtualization, Linux/Unix, IoT, and voice over IP technologies. http://cnyhackathon.org Owner & Principal Consultant of Adirondack IT Solutions, LLC. http://www.adirondackitsolutions.com

Publication History of this Research DerbyCon 4.0 (Sept. 2014) MAC Flooding attack results presented Open vswitch Patch Released (Feb. 2015) that addressed the MAC flooding vulnerability that I reported at DerbyCon. BsidesRoc (April 2015) DHCP attack scenario results presented DEF CON 23 (Aug. 2015) MAC Flooding and DHCP attack results presented in full DEF CON 24 (Aug. 2016) VLAN Hopping, ARP attacks, and updated MAC flooding performance results presented International Journal of Communication Networks and Distributed Systems Vol. 17 No. 3. (Sept. 2016) Journal article detailing MAC flooding and DHCP attack scenarios and results. Doctoral Dissertation (successfully defended on 9/29/2016) HackCon#12 Norway (Feb. 15th 2017) (VLAN Hopping & ARP Attacks) ANYCon 2017 (June 17th, 2017) MiTM Attacks in Virtualized Environments

Road Map Context for the Problem of Layer 2 Network Security in Virtualized Environments Test platforms Virtualization, Multi-tenant environments, Cloud services Array of virtual networking implementations tested Specific attacks and results VLAN Hopping ARP Poisoning & Man-in-the-Middle Attacks Conclusions

Key Question All client virtual machines hosted in a multi-tenant environment are essentially connected to a virtual version of a physical networking device. So do Layer 2 network attacks that typically work on physical devices apply to their virtualized counterparts? Important question to explore: All cloud services that rely on virtualized environments could be vulnerable This includes data centers hosting mission critical or sensitive data! Not the only class of attacks from co-located VMs Old lesson: vulnerable to those close to you

What If?

Bottom Line This research proves that virtualized network devices DO have the potential to be exploited in the same manner as physical devices. In fact some of these environments allow the attack to leave the virtualized network and affect the physical networks that they are connected to!

Consequences So what if a malicious tenant successfully launches a Layer 2 network attack within a multi-tenant environment? Capture all network traffic Redirect traffic Perform Man-in-the-Middle attacks Denial of Service Gain unauthorized access to restricted sub-networks Affect performance

Test Scenarios & Results VLAN Hopping Attack Scenario Descriptions Summary of Results ARP Poisoning Man-In-The-Middle Attacks Summary of Results

Old Test Environment 2012-2015 Built from what we could salvage (RIP you served us well!)

Old Hardware Specs

New Environment (After 30K of funding in 2015 Thanks UC!)

New Hardware Specs Identical Systems: 1U SuperMicro server system CPU: Intel Xeon X3-1240V3 Quad Core w/ Hyper-Threading RAM: 32GB Hard Drive: 500GB WD Enterprise 7200RPM SATA 4 on-board Intel Gigabit network interface cards

VLAN Hopping

VLAN Hopping Attacks Attack used to gain unauthorized access to another Virtual LAN on a packet switched network Attacker sends frames from one VLAN to another that would otherwise be inaccessible Two methods: Switch Spoofing Cisco proprietary Double Tagging Exploitation of 802.1Q standard

Virtual LAN Tag Ethernet frames are modified for VLAN traffic: Addition of a 802.1q VLAN header 32 bits of extra information wedged in 4 Bytes Dst MAC Src MAC TPID 0x8100 2 Bytes 802.1q Type/Len VLAN Tag TPI (3 bits) DEI (1 bit) Data VID (12 bits) 2 Bytes FCS

Switch Spoofing CVE-2005-1942 http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2005-1942 Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages.

Switch Spoofing Cisco Discovery Protocol Cisco proprietary Layer 2 protocol Allows connected Cisco devices to share information Operating system IP address Routing information Duplex settings VTP domain VLAN information

Switch Spoofing CVE-1999-1129 http://www.cvedetails.com/cve/cve-1999-1129/ Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag. And directly from Cisco: DTP: Dynamic Trunking protocol. "If a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN" (Cisco). DTP Auto is the default setting on most Cisco switches!

Switch Spoofing Dynamic Trunking Protocol Cisco proprietary Layer 2 protocol Allows automatic configuration of trunk ports on Cisco switches Automatically configures VLAN trunking for all supported VLANs Provides ability to negotiate the trunking method with neighbor devices Pair this with CDP and your Cisco devices can pretty much configure themselves (not very securely!)

Switch Spoofing Consequences Attacker's system has a trunk connection to the switch Attacker can generate frames for any VLAN supported by the trunk connection Attacker can communicate with any device on any of the associated VLANs Two-way communication can occur between the attacker and a targeted node because the attacker can actually place themselves on the VLAN Also allows attacker to eavesdrop on the traffic within a target VLAN

Switch Spoofing Demo (VMWare ESXi 6.0) https://www.youtube.com/watch?v=mmgezerlg9c&feature=youtu.be&t=20s

Switch Spoofing Results

Switch Spoofing Mitigation Disable unused switch ports Disable CDP and DTP Or use on an as need, per port basis! Restrict the amount of trunk ports Should only be configured when connecting devices require it (ie. other switches) Limit VLAN access on trunk ports to only what the connected segments require Configure all other ports as access ports (no trunking) with no access to the native VLAN

Double Tagging CVE-2005-4440 http://www.cvedetails.com/cve/cve-2005-4440/ The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream switch after the first tag has been stripped. A.K.A: Double-Tagging VLAN jumping attack

802.1Q Tagging

802.1Q Tagging

Double Tagging Dst MAC Src MAC Type/Len Data FCS Standard 802.3 Ethernet Frame 4 Bytes Dst MAC Src MAC 802.1q Type/Len VLAN Tag Data FCS 802.3 Ethernet Frame Tagged with 4 Byte 802.1q header 4 Bytes Dst MAC Src MAC 4 Bytes 802.1q 802.1q Type/Len VLAN Tag VLAN Tag Data FCS 802.3 Ethernet Frame Tagged with multiple 4 Byte 802.1q headers

Double Tagging

Double Tagging

Double Tagging Consequences Attacker can send packets to a target VLAN Targeted system cannot respond back Attacking system is on the native VLAN Target is on an access VLAN isolated from the native VLAN broadcast domain Not a good attack for eavesdropping Excellent method for DoS attacks Can be used as one way covert channels

Double-Tagging Demo (Two Physical Switches) https://www.youtube.com/watch?v=v2ht-gb4nbe&feature=youtu.be&t=45s Physical Attacker, 2 Physical Cisco 2950 Switches, ProxMox Target

Double-Tagging Demo (Two Virtual Switches w/ a Cisco 2950 in the Middle) https://www.youtube.com/watch?v=jjdbjroukio&feature=youtu.be&t=45s Attacker: XenServer VM Target: ProxMox

Double-Tagging Demo (One Physical Switch) https://www.youtube.com/watch?v=np46kuxpk9c&feature=youtu.be&t=35s Attacker: Physical Kali Target: MS HyperV Guest via Cisco Nexus 1000v

Double Tagging Results

Double Tagging Mitigation Techniques Do not assign any hosts to VLAN 1 (native VLAN) If necessary significantly limit access Disable VLAN 1 on unnecessary ports Change native VLAN on all trunk ports to something different than VLAN 1 Restrict access to switches by MAC address Can spoof MAC addresses to get around this Heart of this attack is having access to the native VLAN! This is the default VLAN for all ports on a switch!

ARP Spoofing

Address Resolution Protocol Layer 2 network protocol used to map physical MAC addresses to logical IP addresses within a broadcast domain Each system on the network maintains an 'ARP Cache' Stores address translation information for 'discovered nodes' on the network ARP caches will differ between inter-networked systems not every node needs to communicate with every other node Common entries that are generally seen in the 'ARP cache' Default Gateway Local DNS servers

ARP Process Simple process to discover the Layer 3 address of another node within the Layer 2 broadcast domain Initiating system sends a broadcast request to the entire Layer 2 network: Who has '192.168.1.10' tell '192.168.1.3' The node at '192.168.1.10' sees the broadcast and replies with its Layer 2 MAC address '192.168.1.10' is at 'ec:1b:d7:66:02:51' The initiating system then stores the translation of 'ec:1b:d7:66:02:51' to '192.168.1.10' in its ARP Cache so that it does not need to repeat the discovery process again

ARP Spoofing Normal Traffic Flow Target Virtual Machine Router / Default Gateway Virtual Machine Physical Server NIC Virtual Switch

ARP Spoofing Man-In-The-Middle Attack Router / Default Gateway Virtual Machine Target Virtual Machine Virtual Switch Attacker Virtual Machine https://www.youtube.com/watch?v=1h-pbtktcwi&feature=youtu.be&t=1m45s Attacker: Physical Kali Target: VMWare ESXi 6.0 VM Physical Server NIC

ARP Spoofing Results

ARP Spoofing Mitigation Cisco switches can make use of DHCP snooping and Dynamic ARP inspection Validate ARP requests to verify authenticity Feature not supported on any virtual switches except the non-free version of the Cisco Nexus 1000v arpwatch Linux utility developed at the Lawrence Berkeley National Laboratory Runs as a service on a Linux system and monitors the network for changes in ARP activity

Conclusion: Virtual vs Physical? Results show that virtual networking devices can pose the same or even greater risks than their physical counterparts Which systems were vulnerable varied widely across the tests no one best system Lack of sophisticated Layer 2 security controls similar to what is available on enterprise grade physical switches greatly increases the difficulty in securing virtual switches against these attacks

Bottom-line impact A single malicious virtual machine has the potential to sniff all traffic passing over a virtual switch This can pass through the virtual switch and affect physically connected devices allowing traffic from other parts of the network to be sniffed as well! Significant threat to the confidentiality, integrity, and availability (CIA) of data passing over a network in a virtualized muli-tenant environment

What can users do? Educated users can question their hosting providers Which virtual switch implementations being used? To which attacks vulnerable? Audit the risk of workloads they run in the cloud or within multitenant virtualized environments Consider/request extra security measures on their own and from hosting provider Increased use of encryption Service monitoring Threat detection and alerting

Email: rlbull@utica.edu bullrl@clarkson.edu ronny.bull@adirondackitsolutions.com Twitter: @Dr_RonnyBull Links to all publications, presentations, and demo videos related to this research can also be found at http://ronnybull.com Special thanks to Dr. Jeanna Matthews, and all of my students that assisted with this research over the past four years!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback