ISMT College, profile picture
Uploaded byISMT College
PPTX, PDF298 views

Attack.pptx

The document discusses the MAC address flooding attack, a method where an attacker floods a switch's MAC address table with fake addresses, causing it to fail-open and behave like a hub, allowing the attacker to capture sensitive data. It highlights prevention techniques using Cisco's port security feature, detailing its configuration and actions on violations, as well as other attacks such as DHCP starvation and ARP spoofing, alongside preventive measures like DHCP snooping and dynamic ARP inspection. The text serves as an instructional guide on network security practices to mitigate such vulnerabilities.

Embed presentation

Download to read offline
Attacks Prepared by: Roshan Kandel Masters in Information & Communication Engineering 1
Introduction • MAC address flooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with very large number of Ethernet frames with different fake source MAC address. • This type of attack is also known as CAM table overflow attack. • Within a very short time, the switch's MAC Address table is full with fake MAC address/port mappings. • Switch's MAC address table has only a limited amount of memory. • The switch can not save any more MAC address in its MAC Address table. 2
Following images shows a Switch's MAC address table before and after flooding attack. 3
• Once the switch's MAC address table is full and it can not save any more MAC address, its enters into a fail-open mode and start behaving like a network Hub. • Frames are flooded to all ports, similar to broadcast type of communication. • Now, what is the benefit of the attacker? • The attacker's machine will be delivered with all the frames between the victim and another machines. • The attacker will be able to capture sensitive data from network. 4
How to prevent MAC flooding attacks? • Cisco switches are packed with in-built security feature against MAC flooding attacks, called as Port Security. • Port Security is a feature of Cisco Switches, which give protection against MAC flooding attacks. 5
How to prevent MAC flooding attacks by configuring switchport port-security 6
Introduction • MAC address flooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with very large number of Ethernet frames with different fake source MAC address. • MAC flooding attack can soon drain the memory resources allocated for MAC address table and later the switch will start behaving like a network Hub. • Port Security feature can protect the switch from MAC flooding attacks. 7
• Port security feature can also protect the switch from DHCP starvation attacks, where a client start flooding the network with very large number of DHCP requests, each using a different source MAC address. • DHCP starvation attacks can result in depletion of available IP addresses in DHCP Server scope. • Port security feature is meant for access ports and it will not work on trunk ports, Ether-channel ports or SPAN (Switch Port Analyzer) ports. 8
Concepts of Port Security • The goal of Port Security is to prevent a network attacker from sending large number of Ethernet Frames with forged fake source MAC addresses to a Switch interface. • This goal is achieved by the following settings, which are related with a switch interface. • 1) Enable Port Security Feature. Port security is disabled by default. "switchport port-security" (at interface configuration mode) command can be used to enables Port Security. • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#switchport port-security 9
• 2) Specify a maximum number of MAC addresses allowed on that interface. Remember, it is possible that more that one genuine devices are connected to a switch interface (Example: a phone and a computer). • SW1(config-if)#switchport port-security maximum ? • <1-4097> Maximum addresses 10
• 3) Define the MAC Addresses of known devices, which are going to access the network via that interface. We can do this by either hardcoding the MAC addresses of known devices (statically define the known MAC addresses) or configure "sticky" MAC Address. • Sticky MAC addresses ("switchport port-security mac-address sticky") will allow us to enter dynamically learned MAC addresses to running config. • The default number of known secure MAC addresses is one. • SW1(config-if)#switchport port-security mac-address ? • H.H.H 48 bit mac address • sticky Configure dynamic secure addresses as sticky 11
• 4) Specify an action to do when a violation occurred on above conditions. • When a violation occurs in switch Port Security, Cisco switches can be configured to act in one of the three options explained below. • Protect: When "protect" option is configured and a violation occurred in switch port security, a switch interface drops frames with an unknown source MAC address after the switch port reaches maximum number of allowed MAC addresses. Frames with known source MAC addresses are allowed. No SNMP trap and a syslog message are generated. The "protect" option is the lowest port security option available. 12
• Restrict: When "restrict" option is configured and a violation occurred in switch port security, a switch interface drops frames with an unknown source MAC address after the switch port reaches maximum number of allowed MAC addresses. The restrict option also sends an SNMP trap and a syslog message and increments a violation counter when a port security violation occurs. Shutdown option sends an SNMP trap and a syslog message also. It also increments a violation counter. 13
• Shutdown: When "shutdown" option is configured and a violation occurred in switch port security, the interface is shut down. Shutdown option sends an SNMP trap and a syslog message also. It also increments a violation counter. Therefore, when a port security violation occurs, the interface is shutdown and no traffic is allowed on that interface. The "shutdown" option is the highest port security option available. • The default violation action is to shut down the port. • SW1(config-if)#switchport port-security violation protect/restrict/shutdown 14
• How to view the Port Security related settings of an interface • SW1#show port-security interface gigabitethernet 0/0 • How to view the secure known MAC addresses configured for Port Security • SW1#show port-security address 15
How to enable back an interface, after a Port Security violation related shutdown (Errdisable state) • Once a Port Security violation happened, the interface is shut down and it is in a state called as Errdisable state. Use any of the following methods to bring the interface up after a Port Security violation related shutdown. • One method to enable back an interface, after a Port Security violation related shutdown (Errdisable state) is to bring the interface down and again up by issuing the commands "shutdown" and "no shutdown". 16
• SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#shutdown • SW1(config-if)#no shutdown • SW1(config-if)#exit • SW1(config)#exit • SW1# 17
DHCP Starvation attacks and DHCP spoofing attacks 18
What is DHCP starvation attack? • Another type of network attack which is targeted to DHCP servers is known as DHCP starvation attack. • In a DHCP starvation attack, an attacker broadcasts large number of DHCP REQUEST messages with spoofed source MAC addresses. • If the legitimate DHCP Server in the network start responding to all these bogus DHCP REQUEST messages, available IP Addresses in the DHCP server scope will be depleted within a very short span of time. 19
20
• Once the available number of IP Addresses in the DHCP server is depleted, network attackers can then set up a rogue DHCP server and respond to new DHCP requests from network DHCP clients. • By setting up a rogue DHCP server, the attacker can now launch DHCP spoofing attack. 21
What is DHCP spoofing attack? • After a DHCP starvation attack and setting up a rogue DHCP server, the attacker can start distributing IP addresses and other TCP/IP configuration settings to the network DHCP clients. • TCP/IP configuration settings include Default Gateway and DNS Server IP addresses. • Network attackers can now replace the original legitimate Default Gateway IP Address and DNS Server IP Address with their own IP Address. 22
• Once the Default Gateway IP Address of the network devices are is changed, the network clients start sending the traffic destined to outside networks to the attacker's computer. • The attacker can now capture sensitive user data and launch a man-in- the-middle attack. • This is called as DHCP spoofing attack. • Attacker can also set up a rogue DNS server and deviate the end user traffic to fake web sites and launch phishing attacks. 23
How to configure DHCP Snooping? • DHCP snooping is a DHCP security feature which provides protection from DHCP starvation attacks by filtering untrusted DHCP messages. • DHCP snooping feature identifies Switch Ports as "trusted" and "untrusted". DHCP snooping feature can be used to differentiate between untrusted interfaces (where DHCP clients are connected) and trusted interfaces (where a DHCP server or another switches are connected). • Trusted ports (where a DHCP server or other switches are connected) can source all types of DHCP messages, including DHCP OFFER message. 24
• Untrusted ports are the ports where DHCP clients are connected. • Untrusted switch ports cannot source DHCP messages like : DHCPOFFER, DHCPACK, DHCPNAK, which are normally generated by a DHCP server. By default, all switch ports are untrusted. • When DHCP snooping is enabled, Cisco switches build a table known as DHCP snooping binding database (known as DHCP snooping binding table). • DHCP snooping binding table is used to identify and filter untrusted DHCP messages from the network. 25
• DHCP snooping binding table keeps track of DHCP addresses that are assigned to switch ports. • DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on untrusted switch ports. 26
• When a switch receives a packet on an untrusted switch port where DHCP snooping is enabled, with the help of information stored on DHCP snooping binding table the switch will be permitted or denied. • The packet is denied when 1. DHCP server related messages (Example: DHCPOFFER, DHCPACK, DHCPNAK) are received on an untrusted switch port. 2. The source MAC address does not match MAC address in the DHCP binding table entry. 27
How to enable DHCP snooping globally • SW1#configure terminal • SW1(config)#ip dhcp snooping • SW1(config)#exit • SW1# 28
How to enable DHCP snooping on a specific VLAN • SW1#configure terminal • SW1(config)#ip dhcp snooping vlan 500 • SW1(config)#exit • SW1# 29
How to configure a switch port as trusted • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#ip dhcp snooping trust • SW1(config-if)#exit • SW1(config)#exit • SW1# 30
How to view the DHCP snooping database • SW1#show ip dhcp snooping binding • MacAddress IpAddress Lease(sec) Type VLAN Interface • ------------------ --------------- ---------- ------------- ---- -------------------- • 00:00:AB:19:C6:00 172.16.10.183 690515 dhcp-snooping 500 Gigabitethernet0/1 • 00:00:AB:34:CB:00 172.16.10.184 690518 dhcp-snooping 500 Gigabitethernet0/2 • 00:00:AB:2A:FE:00 172.16.10.182 690512 dhcp-snooping 500 Gigabitethernet0/3 • 00:00:AB:F7:D0:00 172.16.10.181 690512 dhcp-snooping 500 Gigabitethernet0/4 • 00:00:AB:93:82:00 172.16.10.185 690518 dhcp-snooping 500 Gigabitethernet0/5 • Total number of bindings: 5 • How to view the DHCP Snooping configuration? • SW1#show ip dhcp snooping 31
ARP Spoofing attack 32
Introduction • Address Resolution Protocol (ARP) spoofing attack is a type of network attack where an attacker sends fake Address Resolution Protocol (ARP) messages inside a Local Area Network (LAN), with an aim to deviate and intercept network traffic. • In normal Address Resolution Protocol (ARP) operation, when a network device sends a ARP request (as broadcast) to find a MAC address corresponding to an IPv4 address, ARP reply comes from the legitimate network device which is configured with the IPv4 address which matches the ARP request. The ARP reply is cached by the requesting device in its ARP table. 33
• A network attacker can abuse Address Resolution Protocol (ARP) operation by responding ARP request, posing that it has the requested IPv4 address. • Once the attacker's MAC address is mapped to a authentic legitimate IPv4 address, the attacker will begin receiving any data that is intended for that legitimate IPv4 address. • Now the attacker can launch a man-in-the-middle attack can start capturing the network traffic for any sensitive user data. 34
• Attacker can also broadcast Gratuitous ARP message with the IPv4 address of default gateway. • Gratuitous ARP is a broadcast packet is used by network devices to announce any change in their IPv4 address or MAC address . • By sending Gratuitous ARP message with the IPv4 address of default gateway, attacker can pose as default gateway and capture all the network traffic moving outside the Local Area Network (LAN). 35
For an example of ARP spoofing attack, consider below topology. 36
• The IPv4 address of the default gateway is 172.16.0.1 and the corresponding MAC Address is 00:48:54:aa:aa:01. • The attacker (who is sitting at OmniSecu-PC-103) can broadcast a Gratuitous ARP message with the information that the MAC address corresponding to the IPv4 address of the default gateway (172.16.0.1) is 00:48:54:aa:aa:07 (which is attacker's own MAC address). • This will cause the devices in the network to update their ARP table with a wrong MAC address to IPv4 address mapping. ARP table of the computer has a poisoned mapping of the default gateway IPv4 address 172.16.0.1 to the wrong MAC addresses 00:48:54:aa:aa:07. 37
• The attacker will send ARP messages to the default gateway to deceive the default gateway that the MAC address corresponding to the computer "OmniSecu-PC-101" is 00:48:54:aa:aa:07 (which is attacker's own MAC address). • The ARP table of the router also has a poisoned IPv4 address to MAC address mapping. ARP table of the router has a poisoned entry mapping IPv4 address of computer "OmniSecu-PC- 101" 172.16.0.101 to the wrong MAC address 00:48:54:aa:aa:07. 38
• Now, whenever computer "OmniSecu-PC-101" sends traffic to the Internet, it will forward the network traffic to the attacker's computer, which it then forwards to the default gateway. • Since the attacker is still forwarding the traffic to the Internet via default gateway, "OmniSecu-PC-101" remains unaware that its traffic is being intercepted. • Now the attacker can try to capture the traffic for any sensitive user data 39
40
Preventing ARP spoofing attacks with Dynamic ARP inspection (DAI) • Dynamic ARP Inspection (DAI) is a feature which can be used to prevent ARP spoofing attacks. • Dynamic ARP Inspection (DAI) can be enabled on switches. When enabled, Dynamic ARP Inspection (DAI) verifies IPv4 address to MAC address bindings. • If a mismatch happened on an untrusted port, Dynamic ARP Inspection (DAI) will discard spoofed ARP packets. • DAI uses the DHCP snooping binding database to validate bindings. Dynamic ARP Inspection (DAI) only inspects ARP packets from untrusted ports. 41
• Dynamic ARP Inspection (DAI) can be enabled globally per VLAN using the command "ip arp inspection vlan <vlan-id>" By default, all ports are untrusted. To to configure a port as trusted, use the command "ip arp inspection trust", at the interface level. • How to enable Dynamic ARP Inspection (DAI) on a specific VLAN • SW1#configure terminal • SW1(config)#ip arp inspection vlan 500 42
• How to configure a switch port as trusted • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#ip arp inspection trust • SW1(config-if)#exit • SW1(config)#exit 43
Thank You 44

More Related Content

PPTX
Proxy Server: A Comprehensive Guide
byHTS Hosting
 
PPT
VPN
byShiraz316
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
PPTX
Firewall presentation
byyogendrasinghchahar
 
PPTX
Firewall and Types of firewall
byCoder Tech
 
PPTX
Intrusion detection and prevention system
byNikhil Raj
 
PPTX
Network security
byfatimasaham
 
PPTX
Intrusion prevention system(ips)
byPapun Papun
 
Proxy Server: A Comprehensive Guide
byHTS Hosting
 
VPN
byShiraz316
 
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
Firewall presentation
byyogendrasinghchahar
 
Firewall and Types of firewall
byCoder Tech
 
Intrusion detection and prevention system
byNikhil Raj
 
Network security
byfatimasaham
 
Intrusion prevention system(ips)
byPapun Papun
 

What's hot

PPTX
Latest Top 10 Types of Cyber Security Threats
byB R SOFTECH PVT LTD
 
PPTX
IDS VS IPS.pptx
byTapan Khilar
 
PDF
Endpoint Security
byAhmed Hashem El Fiky
 
PPTX
Cyber security landscape
byJisc
 
PPTX
Data center security
byDuressa Teshome
 
PPTX
Dos & Ddos Attack. Man in The Middle Attack
bymarada0033
 
PDF
Network Security Fundamentals
byRahmat Suhatman
 
PPTX
Denial of Service Attacks (DoS/DDoS)
byGaurav Sharma
 
PPTX
Network security
bySimranpreet Singh
 
PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPT
intrusion detection system (IDS)
byAj Maurya
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PPTX
Network Security ppt
bySAIKAT BISWAS
 
PPT
Network security and protocols
byOnline
 
PPTX
Application security
byHagar Alaa el-din
 
PPTX
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
PPT
Cloud security
byTushar Kayande
 
PPT
Honeypot Basics
byManoj kumawat
 
PPSX
Intrusion detection system
bygaurav koriya
 
PPTX
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
Latest Top 10 Types of Cyber Security Threats
byB R SOFTECH PVT LTD
 
IDS VS IPS.pptx
byTapan Khilar
 
Endpoint Security
byAhmed Hashem El Fiky
 
Cyber security landscape
byJisc
 
Data center security
byDuressa Teshome
 
Dos & Ddos Attack. Man in The Middle Attack
bymarada0033
 
Network Security Fundamentals
byRahmat Suhatman
 
Denial of Service Attacks (DoS/DDoS)
byGaurav Sharma
 
Network security
bySimranpreet Singh
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
intrusion detection system (IDS)
byAj Maurya
 
Web Application Penetration Testing
byPriyanka Aash
 
Network Security ppt
bySAIKAT BISWAS
 
Network security and protocols
byOnline
 
Application security
byHagar Alaa el-din
 
Vulnerability and Assessment Penetration Testing
byYvonne Marambanyika
 
Cloud security
byTushar Kayande
 
Honeypot Basics
byManoj kumawat
 
Intrusion detection system
bygaurav koriya
 
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 

Similar to Attack.pptx

PPT
Mitigating Layer2 Attacks
bydkaya
 
PPTX
Switch security
bynullowaspmumbai
 
PPTX
Network Security- port security.pptx
bySulSya
 
PDF
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
byVuz Dở Hơi
 
PPTX
CCNA 2 Routing and Switching v5.0 Chapter 2
byNil Menon
 
PDF
Network security
byTelematika Open Session
 
PPTX
Layer Two ( 2 ) Security of Cisco switch
byssuserb1479b
 
PPT
Cap2 configuring switch
byHector Camba Lainez
 
PPTX
SRWE_Module_11.pptx
byJosimar Caitano
 
PDF
Cisco Switch How To - Secure a Switch Port
byIPMAX s.r.l.
 
PPT
Cisco Security Training on ASA and FMC.ppt.ppt
byAniruddhSharma65
 
DOCX
Switchport port security explained with examples
byteameassefa
 
PPT
Cisco Training CCNA and Routing Switching.ppt
byAniruddhSharma65
 
PPTX
Port Security
byNetProtocol Xpert
 
PPT
Cisco Security Training on ASA and FTD.ppt
byAniruddhSharma65
 
PPTX
KPUCC-Rs instructor ppt_chapter2_final
byFisal Anwari
 
PDF
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
byNetgear Italia
 
PPTX
Security Concerns in LANs.pptx
byjoko
 
PDF
Increasing network efficiency by preventing attacks at access layer
byeSAT Publishing House
 
PPTX
Chapter 13 : Introduction to switched networks
byteknetir
 
Mitigating Layer2 Attacks
bydkaya
 
Switch security
bynullowaspmumbai
 
Network Security- port security.pptx
bySulSya
 
CCNAv5 - S2: Chapter2 Basic Switching Concepts and Configuration
byVuz Dở Hơi
 
CCNA 2 Routing and Switching v5.0 Chapter 2
byNil Menon
 
Network security
byTelematika Open Session
 
Layer Two ( 2 ) Security of Cisco switch
byssuserb1479b
 
Cap2 configuring switch
byHector Camba Lainez
 
SRWE_Module_11.pptx
byJosimar Caitano
 
Cisco Switch How To - Secure a Switch Port
byIPMAX s.r.l.
 
Cisco Security Training on ASA and FMC.ppt.ppt
byAniruddhSharma65
 
Switchport port security explained with examples
byteameassefa
 
Cisco Training CCNA and Routing Switching.ppt
byAniruddhSharma65
 
Port Security
byNetProtocol Xpert
 
Cisco Security Training on ASA and FTD.ppt
byAniruddhSharma65
 
KPUCC-Rs instructor ppt_chapter2_final
byFisal Anwari
 
Webinar NETGEAR Prosafe Switch, la sicurezza della LAN
byNetgear Italia
 
Security Concerns in LANs.pptx
byjoko
 
Increasing network efficiency by preventing attacks at access layer
byeSAT Publishing House
 
Chapter 13 : Introduction to switched networks
byteknetir
 

More from ISMT College

PPTX
Access Control List (ACL)
byISMT College
 
PPTX
VLAN
byISMT College
 
PPTX
Adder & subtractor (Half adder, Full adder, Half subtractor, Full subtractor)
byISMT College
 
PPTX
1. Introduction to Microprocessor.pptx
byISMT College
 
PPTX
Digital Logic BCA TU Chapter 2.2
byISMT College
 
PPTX
3. Addressing Modes in 8085 microprocessor.pptx
byISMT College
 
PPT
Time delays & counter.ppt
byISMT College
 
PPTX
Programmable logic devices
byISMT College
 
PPTX
Chapter 2.1 introduction to number system
byISMT College
 
PPTX
Register in Digital Logic
byISMT College
 
PPTX
Timing Diagram.pptx
byISMT College
 
PPTX
Chapter 1 Introduction to Digital Logic
byISMT College
 
PDF
Instruction.pdf
byISMT College
 
PPTX
Introduction to Counters
byISMT College
 
PPTX
4. Instruction Set Of MP 8085.pptx
byISMT College
 
PPTX
Chapter 1 Introduction to Digital Logic
byISMT College
 
PPTX
2. 8085-Microprocessor.pptx
byISMT College
 
PPTX
Basic Gates in Digital Logic
byISMT College
 
Access Control List (ACL)
byISMT College
 
VLAN
byISMT College
 
Adder & subtractor (Half adder, Full adder, Half subtractor, Full subtractor)
byISMT College
 
1. Introduction to Microprocessor.pptx
byISMT College
 
Digital Logic BCA TU Chapter 2.2
byISMT College
 
3. Addressing Modes in 8085 microprocessor.pptx
byISMT College
 
Time delays & counter.ppt
byISMT College
 
Programmable logic devices
byISMT College
 
Chapter 2.1 introduction to number system
byISMT College
 
Register in Digital Logic
byISMT College
 
Timing Diagram.pptx
byISMT College
 
Chapter 1 Introduction to Digital Logic
byISMT College
 
Instruction.pdf
byISMT College
 
Introduction to Counters
byISMT College
 
4. Instruction Set Of MP 8085.pptx
byISMT College
 
Chapter 1 Introduction to Digital Logic
byISMT College
 
2. 8085-Microprocessor.pptx
byISMT College
 
Basic Gates in Digital Logic
byISMT College
 

Recently uploaded

PDF
lecture on Microprocessor: 8288 bus controller
bysandeshupadhayay989
 
PPTX
Unit-1_Introduction to Microcontroller.pptx
bysidhantkulkarni1
 
PPT
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
PPTX
UNIT-1.pptx...................................
byRavinderKaur647214
 
PDF
LSI_Logic_Design_Chapter_1_for_computer_engineer.pdf
bykumathong
 
PPT
introduction to supply chain management.ppt
byrutujawawre
 
PDF
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
PPTX
psoc UNIT-3-PPT.pptx unit 3 psoc notes for anna univ regulatuin
bypandyselvieee
 
PPTX
PEMET413 -COMPOSITE MATERIALS -KTU MOD 1 LECTURE 4.pptx
byVINAY B
 
PPTX
GROUND BASED SENSOR it in agriculture system
bycmuthupriya
 
PPT
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
PPTX
Maintenance Mgt of CARDMILL in Bangladesh .pptx
byamzadbni6
 
PPT
Lecture Note on Forming processes for MME 213 2025-2026 Academic session.ppt...
byOcheriCyril2
 
PPT
lecture ppt on chlor_alkali_industries process
byrobo neon
 
PDF
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
PPTX
Module 1 AGGREGATES, DEFINITION, TYPES .pptx
bytkmmullonkal
 
PPT
DECISION MAKING SYSTEMS Modelling and Support
byAnu S S
 
PPTX
Unit 5 Materials of plant construction.pptx
bytanvikothavale1112
 
PPTX
22PEOIT4C Session 16 Backtracking CSP.pptx
byGuru Nanak Technical Institutions
 
PPTX
ML Unit - III__________________________________________________.pptx
byvuresting6268
 
lecture on Microprocessor: 8288 bus controller
bysandeshupadhayay989
 
Unit-1_Introduction to Microcontroller.pptx
bysidhantkulkarni1
 
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
UNIT-1.pptx...................................
byRavinderKaur647214
 
LSI_Logic_Design_Chapter_1_for_computer_engineer.pdf
bykumathong
 
introduction to supply chain management.ppt
byrutujawawre
 
Unconventional reservoirs in petroleum engineering
byMuhammadHaris61480
 
psoc UNIT-3-PPT.pptx unit 3 psoc notes for anna univ regulatuin
bypandyselvieee
 
PEMET413 -COMPOSITE MATERIALS -KTU MOD 1 LECTURE 4.pptx
byVINAY B
 
GROUND BASED SENSOR it in agriculture system
bycmuthupriya
 
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
Maintenance Mgt of CARDMILL in Bangladesh .pptx
byamzadbni6
 
Lecture Note on Forming processes for MME 213 2025-2026 Academic session.ppt...
byOcheriCyril2
 
lecture ppt on chlor_alkali_industries process
byrobo neon
 
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
Module 1 AGGREGATES, DEFINITION, TYPES .pptx
bytkmmullonkal
 
DECISION MAKING SYSTEMS Modelling and Support
byAnu S S
 
Unit 5 Materials of plant construction.pptx
bytanvikothavale1112
 
22PEOIT4C Session 16 Backtracking CSP.pptx
byGuru Nanak Technical Institutions
 
ML Unit - III__________________________________________________.pptx
byvuresting6268
 

Attack.pptx

  • 1.
    Attacks Prepared by: RoshanKandel Masters in Information & Communication Engineering 1
  • 2.
    Introduction • MAC addressflooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with very large number of Ethernet frames with different fake source MAC address. • This type of attack is also known as CAM table overflow attack. • Within a very short time, the switch's MAC Address table is full with fake MAC address/port mappings. • Switch's MAC address table has only a limited amount of memory. • The switch can not save any more MAC address in its MAC Address table. 2
  • 3.
    Following images showsa Switch's MAC address table before and after flooding attack. 3
  • 4.
    • Once theswitch's MAC address table is full and it can not save any more MAC address, its enters into a fail-open mode and start behaving like a network Hub. • Frames are flooded to all ports, similar to broadcast type of communication. • Now, what is the benefit of the attacker? • The attacker's machine will be delivered with all the frames between the victim and another machines. • The attacker will be able to capture sensitive data from network. 4
  • 5.
    How to preventMAC flooding attacks? • Cisco switches are packed with in-built security feature against MAC flooding attacks, called as Port Security. • Port Security is a feature of Cisco Switches, which give protection against MAC flooding attacks. 5
  • 6.
    How to preventMAC flooding attacks by configuring switchport port-security 6
  • 7.
    Introduction • MAC addressflooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with very large number of Ethernet frames with different fake source MAC address. • MAC flooding attack can soon drain the memory resources allocated for MAC address table and later the switch will start behaving like a network Hub. • Port Security feature can protect the switch from MAC flooding attacks. 7
  • 8.
    • Port securityfeature can also protect the switch from DHCP starvation attacks, where a client start flooding the network with very large number of DHCP requests, each using a different source MAC address. • DHCP starvation attacks can result in depletion of available IP addresses in DHCP Server scope. • Port security feature is meant for access ports and it will not work on trunk ports, Ether-channel ports or SPAN (Switch Port Analyzer) ports. 8
  • 9.
    Concepts of PortSecurity • The goal of Port Security is to prevent a network attacker from sending large number of Ethernet Frames with forged fake source MAC addresses to a Switch interface. • This goal is achieved by the following settings, which are related with a switch interface. • 1) Enable Port Security Feature. Port security is disabled by default. "switchport port-security" (at interface configuration mode) command can be used to enables Port Security. • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#switchport port-security 9
  • 10.
    • 2) Specifya maximum number of MAC addresses allowed on that interface. Remember, it is possible that more that one genuine devices are connected to a switch interface (Example: a phone and a computer). • SW1(config-if)#switchport port-security maximum ? • <1-4097> Maximum addresses 10
  • 11.
    • 3) Definethe MAC Addresses of known devices, which are going to access the network via that interface. We can do this by either hardcoding the MAC addresses of known devices (statically define the known MAC addresses) or configure "sticky" MAC Address. • Sticky MAC addresses ("switchport port-security mac-address sticky") will allow us to enter dynamically learned MAC addresses to running config. • The default number of known secure MAC addresses is one. • SW1(config-if)#switchport port-security mac-address ? • H.H.H 48 bit mac address • sticky Configure dynamic secure addresses as sticky 11
  • 12.
    • 4) Specifyan action to do when a violation occurred on above conditions. • When a violation occurs in switch Port Security, Cisco switches can be configured to act in one of the three options explained below. • Protect: When "protect" option is configured and a violation occurred in switch port security, a switch interface drops frames with an unknown source MAC address after the switch port reaches maximum number of allowed MAC addresses. Frames with known source MAC addresses are allowed. No SNMP trap and a syslog message are generated. The "protect" option is the lowest port security option available. 12
  • 13.
    • Restrict: When"restrict" option is configured and a violation occurred in switch port security, a switch interface drops frames with an unknown source MAC address after the switch port reaches maximum number of allowed MAC addresses. The restrict option also sends an SNMP trap and a syslog message and increments a violation counter when a port security violation occurs. Shutdown option sends an SNMP trap and a syslog message also. It also increments a violation counter. 13
  • 14.
    • Shutdown: When"shutdown" option is configured and a violation occurred in switch port security, the interface is shut down. Shutdown option sends an SNMP trap and a syslog message also. It also increments a violation counter. Therefore, when a port security violation occurs, the interface is shutdown and no traffic is allowed on that interface. The "shutdown" option is the highest port security option available. • The default violation action is to shut down the port. • SW1(config-if)#switchport port-security violation protect/restrict/shutdown 14
  • 15.
    • How toview the Port Security related settings of an interface • SW1#show port-security interface gigabitethernet 0/0 • How to view the secure known MAC addresses configured for Port Security • SW1#show port-security address 15
  • 16.
    How to enableback an interface, after a Port Security violation related shutdown (Errdisable state) • Once a Port Security violation happened, the interface is shut down and it is in a state called as Errdisable state. Use any of the following methods to bring the interface up after a Port Security violation related shutdown. • One method to enable back an interface, after a Port Security violation related shutdown (Errdisable state) is to bring the interface down and again up by issuing the commands "shutdown" and "no shutdown". 16
  • 17.
    • SW1#configure terminal •SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#shutdown • SW1(config-if)#no shutdown • SW1(config-if)#exit • SW1(config)#exit • SW1# 17
  • 18.
    DHCP Starvation attacksand DHCP spoofing attacks 18
  • 19.
    What is DHCPstarvation attack? • Another type of network attack which is targeted to DHCP servers is known as DHCP starvation attack. • In a DHCP starvation attack, an attacker broadcasts large number of DHCP REQUEST messages with spoofed source MAC addresses. • If the legitimate DHCP Server in the network start responding to all these bogus DHCP REQUEST messages, available IP Addresses in the DHCP server scope will be depleted within a very short span of time. 19
  • 20.
  • 21.
    • Once theavailable number of IP Addresses in the DHCP server is depleted, network attackers can then set up a rogue DHCP server and respond to new DHCP requests from network DHCP clients. • By setting up a rogue DHCP server, the attacker can now launch DHCP spoofing attack. 21
  • 22.
    What is DHCPspoofing attack? • After a DHCP starvation attack and setting up a rogue DHCP server, the attacker can start distributing IP addresses and other TCP/IP configuration settings to the network DHCP clients. • TCP/IP configuration settings include Default Gateway and DNS Server IP addresses. • Network attackers can now replace the original legitimate Default Gateway IP Address and DNS Server IP Address with their own IP Address. 22
  • 23.
    • Once theDefault Gateway IP Address of the network devices are is changed, the network clients start sending the traffic destined to outside networks to the attacker's computer. • The attacker can now capture sensitive user data and launch a man-in- the-middle attack. • This is called as DHCP spoofing attack. • Attacker can also set up a rogue DNS server and deviate the end user traffic to fake web sites and launch phishing attacks. 23
  • 24.
    How to configureDHCP Snooping? • DHCP snooping is a DHCP security feature which provides protection from DHCP starvation attacks by filtering untrusted DHCP messages. • DHCP snooping feature identifies Switch Ports as "trusted" and "untrusted". DHCP snooping feature can be used to differentiate between untrusted interfaces (where DHCP clients are connected) and trusted interfaces (where a DHCP server or another switches are connected). • Trusted ports (where a DHCP server or other switches are connected) can source all types of DHCP messages, including DHCP OFFER message. 24
  • 25.
    • Untrusted portsare the ports where DHCP clients are connected. • Untrusted switch ports cannot source DHCP messages like : DHCPOFFER, DHCPACK, DHCPNAK, which are normally generated by a DHCP server. By default, all switch ports are untrusted. • When DHCP snooping is enabled, Cisco switches build a table known as DHCP snooping binding database (known as DHCP snooping binding table). • DHCP snooping binding table is used to identify and filter untrusted DHCP messages from the network. 25
  • 26.
    • DHCP snoopingbinding table keeps track of DHCP addresses that are assigned to switch ports. • DHCP snooping binding table includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on untrusted switch ports. 26
  • 27.
    • When aswitch receives a packet on an untrusted switch port where DHCP snooping is enabled, with the help of information stored on DHCP snooping binding table the switch will be permitted or denied. • The packet is denied when 1. DHCP server related messages (Example: DHCPOFFER, DHCPACK, DHCPNAK) are received on an untrusted switch port. 2. The source MAC address does not match MAC address in the DHCP binding table entry. 27
  • 28.
    How to enableDHCP snooping globally • SW1#configure terminal • SW1(config)#ip dhcp snooping • SW1(config)#exit • SW1# 28
  • 29.
    How to enableDHCP snooping on a specific VLAN • SW1#configure terminal • SW1(config)#ip dhcp snooping vlan 500 • SW1(config)#exit • SW1# 29
  • 30.
    How to configurea switch port as trusted • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#ip dhcp snooping trust • SW1(config-if)#exit • SW1(config)#exit • SW1# 30
  • 31.
    How to viewthe DHCP snooping database • SW1#show ip dhcp snooping binding • MacAddress IpAddress Lease(sec) Type VLAN Interface • ------------------ --------------- ---------- ------------- ---- -------------------- • 00:00:AB:19:C6:00 172.16.10.183 690515 dhcp-snooping 500 Gigabitethernet0/1 • 00:00:AB:34:CB:00 172.16.10.184 690518 dhcp-snooping 500 Gigabitethernet0/2 • 00:00:AB:2A:FE:00 172.16.10.182 690512 dhcp-snooping 500 Gigabitethernet0/3 • 00:00:AB:F7:D0:00 172.16.10.181 690512 dhcp-snooping 500 Gigabitethernet0/4 • 00:00:AB:93:82:00 172.16.10.185 690518 dhcp-snooping 500 Gigabitethernet0/5 • Total number of bindings: 5 • How to view the DHCP Snooping configuration? • SW1#show ip dhcp snooping 31
  • 32.
  • 33.
    Introduction • Address ResolutionProtocol (ARP) spoofing attack is a type of network attack where an attacker sends fake Address Resolution Protocol (ARP) messages inside a Local Area Network (LAN), with an aim to deviate and intercept network traffic. • In normal Address Resolution Protocol (ARP) operation, when a network device sends a ARP request (as broadcast) to find a MAC address corresponding to an IPv4 address, ARP reply comes from the legitimate network device which is configured with the IPv4 address which matches the ARP request. The ARP reply is cached by the requesting device in its ARP table. 33
  • 34.
    • A networkattacker can abuse Address Resolution Protocol (ARP) operation by responding ARP request, posing that it has the requested IPv4 address. • Once the attacker's MAC address is mapped to a authentic legitimate IPv4 address, the attacker will begin receiving any data that is intended for that legitimate IPv4 address. • Now the attacker can launch a man-in-the-middle attack can start capturing the network traffic for any sensitive user data. 34
  • 35.
    • Attacker canalso broadcast Gratuitous ARP message with the IPv4 address of default gateway. • Gratuitous ARP is a broadcast packet is used by network devices to announce any change in their IPv4 address or MAC address . • By sending Gratuitous ARP message with the IPv4 address of default gateway, attacker can pose as default gateway and capture all the network traffic moving outside the Local Area Network (LAN). 35
  • 36.
    For an exampleof ARP spoofing attack, consider below topology. 36
  • 37.
    • The IPv4address of the default gateway is 172.16.0.1 and the corresponding MAC Address is 00:48:54:aa:aa:01. • The attacker (who is sitting at OmniSecu-PC-103) can broadcast a Gratuitous ARP message with the information that the MAC address corresponding to the IPv4 address of the default gateway (172.16.0.1) is 00:48:54:aa:aa:07 (which is attacker's own MAC address). • This will cause the devices in the network to update their ARP table with a wrong MAC address to IPv4 address mapping. ARP table of the computer has a poisoned mapping of the default gateway IPv4 address 172.16.0.1 to the wrong MAC addresses 00:48:54:aa:aa:07. 37
  • 38.
    • The attackerwill send ARP messages to the default gateway to deceive the default gateway that the MAC address corresponding to the computer "OmniSecu-PC-101" is 00:48:54:aa:aa:07 (which is attacker's own MAC address). • The ARP table of the router also has a poisoned IPv4 address to MAC address mapping. ARP table of the router has a poisoned entry mapping IPv4 address of computer "OmniSecu-PC- 101" 172.16.0.101 to the wrong MAC address 00:48:54:aa:aa:07. 38
  • 39.
    • Now, whenevercomputer "OmniSecu-PC-101" sends traffic to the Internet, it will forward the network traffic to the attacker's computer, which it then forwards to the default gateway. • Since the attacker is still forwarding the traffic to the Internet via default gateway, "OmniSecu-PC-101" remains unaware that its traffic is being intercepted. • Now the attacker can try to capture the traffic for any sensitive user data 39
  • 40.
  • 41.
    Preventing ARP spoofingattacks with Dynamic ARP inspection (DAI) • Dynamic ARP Inspection (DAI) is a feature which can be used to prevent ARP spoofing attacks. • Dynamic ARP Inspection (DAI) can be enabled on switches. When enabled, Dynamic ARP Inspection (DAI) verifies IPv4 address to MAC address bindings. • If a mismatch happened on an untrusted port, Dynamic ARP Inspection (DAI) will discard spoofed ARP packets. • DAI uses the DHCP snooping binding database to validate bindings. Dynamic ARP Inspection (DAI) only inspects ARP packets from untrusted ports. 41
  • 42.
    • Dynamic ARPInspection (DAI) can be enabled globally per VLAN using the command "ip arp inspection vlan <vlan-id>" By default, all ports are untrusted. To to configure a port as trusted, use the command "ip arp inspection trust", at the interface level. • How to enable Dynamic ARP Inspection (DAI) on a specific VLAN • SW1#configure terminal • SW1(config)#ip arp inspection vlan 500 42
  • 43.
    • How toconfigure a switch port as trusted • SW1#configure terminal • SW1(config)#interface gigabitethernet 0/0 • SW1(config-if)#ip arp inspection trust • SW1(config-if)#exit • SW1(config)#exit 43
  • 44.