Attack And Defense
Network Security
Unauthorized Port Access
● Attacker illegally connects to a switch port.
Mitigate Unauthorized Port Access
● It can be mitigated by configuring Port Security on the switch.
● Port Security can set the specific MAC address that is allowed to connect to a port.
interface FastEthernet0/0
  switchport port-security
  ! IOS expects the dotted-hex form aaaa.bbbb.cccc (placeholder value)
  switchport port-security mac-address aaaa.bbbb.cccc
Mitigate Unauthorized Port Access
● Implement Port-Based Access Control (dot1x).
– Provides authentication for devices wishing to attach to a LAN / WLAN.
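The following Cisco IOS fragment is an added example (not from the slides) that puts both mitigations together: Port Security with a single sticky MAC on one access port, and 802.1X backed by RADIUS on another. The interface names, the RADIUS server address 192.0.2.10 and the shared key are assumed placeholders.

```cisco
! Added example, not from the slides: port security plus 802.1X on access ports.
! Interface names, RADIUS server 192.0.2.10 and the key are assumed placeholders.
!
! --- Port security: one MAC, learned dynamically and written into the config ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop frames from any other MAC and count the violation
 ! (the default 'shutdown' err-disables the port instead)
 switchport port-security violation restrict
!
! --- 802.1X: the port forwards only after RADIUS accepts the supplicant ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
!
! Verification
! show port-security interface FastEthernet0/1
! show dot1x interface FastEthernet0/2 details
```

Sticky learning avoids typing MAC addresses by hand while still pinning the port to the first device seen; `violation restrict` is usually preferable on user ports because it keeps the port up and produces a counter and syslog entry that a SIEM can alert on.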
DHCP Spoofing Attack
● Attacker runs DHCP server software and replies to DHCP requests from clients.
● It can provide invalid IP information.
● Or, assign itself as the default gateway / DNS server.
● Then, perform a Man-in-the-Middle attack.
Mitigate DHCP Spoofing Attack
● DHCP Snooping provides DHCP control by filtering DHCP messages that arrive on untrusted ports.
DHCP Starvation Attack
● Attacker sends a flood of DHCP Requests with spoofed MAC addresses.
● It can exhaust the address space available on the DHCP Server.
● New legitimate clients can't connect to the network.
● Or, the attacker then executes a DHCP Spoofing Attack.
– The attacker's DHCP server has no competition when responding to new DHCP Requests.
Mitigate DHCP Starvation Attack
● DHCP Snooping rate limiting can prevent a flood of DHCP Requests from an interface.
interface FastEthernet0/0
  ip dhcp snooping limit rate 15
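The following Cisco IOS fragment is an added example (not from the slides) covering both DHCP slides at once: DHCP snooping that trusts only the uplink toward the real server, and a per-port rate limit on the untrusted access port with automatic err-disable recovery. VLAN 10 and the interface names are assumed.

```cisco
! Added example, not from the slides: DHCP snooping against rogue servers and
! starvation floods. VLAN 10, uplink GigabitEthernet0/1 and the access port are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! the switch inserts option 82 by default; drop it unless the relay/server expects it
no ip dhcp snooping information option
! persist the binding table so DAI / IP Source Guard survive a reload
ip dhcp snooping database flash:dhcp-snoop.db
!
! Only the uplink may carry DHCPOFFER / DHCPACK. Every other port is untrusted
! by default, so a rogue server's replies are dropped at the port.
interface GigabitEthernet0/1
 description uplink to legitimate DHCP server
 ip dhcp snooping trust
!
! Untrusted access port: cap client DHCP messages per second. Exceeding the
! rate err-disables the port; the recovery timer brings it back automatically.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification
! show ip dhcp snooping
! show ip dhcp snooping binding
```

The binding table built here (MAC, IP, VLAN, port, lease) is what Dynamic ARP Inspection and IP Source Guard validate against in the later slides, which is why those features require DHCP snooping to be enabled first.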
ARP Spoofing Attack
● Attacker sends false ARP messages over the LAN, linking its MAC with the IP address of a legitimate device / server.
– The attacker may then capture private data, modify data, or hijack network sessions.
● ARP spoofing can also be used to form a DoS attack by linking multiple IP addresses with a single target's MAC.
Mitigate ARP Spoofing Attack
● Dynamic ARP Inspection (DAI).
● Intercepts and validates all ARP requests/responses.
● Validity is based on the MAC-to-IP address bindings stored in the DHCP snooping database.
● Invalid ARP packets are dropped.
IP Spoofing Attack
● Attacker impersonates another machine by modifying packet headers with another IP address. The purpose:
– Hide its identity.
– Gain access to a network.
– Launch reflected DDoS attacks, etc.
Mitigate IP Spoofing Attack
● IP Source Guard.
● Operates like Dynamic ARP Inspection, but looks at every packet instead of only ARP packets.
● Requires DHCP Snooping to be enabled.
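The following Cisco IOS fragment is an added example (not from the slides) serving both the ARP spoofing and the IP spoofing mitigation slides: Dynamic ARP Inspection and IP Source Guard layered on the DHCP snooping binding table, plus a static binding for a host that does not use DHCP. VLAN 10, the interface names, the MAC 0011.2233.4455 and the address 192.0.2.50 are assumed placeholders.

```cisco
! Added example, not from the slides: DAI and IP Source Guard on top of DHCP
! snooping. VLAN 10, interface names, MAC 0011.2233.4455 and 192.0.2.50 are assumed.
!
! Both features look up the DHCP snooping binding table, so it must exist.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Dynamic ARP Inspection ---
ip arp inspection vlan 10
! additionally check Ethernet src/dst MAC against the ARP body and reject bogus IPs
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description uplink
 ip dhcp snooping trust
 ! ARP arriving from other infrastructure switches is not inspected
 ip arp inspection trust
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! untrusted: every ARP is checked against the binding table; rate-limit it too
 ip arp inspection limit rate 15
 ! --- IP Source Guard: drop IP packets whose source IP and MAC do not match
 ! the binding learned for this port. The port-security form also checks the
 ! MAC, so port security must be enabled on the interface.
 switchport port-security
 ip verify source port-security
!
! A host with a static address never appears in the DHCP table and would be
! dropped by both features; give it a manual binding instead.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface FastEthernet0/2
!
! Verification
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show ip verify source
```

The `show ip arp inspection statistics` counters (DHCP drops, ACL drops, invalid source MAC) are the detection signal: a steady drop count on one access port is a strong indicator of an ARP spoofing tool running on that host.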
CAM Table Overflows
● CAM tables are limited in size.
● Attacker floods the switch with a myriad of fake source MAC addresses until the CAM table is full.
● The switch begins to act like a hub, so the attacker can see all frames being sent from and to other hosts.
Mitigate CAM Table Overflow
● It can be mitigated by configuring Port Security on the switch.
● Port Security can limit the maximum number of MAC addresses on a port.
interface FastEthernet0/0
  switchport port-security
  switchport port-security maximum 1
VLAN Hopping: switch spoofing
● Attacker negotiates a trunk link to the switch by exploiting DTP.
● Attacker becomes a member of all VLANs and can "hop" between VLANs.
VLAN Hopping: double tagging
● Attacker prepends two VLAN tags to the packets it transmits.
● The 2nd tag allows the attacker to "hop" to other VLANs.
● Double tagging works even if DTP is disabled.
Mitigate VLAN Hopping
● Configure ports connected to users as access ports.
● Disable DTP.
● Change the native VLAN to an unused VLAN.
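The following Cisco IOS fragment is an added example (not from the slides) applying all three mitigations: hard-coded access ports with DTP off, an explicit trunk with DTP off, and the native VLAN moved to a VLAN that carries no hosts. VLAN numbers, interface names and the choice of 999 as the unused VLAN are assumed.

```cisco
! Added example, not from the slides: hardening against switch spoofing and
! double tagging. VLANs 10/20, VLAN 999 and the interface names are assumed.
!
! A VLAN with no hosts, reserved for use as the trunk native VLAN.
vlan 999
 name NATIVE_UNUSED
!
! User-facing port: fixed access mode and no DTP frames, so a host cannot
! negotiate itself into a trunk (switch spoofing).
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Uplink: explicit trunk, no DTP, native VLAN moved off VLAN 1. Double tagging
! relies on the attacker's access VLAN being the trunk's native VLAN (the outer
! tag is stripped and the inner one exposed); with no access port in VLAN 999
! that condition can never hold.
interface GigabitEthernet0/1
 ! only needed on platforms that also support ISL; omit where it is rejected
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Additionally tag the native VLAN on every trunk so untagged frames are dropped.
vlan dot1q tag native
!
! Verification
! show interfaces trunk
! show dtp interface FastEthernet0/1
```

Pruning the allowed VLAN list on the trunk is the extra step most audits ask for: even if a trunk were ever negotiated, only the listed VLANs would be reachable.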
Spanning-Tree Attack
● Attacker negotiates a trunk link with the switch.
● Attacker sends superior BPDUs and thus becomes the root bridge.
● All traffic passes through the root bridge, so the attacker has access to all traffic.
Mitigate Spanning Tree Attack
● Enable BPDU Guard
– Immediately disables a port that receives a BPDU.
● Enable Root Guard
– Prevents an inappropriate switch from becoming the root bridge.
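The following Cisco IOS fragment is an added example (not from the slides) showing where each guard belongs: BPDU Guard on every PortFast edge port, Root Guard on links toward switches that are allowed to run STP but must never win the root election, and a deliberately low bridge priority so the root is chosen by design. Interface names are assumed.

```cisco
! Added example, not from the slides: BPDU Guard on user ports, Root Guard toward
! downstream switches. Interface names are assumed.
!
! Pin the root bridge on purpose instead of leaving it to the lowest MAC address.
spanning-tree vlan 1-4094 priority 4096
!
! Every PortFast (edge) port gets BPDU Guard: a BPDU from a host port
! err-disables that port immediately.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Link to a downstream switch: it participates in STP, but if it ever sends a
! superior BPDU this port moves to root-inconsistent (blocking) rather than
! letting the topology re-converge around it.
interface GigabitEthernet0/2
 description to access-switch-2
 spanning-tree guard root
!
! Recover BPDU-guarded ports automatically once the offending device is gone.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
! show spanning-tree summary
! show spanning-tree inconsistentports
```

`show spanning-tree inconsistentports` lists every port currently blocked by Root Guard; an entry appearing on a user-facing uplink is worth an incident ticket, not just a reload.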
Broadcast Storm Attack
● Attacker sends extreme amounts of broadcast/multicast traffic.
● This results in excessive traffic and degraded network performance.
Mitigate Broadcast Storm Attack
● The storm control feature can prevent LAN ports from being disrupted by excessive broadcast, multicast, or unicast traffic.
interface FastEthernet0/0
  storm-control broadcast level bps 1m 500k
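The following Cisco IOS fragment is an added example (not from the slides) that extends the slide's single line to all three traffic classes and adds an action so that a storm is reported rather than silently suppressed. The thresholds and interface name are assumed.

```cisco
! Added example, not from the slides: storm control for broadcast, multicast and
! unknown unicast with SNMP/syslog notification. Thresholds and interface are assumed.
interface FastEthernet0/1
 switchport mode access
 ! broadcast: suppress above 1 Mbit/s, resume forwarding once it falls below 500 kbit/s
 storm-control broadcast level bps 1m 500k
 ! multicast and unknown unicast as a percentage of link bandwidth (rising / falling)
 storm-control multicast level 2.00 1.00
 storm-control unicast level 10.00 5.00
 ! by default the excess is just dropped; 'trap' additionally sends an SNMP trap
 ! and syslog message when a storm starts ('shutdown' would err-disable the port)
 storm-control action trap
!
! Verification
! show storm-control FastEthernet0/1
```

The falling threshold matters: without hysteresis a port sitting right at the limit flaps between suppressed and forwarding, which is itself a service-affecting condition.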
Routing Protocol Attack
● Attacker establishes an adjacency with a legitimate router running unauthenticated routing protocols.
● It then illegally advertises IP prefixes with a longer (more specific) prefix length so that they are preferred.
● Thus they can perform:
– Man-in-the-middle attack.
– Phishing.
– Etc.
Mitigate Routing Protocol Attack
● Implement routing protocol authentication.
● Use passive-interface on the router wherever necessary.
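The following Cisco IOS fragment is an added example (not from the slides) combining both mitigations for OSPF: MD5 neighbour authentication on the core link and `passive-interface default`, so that the user LAN is advertised but no adjacency can ever form on it. Interface names, addresses and the key value are assumed placeholders.

```cisco
! Added example, not from the slides: OSPF with MD5 authentication and passive
! interfaces. Interface names, addresses and the key are assumed placeholders.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 ! no Hellos are sent or accepted anywhere unless an interface is explicitly un-passived
 passive-interface default
 no passive-interface GigabitEthernet0/0
 ! require MD5 on every interface in area 0 (can also be set per interface)
 area 0 authentication message-digest
!
! Core link to the neighbouring router: shared key, MD5 digest on every OSPF packet
interface GigabitEthernet0/0
 description to core-router-2
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
 ip ospf authentication message-digest
!
! User-facing LAN: still advertised into OSPF, but passive, so a host that
! speaks OSPF is ignored and can never become a neighbour or inject prefixes.
interface GigabitEthernet0/1
 description user LAN
 ip address 192.168.10.1 255.255.255.0
!
! Verification
! show ip ospf interface brief
! show ip ospf neighbor
```

On IOS releases that support it, a key chain with HMAC-SHA algorithms applied via `ip ospf authentication key-chain` is preferable to MD5; the passive-interface logic is unchanged either way. The same pattern (authentication plus `passive-interface default`) applies to EIGRP and RIPv2.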
SYN Flood
● Attacker repeatedly sends SYN packets to a server using fake IP addresses.
● The purpose is to consume server resources and make it unresponsive to legitimate traffic.
[Diagram: Normal Connection]
SYN Flood
● Known as a half-open attack.
● It is used to perform a DoS attack.
Mitigate SYN Flood Attack
● Filtering
● Firewalls
– A firewall can stop a SYN attack by replying to the attacker with a spoofed SYN-ACK on the server's behalf.
● Using IDS / IPS
– e.g. Snort (open-source IDS/IPS)
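The following Cisco IOS fragment is an added example (not from the slides) of the "spoofed SYN-ACK" idea from the firewall bullet, implemented with IOS TCP Intercept: the router answers the client's SYN itself and only opens the connection to the server once the client's ACK arrives, so spoofed SYNs never consume a server socket. The protected server 192.0.2.10 and the thresholds are assumed.

```cisco
! Added example, not from the slides: Cisco IOS TCP Intercept proxying the
! three-way handshake for a protected server. 192.0.2.10 and thresholds are assumed.
!
! Which destinations to protect (numbered extended ACL)
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
!
ip tcp intercept list 101
! intercept = complete the handshake on the server's behalf;
! watch = let it pass and only reset half-opens that never complete
ip tcp intercept mode intercept
!
! Aggressive mode starts above 900 half-open connections (or 900 new ones per
! minute) and ends below 600. While aggressive, each new SYN evicts the oldest
! half-open connection and the SYN-ACK retransmission timeout is halved.
ip tcp intercept max-incomplete high 900
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 900
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode oldest
!
! Verification
! show tcp intercept connections
! show tcp intercept statistics
```

The statistics counters give a cheap detection signal: a large gap between "incomplete" and "established" connections on the protected host is the half-open signature from the slide, and it is visible before the server itself shows any symptoms.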
To be continued ...