Saturday, 20 February 2016

ASA: Layer 2 Security

This post will outline some of the most common attacks at layer 2 and how to help prevent / mitigate such attacks.

VLAN Hopping - Switch Spoofing: This is when an attacker connects to a switchport in the hope that dynamic negotiation of trunking is turned on - the attacker then uses DTP to spoof a switch, form a trunk and gain access to all the VLANs carried on that trunk.

This attack can be mitigated by simply ensuring that switchports are set to access mode, e.g.:

switchport mode access

or simply shutting down any unused ports!

VLAN Hopping - Double Tagging: This is where an attacker sends a frame through a switchport assigned to the native VLAN (otherwise it won't work) - this frame has an outer and an inner 802.1Q tag - the outer tag matches the access port's VLAN on the first switch and is stripped, leaving the inner tag in place (which carries the VLAN the attacker is trying to reach) - the frame is then flooded out of all ports because its destination is unknown - including the switchport connected (trunked) to another switch where the target VLAN resides - the second switch sees the inner VLAN tag and forwards the frame out on the target VLAN to the victim.

Note: This attack is unidirectional - once the receiving host gets the frame it has no path back to the source VLAN!

In order to mitigate this attack you should ensure that access ports are never assigned to the native VLAN!

ARP Spoofing: This occurs when an attacker sends spoofed ARP packets - replying to ARP requests it should not be answering - so that the attacker's MAC address is recorded as corresponding to an IP address that is not assigned to it.

Since ARP technically sits between layer 2 and layer 3, this kind of attack will only affect layer 3 devices, e.g. routers, firewalls, servers and so on.

Each type of device will typically have its own ARP cache timeout - most Cisco routers hold an entry in their ARP table for 4 hours.

MAC (CAM) Spoofing: This is when an attacker sends a frame with someone else's MAC address as the source - the CAM table is updated with this information and all frames destined for that MAC address are then forwarded to the attacker.

Typically Cisco devices hold this information in the CAM table for 5 minutes by default before it is aged out or refreshed.

This kind of attack can be mitigated using port-security - by binding a single MAC address to the switchport (port security must be enabled on the interface for the sticky setting to take effect):

switchport port-security
switchport port-security mac-address sticky

MAC (CAM) Flooding: This is when an attacker sends a huge number of frames with spoofed source MAC addresses in the hope of exhausting the CAM table for a VLAN. This in turn prevents the majority of legitimate addresses from being re-learnt / added to the CAM table and as a result traffic is flooded out of all ports (except the source port, obviously!)

MAC flooding attacks can be mitigated with port security in a number of ways - for example by enabling port security on the switchport and limiting the number of source MAC addresses permitted on it:

switchport port-security
switchport port-security maximum 10

or by only allowing a single MAC address on the switchport:

switchport port-security mac-address sticky

and assigning a corresponding violation action:

switchport port-security violation shutdown

STP - BPDU Denial of Service: This is simply where the switch is flooded with TCN (Topology Change Notification) BPDUs or other STP information - all of which has to be processed by the switch CPU.

STP - Root Bridge Takeover: This is where a rogue switch claims to be the root bridge - hence changing the physical paths / patterns of traffic.

We can deploy the 'root guard' feature on a specific switchport to ensure that any superior BPDUs received from a switch on that port are rejected, so that our switch remains the root. Or we can use BPDU guard, which shuts down the port when it sees BPDUs entering it - preventing someone from plugging a switch into the port.
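As an added example (not part of the original post), here is a small Python audit over a Cisco IOS running-config that flags access ports missing the mitigations covered above: access mode set (switch spoofing), access VLAN not equal to a trunk's native VLAN (double tagging), port security (MAC spoofing / CAM flooding) and BPDU guard (rogue switch). The config text and interface names are constructed for the example, and it assumes the IOS defaults of VLAN 1 for both the access VLAN and the trunk native VLAN when they are not set explicitly.

```python
# Constructed sample of a Cisco IOS running-config (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 1
 switchport port-security
interface GigabitEthernet0/3
 switchport access vlan 30
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
"""

REQUIRED = [  # (access-port command, the attack left open when it is absent)
    ("switchport mode access", "DTP negotiation possible: switch spoofing"),
    ("switchport port-security", "no port-security: MAC spoofing / CAM flooding"),
    ("spanning-tree bpduguard enable", "no BPDU guard: rogue switch / root takeover"),
]

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, []
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" "):
            current.append(line.strip())
    return interfaces

def vlan_id(lines, keyword):
    """VLAN number following keyword (e.g. 'switchport access vlan'); IOS default is 1."""
    tail = [l.split()[-1] for l in lines if l.startswith(keyword + " ")]
    return int(tail[0]) if tail and tail[0].isdigit() else 1

def audit(config):
    """Return {port: [issues]} for access ports exposed to the attacks described above."""
    interfaces = parse_interfaces(config)
    native_vlans = {vlan_id(l, "switchport trunk native vlan")
                    for l in interfaces.values() if "switchport mode trunk" in l}
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            continue  # trunk ports are outside the access-port checks
        issues = [msg for cmd, msg in REQUIRED if cmd not in lines]
        if vlan_id(lines, "switchport access vlan") in native_vlans:
            issues.append("access VLAN is a trunk native VLAN: double tagging")
        if issues:
            findings[name] = issues
    return findings
```

On the sample config only GigabitEthernet0/2 is reported (three findings); GigabitEthernet0/3 carries every mitigation and is silent.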
