NETE4630 Data Link Layer Security

Lecture 3

Supakorn Kungpisdan

supakorn@mut.ac.th

Roadmap

• Attacking Data Link Layer

• Defending Your Network from Sniffers

• Employing Detection Techniques

MAC Address Spoofing

• What is MAC address spoofing?

• What is its purpose?

• Explain how it works

Passive VS Active Sniffing

• Passive sniffing involves using a sniffer (Ethereal or Tcpdump) to monitor incoming packets

• Passive sniffing relies on a feature of network cards called promiscuous mode

• When placed in promiscuous mode, a network card will pass all packets on to the operating system, rather than just those unicast or broadcast to the host

• However, passive sniffing does not work well in a switched network

• The attacker can sniff traffic within his/her VLAN

Active Sniffing

• Active sniffing relies on injecting packets into the network so that traffic which would not normally be sent to your system is delivered to it

• Active sniffing is required to bypass the segmentation that switches provide

• In wireless networks, passive sniffing involves sending no packets, and monitoring the packets sent by others.

• Active wireless sniffing involves sending out multiple network probes to identify APs

ARP Poisoning

• Performing active sniffing on switched Ethernet

ARP Poisoning (cont.)

• By spoofing the default gateway’s IP address, all hosts on the subnet will route through the attacker’s machine
– You have to poison the ARP cache of every host on the subnet
– Better if targeting a single host on the network
– Should not spoof the IP of another client

• To perform ARP poisoning:
– # arp -s <victim IP> <our MAC address> pub

• Alternatively, use Cain and Abel

Cain and Abel

WinArpAttacker

ARP Flooding

• ARP flooding is another ARP Cache Poisoning technique aimed at network switches

• Aka CAM Table Overflow attack

• Some switches will drop into a hub-like mode when the CAM table is flooded

• CAM (Content Addressable Memory) is a physical part of a switch

• CAM stores information about MAC addresses available on each physical port and their associated VLAN parameters

• CAM is a normal memory limited in size

• Can also use WinArpAttacker to perform ARP Flood

ARP Flooding (cont.)

• In 1999, Ian Vitek created a tool called macof, later integrated in dsniff, which floods with invalid source MAC addresses (up to 155,000/minute)

• This quickly fills up the CAM table of the switch to which the computer running this tool is connected, and also the adjacent switches

• The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network

• Thus making possible a MITM attack – the attacker can start sniffing network traffic

DHCP

DHCP Starvation Attack

• Consuming the IP address space allocated by a DHCP server

• An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses

• The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients

• Leads to DoS

Rogue DHCP Server

• Set up a rogue DHCP server serving clients with false details
– E.g. giving them its own IP as default router
– Results in all the traffic passing through the attacker’s computer

• Rogue DHCP server can be set up even without DHCP starvation attack, as clients accept the first DHCPOFFER they receive

• Both attacks can be accomplished using gobbler

Preventing DHCP Attacks

• DHCP starvation attack can be prevented by using port security features that don’t allow more than X MAC addresses on one port

• Rogue DHCP is more difficult to prevent
– May implement “Authentication for DHCP Messages” (RFC 3118)
– Some smart and expensive switches have “DHCP snooping” functions which filter DHCP messages from non-trusted hosts

• It contains a database of trusted and untrusted interfaces

DHCP Snooping

• DHCP snooping provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table

• An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network

• DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch

• An untrusted interface is an interface that is configured to receive messages from outside the network or firewall

• A trusted interface is an interface that is configured to receive only messages from within the network

DHCP Snooping (cont.)

• DHCP snooping acts like a firewall between untrusted hosts and DHCP servers.

• It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch

• DHCP snooping is used to prevent rogue DHCP servers

• If the DHCPOFFER came from an untrusted interface, the switch shuts down the port

• The switch trusts the interface to which the authorized DHCP server is connected

DHCP Snooping (cont.)

Enabling DHCP Snooping

Adding Information to DHCP Snooping DB

IP Source Guard

• IP Source Guard is enabled on a DHCP snooping untrusted Layer 2 port

• For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
– Source IP address filter: IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted
– Source IP and MAC address filter: IP traffic is filtered based on its source IP address and its MAC address; only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted
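The following is an added example, not code from the lecture: a small Python model of a switch applying the DHCP snooping rules from the previous slides (server messages only on trusted ports, per-port MAC limit against starvation, binding table built from leases) and then the two IP Source Guard filtering levels described above. Port names, addresses and the message format are constructed assumptions, not real switch behaviour in every detail.

```python
from collections import namedtuple

# Constructed topology: Gi0/24 is the uplink to the authorized DHCP server.
TRUSTED_PORTS = {"Gi0/24"}
PORT_MAC_LIMIT = 2        # port security: max MAC addresses per untrusted port

# One row of the DHCP snooping binding table (columns as listed on the slide).
Binding = namedtuple("Binding", "mac ip lease vlan interface")


class Switch:
    def __init__(self):
        self.bindings = {}          # (vlan, ip) -> Binding
        self.shutdown_ports = set()
        self.port_macs = {}         # port -> set of client MACs seen on it

    def dhcp_message(self, kind, port, vlan, mac, ip=None, lease=0):
        """Filter one DHCP message and return the action the switch takes."""
        if port in self.shutdown_ports:
            return "dropped: port is shut down"
        if kind in ("DHCPOFFER", "DHCPACK") and port not in TRUSTED_PORTS:
            # Server replies are only legitimate on trusted ports: a rogue
            # server answering on an access port gets that port shut down.
            self.shutdown_ports.add(port)
            return f"rogue server: {port} shut down"
        if kind == "DHCPDISCOVER":
            seen = self.port_macs.setdefault(port, set())
            seen.add(mac)
            if len(seen) > PORT_MAC_LIMIT:      # starvation with spoofed MACs
                self.shutdown_ports.add(port)
                return f"mac limit exceeded: {port} shut down"
            return "forwarded"
        if kind == "DHCPACK":                   # trusted server granted a lease
            client_port = next((p for p, m in self.port_macs.items() if mac in m), None)
            if client_port is None:
                return "dropped: no matching client request"
            self.bindings[(vlan, ip)] = Binding(mac, ip, lease, vlan, client_port)
            return "binding added"
        return "forwarded"

    def ip_packet(self, port, vlan, src_mac, src_ip, check_mac=False):
        """IP Source Guard on an untrusted port: permit only bound sources."""
        if port in TRUSTED_PORTS:
            return "permitted"
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.interface != port:
            return "denied: no IP source binding for this port"
        if check_mac and b.mac != src_mac:      # second filtering level
            return "denied: MAC does not match binding"
        return "permitted"
```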

Configuring IP Source Guard

Dynamic ARP Inspection

• For cisco devices, it is called Dynamic ARP Inspection (DAI)

• DAI is a security feature that validates ARP packets in a network

• It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.

• DAI ensures that only valid ARP requests and responses are relayed.

• The switch performs these activities:
– Intercepts all ARP requests and responses on untrusted ports
– Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
– Drops invalid packets

Dynamic ARP Inspection (cont.)

• Dynamic ARP inspection determines the validity of an ARP packet based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database

• In non-DHCP environments, DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses

• If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks

DAI (cont.)

• By default, all interfaces are untrusted

• The switch does not check ARP packets that it receives from the other switch on the trusted interface

• For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination
– First it checks the ARP access control list
– If there is no such ACL, it checks the DHCP snooping database
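An added example, not from the lecture, of the DAI decision order just described: trusted ports pass unchecked, untrusted ports are checked against the ARP ACL first and the DHCP snooping binding database second, and mismatches are logged and dropped. It also shows the gateway-spoofing ARP reply from the ARP Poisoning slides being caught. The port names, VLAN, addresses and the log format are constructed.

```python
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "port vlan sender_ip sender_mac opcode")

TRUSTED_PORTS = {"Gi0/24"}                  # uplink to the other DAI switch

# DHCP snooping binding database, (vlan, ip) -> mac. Constructed entries.
SNOOPING_DB = {
    (10, "10.0.0.1"): "00:11:22:33:44:01",  # default gateway
    (10, "10.0.0.5"): "aa:aa:aa:aa:aa:05",  # Host 1, DHCP client
}

# ARP ACL for statically addressed hosts, vlan -> {ip: mac}. Consulted before
# the snooping database, as on a non-DHCP segment. Constructed entry.
ARP_ACL = {
    10: {"10.0.0.7": "bb:bb:bb:bb:bb:07"},  # printer with a static address
}


def inspect(pkt, log):
    """Return 'forward' or 'drop' for one ARP packet, logging every drop."""
    if pkt.port in TRUSTED_PORTS:
        return "forward"                     # no checks on trusted ports
    expected = ARP_ACL.get(pkt.vlan, {}).get(pkt.sender_ip)
    source = "arp-acl"
    if expected is None:                     # not covered by an ACL entry
        expected = SNOOPING_DB.get((pkt.vlan, pkt.sender_ip))
        source = "dhcp-snooping"
    if expected != pkt.sender_mac:           # no binding, or a different MAC
        log.append(f"DAI drop on {pkt.port} vlan {pkt.vlan}: ARP {pkt.opcode} "
                   f"claims {pkt.sender_ip} is {pkt.sender_mac} "
                   f"({source} binding: {expected})")
        return "drop"
    return "forward"


def run(packets):
    """Inspect a batch of packets; returns (verdicts, drop log)."""
    log = []
    verdicts = [inspect(p, log) for p in packets]
    return verdicts, log
```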

DAI (cont.)

Configuring DAI in DHCP Environments

• Both Switch A and B are running DAI on VLAN1 where the hosts are located

• A DHCP server is connected to Switch A; both hosts acquire IP addresses from the same DHCP server

• Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2

Configuring ARP ACLs in non-DHCP Environments

• Switch B does not support DAI or DHCP snooping, but Switch A does

• If port 1 on Switch A is configured as trusted, a security hole is created because Switch A and Host 1 could be attacked by either Switch B or Host 2

• Thus, configure port 1 on Switch A as untrusted

• If the IP address of Host 2 is not static, so that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them

Configuring ARP ACLs in non-DHCP Environments (cont.)

Routing Games

• One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor

• Sending a fake route advertisement via RIP, declaring yourself as the default gateway

• All outbound traffic will pass through your host and then go to the real default gateway

• But may not receive returned traffic unless you can modify the default gateway’s routing table

Cracking WEP

• WEP is based on the RC4 cipher

• RC4 is a stream cipher

• RC4 itself is very secure; it is employed by the military for use in highly sensitive operations

• However, vendors made a mistake while implementing the WEP protocol
– They reuse the Initialization Vector
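An added example (not from the lecture) of why IV reuse breaks a stream cipher: WEP builds each frame key as IV || shared key, so two frames sent under the same IV are encrypted with the same RC4 keystream, and XORing their ciphertexts cancels the keystream out. The RC4 implementation is the standard textbook KSA/PRGA; the key, IV and plaintexts are constructed values.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then PRGA keystream XORed with data."""
    S = list(range(256))
    j = 0
    for i in range(256):                            # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key is the 24-bit IV followed by the shared key; the IV
    itself travels in the clear in the frame header."""
    return rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same IV => same keystream K: (P1^K) ^ (P2^K) == P1 ^ P2, so a known
    P1 reveals P2 without ever recovering the key. WEP frames begin with a
    fixed LLC/SNAP header, which is why part of P1 is predictable."""
    return xor(xor(c1, c2), known_p1)


SHARED_KEY = b"\x01\x02\x03\x04\x05"            # constructed 40-bit WEP key
IV = b"\x00\x00\x01"                             # constructed 24-bit IV
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello"   # LLC/SNAP header + payload
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00world"   # second frame, same header
C1 = wep_encrypt(IV, SHARED_KEY, P1)
C2 = wep_encrypt(IV, SHARED_KEY, P2)             # IV reused: same keystream
```

A correct design never repeats (IV, key) pairs; with only 2^24 WEP IVs per key, repeats are unavoidable on a busy network.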

RC4 Operation

Wireless Active Attacks

• Active wireless attacks encompass spoofing and DoS attacks

• Spoofing: Use Netstumbler to identify the MAC address of the victim and modify one’s MAC address to match it

• DoS: sending multiple control packets to a wireless network

Jamming Attacks

• Jamming attacks rely on using radio frequency to interfere with wireless transmissions

• This will effectively perform a DoS attack on the wireless network

MITM Attacks

• Setting your wireless card up with a configuration identical to an existing hotspot (including a spoofed SSID)

• A client is unable to distinguish the legitimate AP from your spoofed AP without running additional authentication protocols on top of the wireless media.

Roadmap

• Attacking Data Link Layer

• Defending Your Network from Sniffers

• Employing Detection Techniques

Using Encryption

• The use of encryption, assuming its mechanism is valid, will thwart any attacker attempting to passively monitor the network

• IPSec and OpenVPN

• However, these technologies are not widely used on the internet outside of large enterprises

• SSH, SSL, PGP, S/MIME

Secure Shell (SSH)

• A cryptographically secure replacement for the standard UNIX Telnet, Remote Login (rlogin), Remote Shell (RSH), and Remote Copy Protocol (RCP) commands

• It consists of both a client and a server that use public-key cryptography to provide session encryption

• OpenSSH, PuTTY

Roadmap

• Attacking Data Link Layer

• Defending Your Network from Sniffers

• Employing Detection Techniques

Local Detection

• Many OSes provide a mechanism to determine whether a network interface is running in promiscuous mode

• Use the ifconfig command on UNIX

• However, if the host is compromised, an attacker may replace the ifconfig command with one that does not report interfaces in promiscuous mode

Local Detection (cont.)

Network Detection: DNS Lookups

• Performing a reverse DNS lookup can possibly reveal a sniffing host
– Forward DNS lookup: resolve IP from given hostname
– Reverse DNS lookup: resolve hostname from given IP

• Additional network traffic is generated, mainly the DNS query to look up the network address.
– It is possible to monitor the network for hosts that are performing a large number of address lookups alone

• Alternatively, we can generate a false network connection from a non-active address. Then we can monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host
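The two DNS-based checks above as an added example, not from the lecture: the detection logic runs over constructed DNS query log lines, flagging any host that tries to resolve the PTR record of the decoy (non-active) address used in the fake connection, and separately any host doing an unusually large number of reverse lookups. The log line format, the decoy address, the threshold and all client addresses are constructed assumptions.

```python
import re
from collections import Counter

BAIT_IP = "10.0.0.250"        # non-active address used in the fake connection
LOOKUP_THRESHOLD = 3          # reverse lookups per host before it is flagged

# Constructed query log, one line per query: "<time> client <ip>: query <name> <type>"
LOG = """\
12:00:01 client 10.0.0.5: query www.example.com A
12:00:02 client 10.0.0.9: query 250.0.0.10.in-addr.arpa PTR
12:00:02 client 10.0.0.9: query 5.0.0.10.in-addr.arpa PTR
12:00:03 client 10.0.0.9: query 1.0.0.10.in-addr.arpa PTR
12:00:03 client 10.0.0.9: query 7.0.0.10.in-addr.arpa PTR
12:00:04 client 10.0.0.5: query 1.0.0.10.in-addr.arpa PTR
"""

PTR_LINE = re.compile(r"client (\S+): query (\S+) PTR$")


def ptr_to_ip(name):
    """'250.0.0.10.in-addr.arpa' -> '10.0.0.250'; None if not an IPv4 PTR name."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def analyse(log_text):
    """Return (hosts that looked up the bait address, hosts over the lookup threshold)."""
    bait_hits, counts = set(), Counter()
    for line in log_text.splitlines():
        m = PTR_LINE.search(line)
        if not m:
            continue                      # forward lookups are not of interest
        client, target = m.group(1), ptr_to_ip(m.group(2))
        counts[client] += 1
        if target == BAIT_IP:             # nobody should have seen this address
            bait_hits.add(client)
    heavy = {host for host, n in counts.items() if n >= LOOKUP_THRESHOLD}
    return bait_hits, heavy
```

A sniffer that does not resolve addresses (tcpdump -n, for instance) produces no such queries, so an empty result does not clear a host.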

Network Detection: Latency

• Detect latency variation in the host’s response to network traffic (e.g. ping)

1. Probe (ping) a suspected host and sample the response time

2. Generate a large amount of network traffic

3. Probe the host again and sample the response time

• If the response time changes significantly, the host may potentially be a monitoring host

Network Detection: Driver Bugs

• In some Linux OS versions, there is a bug in a common Ethernet driver

• If the host is running in promiscuous mode, the OS fails to perform Ethernet address checks

• Normally, packets that do not correspond to the host’s MAC address would be dropped at the data-link layer.

• If the host is running in promiscuous mode, it will not drop packets with an invalid MAC address

Network Detection: Driver Bugs (cont.)

• To determine whether a host is in promiscuous mode, send it an ICMP ping request with a valid IP address and an invalid Ethernet address.

• If the host responds to this ping request, it is running in promiscuous mode

To Read

• Hack-The-Stack: Page 104-123

• Quiz: 5%

Question?

Next week

Network Layer Security