NETE4630 Data Link Layer Security, Lecture 3, Supakorn Kungpisdan
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
MAC Address Spoofing
• What is MAC address spoofing?
• What is its purpose?
• Explain how it works
Passive vs. Active Sniffing
• Passive sniffing involves using a sniffer (Ethereal or Tcpdump) to monitor incoming packets
• Passive sniffing relies on a feature of network cards called promiscuous mode
• When placed in promiscuous mode, a network card will pass all packets on to the operating system, rather than just those unicast or broadcast to the host
• However, passive sniffing does not work well in a switched network
• The attacker can sniff traffic within his/her VLAN
Active Sniffing
• Active sniffing relies on injecting packets into the network that cause traffic which should not be sent to your system to be sent to your system
• Active sniffing is required to bypass the segmentation that switches provide
• In wireless networks, passive sniffing involves sending no packets, and monitoring the packets sent by others.
• Active wireless sniffing involves sending out multiple network probes to identify APs
ARP Poisoning
• Performing active sniffing on switched Ethernet
ARP Poisoning (cont.)
• By spoofing the default gateway’s IP address, all hosts on the subnet will route through the attacker’s machine
– You have to poison the ARP cache of every host on the subnet
– Better if targeting a single host on the network
– Should not spoof the IP of another client
• To perform ARP poisoning:
– # arp -s <victim IP> <our MAC address> pub
• Alternatively, use Cain and Abel
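The gateway-spoofing technique above leaves a footprint on every victim: the gateway's entry in the local ARP cache suddenly carries a different MAC, and that MAC also answers for its real owner. The following host-side monitor (an added example, not part of the lecture; the `arp -an` snapshots and addresses are constructed) compares two ARP-table snapshots and raises alerts on exactly those two signatures, which is what tools such as arpwatch do continuously.

```python
"""Host-side detection of ARP cache poisoning: compare two snapshots of the
local ARP table and flag changed IP-to-MAC bindings. Added example; the
snapshot text below is constructed to look like `arp -an` output on Linux."""
import re
from typing import Dict, List, Tuple

# Matches the "(IP) at MAC" part of a Linux `arp -an` line; incomplete
# entries ("<incomplete>") do not match and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> lower-case MAC from `arp -an` style output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def diff_arp_tables(before: Dict[str, str], after: Dict[str, str],
                    protected: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts for two poisoning signatures:
    an IP whose MAC changed (critical when the IP is a protected host such
    as the default gateway) and one MAC now answering for several IPs."""
    alerts: List[Tuple[str, str]] = []
    for ip, old_mac in before.items():
        new_mac = after.get(ip)
        if new_mac is not None and new_mac != old_mac:
            level = "critical" if ip in protected else "warning"
            alerts.append((level, f"{ip} moved from {old_mac} to {new_mac}"))
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("warning", f"{mac} now claims {sorted(ips)}"))
    return alerts


# Constructed snapshots: in the second one the gateway's entry has taken the
# MAC of the host at 192.168.1.30 (the symptom of a gateway-spoofing attack).
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:00:00:30 [ether] on eth0
"""
SNAPSHOT_AFTER = """\
? (192.168.1.1) at aa:bb:cc:00:00:30 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:00:00:30 [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""
GATEWAY = "192.168.1.1"


def check_snapshots() -> List[Tuple[str, str]]:
    """Run the comparison on the constructed snapshots."""
    return diff_arp_tables(parse_arp_table(SNAPSHOT_BEFORE),
                           parse_arp_table(SNAPSHOT_AFTER), protected=(GATEWAY,))


if __name__ == "__main__":
    for level, msg in check_snapshots():
        print(f"[{level}] {msg}")
```

In practice the snapshots would be taken periodically from the live table; the protected list should hold the gateway and any other host whose impersonation would redirect all of the subnet's traffic.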
Cain and Abel
WinArpAttacker
ARP Flooding
• ARP flooding is another ARP cache poisoning technique aimed at network switches
• Aka CAM Table Overflow attack
• Some switches will drop into a hub-like mode when the CAM table is flooded
• CAM (Content Addressable Memory) is a physical part of a switch
• CAM stores information about MAC addresses available on each physical port and their associated VLAN parameters
• CAM is normal memory, limited in size
• Can also use WinArpAttacker to perform ARP flooding
ARP Flooding (cont.)
• In 1999, Ian Vitek created a tool called macof, later integrated in dsniff, which floods with invalid source MAC addresses (up to 155,000/minute)
• This quickly fills up the CAM table of the switch to which the computer running this tool is connected, and also the adjacent switches
• The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network
• This makes a MITM attack possible: the attacker can start sniffing network traffic
DHCP
DHCP Starvation Attack
• Consuming the IP address space allocated by a DHCP server
• An attacker broadcasts a large number of DHCP requests using spoofed MAC addresses
• The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients
• Leads to DoS
Rogue DHCP Server
• Set up a rogue DHCP server serving clients with false details
– E.g. giving them its own IP as default router
– Results in all the traffic passing through the attacker’s computer
• Rogue DHCP server can be set up even without DHCP starvation attack, as clients accept the first DHCPOFFER they receive
• Both attacks can be accomplished using gobbler
Preventing DHCP Attacks
• DHCP starvation attacks can be prevented by using port security features that don’t allow more than X MAC addresses on one port
• Rogue DHCP is more difficult to prevent
– May implement “Authentication for DHCP Messages” (RFC 3118)
– Some smart and expensive switches have “DHCP snooping” functions which filter DHCP messages from non-trusted hosts
• It contains a database of trusted and untrusted interfaces
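The CAM table overflow described on the ARP Flooding slides and the per-port MAC limit recommended above against DHCP starvation are two sides of one mechanism, so a single model serves both. The switch below (an added example, not from the lecture; port names, table size and MAC addresses are constructed, and the "evict the oldest entry when full" policy is a modelling assumption) shows a flood of bogus source MACs pushing the real hosts out of the table so that their unicast traffic is flooded to the attacker's port, and then shows port security cutting the flood off after the configured number of addresses, whether those addresses arrive in ordinary frames or in spoofed DHCP requests.

```python
"""Model of a switch's CAM table, the flooding that an overflowed table causes,
and per-port MAC limits (port security) as the countermeasure. Added example;
the port names, table size and MAC addresses are constructed."""
from collections import OrderedDict
from typing import Dict, Iterable, List, Optional, Set


class Switch:
    def __init__(self, ports: List[str], cam_size: int,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.ports = ports
        self.cam_size = cam_size
        self.cam: "OrderedDict[str, str]" = OrderedDict()  # MAC -> port, oldest first
        self.max_macs = max_macs_per_port                  # None: port security off
        self.learned_on: Dict[str, Set[str]] = {p: set() for p in ports}
        self.errdisabled: Set[str] = set()                 # ports shut by a violation

    def learn(self, src_mac: str, in_port: str) -> bool:
        """Learn the source MAC; return False if the frame is dropped."""
        if in_port in self.errdisabled:
            return False
        if self.max_macs is not None and src_mac not in self.learned_on[in_port]:
            if len(self.learned_on[in_port]) >= self.max_macs:
                # Port-security violation, modelled in "shutdown" mode
                self.errdisabled.add(in_port)
                return False
        self.learned_on[in_port].add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= self.cam_size:
            # Modelling assumption: a full table evicts its oldest entry,
            # so a flood of bogus sources pushes out the real hosts
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        self.cam.move_to_end(src_mac)
        return True

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> Set[str]:
        """Return the egress ports for a frame (empty set means dropped)."""
        if not self.learn(src_mac, in_port):
            return set()
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            # Unknown destination: flood out every other port. When the CAM
            # has been overflowed this is the "hub-like mode" of the slides.
            return {p for p in self.ports if p != in_port}
        return {out}


def frames_accepted(sw: Switch, in_port: str, src_macs: Iterable[str]) -> int:
    """Count frames with distinct source MACs the port lets through. A DHCP
    starvation attempt with spoofed client MACs is bounded the same way."""
    return sum(1 for m in src_macs if sw.learn(m, in_port))


def flood_scenario(port_security: bool):
    """Hosts A (port g1) and B (g2) talk; an attacker on g3 sends frames from
    50 bogus source MACs. Returns (ports that A's frame to B reaches,
    whether g3 was err-disabled)."""
    sw = Switch(ports=["g1", "g2", "g3"], cam_size=4,
                max_macs_per_port=2 if port_security else None)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.learn(host_a, "g1")
    sw.learn(host_b, "g2")
    for i in range(50):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "g3")
    egress = sw.forward(host_a, host_b, "g1")
    return egress, "g3" in sw.errdisabled


if __name__ == "__main__":
    print("without port security:", flood_scenario(False))  # A->B leaks to g3
    print("with port security:   ", flood_scenario(True))   # A->B stays on g2
```

Without the limit, A's unicast to B reaches the attacker's port g3; with a limit of two addresses on g3 the third bogus source err-disables the port and the real bindings survive. The same counter is what stops a DHCP starvation client that spoofs a new MAC per request.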
DHCP Snooping
• DHCP snooping provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table
• An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network
• DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch
• An untrusted interface is an interface that is configured to receive messages from outside the network or firewall
• A trusted interface is an interface that is configured to receive only messages from within the network
DHCP Snooping (cont.)
• DHCP snooping acts like a firewall between untrusted hosts and DHCP servers.
• It also gives you a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch
• DHCP snooping is used to prevent rogue DHCP servers
• If the DHCPOFFER came from an untrusted interface, the switch shuts down the port
• The switch trusts the interface to which the authorized DHCP server is connected
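The two DHCP snooping slides describe a filter (server messages are only accepted on trusted interfaces, a DHCPOFFER on an untrusted port shuts it down) and a table that the filter builds from the leases it sees. The model below (an added example, not the lecture's or any vendor's code; ports, addresses and lease values are constructed) runs one lease exchange past a rogue server and shows both behaviours. It also adds a check the slides do not mention but real implementations offer: a client message on an untrusted port must carry the same hardware address in its chaddr field as in its Ethernet header.

```python
"""DHCP snooping model: server-side DHCP messages are accepted only on trusted
interfaces, client messages from untrusted ports must carry a matching
hardware address, and completed leases populate the snooping binding table.
Added example; ports, addresses and lease values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    """One row of the DHCP snooping binding table (slide: MAC, IP, lease,
    binding type, VLAN and interface)."""
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str
    binding_type: str = "dhcp-snooping"


class DhcpSnooper:
    def __init__(self, trusted: Set[str]) -> None:
        self.trusted = set(trusted)
        self.bindings: Dict[str, Binding] = {}           # client MAC -> binding
        self.pending: Dict[str, Tuple[str, int]] = {}    # client MAC -> (port, vlan)
        self.shutdown: Set[str] = set()
        self.log: List[str] = []

    def process(self, msg: dict, in_port: str, src_mac: str, vlan: int) -> bool:
        """Return True if the switch forwards the message, False if dropped."""
        if in_port in self.shutdown:
            return False
        if msg["op"] in SERVER_MESSAGES:
            if in_port not in self.trusted:
                # Rogue server: the slide's response is to shut the port down
                self.shutdown.add(in_port)
                self.log.append(f"{msg['op']} from {src_mac} on untrusted {in_port}: port shut down")
                return False
            if msg["op"] == "ACK":
                pending = self.pending.pop(msg["chaddr"], None)
                if pending is not None:   # lease for a client seen on an untrusted port
                    port, client_vlan = pending
                    self.bindings[msg["chaddr"]] = Binding(
                        msg["chaddr"], msg["yiaddr"], msg["lease"], client_vlan, port)
            return True
        # Client message (DISCOVER/REQUEST/...): on untrusted ports insist that the
        # Ethernet source matches the DHCP client hardware address (chaddr)
        if in_port not in self.trusted:
            if src_mac != msg["chaddr"]:
                self.log.append(f"chaddr {msg['chaddr']} != source {src_mac} on {in_port}: dropped")
                return False
            self.pending[msg["chaddr"]] = (in_port, vlan)
        return True


def run_exchange() -> Tuple[DhcpSnooper, List[bool]]:
    """A client on g1 leases an address while a rogue server on g7 also answers."""
    sn = DhcpSnooper(trusted={"g24"})          # g24 faces the authorised server
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "66:77:88:99:aa:bb"
    steps = [
        ({"op": "DISCOVER", "chaddr": client}, "g1", client),
        ({"op": "OFFER", "chaddr": client, "yiaddr": "10.0.0.99", "lease": 3600}, "g7", rogue),
        ({"op": "OFFER", "chaddr": client, "yiaddr": "10.0.0.50", "lease": 86400}, "g24", server),
        ({"op": "REQUEST", "chaddr": client}, "g1", client),
        ({"op": "ACK", "chaddr": client, "yiaddr": "10.0.0.50", "lease": 86400}, "g24", server),
    ]
    return sn, [sn.process(msg, port, mac, vlan=10) for msg, port, mac in steps]


if __name__ == "__main__":
    sn, forwarded = run_exchange()
    print(forwarded, sn.shutdown, sn.bindings)
```

The rogue OFFER on g7 is the only dropped message and it err-disables that port; the binding created from the ACK records the client's untrusted port g1, not the server's port, because that is the interface IP Source Guard and DAI later need to police.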
DHCP Snooping (cont.)
Enabling DHCP Snooping
Adding Information to DHCP Snooping DB
IP Source Guard
• IP Source Guard is enabled on a DHCP snooping untrusted Layer 2 port
• For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
– Source IP address filter: IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted
– Source IP and MAC address filter: IP traffic is filtered based on its source IP address and its MAC address; only IP traffic with source IP and MAC addresses matching the IP source binding entry is permitted
Configuring IP Source Guard
Dynamic ARP Inspection
• On Cisco devices, it is called Dynamic ARP Inspection (DAI)
• DAI is a security feature that validates ARP packets in a network
• It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
• DAI ensures that only valid ARP requests and responses are relayed.
• The switch performs these activities:
– Intercepts all ARP requests and responses on untrusted ports
– Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
– Drops invalid packets
Dynamic ARP Inspection (cont.)
• Dynamic ARP inspection determines the validity of an ARP packet based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database
• In non-DHCP environments, DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses
• If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks
DAI (cont.)
• By default, all interfaces are untrusted
• The switch does not check ARP packets that it receives from the other switch on the trusted interface
• For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination
– Firstly it checks the ARP access control list
– If there is no such ACL, it checks the DHCP snooping database
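IP Source Guard (slide above) and DAI both consult the DHCP snooping binding table, so one example covers both. The code below is an added illustration, not the lecture's or a vendor's implementation: the binding rows, ARP ACL, trusted uplink and packets are constructed, and the order "ARP ACL first, then bindings" follows the slide while real switches make that precedence configurable. It shows why the IP-only level of IP Source Guard lets a MAC-spoofing packet through, and how DAI drops an ARP reply claiming the gateway's IP from an untrusted port while permitting the same host's claims about its own address, a statically addressed host covered by the ACL, and anything arriving on the trusted uplink.

```python
"""IP Source Guard and Dynamic ARP Inspection checks on an untrusted port,
both driven by the DHCP snooping binding table. Added example; the binding
rows, ARP ACL and packets are constructed. The ACL-then-bindings order follows
the slide; the exact precedence on real switches depends on configuration."""
from typing import Dict, List, Set, Tuple

# Constructed DHCP snooping bindings: ip, mac, vlan, interface
BINDINGS: List[Dict[str, object]] = [
    {"ip": "10.0.0.50", "mac": "00:11:22:33:44:55", "vlan": 10, "port": "g1"},
    {"ip": "10.0.0.51", "mac": "00:11:22:33:44:66", "vlan": 10, "port": "g2"},
]
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:aa:bb:cc:dd:01"
TRUSTED: Set[str] = {"g24"}                      # uplink towards the gateway/other switch
# Constructed ARP ACL for a statically addressed printer on g5 (no DHCP binding)
ARP_ACL: List[Tuple[str, str]] = [("10.0.0.200", "00:11:22:33:44:77")]


def ip_source_guard(pkt: Dict[str, str], in_port: str, check_mac: bool = False) -> bool:
    """Permit an IP packet from an untrusted port only if its source IP (and,
    at the second filtering level, its source MAC) matches a binding on that port."""
    if in_port in TRUSTED:
        return True
    for b in BINDINGS:
        if b["port"] == in_port and b["ip"] == pkt["src_ip"]:
            if not check_mac or b["mac"] == pkt["src_mac"]:
                return True
    return False


def dai_validate(arp: Dict[str, str], in_port: str) -> Tuple[bool, str]:
    """Validate the sender IP/MAC pair of an ARP packet: trusted ports are not
    inspected; otherwise the ARP ACL is consulted first, then the bindings."""
    if in_port in TRUSTED:
        return True, "trusted interface, not inspected"
    if arp["eth_src"] != arp["sender_mac"]:
        # Extra consistency check some switches offer: the Ethernet source
        # must equal the ARP sender hardware address
        return False, "Ethernet source does not match ARP sender MAC"
    for ip, mac in ARP_ACL:
        if ip == arp["sender_ip"]:
            return mac == arp["sender_mac"], "arp acl"
    for b in BINDINGS:
        if b["ip"] == arp["sender_ip"]:
            return b["mac"] == arp["sender_mac"], "dhcp snooping binding"
    return False, "no binding for sender IP"


def scenario() -> Dict[str, bool]:
    """Constructed packets from the host on g1 (binding 10.0.0.50) and others."""
    host_mac = "00:11:22:33:44:55"
    legit = {"src_ip": "10.0.0.50", "src_mac": host_mac}
    spoofed_ip = {"src_ip": "10.0.0.51", "src_mac": host_mac}        # g2's address
    spoofed_mac = {"src_ip": "10.0.0.50", "src_mac": "de:ad:be:ef:00:01"}
    gw_claim = {"eth_src": host_mac, "sender_mac": host_mac, "sender_ip": GATEWAY_IP}
    own_claim = {"eth_src": host_mac, "sender_mac": host_mac, "sender_ip": "10.0.0.50"}
    printer = {"eth_src": "00:11:22:33:44:77", "sender_mac": "00:11:22:33:44:77",
               "sender_ip": "10.0.0.200"}
    gw_real = {"eth_src": GATEWAY_MAC, "sender_mac": GATEWAY_MAC, "sender_ip": GATEWAY_IP}
    return {
        "ipsg_legit": ip_source_guard(legit, "g1"),
        "ipsg_spoofed_ip": ip_source_guard(spoofed_ip, "g1"),
        "ipsg_spoofed_mac_ip_only": ip_source_guard(spoofed_mac, "g1"),
        "ipsg_spoofed_mac_ip_and_mac": ip_source_guard(spoofed_mac, "g1", check_mac=True),
        "dai_gateway_spoof": dai_validate(gw_claim, "g1")[0],
        "dai_own_address": dai_validate(own_claim, "g1")[0],
        "dai_static_via_acl": dai_validate(printer, "g5")[0],
        "dai_gateway_via_trusted_uplink": dai_validate(gw_real, "g24")[0],
    }


if __name__ == "__main__":
    for name, permitted in scenario().items():
        print(f"{name:32s} {'permit' if permitted else 'drop'}")
```

The one permissive result, `ipsg_spoofed_mac_ip_only`, is the reason the slide lists two filtering levels: with source-IP filtering alone a host may still forge its MAC as long as it keeps its leased IP.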
DAI (cont.)
Configuring DAI in DHCP Environments
• Both Switch A and B are running DAI on VLAN1 where the hosts are located
• A DHCP server is connected to Switch A; both hosts acquire IP addresses from the same DHCP server
• Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2
Configuring ARP ACLs in non-DHCP Environments
• Switch B does not support DAI or DHCP snooping, but Switch A does
• If configuring port 1 on Switch A as trusted, a security hole is created because Switch A and Host 1 could be attacked by either Switch B or Host 2
• Thus, configure port 1 on Switch A as untrusted
• If the IP address of Host 2 is not static, such that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them
Configuring ARP ACLs in non-DHCP Environments (cont.)
Routing Games
• One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor
• Send a fake route advertisement via RIP, declaring yourself as the default gateway
• All outbound traffic will pass through your host and then go to the real default gateway
• But may not receive returned traffic unless you can modify the default gateway’s routing table
Cracking WEP
• WEP is based on the RC4 cipher
• RC4 is a stream cipher
• RC4 itself is very secure; it is employed by the military for use in highly sensitive operations
• However, vendors made a mistake while implementing the WEP protocol
– They reuse the Initialization Vector
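The IV-reuse mistake is a property of any stream cipher, not of RC4 in particular: the keystream is a function of the key, WEP's per-frame key is the 24-bit IV followed by the shared secret, so two frames sent under one IV are XORed with the same keystream, and XORing the two ciphertexts cancels it. The example below is added here and is not the lecture's code: it uses a textbook RC4 with a constructed secret, IV and frame contents and omits WEP's ICV and framing. It shows the keystream cancelling and, for contrast, that a fresh IV yields a different keystream, which is the nonce discipline WEP's successors enforce.

```python
"""Why reusing the WEP initialization vector is fatal: the RC4 key is the IV
concatenated with the shared secret, so two frames sent under the same IV are
encrypted with the same keystream. Added example with a textbook RC4 and
constructed key, IV and frame contents; it is not WEP's full framing."""
from typing import Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """WEP forms the per-frame RC4 key as IV || secret and transmits the
    24-bit IV in the clear next to the ciphertext."""
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv, xor_bytes(plaintext, keystream)


def keystream_cancels(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV: c1 XOR c2 == p1 XOR p2, the keystream drops out.
    Knowing one frame's contents therefore exposes the other's; this returns
    what an observer of the two ciphertexts who knows p1 learns about p2."""
    _, c1 = wep_style_encrypt(secret, iv, p1)
    _, c2 = wep_style_encrypt(secret, iv, p2)
    return xor_bytes(xor_bytes(c1, c2), p1)


def fresh_iv_differs(secret: bytes, iv_a: bytes, iv_b: bytes, length: int = 32) -> bool:
    """With distinct IVs the keystreams differ, which is the property a
    correct nonce discipline (and WEP's successors) relies on."""
    return rc4_keystream(iv_a + secret, length) != rc4_keystream(iv_b + secret, length)


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")                  # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")
    p1 = b"GET / HTTP/1.0"                                # constructed frame contents
    p2 = b"PASS hunter2!!"
    print(keystream_cancels(secret, iv, p1, p2))          # b'PASS hunter2!!'
    print(fresh_iv_differs(secret, iv, bytes.fromhex("000002")))
```

With only 2^24 IVs and no rule forcing them to be unique, a busy access point repeats keystreams within hours, which is why the defence is not a better IV counter but a cipher suite that derives fresh per-packet keys (WPA2/WPA3).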
RC4 Operation
Wireless Active Attacks
• Active wireless attacks encompass spoofing and DoS attacks
• Spoofing: Use Netstumbler to identify the MAC address of the victim and modify one’s MAC address to match it
• DoS: sending multiple control packets to a wireless network
Jamming Attacks
• Jamming attacks rely on using radio frequency to interfere with wireless transmissions
• This will effectively perform a DoS attack on the wireless network
MITM Attacks
• Setting your wireless card up in an identical configuration as an existing hotspot (including spoofed SSID)
• A client is unable to distinguish the legitimate AP from your spoofed AP without running additional authentication protocols on top of the wireless media.
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
Using Encryption
• The use of encryption, assuming its mechanism is valid, will thwart any attacker attempting to passively monitor the network
• IPSec and OpenVPN
• However, these technologies are not widely used on the Internet outside of large enterprises
• SSH, SSL, PGP, S/MIME
Secure Shell (SSH)
• A cryptographically secure replacement for the standard UNIX Telnet, Remote Login (rlogin), Remote Shell (RSH), and Remote Copy Protocol (RCP) commands
• It consists of both a client and a server that use public-key cryptography to provide session encryption
• OpenSSH, PuTTY
Roadmap
• Attacking Data Link Layer
• Defending Your Network from Sniffers
• Employing Detection Techniques
Local Detection
• Many operating systems provide a mechanism to determine whether a network interface is running in promiscuous mode
• Use the ifconfig command on UNIX
• However, if the host is compromised, an attacker may replace the ifconfig command with one that does not report interfaces in promiscuous mode
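The caveat above, that a replaced ifconfig can hide the PROMISC flag, suggests checking the same bit by a second route. The added example below (not from the lecture; the `ip link show` output and sysfs values are constructed) parses the flag list that `ip link show` prints on Linux and, independently, decodes the kernel's interface flag word from `/sys/class/net/<if>/flags` using the IFF_PROMISC bit value 0x100 from `<linux/if.h>`. Reading sysfs does not depend on the user-space tool being honest, although a kernel-level rootkit could still falsify it, which no local check can rule out.

```python
"""Local promiscuous-mode detection on Linux: parse the flags column of
`ip link show` and, as a cross-check that does not depend on the user-space
tool being honest, decode the kernel's flag word from /sys/class/net/<if>/flags.
Added example; the command output and sysfs values are constructed."""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100   # bit value from <linux/if.h>

# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> List[str]:
    """Interfaces whose `ip link show` flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promisc_from_flags(flag_words: Dict[str, str]) -> List[str]:
    """flag_words maps interface -> hex text as read from /sys/class/net/<if>/flags.
    Testing the IFF_PROMISC bit directly bypasses a replaced ifconfig/ip binary
    (a kernel-level rootkit could still lie, which no local check can defeat)."""
    return [name for name, word in flag_words.items() if int(word, 16) & IFF_PROMISC]


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the live flag words (Linux only; returns {} elsewhere)."""
    words: Dict[str, str] = {}
    if not os.path.isdir(root):
        return words
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                words[name] = fh.read().strip()
        except OSError:
            continue
    return words


# Constructed sample: eth0 is in promiscuous mode, eth1 and lo are not
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""
SAMPLE_FLAG_WORDS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}

if __name__ == "__main__":
    print("from ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("from sysfs sample:", promisc_from_flags(SAMPLE_FLAG_WORDS))
    print("live host:", promisc_from_flags(read_sysfs_flags()))
```

A disagreement between the two results on a live host (sysfs reports the bit, the tool does not) is itself an indicator that the tool has been tampered with.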
Local Detection (cont.)
Network Detection: DNS Lookups
• Performing a reverse DNS lookup can possibly find a sniffing host
– Forward DNS lookup: resolve IP from a given hostname
– Reverse DNS lookup: resolve hostname from a given IP
• Additional network traffic is generated, mainly the DNS query to look up the network address
– It is possible to monitor the network for hosts that are performing a large number of address lookups alone
• Alternatively, we can generate a false network connection from a non-active address. Then we can monitor the network for DNS queries that attempt to resolve the faked address, giving away the sniffing host
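Both detection ideas on this slide can be implemented as a pass over the resolver's query log. The added example below (not from the lecture; the log format is a constructed simplification of BIND-style query logging and every address is made up) counts PTR queries per client to find the "large number of address lookups", and separately flags any client that reverse-resolves a decoy address which only ever appeared in traffic we generated ourselves.

```python
"""Spotting a sniffer by its reverse DNS lookups: count PTR queries per client
over a resolver query log, and watch for anyone resolving a decoy address that
only appeared in traffic we generated ourselves. Added example; the log format
and all addresses are constructed, modelled loosely on BIND query logging."""
import re
from collections import Counter
from typing import Dict, Optional, Set

PTR_NAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", re.I)
LOG_RE = re.compile(r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def ptr_name_to_ip(qname: str) -> Optional[str]:
    """'1.0.168.192.in-addr.arpa' -> '192.168.0.1'; None for non-PTR names."""
    m = PTR_NAME_RE.match(qname)
    return ".".join(reversed(m.groups())) if m else None


def find_sniffer_candidates(log_text: str, decoy_ip: str, ptr_threshold: int) -> Dict[str, object]:
    """Return clients doing many reverse lookups and clients that resolved the decoy."""
    ptr_counts: Counter = Counter()
    decoy_resolvers: Set[str] = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        ptr_counts[m.group("client")] += 1
        if ptr_name_to_ip(m.group("qname")) == decoy_ip:
            decoy_resolvers.add(m.group("client"))
    heavy = {c for c, n in ptr_counts.items() if n >= ptr_threshold}
    return {"heavy_resolvers": heavy, "decoy_resolvers": decoy_resolvers,
            "ptr_counts": dict(ptr_counts)}


# Constructed query log. 192.168.1.77 reverse-resolves one host after another,
# including the decoy 192.168.1.250 that no real client has reason to look up.
SAMPLE_LOG = """\
12:00:01 client 192.168.1.20#51234: query: www.example.com IN A
12:00:02 client 192.168.1.77#40001: query: 10.1.168.192.in-addr.arpa IN PTR
12:00:02 client 192.168.1.77#40002: query: 11.1.168.192.in-addr.arpa IN PTR
12:00:03 client 192.168.1.77#40003: query: 12.1.168.192.in-addr.arpa IN PTR
12:00:03 client 192.168.1.20#51235: query: 1.1.168.192.in-addr.arpa IN PTR
12:00:04 client 192.168.1.77#40004: query: 13.1.168.192.in-addr.arpa IN PTR
12:00:05 client 192.168.1.77#40005: query: 250.1.168.192.in-addr.arpa IN PTR
"""
DECOY_IP = "192.168.1.250"

if __name__ == "__main__":
    print(find_sniffer_candidates(SAMPLE_LOG, DECOY_IP, ptr_threshold=5))
```

The decoy test is the stronger signal: a high PTR count can come from a legitimate log analyser, but nothing except a host reading packets it was not sent has a reason to resolve the decoy address.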
NETE463043
Network Detection: Latency
• Detect latency variation in the host’s response to network traffic (i.e. ping)
1. Start with probing (by pinging) a suspected host initially, then sample the response time
2. Generate a large amount of network traffic
3. Probe the host again and sample the response time
• If the response time changes significantly, the host may potentially be a monitoring host
NETE463044
Network Detection: Driver Bugs
• In some Linux versions, there is a bug in a common Ethernet driver
• If the host is running in promiscuous mode, the OS fails to perform Ethernet address checks
• Normally, packets that did not correspond to the host’s MAC address would have been dropped at the data-link layer.
• If the host is running in promiscuous mode, it will not drop the packet with invalid MAC address
NETE463045
Network Detection: Driver Bugs (cont.)
• To determine whether the host was in promiscuous mode by sending an ICMP ping request to the host, with a valid IP address and an invalid Ethernet address.
• If the host responded to this ping request, it was determined to be running in promiscuous mode
NETE463046
To Read
• Hack-The-Stack: Page 104-123
• Quiz: 5%
Questions?
Next week
Network Layer Security