Switch security & common attacks By admin 18 June 2008 at 5:13 pm

Security on a switch

MAC address flooding (CAM table overflow) attacks
Switches learn the source MAC address of every frame they receive and record it, together with the ingress port, in the MAC address table (CAM table).
If a frame enters the switch with a destination MAC address that is not in the table, the switch has nowhere specific to send it and floods it out of all ports in the VLAN, just as a hub would. MAC address tables have a limited size.
MAC address flooding exploits this limit: the attacker bombards the switch with frames carrying thousands of bogus source addresses until the table is full. The switch can then learn no new addresses and enters a fail-open mode in which traffic for every host it has not already learned is flooded as on a hub.
As a result, an attacker listening on any port sees the flooded frames, including traffic between other hosts. Entries that were already learned keep being forwarded normally until they age out, so the attacker has to keep the flood running. The defence is port security, which limits how many source MAC addresses a single port may present.
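As an added example (not part of the original post), here is the port security configuration on a Cisco IOS access switch that stops MAC address flooding at the port where it enters, by capping the number of source MAC addresses the port may learn. The interface range, VLAN number and limit of two addresses per port are assumptions for illustration.

```cisco
! Added example: Cisco IOS port security against MAC address flooding.
! Interface names, VLAN number and the per-port limit are assumptions.
Sw1(config)# interface range GigabitEthernet0/2 - 24
! Port security is only accepted on ports with a fixed switchport mode.
Sw1(config-if-range)# switchport mode access
Sw1(config-if-range)# switchport access vlan 10
! Allow at most 2 MAC addresses per port (an IP phone plus the PC behind it).
! A flood of random source addresses trips this limit on the first few frames
! instead of filling the switch-wide CAM table.
Sw1(config-if-range)# switchport port-security
Sw1(config-if-range)# switchport port-security maximum 2
! "sticky" writes the first learned addresses into the running config, so a
! device swapped in later also counts as a violation.
Sw1(config-if-range)# switchport port-security mac-address sticky
! shutdown (the default) err-disables the port on a violation; "restrict"
! drops the offending frames, counts them and raises a syslog/SNMP trap while
! keeping the port up. shutdown is the safer default.
Sw1(config-if-range)# switchport port-security violation shutdown
Sw1(config-if-range)# exit
! Recover err-disabled ports automatically after 5 minutes so a violation
! does not need a manual visit; omit these two lines for manual recovery.
Sw1(config)# errdisable recovery cause psecure-violation
Sw1(config)# errdisable recovery interval 300
Sw1(config)# end
! Verification: per-port state and counters, learned addresses, and how full
! the address table is (a sudden jump in the count is the attack signature).
Sw1# show port-security interface GigabitEthernet0/2
Sw1# show port-security address
Sw1# show mac address-table count
```

Check the maximum against what is really attached before enabling it: a hub or an unmanaged switch hanging off an access port will trip a limit of two immediately and take every host behind it offline.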

Spoofing attacks
DHCP spoofing involves running a rogue DHCP server
The intruder answers client DHCP requests before the legitimate server does, offering IP configuration that names the intruder's own address as the default gateway or DNS server. The clients then forward their packets to the intruder, who copies their contents and forwards them on to the real destination so that nothing appears broken. This is a man-in-the-middle attack: the intruder acts as a transparent proxy for all of the clients' incoming and outgoing data.

Address Resolution Protocol (ARP) spoofing
The attacking device crafts ARP replies addressed to valid hosts, claiming that the gateway's (or another host's) IP address belongs to the attacker's MAC address. ARP has no authentication, so the hosts accept the replies and overwrite their ARP cache entries.
The attacking device's MAC address then becomes the destination address in the Layer 2 frames the valid hosts send to that IP address, and the attacker can read or modify the traffic before relaying it on.
Solution
Dynamic ARP Inspection (DAI): checks every ARP packet arriving on an untrusted port against the DHCP snooping binding table and drops any whose IP-to-MAC mapping does not match
DHCP snooping: builds the IP/MAC/port binding table that DAI relies on, and blocks rogue DHCP servers
Port security: limits the MAC addresses a port may use, so one port cannot impersonate many hosts

DHCP starvation attack
An attacker continually sends DHCP requests, changing the source MAC address in each one. Eventually every lease in the scope is allocated, preventing legitimate users from obtaining a valid IP address from the DHCP server; once the real server has nothing left to offer, a rogue server run by the attacker faces no competition. To prevent DHCP attacks you can use DHCP snooping and port security. DHCP snooping decides which switch ports may respond to DHCP requests: only ports marked as trusted (the uplink towards the real DHCP server or relay) may forward server messages such as DHCPOFFER and DHCPACK, while untrusted ports can source client requests only, and any server reply arriving on them is dropped. Snooping also checks that the client hardware address inside the DHCP message matches the source MAC address of the frame, and port security caps the number of source MAC addresses a port may use, which stops the starvation attack at its source. Both features are available on Layer 2 access switches, not only Layer 3 switches.

To configure DHCP snooping on a Cisco switch you can use these commands (enable it globally, then for each VLAN it should protect):
Sw1(config)#ip dhcp snooping
Sw1(config)#ip dhcp snooping vlan #

DEFINE trusted ports (only the uplink towards the real DHCP server or relay; every other port is untrusted by default, and forgetting to trust the server-facing port cuts off DHCP for the whole VLAN):
Sw1(config)#interface <uplink-interface>
Sw1(config-if)#ip dhcp snooping trust

LIMIT the rate of DHCP packets on untrusted ports. This is an interface command, not a global one; the value is in packets per second, and a port that exceeds it is err-disabled:
Sw1(config-if)#ip dhcp snooping limit rate #
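The complete configuration below is an added example, not part of the original post. It ties together the solutions listed above for ARP spoofing and DHCP starvation: DHCP snooping with one trusted uplink and rate-limited untrusted ports, and Dynamic ARP Inspection validating ARP against the binding table that snooping builds. VLAN 10, GigabitEthernet0/1 as the uplink, the access-port range and the rate values are assumptions.

```cisco
! Added example: DHCP snooping + Dynamic ARP Inspection on a Cisco IOS
! access switch. VLAN 10, the uplink Gi0/1 and the rate values are assumptions.
Sw1(config)# ip dhcp snooping
Sw1(config)# ip dhcp snooping vlan 10
! Drop DHCP client messages whose chaddr does not match the frame's source MAC
! (on by default, stated explicitly); this alone breaks naive starvation tools.
Sw1(config)# ip dhcp snooping verify mac-address
! Option 82 insertion is on by default; disable it unless your DHCP server or
! relay expects it, otherwise clients may receive no lease at all.
Sw1(config)# no ip dhcp snooping information option
! DAI consumes the binding table snooping builds; also sanity-check the MAC
! and IP fields inside each ARP packet against the Ethernet header.
Sw1(config)# ip arp inspection vlan 10
Sw1(config)# ip arp inspection validate src-mac dst-mac ip
!
! The uplink towards the real DHCP server: trusted for both features, so
! DHCPOFFER/ACK and ARP from the gateway are accepted unchecked.
Sw1(config)# interface GigabitEthernet0/1
Sw1(config-if)# description uplink to distribution / DHCP relay
Sw1(config-if)# ip dhcp snooping trust
Sw1(config-if)# ip arp inspection trust
Sw1(config-if)# exit
!
! User-facing ports stay untrusted (the default): server replies and ARP that
! contradicts the binding table are dropped, and both packet rates are capped.
Sw1(config)# interface range GigabitEthernet0/2 - 24
Sw1(config-if-range)# switchport mode access
Sw1(config-if-range)# switchport access vlan 10
Sw1(config-if-range)# ip dhcp snooping limit rate 10
Sw1(config-if-range)# ip arp inspection limit rate 15
Sw1(config-if-range)# exit
! A port that exceeds either rate limit is err-disabled; recover it automatically.
Sw1(config)# errdisable recovery cause dhcp-rate-limit
Sw1(config)# errdisable recovery cause arp-inspection
Sw1(config)# errdisable recovery interval 300
Sw1(config)# end
! Verification: feature state, the learned bindings, and DAI drop counters.
Sw1# show ip dhcp snooping
Sw1# show ip dhcp snooping binding
Sw1# show ip arp inspection vlan 10
Sw1# show ip arp inspection statistics vlan 10
```

Two caveats before deploying this: hosts with static IP addresses have no entry in the binding table, so DAI drops their ARP unless you add them through an ARP access list (arp access-list plus ip arp inspection filter), and the binding table is lost on reload unless you configure a snooping database location (ip dhcp snooping database), which otherwise leaves every host unreachable after a reboot until it renews its lease.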

CDP attacks
The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 protocol developed by Cisco Systems. It runs on most Cisco equipment and is used to share information about directly connected Cisco devices, such as the IOS version, hardware platform, and IP address. Routers and switches have CDP enabled by default. CDP advertises a lot of useful information to a potential attacker listening on the wire (enough to match a device to the known vulnerabilities of its software version), and because CDP is unauthenticated an attacker can also craft bogus CDP packets. It is recommended that CDP be disabled except where it is needed, for example on ports facing IP phones or on links to other managed Cisco devices.
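As an added example (not the original post's own commands), the following shows how to see what a Cisco IOS switch is currently advertising over CDP and the two ways of reducing it: turning CDP off for the whole device, or keeping it only on the links that need it. The interface range is an assumption.

```cisco
! Added example: limiting CDP exposure on a Cisco IOS switch.
! The interface range is an assumption.
! First see which ports are sending CDP and exactly what a neighbour can read.
Sw1# show cdp interface
Sw1# show cdp neighbors detail
! Option A: disable CDP on the whole device.
Sw1(config)# no cdp run
! Option B: keep CDP running globally for uplinks and IP phones that need it,
! and turn it off on every user-facing access port. (Per-interface "cdp enable"
! has no effect while CDP is disabled globally, so choose one of the two options.)
Sw1(config)# cdp run
Sw1(config)# interface range GigabitEthernet0/2 - 24
Sw1(config-if-range)# no cdp enable
Sw1(config-if-range)# exit
Sw1(config)# end
! Confirm that only the intended ports still appear.
Sw1# show cdp interface
```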

TELNET ATTACKS
Telnet sends everything, including passwords, in clear text, and it is susceptible to brute-force password attacks. A brute-force attack starts with the attacker running a program that repeatedly opens Telnet sessions and tries a list of common passwords; in the second phase the program tries all character combinations until the password is cracked. The simplest defence is to change passwords often and always use strong passwords.
A more advanced solution uses ACLs on the vty lines, so that only designated management hosts can connect at all; replacing Telnet with SSH removes the clear-text exposure as well.

Denial of service (DoS) attacks exploit a flaw in the Telnet server software to render the Telnet service, and with it remote management, unavailable.
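The configuration below is an added example rather than part of the original post. It applies the defences described above on a Cisco IOS switch: a vty ACL that admits only the management subnet, SSH in place of Telnet, per-user accounts with hashed secrets, and a login lockout that throttles online brute forcing. The hostname, domain name, management subnet, username, passphrases and timer values are assumptions.

```cisco
! Added example: hardening remote management on a Cisco IOS switch.
! Hostname, domain, management subnet, username, passphrases and timers are assumptions.
Sw1(config)# hostname Sw1
Sw1(config)# ip domain-name example.com
! Generate the host key (needs hostname and domain name) and force SSHv2.
Sw1(config)# crypto key generate rsa modulus 2048
Sw1(config)# ip ssh version 2
Sw1(config)# ip ssh time-out 60
Sw1(config)# ip ssh authentication-retries 3
! Per-user accounts with hashed secrets instead of a shared line password.
Sw1(config)# username admin privilege 15 secret Replace-With-A-Strong-Passphrase
Sw1(config)# enable secret Replace-With-Another-Strong-Passphrase
! Slow down online guessing: after 3 failed logins within 60 s, refuse all
! logins for 120 s, and log every failure so the attempts are visible.
Sw1(config)# login block-for 120 attempts 3 within 60
Sw1(config)# login on-failure log
! Only the management subnet may reach the vty lines; everything else is
! dropped and logged before any password prompt is shown.
Sw1(config)# ip access-list standard MGMT-ACCESS
Sw1(config-std-nacl)# permit 10.0.0.0 0.0.0.255
Sw1(config-std-nacl)# deny any log
Sw1(config-std-nacl)# exit
Sw1(config)# line vty 0 15
Sw1(config-line)# access-class MGMT-ACCESS in
! SSH only: this is what actually disables Telnet on the device.
Sw1(config-line)# transport input ssh
Sw1(config-line)# login local
! Drop idle sessions after 5 minutes so abandoned sessions cannot be reused.
Sw1(config-line)# exec-timeout 5 0
Sw1(config-line)# end
! Verification: SSH state and the current login-block status and failure counters.
Sw1# show ip ssh
Sw1# show login
```

Apply the transport input ssh line last, from a session you can afford to lose, and test an SSH login from a permitted address before closing it; if the RSA key or the ACL is wrong you otherwise lock yourself out of remote management.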

