VLAN Hopping attack :
In simple words, a VLAN hopping attack involves an attacker using double-encapsulated (double-tagged) 802.1Q frames to manipulate the switch's forwarding. As the double-tagged frame enters the switch, the switch performs only one level of decapsulation. For a better understanding, we use an example:
The attacker sends a double-tagged 802.1Q frame to the switch. The outer tag carries the attacker's VLAN, which is the same as the native VLAN of the trunk port (for the purpose of this example, assume VLAN 5). The inner tag carries the victim VLAN, VLAN 10.
The frame arrives on the switch, which looks only at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 5 and sends it out on all VLAN 5 ports (including the trunk), because there is no CAM table entry for the destination. At this point the second tag is still intact and has not been inspected by the first switch.
The frame arrives at the second switch, which has no way of knowing that it was meant for VLAN 5: the sending switch does not tag native-VLAN frames on the trunk, as specified in 802.1Q, so the outer tag has been stripped in transit.
The second switch looks only at the remaining 802.1Q tag (the former inner tag that the attacker sent) and sees that the frame is destined for VLAN 10 (the victim VLAN). The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing CAM table entry for the victim host.
HOW TO MITIGATE :
1) If no trunking is required on an interface, disable trunking:
Switch(config-if)# switchport mode access
2) If trunking is necessary, enable it but prevent DTP frames from being generated:
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
3) If trunking is required, set the native VLAN on the trunk to an unused VLAN, i.e. one that is not assigned to any access port (replace <unused-vlan-id> below with that VLAN number):
Switch(config-if)# switchport trunk native vlan <unused-vlan-id>
NOTE : There is no way to execute this kind of attack unless the switch is misconfigured.
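As an added illustration (not code from the original post), the following Python model replays the two-switch walk-through above and shows why mitigation 3) works: each switch strips exactly one tag to classify a frame, native-VLAN frames leave the trunk untagged, and the far switch puts an untagged trunk frame into its own native VLAN. The Frame object, the function names and the access-port drop rule are constructed for this model; the attacker is assumed to sit on an access port in VLAN 5, as in the text, and 999 is a placeholder for an unused VLAN.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    tags: list  # 802.1Q VLAN IDs still on the frame, outermost first; [] = untagged

def access_ingress(frame: Frame, access_vlan: int) -> Optional[tuple]:
    """Attacker-side access port on the first switch. The frame is classified by
    its outermost tag and only that tag is removed (one level of decapsulation).
    Model assumption: an access port accepts frames that are untagged or tagged
    with its own VLAN and drops everything else (returns None)."""
    if frame.tags and frame.tags[0] != access_vlan:
        return None
    leftover = Frame(frame.tags[1:]) if frame.tags else Frame([])
    return access_vlan, leftover        # leftover still carries the inner tag

def trunk_egress(vlan: int, frame: Frame, native_vlan: int) -> Frame:
    """Trunk towards the second switch: native-VLAN frames leave untagged, every
    other VLAN is tagged on the way out (802.1Q native-VLAN behaviour)."""
    if vlan == native_vlan:
        return frame                    # the inner tag is now the outermost tag
    return Frame([vlan] + frame.tags)   # inner tag stays buried under the VLAN tag

def trunk_ingress(frame: Frame, native_vlan: int) -> int:
    """Second switch: an untagged trunk frame belongs to the native VLAN, a tagged
    one to its outermost tag. Again only one tag is inspected."""
    return frame.tags[0] if frame.tags else native_vlan

def delivered_vlan(outer: int, inner: int, attacker_vlan: int,
                   trunk_native: int) -> Optional[int]:
    """VLAN in which the second switch delivers a double-tagged frame, or None
    when the first switch dropped it at the access port."""
    hop = access_ingress(Frame([outer, inner]), attacker_vlan)
    if hop is None:
        return None
    vlan, frame = hop
    return trunk_ingress(trunk_egress(vlan, frame, trunk_native), trunk_native)

if __name__ == "__main__":
    # Scenario from the text: attacker in VLAN 5, trunk native VLAN 5, inner tag 10
    print("native VLAN 5   ->", delivered_vlan(5, 10, 5, 5))    # 10: the hop succeeds
    # Mitigation 3): native VLAN moved to an unused VLAN (999 is a placeholder)
    print("native VLAN 999 ->", delivered_vlan(5, 10, 5, 999))  # 5: frame stays in VLAN 5
```

With the native VLAN moved, the trunk carries the attacker's frame tagged as VLAN 5, so the inner tag is never exposed to the second switch; a frame tagged with the new native VLAN is dropped at the access port because no access port is in that VLAN.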
Smurf Attack :
A Smurf attack consists of large numbers of ICMP packets sent to a subnet broadcast address on a router, using a spoofed source IP address from the same subnet. You need an ACL that blocks all IP packets, from any host, destined for the subnet broadcast addresses. [The router here has the subnet 16.2.1.0/24]
============================
Router(config)# access-list 110 deny ip any host 16.2.1.255 log
Router(config)# access-list 110 deny ip any host 16.2.1.0 log
Router(config)# access-list 110 permit ip any any
Router(config)# interface e0/0
Router(config-if)# ip access-group 110 in
Router(config-if)# end
==============================
NOTE : In Cisco IOS Release 12.0 or later, "no ip directed-broadcast" is the default interface setting; it drops directed broadcasts and so prevents this type of attack, in which case you may not need to learn and apply this ACL at all.
Mitigating DoS attack by ACL
Assuming you already know about DoS attacks and their behavior, we take a look at ACLs that can mitigate this kind of attack. The interesting point about DoS attacks is that they can be prevented, but cannot be stopped once they have begun. Here we talk about some known tools and the way we can counteract them. These tools include Trin00, Stacheldraht, Trinity v3 and Subseven. Below you can see the tools and their respective ports:
Trin00: TCP/1524, TCP/27665, UDP/27444, UDP/31335
Stacheldraht: TCP/16660, TCP/65000, ICMP/echo, ICMP/echo-reply
Trinity V3: TCP/33270, TCP/6667
Subseven: TCP/2222, TCP/6669, TCP/6711-6712 (range), TCP/6776, TCP/7000
We choose "Trinity V3". The router here has two interfaces, e0/0 and e0/1.
=============================
Router(config)# access-list 180 deny tcp any any eq 33270 log
Router(config)# access-list 180 deny tcp any any eq 6667 log
Router(config)# access-list 180 permit ip any any
Router(config)# interface e0/0
Router(config-if)# ip access-group 180 in
Router(config-if)# exit
Router(config)# interface e0/1
Router(config-if)# ip access-group 180 in
Router(config-if)# end
=============================
NOTE : We bind the ACL in the "in" (inbound) direction on both interfaces, so the matching traffic is dropped as it enters the router.
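As an added example (not from the original post), a small Python model of how IOS evaluates the numbered ACLs above: top-down, first match wins, and a packet that matches no line hits the unlogged implicit deny at the end. It parses ACL 110 (Smurf) and ACL 180 (Trinity V3) exactly as written and checks constructed packets against them; the parser understands only the syntax subset these two ACLs use (any, host X, eq PORT, log), and the Packet and Rule classes are constructed for this model.

```python
from dataclasses import dataclass

# The two ACLs from the post, as typed at the config prompt (prompt removed).
ACL_110 = """\
access-list 110 deny ip any host 16.2.1.255 log
access-list 110 deny ip any host 16.2.1.0 log
access-list 110 permit ip any any"""
ACL_180 = """\
access-list 180 deny tcp any any eq 33270 log
access-list 180 deny tcp any any eq 6667 log
access-list 180 permit ip any any"""

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: "str | None"     # None means "any", otherwise the address after "host"
    dst: "str | None"
    dport: "int | None"   # destination port from "eq PORT", None if absent
    log: bool             # whether the line ends with the "log" keyword

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0        # ignored for icmp

def parse_acl(text: str) -> list:
    """Parse the IOS extended-ACL subset used above: any / host X / eq PORT / log."""
    rules = []
    for line in text.splitlines():
        tok = line.split()      # access-list N action proto src dst [eq PORT] [log]
        action, proto, i, addrs = tok[2], tok[3], 4, []
        for _ in range(2):      # source spec, then destination spec
            if tok[i] == "any":
                addrs.append(None); i += 1
            else:               # "host X"
                addrs.append(tok[i + 1]); i += 2
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append(Rule(action, proto, addrs[0], addrs[1], dport, tok[-1] == "log"))
    return rules

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Top-down, first match wins; no match means the implicit deny (not logged)."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and r.src in (None, pkt.src)
                and r.dst in (None, pkt.dst) and r.dport in (None, pkt.dport)):
            return (r.action, r.log)
    return ("deny", False)
```

For example, evaluate(parse_acl(ACL_110), Packet("icmp", "16.2.1.7", "16.2.1.255")) returns ("deny", True), while the same packet sent to another subnet's broadcast address 16.2.2.255 is permitted, which is why the interface-wide "no ip directed-broadcast" default is the more general protection.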