DePaul TDC 363 - local-attacks (17 pages)
School: DePaul University
Course: TDC 363 - Introduction to Local Area Networks
Local Network Attacks
John Kristoff
jtk@depaul.edu
+1 312 362 5878
DePaul University, Chicago, IL 60604
FIRST TC 2002

Agenda
- Overview
- Theoretical and example attacks
- How to resist (if possible) local network attacks
- References
- Tools

Overview
- Local network attacks target an internal network
- Some attacks can be launched remotely
- Most do not monitor or guard against local attacks
- Ultimately, everything is a physical security problem

Theoretical and Example Attacks
- ARP
- LAN bridge/switch
- Routing
- DHCP
- Multicast
- Other

ARP-based Attacks
- ARP request spoofing
  - Responders to a request cache the sender's info
  - As do others who already have the sender's info
- ARP update spoofing (gratuitous ARP)
- Thinking out loud:
  - Is UNARP widely used? Can we attack with it?
  - Can we poison ARP entries to a group address?

Preventing ARP-based Attacks
- Use LAN switches with one port per end host
- Enable port security to limit source MAC addresses
- Use 802.1x port authentication
- Enable/get knobs on end hosts to validate ARPs
  - How to best do this?
- Monitor LAN bridge/switch address tables
- Monitor router ARP tables
- Keep history of address/ARP tables
- FYI: vendors must support knobs at line rate

LAN Bridge/Switch Attacks
- Overflow MAC address tables to cause flooding
  - Typical gear can hold a few thousand addresses
  - MAC addresses are 48 bits; the table holds only a few thousand
- Spoof spanning tree BPDU messages
  - Take over as root/designated bridge
  - Cause continuous topology recomputations
- Forge VLAN, priority or aggregation tags
- Spoof PAUSE flow-control frames (gig only)

Preventing LAN Bridge Attacks
- Monitor MAC address tables
- Manually set root bridge and monitor
- Use knobs like Cisco's BPDU Guard and Root Guard
- Manually set and prune trunked switch ports
- Use 802.1x port authentication

Routing Attacks
- Route injection
- Route monitoring
- Route redirection
- Route process DDoS attack
- Note: other types of local attacks may target routers

Preventing Routing Attacks
- Strongly authenticate all routing updates/packets
- Listen for/send routing packets only where there are routers
- Protect processes and access (ports, IPs, physical)
- Monitor routing:
  - Table size, especially changes over time
  - Checksum values and LSA counts in OSPF
  - Flaps, deaggregation, traffic patterns
- Build a baseline network map, a la Ches's netmapper

DHCP Attacks
- Spoof DHCP requests
- Spoof DHCP replies, or be a rogue DHCP server
- Thinking out loud: can we spoof DHCP releases?

Preventing DHCP Attacks
- Monitor DHCP discover/lease activity
- Monitor DHCP discovers, requests and offers
  - Client's broadcast request contains the server IP
- Can monitor DHCP packets and contents at:
  - DHCP servers
  - Router edges
- Use intra-VLAN knobs (e.g. Cisco's intra-VACL)

Multicast Attacks
- Spoof IGMP queries and take over as Querier
- Spoof IGMP reports (joins)
  - There are 224.0.0.0/4 IP multicast groups
- Spoof or simply generate group traffic
- Thinking out loud:
  - Can a default querier(s) be configured on hosts? A la a DHCP option, or just set to the default gw?
  - How to better authenticate group participation?
  - Will we see intentional multicast-based attacks?

Preventing Multicast Attacks
- Monitor IGMP querier on router edges
- Monitor IP multicast group usage on edges
- Monitor IP multicast routing state changes
- Heavily filter IP multicast group state; allow just:
  - 224.0.0.0/8
  - 225.0.0.0/8
  - 239.192.0.0/14 (internal only, if used)
  - 233.xx.yy.0/8 (GLOP space)
- Then filter out bogus groups in the above ranges

Other Attacks
- HSRP/VRRP: use MD5 auth and/or IPSEC
- Wireless: better authentication needed; see my first-teams post about finding APs
- ICMP redirect, SQ, router adv: easily fixed
- Time sync: who is getting time from whom?
- IPv6: potential problems with discovery/autoconf

References
- Layer 2 Attacks and Their Mitigation (Cisco Networkers 2002 presentation), or Hacking Layer 2: Fun with Ethernet Switches (Blackhat 2002)
- Directed IGMP Report vulnerability: http://www.cs.ucsb.edu/~krishna/igmp_dos
- Making Multicast Hard: How to ward off DOS & other threats, Marshall Eubanks, IETF 51
- Gigabit Ethernet and The Switch Book, both by Rich Seifert

Tools
- dsniff: http://www.monkey.org/~dugsong/dsniff
- Cammer, from Tobias Oetiker (of MRTG/RRDTool)
- At http://cosi-nms.sourceforge.net: ARPTrack, cislog, RouteCheck
- I hope to do more, particularly multicast related
- We also have an unreleased AP/MAC/IP tracker
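The "monitor and keep a history of address/ARP tables" advice on the Preventing ARP-based Attacks slide and the "monitor MAC address tables" advice on the Preventing LAN Bridge Attacks slide both come down to the same mechanism: poll the table, keep the last copy, and look for bindings that moved or ports that learned far too many sources. The following is an added example written for this page, not the author's code or any of the tools listed above (ARPTrack and Cammer do the collection part). It assumes the snapshots have already been collected and parsed into plain Python structures; every address, MAC, port name and the per-port limit below is constructed sample data.

```python
"""Snapshot-and-diff monitor for ARP and bridge (CAM) address tables.

Added example for this page, not part of the original slides. It assumes
that table snapshots have already been collected (e.g. via SNMP or a CLI
scrape) and parsed into plain Python structures; all rows below are
constructed sample data.
"""
from collections import defaultdict


def diff_arp(previous, current):
    """Compare two IP -> MAC snapshots of a router's ARP table.

    Returns (new, changed, gone).  'changed' is the interesting set: an IP
    that is still in use but now maps to a different MAC is what ARP
    request/gratuitous-ARP spoofing looks like from the router's side.
    """
    new = {ip: mac for ip, mac in current.items() if ip not in previous}
    gone = {ip: mac for ip, mac in previous.items() if ip not in current}
    changed = {
        ip: (previous[ip], mac)
        for ip, mac in current.items()
        if ip in previous and previous[ip].lower() != mac.lower()
    }
    return new, changed, gone


def shared_macs(arp_table):
    """MACs that answer for more than one IP in a single ARP snapshot.

    Legitimate on a router or a multi-homed box, suspicious on an access
    segment where every host should own exactly one address.
    """
    by_mac = defaultdict(list)
    for ip, mac in arp_table.items():
        by_mac[mac.lower()].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def flooded_ports(mac_table, limit):
    """Ports of a bridge/switch address table carrying more than `limit`
    source MACs.  The [(port, mac), ...] rows mimic a CAM table dump; a
    single access port that suddenly learns hundreds of MACs is the
    table-overflow attack that forces the switch to flood unicast traffic.
    """
    per_port = defaultdict(set)
    for port, mac in mac_table:
        per_port[port].add(mac.lower())
    return {port: len(macs) for port, macs in per_port.items() if len(macs) > limit}


# ---- constructed sample snapshots -------------------------------------
ARP_T0 = {                              # router ARP table, first poll
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.20": "00:11:22:33:44:20",
    "10.0.0.21": "00:11:22:33:44:21",
}
ARP_T1 = {                              # second poll: .21's MAC now claims the gateway IP
    "10.0.0.1": "00:11:22:33:44:21",
    "10.0.0.20": "00:11:22:33:44:20",
    "10.0.0.21": "00:11:22:33:44:21",
    "10.0.0.30": "00:11:22:33:44:30",   # a new, legitimate host
}
CAM_TABLE = [("Gi0/1", "00:11:22:33:44:20"), ("Gi0/1", "00:11:22:33:44:21")]
# 200 made-up source MACs learned on one access port
CAM_TABLE += [("Gi0/2", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)) for i in range(200)]
PORT_LIMIT = 8   # assumed per-port budget; the real value depends on what hangs off the port


def report():
    """Run all three checks over the sample data and return the findings."""
    new, changed, gone = diff_arp(ARP_T0, ARP_T1)
    return {
        "new_arp": new,
        "changed_arp": changed,
        "gone_arp": gone,
        "shared_macs": shared_macs(ARP_T1),
        "flooded_ports": flooded_ports(CAM_TABLE, PORT_LIMIT),
    }


if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding}")
```

The same poll/keep/diff loop is what the routing slide asks for as well (table size and LSA counts over time); only the key being compared changes. Polling interval matters: a poisoned entry that is re-poisoned every few seconds looks stable if the poll is slower than the attacker's refresh, so the diff should be paired with the per-port limit and, where the gear supports it, a trap on MAC moves.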
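The Preventing DHCP Attacks slide makes a point that is easy to miss: a client's DHCPREQUEST is broadcast and names the server it selected (option 54), so a rogue server can be spotted from the client side even when the OFFER itself was not captured. The code below is an added example written for this page, not the author's code; it decodes the BOOTP fixed header and the option list, then checks OFFER/ACK/NAK server identifiers and the client's chosen server against an authorized list. The packet builder exists only to fabricate sample traffic; the authorized-server address, the rogue address and all MACs are constructed.

```python
"""Parse DHCP messages seen on a segment and flag rogue/unauthorized servers.

Added example for this page, not the author's code.  The packet builder
exists only to fabricate sample traffic; the authorized-server list and
all addresses/MACs below are constructed.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTREQUEST, BOOTREPLY = 1, 2

# Constructed policy: the only DHCP server that is supposed to exist here.
AUTHORIZED_SERVERS = {IPv4Address("10.0.0.2")}


def parse_dhcp(payload):
    """Decode the BOOTP fixed header and the DHCP options we care about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "OTHER")
    server_id = (IPv4Address(options[OPT_SERVER_ID])
                 if OPT_SERVER_ID in options else None)
    return {
        "op": op,
        "xid": xid,
        "type": msg_type,
        "client_mac": chaddr.hex(":"),
        "yiaddr": IPv4Address(payload[16:20]),
        "server_id": server_id,
    }


def check_dhcp(payload):
    """Return an alert string, or None if the message is consistent with policy.

    Two signals from the slide: an OFFER/ACK whose server identifier is not
    ours is a rogue server answering; a client's broadcast REQUEST carries
    the server it chose in option 54, so it reveals a rogue server even
    when the OFFER itself was never captured.
    """
    msg = parse_dhcp(payload)
    sid = msg["server_id"]
    if sid is None or sid in AUTHORIZED_SERVERS:
        return None
    if msg["op"] == BOOTREPLY and msg["type"] in ("OFFER", "ACK", "NAK"):
        return f"rogue DHCP server {sid} sent {msg['type']} ({msg['yiaddr']}) to {msg['client_mac']}"
    if msg["op"] == BOOTREQUEST and msg["type"] == "REQUEST":
        return f"client {msg['client_mac']} selected unauthorized server {sid}"
    return None


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0", server_id=None):
    """Fabricate a minimal DHCP message (sample data only)."""
    hw = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, len(hw), 0, xid, 0, 0x8000,          # htype=Ethernet, broadcast flag set
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed capture: a legitimate OFFER, a rogue OFFER, and the client's
# REQUEST that picked the rogue server.
SAMPLE_CAPTURE = [
    build_dhcp(BOOTREPLY, 2, 0x1111, "00:11:22:33:44:55", "10.0.0.77", "10.0.0.2"),
    build_dhcp(BOOTREPLY, 2, 0x1111, "00:11:22:33:44:55", "10.0.0.200", "10.0.0.99"),
    build_dhcp(BOOTREQUEST, 3, 0x1111, "00:11:22:33:44:55", server_id="10.0.0.99"),
]


def alerts_for(capture):
    """Run the check over every frame and keep the non-empty alerts."""
    return [a for a in map(check_dhcp, capture) if a is not None]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_CAPTURE):
        print(alert)
```

Feed it the UDP payloads of port 67/68 traffic captured at a router edge or on the DHCP server itself, the two vantage points the slide names. The parser deliberately ignores everything except the message type and server identifier; a production version would also record the transaction id and lease to reconcile DISCOVER/OFFER/REQUEST/ACK sequences.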
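The allow list on the Preventing Multicast Attacks slide is short enough to encode directly, and doing so turns "monitor IP multicast group usage on edges" into a mechanical audit of whatever IGMP reports or mroute entries a router holds. This is an added example for this page, not the author's code. It keeps the slide's 224/8, 225/8 and 239.192.0.0/14 entries as given, narrows the 233.xx.yy.0 GLOP entry to the /24 that RFC 3180 derives from a 16-bit AS number, and treats the link-local control block 224.0.0.0/24 as one concrete instance of the "bogus groups in the above ranges" the slide says to filter next. The AS number and the sample group list are constructed.

```python
"""Audit IGMP/multicast routing state against the group-address filter
on the Preventing Multicast Attacks slide.

Added example, not from the slides.  The site AS number and the sample
group list are constructed; the GLOP entry is narrowed from the slide's
233.xx.yy.0 to the /24 that RFC 3180 derives from a 16-bit AS number.
"""
from ipaddress import IPv4Address, IPv4Network

ALWAYS_ALLOWED = [IPv4Network("224.0.0.0/8"), IPv4Network("225.0.0.0/8")]
INTERNAL_ONLY = IPv4Network("239.192.0.0/14")   # organization-local scope, if used
# "bogus groups in the above ranges": the link-local control block is never
# routed, so it should never appear in multicast routing state.
DENY_INSIDE = [IPv4Network("224.0.0.0/24")]


def glop_block(asn):
    """RFC 3180 GLOP: AS number -> 233.<high byte>.<low byte>.0/24."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP addressing covers 16-bit AS numbers only")
    return IPv4Network(f"233.{asn >> 8}.{asn & 0xFF}.0/24")


def group_allowed(group, local_asn, internal_groups_in_use=True):
    """Apply the slide's allow list, then the deny list, to one group address."""
    addr = IPv4Address(group)
    if not addr.is_multicast:
        return False
    if any(addr in net for net in DENY_INSIDE):
        return False
    allowed = ALWAYS_ALLOWED + [glop_block(local_asn)]
    if internal_groups_in_use:
        allowed.append(INTERNAL_ONLY)
    return any(addr in net for net in allowed)


def audit_group_state(groups, local_asn, internal_groups_in_use=True):
    """Return the groups that should not be in the router's state, sorted."""
    return sorted(g for g in groups
                  if not group_allowed(g, local_asn, internal_groups_in_use))


LOCAL_ASN = 64496          # constructed; any 16-bit AS number works here
# Constructed snapshot of groups seen in IGMP reports / mroute state
SAMPLE_GROUPS = [
    "224.0.1.1", "225.1.2.3", "239.192.5.5", "239.255.1.1",
    "233.251.240.9",       # inside this AS's GLOP /24
    "233.1.2.3",           # someone else's GLOP space
    "232.1.1.1", "224.0.0.5", "10.0.0.1",
]

if __name__ == "__main__":
    print("GLOP block:", glop_block(LOCAL_ASN))
    for g in audit_group_state(SAMPLE_GROUPS, LOCAL_ASN):
        print("reject", g)
```

Run the audit against a periodic dump of group state from each edge router; the set difference between consecutive runs is the "routing state changes" the slide asks to monitor, and any rejected group that keeps reappearing points at a host sending IGMP reports it should not.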