DePaul TDC 363 - local-attacks
FIRST TC 2002 John Kristoff - DePaul University

Local Network Attacks
John Kristoff
[email protected]
+1 312 362-5878
DePaul University
Chicago, IL 60604

Agenda
• Overview
• Theoretical and example attacks
• How to resist (if possible) local network attacks
• References
• Tools

Overview
• Local network attacks target an internal network
• Some attacks can be launched remotely
• Most do not monitor or guard against local attacks
• Ultimately everything is a physical security problem

Theoretical and Example Attacks
• ARP
• LAN Bridge/Switch
• Routing
• DHCP
• Multicast
• Other

ARP-based Attacks
• ARP request spoofing
  • Responders to a request cache the sender's info
  • As do others who already have the sender's info
• ARP update spoofing (gratuitous ARP)
• Thinking out loud:
  • Is UNARP widely used? Can we attack with it?
  • Can we poison ARP entries to = group address?

Preventing ARP-based Attacks
• Use LAN switches with one port per end host
• Enable port security to limit source MAC addresses
• Use 802.1x port authentication
• Enable (get) knobs on end hosts to validate ARPs
  • How to best do this?
• Monitor LAN bridge/switch address tables
• Monitor router ARP tables
• Keep history of address/ARP tables
• FYI... vendors must support knobs (at line rate)

LAN Bridge/Switch Attacks
• Overflow MAC address tables to cause flooding
  • Typical gear can hold a few thousand addresses
  • MAC addresses = 48 bits, or >> a few thousand
• Spoof spanning tree BPDU messages
  • Take over as root/designated bridge
  • Cause continuous topology recomputations
• Forge VLAN, priority or aggregation tags
• Spoof PAUSE (flow control) frames (gig only)

Preventing LAN Bridge Attacks
• Monitor MAC address tables
• Manually set root bridge and monitor
• Use knobs like Cisco's BPDU Guard and Root Guard
• Manually set and prune trunked switch ports
• Use 802.1x port authentication

Routing Attacks
• Route injection
• Route monitoring
• Route redirection
• Route process DDoS attack
• Note: other types of local attacks may target routers

Preventing Routing Attacks
• Strongly authenticate all routing updates/packets
• Listen/send routing packets only where there are routers
• Protect processes and access (ports, IPs, physical)
• Monitor routing
  • Table size (especially changes over time)
  • Checksum values and LSA counts in OSPF
  • Flaps, deaggregation, traffic patterns
• Build baseline network map (à la Ches's netmapper)

DHCP Attacks
• Spoof DHCP requests
• Spoof DHCP replies (or be a rogue DHCP server)
• Thinking out loud:
  • Can we spoof DHCP releases?

Preventing DHCP Attacks
• Monitor DHCP discover/lease activity
• Monitor DHCP discovers, requests and offers
  • Clients broadcast the request, which contains the server IP
• Can monitor DHCP packets and contents at:
  • DHCP servers
  • Router edges
• Use intra-VLAN knobs (e.g. Cisco's intra-VACL)

Multicast Attacks
• Spoof IGMP queries and take over as Querier
• Spoof IGMP reports (joins)
  • There are 224.0.0.0/4 IP multicast groups
• Spoof or simply generate group traffic
• Thinking out loud:
  • Can a default querier(s) be configured on hosts?
    • À la DHCP option, or just set to default gw
  • How to better authenticate group participation?
  • Will we see intentional multicast-based attacks?

Preventing Multicast Attacks
• Monitor IGMP querier on router edges
• Monitor IP multicast group usage on edges
• Monitor IP multicast routing state changes
• Heavily filter IP multicast group state, allow just:
  • 224.0.0.0/8
  • 225.0.0.0/8
  • 239.192.0.0/14 (internal only if used)
  • 233.xx.yy.0/8 (GLOP space)
• Then filter out bogus groups in the above ranges

Other Attacks
• HSRP/VRRP - use MD5 auth and/or IPSEC
• Wireless - better authentication needed!
  • See my first-teams post about finding APs
• ICMP redirect, SQ, router adv. - easily fixed
• Time sync - who is getting time from whom?
• IPv6 - potential problems with discovery/autoconf?

References
• Layer 2 Attacks and Their Mitigation, Cisco Networkers 2002 presentation, or Hacking Layer 2: Fun with Ethernet Switches, Blackhat 2002
• Directed IGMP Report vulnerability: http://www.cs.ucsb.edu/~krishna/igmp_dos/
• Making Multicast Hard (How to ward off DOS & other threats), Marshall Eubanks, IETF 51
• Gigabit Ethernet and The Switch Book, both by Rich Seifert

Tools
• http://www.monkey.org/~dugsong/dsniff/
• Cammer from Tobias Oetiker (MRTG/RRDTool)
• At http://cosi-nms.sourceforge.net:
  • ARPTrack
  • cislog
  • RouteCheck
• I hope to do more (particularly multicast related)
• We also have an unreleased AP MAC/IP
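The "Preventing ARP-based Attacks" slide recommends monitoring router ARP tables and keeping a history of them. The following is an added example, not from the deck or from the ARPTrack tool it lists: it diffs two constructed ARP snapshots and flags an IP re-bound to a new MAC, one MAC answering for several IPs, and an entry poisoned to a group (multicast/broadcast) MAC, the case the ARP attacks slide asks about. The snapshot format and addresses are assumptions for the example.

```python
from collections import defaultdict

# Constructed ARP table snapshots (not from the slides): one "ip mac" pair
# per line, as a router ARP table might be exported at two points in time.
BASELINE = """\
10.0.0.1  00:11:22:33:44:01
10.0.0.20 00:11:22:33:44:14
10.0.0.21 00:11:22:33:44:15
"""
CURRENT = """\
10.0.0.1  00:11:22:33:44:15
10.0.0.20 00:11:22:33:44:14
10.0.0.21 00:11:22:33:44:15
10.0.0.22 01:00:5e:00:00:fb
"""

def parse_arp_table(text):
    """Parse 'ip mac' lines into {ip: mac}, normalising MAC case."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = parts[1].lower()
    return table

def is_group_mac(mac):
    """True if the I/G bit (low bit of the first octet) is set, i.e. the MAC
    is a multicast/broadcast address that no real unicast host owns."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def audit_arp_tables(baseline, current):
    """Compare two snapshots; return sorted (kind, subject, detail) findings."""
    old, new = parse_arp_table(baseline), parse_arp_table(current)
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
        if ip in old and old[ip] != mac:      # IP re-bound to another MAC
            findings.append(("mac-changed", ip, f"{old[ip]} -> {mac}"))
        if is_group_mac(mac):                 # entry poisoned to a group MAC
            findings.append(("group-mac", ip, mac))
    for mac, ips in by_mac.items():           # one MAC answering for many IPs
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_arp_tables(BASELINE, CURRENT):
        print(*finding)
```

Run against periodic snapshots, the "mac-changed" finding for the gateway address (10.0.0.1 here) is the one that most often marks a spoofing host.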
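The "Preventing Multicast Attacks" slide proposes filtering IGMP group state down to four ranges, then weeding out bogus groups inside them, and monitoring who acts as IGMP querier on router edges. This added example (not the author's code) implements both checks over a constructed IGMP event log; the second-stage deny list, the expected querier address and the record format are assumptions.

```python
import ipaddress

# Group ranges the slide lets through the filter; the slide's "233.xx.yy.0/8"
# (GLOP) is taken as the whole 233.0.0.0/8 block here.
ALLOWED_GROUPS = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/8", "225.0.0.0/8", "239.192.0.0/14", "233.0.0.0/8")]
# Second-stage deny list inside the allowed ranges (assumed for this example):
# 224.0.0.0/24 is the link-local control block, which routers never forward.
DENIED_GROUPS = [ipaddress.ip_network("224.0.0.0/24")]
# Router that should win IGMP querier election on this segment (assumed).
EXPECTED_QUERIER = ipaddress.ip_address("10.0.0.254")

# Constructed IGMP event records, "kind source group" per line; queries
# carry the general-query group 0.0.0.0.
IGMP_LOG = """\
query 10.0.0.254 0.0.0.0
report 10.0.0.20 239.192.1.5
report 10.0.0.21 224.0.0.251
report 10.0.0.22 232.1.1.1
query 10.0.0.7 0.0.0.0
report 10.0.0.23 233.5.6.7
"""

def group_allowed(group):
    """Two-stage filter: group must be in an allowed range and not denied."""
    addr = ipaddress.ip_address(group)
    if not any(addr in net for net in ALLOWED_GROUPS):
        return False
    return not any(addr in net for net in DENIED_GROUPS)

def audit_igmp(log):
    """Return (rejected_joins, unexpected_queriers) from IGMP event records.
    Each unexpected querier is (source, would_win_election)."""
    rejected, rogue = [], []
    for line in log.splitlines():
        kind, src, group = line.split()
        if kind == "report" and not group_allowed(group):
            rejected.append((src, group))
        elif kind == "query" and ipaddress.ip_address(src) != EXPECTED_QUERIER:
            # IGMPv2 elects the lowest-addressed router as querier, so a
            # query from a lower address than ours would take over.
            rogue.append((src, ipaddress.ip_address(src) < EXPECTED_QUERIER))
    return rejected, rogue

if __name__ == "__main__":
    rejected, rogue = audit_igmp(IGMP_LOG)
    print("rejected joins:", rejected)
    print("unexpected queriers:", rogue)
```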

