By Ali Alamri
Before talking about port security we need to describe how layer 2 devices, also known as switches, operate. Switches work by building tables, called content-addressable memory (CAM) tables, which the switch uses to map MAC addresses to their corresponding ports. Depending on the version and capability of the switch, these tables can only hold a limited number of entries, each pairing a MAC address with a switch port number. One attack, called CAM overflow, takes advantage of this limitation to overflow the CAM table and disable the switching logic of the switch.
This attack occurs when an attacker connects to a port (or multiple ports) on a switch and then crafts requests from thousands of fake, random MAC addresses. This makes the switch believe these are real MAC address connections with corresponding ports, and it uses them to fill up the CAM table. A CAM table overflow turns the switch into a hub, meaning the attacker can see the traffic going in and out of the switch, which could lead to a man-in-the-middle attack. Securing the port and limiting the number of devices/entries per port helps to eliminate the attack, as we will see in the following section.
- After booting up our Kali box and inspecting the CAM table on our switch, we can see that the switch’s CAM table is configured to learn dynamically:
- Also, if we look up the count for the CAM table, we will see only 4 devices, as expected.
- After that, I opened up our Kali machine and used the “macof” tool, which sends out requests from a large number of random fake MAC addresses that will be registered in the switch’s CAM table. I ran the command “macof -i eth0”; the flag “-i eth0” specifies the interface the tool will send traffic through.
- Now, if we take a look at the MAC address table, we will see that the CAM table has been overflowed by the “macof” tool we started.
- Moreover, if we take a look at the count, we will see that no more space is available.
One of the most popular mitigations against CAM overflows on Cisco switches is port-security. Port-security has three violation modes, which we will discuss in the following sections.
- Restrict mode keeps the port up when an attack occurs; however, it drops any packets that violate the MAC address rules set on the switch.
- For example, as the screenshot below depicts, we have only allowed three MAC addresses to be learned dynamically. When a fourth MAC address tries to register on that port, the switch raises a violation flag and drops the packet.
- An example of the switch output when I ran the attack again is shown in the screenshot above.
- Now, if we take a look at that interface to see how many MAC addresses have violated our rule, we can see that there have been 26380 violations on that port.
Protect mode also allows a port to stay up during an attack, similar to restrict mode. In protect mode the switch drops any packets violating the rule; however, unlike restrict mode, it does not report the violation back to the monitoring session as we saw in restrict mode.
- When we ran the macof tool again against the switch and then looked at the port, we saw that there were 185823 violations on that port, but no warnings about the violations were generated.
Lastly, shutdown mode works as follows: when a violation occurs, an SNMP notification message is sent and the port is immediately shut down.
- For example, we configured our switch to accept a maximum of three MAC addresses, and when this rule is violated it shuts down the port.
- As the screenshot below shows, after running the tool again on the same port we can see the port is shut down because we violated the rule of a maximum of three MAC addresses.
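To make the three violation modes concrete, here is an added Python model of one port configured the way the write-up describes (the equivalent of “switchport port-security maximum 3” with a “switchport port-security violation” mode). It is an example written for this page, not the author’s lab configuration or any Cisco code; the port name, the MAC addresses in the constructed frame stream and the notification wording are assumptions. Like the counters the write-up reads off the switch, it counts dropped frames in every mode and differs only in whether a notification is raised and whether the port stays up.

```python
"""Model of one switch port running port-security with the three violation modes.

Added example for this write-up; it is not the author's configuration and not a
real switch. Port name, MAC addresses and notification text are constructed.
"""


class SecurePort:
    """A port with a maximum number of dynamically learned MACs and a violation mode.

    protect  - drop frames from MACs beyond the limit, send no notification
    restrict - drop them and raise a notification (syslog/SNMP) for each one
    shutdown - put the port into err-disabled state on the first violation
    """

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, maximum=3, mode="restrict"):
        if mode not in self.MODES:
            raise ValueError(f"unknown violation mode {mode!r}")
        self.name = name
        self.maximum = maximum
        self.mode = mode
        self.secure_macs = []      # dynamically learned addresses, in order of arrival
        self.violations = 0        # the violation count an administrator would read off the port
        self.err_disabled = False
        self.notifications = []    # messages restrict/shutdown would send to the administrator

    def receive(self, src_mac):
        """Handle one incoming frame; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                       # a shut-down port forwards nothing
        if src_mac in self.secure_macs:
            return True                        # an already learned address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # room left: learn it
            return True
        # Beyond the maximum: this is a port-security violation.
        self.violations += 1
        if self.mode == "restrict":
            self.notifications.append(
                f"{self.name}: security violation by {src_mac} (restrict, frame dropped)")
        elif self.mode == "shutdown":
            self.err_disabled = True
            self.notifications.append(
                f"{self.name}: security violation by {src_mac}, port err-disabled")
        # protect mode: drop silently
        return False


def flood_port(mode, maximum=3, legit=3, fakes=100):
    """Replay a constructed frame stream ('legit' real hosts, then 'fakes' random-looking
    sources, the pattern the write-up observed) through one port and summarise the result."""
    port = SecurePort("Fa0/1", maximum=maximum, mode=mode)
    legit_macs = [f"00:11:22:33:44:{i:02x}" for i in range(legit)]
    fake_macs = [f"02:de:ad:be:{i >> 8:02x}:{i & 0xff:02x}" for i in range(fakes)]
    forwarded = sum(port.receive(mac) for mac in legit_macs + fake_macs)
    return {
        "forwarded": forwarded,
        "learned": len(port.secure_macs),
        "violations": port.violations,
        "notifications": len(port.notifications),
        "err_disabled": port.err_disabled,
        # do the legitimate hosts still get through once the flood has happened?
        "legit_still_forwarded": all(port.receive(mac) for mac in legit_macs),
    }


if __name__ == "__main__":
    for mode in SecurePort.MODES:
        print(mode, flood_port(mode))
```

Running it shows the trade-off between the modes: restrict and protect keep the three learned hosts working while the flood is dropped (only restrict tells anyone), whereas shutdown stops the flood after a single frame but also cuts off the legitimate hosts until the port is re-enabled.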
Generally, when talking about VLAN hopping there are two types of attacks: one is called the double tagging attack, which we will be talking about here, and the other is the spoofing attack. Double tagging attacks take advantage of a native VLAN trunking configuration in which frames are transmitted between VLANs via the trunk port. The attack manipulates the 802.1Q header by adding an extra tag; the outer tag is stripped off when the frame leaves the switch on the trunk port whose native VLAN is VLAN 1, and the frame is forwarded to the second switch. That switch then forwards the packet to the corresponding host on the VLAN named in the remaining tag. It’s worth noting that the destination of the packet is therefore based on the second tag, since the first switch only looks at the first VLAN tag it sees.
As shown in my topology, I set up the first switch to be on VLAN 1. This can be done from the configuration terminal with “int vlan 1”; then, once we are in the interface, we assign it the address 10.10.10.1.
In this case, the attacker is on port fa1/0 and the trunk port is fa1/1.
- Moreover, on switch 2, we gave VLAN 2 an IP address of 10.10.11.1 and VLAN 1 an IP address on the same network as switch 1.
- Now, if we take a look at port fa1/0, it has the victim connected to it, and when we look at the other port, fa1/1, it has the trunk on it.
- The attacker now has an address of 10.10.10.3 on the first network.
- On the other hand, the victim is on VLAN 10 and has an IP address of 10.10.1
- Now, we go to the terminal and run the Yersinia tool.
- In order to perform the double tagging attack, we click on the 802.1Q header in Yersinia to launch the attack.
- When we perform the attack, we can see in the capture on the attacker’s machine an ICMP packet going through the VLAN and reaching the other network.
- Looking closely at the packet, we can see the two VLAN tags, the first on VLAN 1 and the other on VLAN 10; it is worth noting that this is only visible from the attacker’s box.
- If we take a close look at the ICMP packet on the victim’s machine, we see the ICMP request being received with no sign of any 802.1Q header.
- There are several common best practices that network and system administrators use to defend against this attack, including:
- Disabling dynamic trunking on unused ports on the switch
- Ensuring that switchports are set to nonegotiate, which disables DTP.
- Not using VLAN 1 for inbound management traffic, and picking another VLAN dedicated to that purpose. In other words, prune VLAN 1 from all trunks and from all access ports that don’t require it.
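The capture described above (two tags visible on the attacker’s side, none on the victim’s) follows directly from how access and trunk ports treat 802.1Q tags. The following added Python example, written for this page and not taken from the write-up, Yersinia or any Cisco software, parses stacked 802.1Q tags from a constructed frame and models the two hops: the access port on switch 1 accepting a frame tagged with its own VLAN and removing that one tag, the trunk sending native-VLAN traffic untagged, and switch 2 classifying the frame by whatever outer tag remains. The MAC addresses, the sample frame and the VLAN numbers (1 and 10 as in the topology, 999 as a stand-in for an unused native VLAN) are constructed; running it shows why the third best practice above, keeping VLAN 1 off the trunk’s native VLAN and off access ports, stops the frame from reaching VLAN 10.

```python
"""802.1Q tag parsing plus a small model of how access and trunk ports treat tags.

Added example for this write-up; it is not the author's lab code or any Cisco
software. MAC addresses and the sample frame are constructed.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlans, ethertype=ETHERTYPE_IPV4, payload=b"\x45"):
    """Build an Ethernet frame carrying the given 802.1Q tags, outermost first (test input only)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI bits left zero
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the stacked VLAN IDs (outermost first) and the offset of the inner EtherType."""
    vlans, offset = [], 12                      # 6-byte destination + 6-byte source MAC
    while struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlans, offset


def access_ingress(frame, access_vlan):
    """Switch 1 receives the frame on an access port.

    Untagged frames are placed in the access VLAN. A frame that already carries a tag
    for the access VLAN is accepted and that one tag is removed, which leaves any
    second tag untouched inside the frame. A tag for any other VLAN is rejected (None).
    """
    vlans, _ = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]
    return None


def trunk_egress(vlan, frame, native_vlan):
    """Switch 1 sends the frame out of the trunk: native-VLAN traffic goes untagged,
    everything else gets a tag with its VLAN ID prepended."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]


def trunk_ingress_vlan(frame, native_vlan):
    """Switch 2 receives on its trunk: the outermost tag decides the VLAN, untagged means native."""
    vlans, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def vlan_reached(frame, access_vlan, native_vlan):
    """VLAN in which the frame lands on switch 2, or None if switch 1 rejects it."""
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, inner = accepted
    return trunk_ingress_vlan(trunk_egress(vlan, inner, native_vlan), native_vlan)


# Constructed double-tagged frame: outer tag VLAN 1, inner tag VLAN 10, like the write-up's capture.
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:11:22:33", [1, 10])

if __name__ == "__main__":
    print("tags seen on the attacker side:", parse_tags(DOUBLE_TAGGED)[0])
    print("native VLAN 1 on the trunk   ->", vlan_reached(DOUBLE_TAGGED, 1, 1))
    print("native VLAN 999 on the trunk ->", vlan_reached(DOUBLE_TAGGED, 1, 999))
```

With the native VLAN left at 1 the frame lands in VLAN 10, exactly what the victim’s capture showed; with the trunk’s native VLAN moved to an unused VLAN the outer tag is never stripped, so switch 2 keeps the frame in VLAN 1 and the inner tag is never consulted.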
DHCP (short for Dynamic Host Configuration Protocol) is one of the most important services to have in a network. It provides clients with information such as IP address, subnet mask, DNS server and default gateway dynamically, rather than requiring each host to be configured statically. Client and server go through a process called DORA, short for Discover, Offer, Request, Acknowledge. The process starts with the server listening on UDP port 67 for discover requests sent by clients on the network. When a client sends out a discover packet, the server sees it and responds with an offer carrying the “offered” IP address to the client, which is listening on port 68. The client then requests that IP address from the server, and the server confirms the request by sending an ACK packet back.
DHCP starvation is an attack wherein the attacker targets the entire DHCP scope and tries to acquire all the available addresses in it. This is a denial of service attack, as other clients will no longer be able to receive IP addresses. Over time, the adversary keeps using new MAC addresses to send renewals for all the DHCP leases.
In order to perform this kind of attack we can use a tool called “yersinia.” This tool is powerful as it provides plenty of low-level networking attacks. By opening the tool with the command “yersinia -G” and clicking on the DHCP attack as shown below, we can carry out the attack. Moreover, we can see in the Wireshark traffic a heavy volume of Discover packets.
Now, if we take a look at the switch by typing the command “show ip dhcp binding”, we can see that all the addresses in the scope have been acquired by fake/forged MAC addresses generated by Yersinia.
A DHCP rogue server attack occurs when an attacker poses as a legitimate DHCP server and hands out DHCP information, including IP addresses, gateways and DNS servers. To perform this attack the “ettercap” tool can be used. To start this tool, use the command “ettercap -G” and click on the DHCP attack. Moreover, we can see Wireshark traffic showing a heavy volume of Discover packets.
It’s worth noting that the address of our spoofed DHCP server is 10.150.100.12.
Moving on to how to prevent this attack, Cisco already has a security feature that is capable of distinguishing trusted from untrusted hosts. This feature is called DHCP snooping, and it validates DHCP messages from untrusted hosts and drops the illegitimate ones. In addition, it can evaluate DHCP traffic from both trusted and untrusted hosts. This feature requires a binding database which holds the information learned about hosts. In our example, we can see that port FE0/5 is trusted, which means the DHCP server resides on that port.
Now, if we look at the Wireshark capture when the attacker tries to send an OFFER packet back to the victim, we see that the packet is ignored by the victim, which only responds to the legitimate DHCP server.
So only the packets formed by the legitimate DHCP server on the trusted port are advertised to the DHCP client and start the DORA process.
ARP is one of the most important networking protocols, and other protocols rely on it as it maps a MAC address to an associated IP address. The attack we will be talking about is called ARP spoofing; it is a type of man-in-the-middle attack in which the attacker responds to ARP requests with forged packets.
Using the arpspoof tool, which is available in Kali Linux, I spoofed one of the clients’ MAC addresses.
This enables the attacker to inspect all traffic destined for 10.150.100.5 by redirecting it to the Kali IP address and then forwarding it back to the victim, as we can see in the Wireshark capture.
When we want to block invalid and malicious ARP packets, we can use Dynamic ARP Inspection (DAI). This feature works similarly to DHCP snooping: if a client sends a message that is recognized as malicious, the switch drops the illegitimate packets.
We start the switch configuration by applying DAI on the switch in
It’s worth noting that I applied the ARP ACL “static ARP”, which contains the IP and MAC addresses of my clients. Additionally, if I rerun the attack, we won’t see the packets on the victim’s machine, as the packets get dropped when they reach the switch and are not forwarded. The switch also raises a lot of warnings to notify the network administrator, as shown below.
IP Source Guard (IPSG) is a defense mechanism designed to prevent IP spoofing attacks. For instance, when someone wants to spoof the address of another host, this feature prevents the spoofing because that IP address was not assigned to the sender by DHCP. IPSG works by relying on DHCP snooping and IP source bindings to match the IP address on untrusted Layer 2 ports.
IP spoofing is an attack performed to achieve one of two goals: a DoS (denial of service) or unauthorized access to a network. We perform this attack using Scapy. As shown below, we build an IP header with a spoofed source IP address and the destination set to our target’s IP address.
It is also worth noting that in my topology the actual IP address of our Kali box is 10.150.100.12. The reason this works is that there is no validation mapping the IP address to the MAC address of the host sending the spoofed packet; as we will see, this is exactly what the mitigation adds. Now, if we look at the Wireshark capture below, we see that the ICMP packet was sent to the target and the reply came back to the spoofed IP address.
This mitigation relies on the DHCP snooping database, so we need to make sure it is enabled, as discussed in the previous mitigations. After this we add the IP Source Guard configuration to the switch, as shown below.
Now, if we try to spoof an IP from Scapy on Kali, the victim should not successfully respond to that packet. If we take a look at the DHCP snooping database, it shows that the Kali MAC address is associated with its IP address, and if Kali tries to send a packet with a different source IP address, it should just get dropped.
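The three mitigations above, DHCP snooping, Dynamic ARP Inspection and IP Source Guard, all hang off the same binding database, which is why the write-up has to enable snooping before the other two work. The following added Python example, written for this page rather than taken from the write-up or from Cisco, models a switch applying all three checks to constructed traffic: server-side DHCP messages are only accepted from the trusted port, ACKs seen there populate the bindings, DAI checks ARP senders against the bindings or a static ARP ACL like the one the author configured, and IPSG checks the source of IP packets on untrusted ports against the same bindings. Port names, MAC addresses, the static ACL contents and the log wording are assumptions; the victim’s 10.150.100.5 and Kali’s 10.150.100.12 follow the topology described above, and the IPSG check verifies the MAC as well as the IP, which corresponds to the stricter variant rather than the default IP-only check.

```python
"""One binding table, three checks: DHCP snooping, Dynamic ARP Inspection, IP Source Guard.

Added example for this write-up; it is not the author's switch configuration or any
Cisco code. Port names, addresses, the static ARP ACL and the log wording are constructed.
"""

# DHCP message types (option 53 values from RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}   # only a real server, behind a trusted port, may send these


class Layer2Guard:
    def __init__(self, trusted_ports, static_arp_acl=None):
        self.trusted = set(trusted_ports)
        self.static_arp_acl = dict(static_arp_acl or {})  # mac -> ip, like the "static ARP" ACL
        self.bindings = {}   # (port, client mac) -> ip: the DHCP snooping binding database
        self.pending = {}    # client mac -> port where its DISCOVER/REQUEST arrived
        self.log = []        # warnings a network administrator would see

    # ---- DHCP snooping ----------------------------------------------------
    def dhcp(self, port, msg_type, chaddr, yiaddr=None):
        """Filter one DHCP message; returns True if forwarded, False if dropped."""
        if msg_type in SERVER_MESSAGES and port not in self.trusted:
            self.log.append(f"DHCP snooping: dropped server message on untrusted port {port}")
            return False
        if msg_type in (DISCOVER, REQUEST):
            self.pending[chaddr] = port                  # remember which port the client is on
        elif msg_type == ACK and chaddr in self.pending:
            client_port = self.pending.pop(chaddr)       # lease confirmed: record the binding
            self.bindings[(client_port, chaddr)] = yiaddr
        return True

    def _bound(self, port, mac, ip):
        return self.bindings.get((port, mac)) == ip

    # ---- Dynamic ARP Inspection ------------------------------------------
    def arp(self, port, sender_mac, sender_ip):
        """Allow an ARP packet only if the sender pair is in the static ACL or the bindings."""
        if port in self.trusted:
            return True
        if self.static_arp_acl.get(sender_mac) == sender_ip or self._bound(port, sender_mac, sender_ip):
            return True
        self.log.append(f"DAI: dropped ARP on {port} claiming {sender_ip} is at {sender_mac}")
        return False

    # ---- IP Source Guard --------------------------------------------------
    def ip_packet(self, port, src_mac, src_ip):
        """Allow an IP packet on an untrusted port only if its source matches a binding
        (this models the variant that verifies the MAC as well as the IP)."""
        if port in self.trusted or self._bound(port, src_mac, src_ip):
            return True
        self.log.append(f"IPSG: dropped packet on {port} with unbound source {src_ip} ({src_mac})")
        return False


def lab_scenario():
    """Replay constructed traffic through the three checks and return what was forwarded."""
    sw = Layer2Guard(trusted_ports={"Fa0/5"})          # DHCP server behind the trusted port
    victim, kali = "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb"
    result = {}
    result["discover_forwarded"] = sw.dhcp("Fa0/2", DISCOVER, victim)
    result["rogue_offer_forwarded"] = sw.dhcp("Fa0/3", OFFER, victim, "10.150.100.50")  # rogue server
    result["real_offer_forwarded"] = sw.dhcp("Fa0/5", OFFER, victim, "10.150.100.5")
    sw.dhcp("Fa0/2", REQUEST, victim)
    sw.dhcp("Fa0/5", ACK, victim, "10.150.100.5")
    sw.dhcp("Fa0/3", DISCOVER, kali)
    sw.dhcp("Fa0/5", ACK, kali, "10.150.100.12")
    result["bindings"] = dict(sw.bindings)
    result["arp_spoof_forwarded"] = sw.arp("Fa0/3", kali, "10.150.100.5")      # Kali claims the victim's IP
    result["arp_legit_forwarded"] = sw.arp("Fa0/2", victim, "10.150.100.5")
    result["ip_spoof_forwarded"] = sw.ip_packet("Fa0/3", kali, "10.150.100.7")   # forged source address
    result["ip_legit_forwarded"] = sw.ip_packet("Fa0/3", kali, "10.150.100.12")
    result["log"] = list(sw.log)
    return result


if __name__ == "__main__":
    for key, value in lab_scenario().items():
        print(f"{key}: {value}")
```

The scenario reproduces the three observations in the write-up: the rogue OFFER never leaves the untrusted port, the forged ARP reply claiming the victim’s address is dropped with a warning, and the Scapy-style packet with a source address that the snooping database does not associate with Kali’s MAC is dropped while Kali’s own address still passes.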