Switch Security – DHCP Starvation and Flooding CAM Tables (Fail Open) Part 1

Filed under: Cisco

Author: Darryl Akeung (34 Articles)

Many people tend to forget about the lower layers of security and focus only on layer 3 and above. In this series we will explore various layer 2 attacks and how to mitigate them.

In this part we will explore:

  1. MAC FLOODING
  2. DHCP STARVATION

And also ways we can secure our network from such attacks.

Tools:

yersinia

macof

MAC FLOODING 

This entails forcing a switch into a fail-open state by filling its CAM table until it cannot learn any more MAC addresses, after which the switch floods frames out every port as a hub would.

As the diagram below shows, a switch provides some protection against eavesdropping by forwarding a frame only to the port on which the destination was learned, unlike a hub, which repeats every frame out every port.

[Diagram: Phase 1 – normal switching]

Let us first gather some information about the current switch:

Switch#sh sdm prefer
The current template is “desktop default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

Switch#show mac address-table count vlan 10

Mac Entries for Vlan 10:

—————————
Dynamic Address Count : 12
Static Address Count : 0
Total Mac Addresses : 12

Step 1:

Let's flood the switch's CAM table. We will use macof, which generates frames with random source and destination MAC addresses.

MacBook-Pro:~ daakeung$ macof -i eth0

<SNIPPET>

65:f4:34:74:b4:89 19:42:42:7e:8c:54 0.0.0.0.32025 > 0.0.0.0.24535: S 2025644457:2025644457(0) win 512
74:e9:d4:3f:90:4d 4e:7c:2d:30:87:ff 0.0.0.0.19997 > 0.0.0.0.27478: S 2069417489:2069417489(0) win 512
69:5c:64:7a:10:51 4e:78:a6:3f:92:d1 0.0.0.0.60291 > 0.0.0.0.15959: S 1428067860:1428067860(0) win 512
78:d0:35:29:cc:d3 ad:e3:50:40:9:3a 0.0.0.0.60250 > 0.0.0.0.9586: S 548552536:548552536(0) win 512
25:21:db:56:53:89 40:c5:11:4e:7b:a4 0.0.0.0.61328 > 0.0.0.0.22265: S 674146990:674146990(0) win 512
1e:4e:ef:50:aa:29 7b:84:90:5:2:d7 0.0.0.0.22799 > 0.0.0.0.26305: S 421289885:421289885(0) win 512
f1:1:1a:7f:67:72 64:28:aa:6f:a:25 0.0.0.0.9533 > 0.0.0.0.6091: S 1958834455:1958834455(0) win 512
70:7e:1c:5f:d8:dd 39:4d:62:41:df:70 0.0.0.0.55397 > 0.0.0.0.29158: S 814202345:814202345(0) win 512
5a:a5:87:5:7f:d 1f:65:ce:6f:ee:34 0.0.0.0.61264 > 0.0.0.0.15761: S 772770014:772770014(0) win 512
38:78:9b:9:f8:b7 c4:7:ad:52:e2:19 0.0.0.0.55881 > 0.0.0.0.33343: S 1686911520:1686911520(0) win 512
ef:79:98:d:39:fc 0:69:fb:34:23:16 0.0.0.0.44442 > 0.0.0.0.50558: S 1980406828:1980406828(0) win 512
a3:d:1f:63:19:bd ec:4:9e:24:b0:c5 0.0.0.0.5596 > 0.0.0.0.24920: S 435138990:435138990(0) win 512
1e:bb:43:e:71:4d 44:bf:7e:45:d3:23 0.0.0.0.10932 > 0.0.0.0.16796: S 1590723893:1590723893(0) win 512

 

Switch#sh mac address-table count vlan 10

Mac Entries for Vlan 10:
—————————
Dynamic Address Count : 5794
Static Address Count : 4
Total Mac Addresses : 5798

Total Mac Address Space Available: 0

Switch#

The switch's CAM table is now full, so it can no longer learn the addresses of hosts whose entries age out, and it floods their frames out every port, effectively acting as a hub.

This allows an attacker on any port to sniff traffic between any two nodes on the switch, including passwords (encrypted or not), instant messages, e-mail and so on.

[Diagram: Phase 2 – switch in fail-open state]

DHCP STARVATION

DHCP starvation is a method of exhausting the IP address pool of the DHCP server. On its own it is a denial of service; the goal here is to use it to set up a man-in-the-middle attack.

Let's start with a normally functioning network.

The user receives its IP configuration from the DHCP server. Now let's exhaust all available IP addresses on the server using yersinia.

With the DHCP server left without any IP addresses to issue, the following situation can arise:

Step 1 : The hacker leases all the available IP addresses from the server.
Step 2 : The hacker brings up his own rogue DHCP server, which hands out his own IP address as the default gateway.
Step 3 : The client leases an IP address from the rogue DHCP server.
Step 4 : All of the client's traffic is routed via the hacker, who can intercept it without the victim noticing.

Protecting against DHCP Starvation and MAC Flood:
1. Port Security

Port security limits the number of MAC addresses allowed on a port. It can also restrict the port to specific MAC addresses.

How does this help ?

  1. DHCP Starvation by limiting the number of mac addresses used for DHCP.
  2. MAC Flood by imiting the number of mac address into the CAM table from the port.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swtrafc.html#wp1038501

Let's configure port security to restrict the number of MAC addresses permitted on the port to 1.

interface FastEthernet0/6
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security maximum 1
switchport port-security
switchport port-security aging time 2
switchport port-security violation shutdown
switchport port-security aging type inactivity

Status of port security:

Switch#sh port-security int fa 0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 15 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 109a.dd6f.05ec:10
Security Violation Count : 0

Run macof again.

MacBook-Pro:~ daakeung$ macof -i eth0

The switch produces this log upon exceeding the configured MAC address limit:

Dec 20 15:44:08.763: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Dec 20 15:44:08.797: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a5.6028.7ec7 on port FastEthernet0/6.
Dec 20 15:44:09.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
Dec 20 15:44:10.802: %LINK-3-UPDOWN: Interface FastEthernet0/6, changed state to down

The switch puts the interface into the error-disabled (shutdown) state when the number of MAC addresses seen on it exceeds the configured limit, which stops the attack. The port stays err-disabled until an administrator bounces it with shutdown / no shutdown, or until errdisable recovery is enabled for the psecure-violation cause, so in shutdown mode the legitimate host on that port is also cut off until then.

Switch#sh port-security int fa 0/6
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 15 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 34a5.6028.7ec7:10
Security Violation Count : 1

Switch#

There are 3 modes of operation:

  1. restrict – drop frames and generate snmp trap/syslog
  2. protect – silently drop frames
  3. shutdown – error disables the port

From experience, restrict mode can cause the switch CPU to spike because of the volume of logs it generates.
CPU usage in restrict mode:

CPU utilization for five seconds: 99%/2%; one minute: 42%; five minutes: 27%

Dec 20 15:56:54.835: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 30b4.8b62.bb57 on port FastEthernet0/6.
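As an added example (not from the original post), here is a small Python triage script for syslog lines in the format shown above: it counts PSECURE_VIOLATION events per port, tracks the distinct offending MAC addresses, notes ERR_DISABLE events, and labels a port with many distinct source MACs as a likely flood rather than a single extra device. The sample log is constructed: the first four lines mirror the post's output and the remaining lines, with fictitious 0011.2233.xxxx addresses, are made up in the same format.

```python
import re
from collections import defaultdict

VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
                          r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port "
                          r"(?P<port>[A-Za-z]+[\d/]+)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                           r"(?P<port>[^,\s]+)")

# Constructed sample: first four lines follow the post's output, the rest are made up.
SAMPLE_LOG = """\
Dec 20 15:44:08.763: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Dec 20 15:44:08.797: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a5.6028.7ec7 on port FastEthernet0/6.
Dec 20 15:44:09.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
Dec 20 15:56:54.835: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 30b4.8b62.bb57 on port FastEthernet0/6.
Dec 20 15:56:54.901: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/6.
Dec 20 15:56:55.012: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port FastEthernet0/6.
Dec 20 15:56:55.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4457 on port FastEthernet0/6.
Dec 20 16:02:10.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.9999 on port FastEthernet0/3.
""".splitlines()

def short_name(port):
    """ERR_DISABLE logs Fa0/6 while PSECURE_VIOLATION logs FastEthernet0/6; unify them."""
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def analyse(lines, flood_threshold=5):
    """Per-port summary of port-security events. Many distinct offending source MACs
    on one port looks like macof; a single repeated MAC is more likely an extra device."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            entry = ports[short_name(m["port"])]
            entry["violations"] += 1
            entry["macs"].add(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[short_name(m["port"])]["err_disabled"] = True
    report = {}
    for port, entry in ports.items():
        if len(entry["macs"]) >= flood_threshold:
            verdict = "likely MAC flood: many distinct source MACs"
        elif entry["violations"]:
            verdict = "single unexpected MAC: possible extra device or hub"
        else:
            verdict = "err-disabled with no violation line in this window"
        report[port] = {**entry, "macs": sorted(entry["macs"]), "verdict": verdict}
    return report
```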

That is all for now, folks. In the next part of this series we will discuss how to protect against rogue DHCP servers.
