1 of 70

Computer Systems & Network Administration

Security

2 of 70

Outline

  • L2 security
    • MAC Flooding
    • DHCP starvation, Rogue DHCP Servers
    • ARP Spoofing
    • STP Spoofing
  • L3 security
    • IP Spoofing
  • OWASP Top 10
    • A10:2021-Server-Side Request Forgery

3 of 70

MAC Flooding

L2 Security

4 of 70

L2 switch

  • An L2 switch maintains a MAC table for forwarding Ethernet frames.
  • The switch learns and stores the MAC addresses of all connected devices.

5 of 70

L2 switch - MAC Table learning

  • Suppose that three PCs know each other's MAC addresses.
  • When PC A sends the first frame to PC C with the header below, the switch learns that MAC address aa:aa:aa:aa:aa:aa is at port 1.

    src MAC             dst MAC
    aa:aa:aa:aa:aa:aa   cc:cc:cc:cc:cc:cc

6 of 70

L2 switch - MAC Table learning (cont.)

  • Since the MAC address cc:cc:cc:cc:cc:cc is not in the table, the switch broadcasts this frame to all other ports.
  • Upon receipt of this frame, PC B drops the frame since the dst MAC is not PC B’s MAC address.

    src MAC             dst MAC
    aa:aa:aa:aa:aa:aa   cc:cc:cc:cc:cc:cc

7 of 70

L2 switch - MAC Table learning (cont.)

  • Since the dst MAC address matches PC C’s MAC address, PC C picks up the frame.
  • When PC C replies with a frame to PC A, the switch learns that MAC address cc:cc:cc:cc:cc:cc is at port 3.

    src MAC             dst MAC
    cc:cc:cc:cc:cc:cc   aa:aa:aa:aa:aa:aa

8 of 70

L2 switch - MAC Table learning (cont.)

  • Since the dst MAC address aa:aa:aa:aa:aa:aa is already in the MAC table, the switch forwards the frame to port 1 directly (no broadcast).

    src MAC             dst MAC
    cc:cc:cc:cc:cc:cc   aa:aa:aa:aa:aa:aa

9 of 70

Hub

  • A hub is an L1 device that repeats all Ethernet frames to every port.
  • A hub is sometimes called a “dumb switch” because it behaves like an L2 switch without a MAC table.

https://zh.wikipedia.org/wiki/%E9%9B%86%E7%B7%9A%E5%99%A8#/media/File:4_port_netgear_ethernet_hub.jpg

10 of 70

MAC Flooding

  • The L2 switch MAC forwarding table has limited storage space (usually thousands to tens of thousands of entries).
  • If the MAC table is filled up (e.g. by an attack), all subsequent frames to unlearned addresses are broadcast (like a hub).

https://support.f5.com/csp/article/K6567

11 of 70

MAC Flooding (cont.)

  • Suppose the storage limit of the MAC table is 4.
  • The following four frames sent by PC B consume all storage space.

    src MAC                    dst MAC
    bb:bb:bb:bb:bb:bb          aa:aa:aa:aa:aa:aa
    dd:dd:dd:dd:dd:dd (fake)   aa:aa:aa:aa:aa:aa
    ee:ee:ee:ee:ee:ee (fake)   aa:aa:aa:aa:aa:aa
    ff:ff:ff:ff:ff:ff (fake)   aa:aa:aa:aa:aa:aa

12 of 70

MAC Flooding (cont.)

  • Since the table is full, the switch cannot learn any more MAC addresses and falls back to broadcasting frames for unknown destinations.
  • In this case, the attacker may receive frames that are not addressed to it, e.g. a frame with the following header:

    src MAC             dst MAC
    aa:aa:aa:aa:aa:aa   cc:cc:cc:cc:cc:cc   (cc:cc:cc:cc:cc:cc is not in the table because the table is full, so the frame is broadcast)

13 of 70

MAC Flooding - How to defend

  • Port MAC entry limit
    • Port security
      • Static secure MAC
        • Manually configured by the SA/NA.
        • Entries persist across reboots.
      • Dynamic secure MAC
        • Automatically learned.
        • With an aging timer and/or inactivity timer.
        • Entries are lost at reboot.
      • Sticky secure MAC
        • Manually configured or automatically learned.
        • With an aging timer and/or inactivity timer.
        • Entries persist across reboots.
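As an added example (not part of the slides), a toy Python model of the switch from the MAC-table and MAC-flooding slides: a MAC table with a fixed capacity, flooding for unknown destinations, and an optional per-port secure-MAC limit standing in for port security. Port numbers, MAC addresses and the table size 4 follow the slides; dropping violating frames in a restrict-style mode is an assumption of the model.

```python
# Added example, not from the slides: a toy L2 switch showing why a full MAC table
# makes the switch flood like a hub, and how a per-port secure-MAC limit (port
# security) stops fake source addresses from filling it.

class Switch:
    def __init__(self, ports, table_limit, max_macs_per_port=None):
        self.ports = ports
        self.table_limit = table_limit         # total MAC-table capacity
        self.max_per_port = max_macs_per_port  # port-security limit, None = disabled
        self.mac_table = {}                    # MAC -> port
        self.violations = []                   # (port, MAC) rejected by port security

    def _learn(self, src, port):
        """Record src on port; return False if port security rejects the frame."""
        if src in self.mac_table:
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations.append((port, src))
                return False               # assumption: 'restrict' mode, drop and count
        if len(self.mac_table) < self.table_limit:
            self.mac_table[src] = port     # when the table is full, nothing is learned
        return True

    def forward(self, src, dst, in_port):
        """Return the egress port list for a frame src -> dst arriving on in_port."""
        if not self._learn(src, in_port):
            return []                                      # dropped by port security
        if dst in self.mac_table:
            return [self.mac_table[dst]]                   # known destination: unicast
        return [p for p in self.ports if p != in_port]    # unknown destination: flood

def mac_flooding_demo(port_security):
    """Replay the flooding slides; return (egress ports of a later A -> C frame, violations)."""
    sw = Switch(ports=[1, 2, 3], table_limit=4,
                max_macs_per_port=1 if port_security else None)
    A, B, C = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    sw.forward(A, C, 1)                  # A -> C: the switch learns A on port 1
    # PC B on port 2 sends its own MAC and three fake source MACs
    for src in (B, "dd:dd:dd:dd:dd:dd", "ee:ee:ee:ee:ee:ee", "ff:ff:ff:ff:ff:ff"):
        sw.forward(src, A, 2)
    sw.forward(C, A, 3)                  # C replies; is there still room to learn C?
    return sw.forward(A, C, 1), len(sw.violations)

if __name__ == "__main__":
    print("no port security :", mac_flooding_demo(False))  # ([2, 3], 0): B gets a copy
    print("port security    :", mac_flooding_demo(True))   # ([3], 3): unicast to C only
```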

14 of 70

DHCP starvation, Rogue DHCP Servers

L2 Security

15 of 70

DHCP Procedure

https://www.twblogs.net/a/5b96ed672b717750bda7761f

16 of 70

DHCP starvation

  • DHCP starvation is a denial of service (DoS) attack.
  • To exhaust the IP pool of the DHCP server, the attacker repeatedly runs the DHCP procedure using many fake MAC addresses.

17 of 70

Rogue DHCP Servers

  • The attacker pretends to be a real DHCP server by responding with a DHCP Offer immediately after observing a DHCP Discover message.
  • The attacker provides malicious DHCP lease information (default gateway, DNS server) to redirect traffic through the attacker.

18 of 70

DHCP starvation + Rogue DHCP Servers

  • A rogue DHCP server increases the effectiveness of its attack by starting with DHCP starvation, leaving clients with only the attacker's offer.

(figure: the legitimate DHCP pool has run out of IP addresses)

19 of 70

DHCP starvation - how to defend

  • Port Security
    • Limiting the number of unique MAC addresses allowed on each switch port

https://www.packetorbit.net/post/dhcp-hardening

20 of 70

Rogue DHCP Servers - how to defend

  • DHCP Snooping
    • Limiting the number of unique MAC addresses allowed on each switch port
    • Allowing DHCP Offer message from only trusted port

https://www.packetorbit.net/post/dhcp-hardening

21 of 70

ARP Spoofing

L2 Security

22 of 70

ARP Request

  • Knowing only the destination IP address, a network node can broadcast an ARP request to ask for the destination's MAC address.

https://ipcisco.com/lesson/address-resolution-protocol-arp/

23 of 70

ARP Reply

  • The owner of the requested IP address answers with a unicast ARP reply.

https://ipcisco.com/lesson/address-resolution-protocol-arp/

24 of 70

ARP cache (ARP table)

  • Each network node maintains a table of IP-to-MAC mappings so that it does not have to send ARP requests frequently.

(figures: ARP table output on Linux and on Windows)

25 of 70

ARP spoofing

  • a.k.a. ARP cache poisoning, or ARP poison routing
  • The attacker sends a crafted ARP response with poisoned MAC address to a network node to overwrite the ARP Table, so that subsequent IP packets are directed to the attacker (or other MAC address specified by the attacker).

26 of 70

ARP spoofing

  • If an attacker poisons an ARP entry with a nonexistent MAC address => DoS
  • If the attacker poisons an ARP entry with the attacker's own MAC address => MITM
  • If an attacker poisons many ARP entries with the MAC address of one victim => DDoS

27 of 70

ARP spoofing - how to defend

  • Static ARP table
    • only effective for small networks
  • DAI (Dynamic ARP Inspection)
    • DAI prevents these attacks by intercepting all ARP requests and responses.
    • DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in a trusted database.
    • The trusted database is built at runtime by DHCP snooping or user-configured ARP ACLs.
    • Invalid ARP packets are dropped.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
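As an added example, not from the slides or from Cisco's implementation, a minimal Python model of the DAI check described above: it parses a raw ARP packet and permits it only when the sender's IP/MAC pair matches the binding that DHCP snooping recorded for the ingress port. The binding table, the ARP packets and the trusted-port set are constructed for the demo.

```python
# Added example, not from the slides or from Cisco's DAI: parse the 28-byte ARP
# payload of a frame and permit it only when (sender IP, sender MAC, ingress port)
# matches the binding table that DHCP snooping built. All data below is constructed.
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(payload):
    """Return the fields of an IPv4-over-Ethernet ARP packet as a dict."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"oper": oper, "sha": _mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

def build_arp(oper, sha, spa, tha, tpa):
    """Constructed ARP packet for the demo (sample input, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       ipaddress.IPv4Address(spa).packed, mac(tha),
                       ipaddress.IPv4Address(tpa).packed)

def dai_decision(payload, bindings, in_port, trusted_ports):
    """Return 'permit' or 'drop' for an ARP packet that arrived on in_port.

    bindings: {ip: (mac, port)} as learned by DHCP snooping. Frames on trusted
    ports (uplinks to other switches) are not inspected, as on Cisco switches."""
    if in_port in trusted_ports:
        return "permit"
    arp = parse_arp(payload)
    if bindings.get(arp["spa"]) != (arp["sha"], in_port):
        return "drop"      # sender IP is not bound to this MAC on this port
    return "permit"

# Constructed binding table: IP -> (MAC, switch port) recorded by DHCP snooping
BINDINGS = {"10.0.0.1": ("aa:aa:aa:aa:aa:aa", 1),
            "10.0.0.2": ("bb:bb:bb:bb:bb:bb", 2),
            "10.0.0.3": ("cc:cc:cc:cc:cc:cc", 3)}

def demo():
    """Legitimate reply from PC C versus a poisoned reply from PC B claiming C's IP."""
    legit = build_arp(2, "cc:cc:cc:cc:cc:cc", "10.0.0.3", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
    poison = build_arp(2, "bb:bb:bb:bb:bb:bb", "10.0.0.3", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
    return dai_decision(legit, BINDINGS, 3, {24}), dai_decision(poison, BINDINGS, 2, {24})
```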

28 of 70

ARP spoofing - some legitimate uses

  • Use ARP spoofing to redirect traffic to an alternate device when a device fails.
  • When a packet capture tool cannot be placed between two machines, ARP spoofing can put an inspection host in the middle to examine the traffic.

29 of 70

STP Spoofing

L2 Security

30 of 70

broadcast storm

  • A broadcast storm is the accumulation of broadcast and multicast traffic on a computer network.
  • Most commonly the cause is a switching loop in the Ethernet network topology.

31 of 70

broadcast storm

(figure: a host sends an ARP request)

32 to 36 of 70

broadcast storm (figure-only slides, no text)

37 of 70

STP

  • The solution to broadcast storms.
  • Spanning Tree Protocol, a.k.a. STP.
  • https://www.jannet.hk/spanning-tree-protocol-stp-zh-hant/

38 of 70

STP

  • Root bridge: the switch that won the STP root election.
  • BPDU (Bridge Protocol Data Unit): a frame used to carry STP information between switches; only the root bridge originates it.

39 of 70

What can an STP attack cause?

  • A change of the network topology.
  • Packet leakage.
  • Man in the middle (MITM).

40 of 70

STP - TCN Attack

  • Topology Change Notification (TCN): when a non-root switch detects a topology change, it generates a TCN and sends it out of its root port towards the root bridge.
  • After the root switch receives the TCN, it tells every switch in the network to reduce the MAC address table aging time from 300 s to 15 s, so that all switches clear their old entries.

41 of 70

STP - TCN Attack

  • By sending TCNs continuously, the attacker keeps the MAC tables of the switches in the network empty, so all traffic is flooded as in MAC flooding.

42 of 70

STP - Root role hijack

  • Send BPDUs that advertise a lower (better) bridge priority than the current root switch.

43 of 70

STP - Root role hijack

  • TCN control
  • Role instability: continually changing the root switch makes the network unstable.
  • MITM

44 of 70

STP - BPDU DoS

  • When a switch receives a BPDU it recalculates the spanning tree; sending BPDUs continuously therefore consumes a lot of switch resources.

45 of 70

STP - How to defend

46 of 70

L2 security tools

  • yersinia
    • https://www.kali.org/tools/yersinia/

47 of 70

IP Spoofing

L3 Security

48 of 70

IP Spoofing

  • “IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.”

https://www.cloudflare.com/zh-tw/learning/ddos/glossary/ip-spoofing/

49 of 70

IP Spoofing (cont.)

  • “DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while masking the identity of the malicious source, preventing mitigation efforts.”

50 of 70

Specialized IP Spoofing Packet

  • Send this packet on any IP

51 of 70

Specialized IP Spoofing Packet

On 103.172.124.2

52 of 70

Amplification Attacks

  • Suppose a service responds to each incoming packet five times.
  • Such services already exist, e.g. DNS and NTP.
  • The source IP is spoofed and set to the victim's IP address, so the amplified responses go to the victim.

53 of 70

Amplification Attacks

54 of 70

Amplification Attacks

(figure) Data centers in Cloudflare’s global network and the relative amount of memcached attack traffic they received during a recent attack

55 of 70

Specialized DNS packet

56 of 70

Specialized IP Spoofing Packet

On 103.172.124.2

57 of 70

IP Spoofing - how to defend

58 of 70

OWASP Top 10

59 of 70

What is OWASP Top 10

  • Open Web Application Security Project
  • OWASP's list of the top 10 web application security weaknesses

60 of 70

What is OWASP Top 10

61 of 70

A10:2021-Server-Side Request Forgery

OWASP Top 10

62 of 70

What is Server-Side Request Forgery

  • A.K.A. SSRF
  • A flaw that lets a user make the server send requests to any target, so attackers can reach resources on the intranet without restriction.
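As an added example (not from the slides), the check a server-side fetcher needs so that a user-supplied URL cannot reach internal hosts: the vulnerable variant connects to whatever hostname the user provided, while the hardened variant allows only http(s), resolves the name and refuses any answer in a private, loopback or link-local range. The DNS answers are constructed so the code runs offline; in production the resolver parameter would wrap socket.getaddrinfo.

```python
# Added example, not from the slides: the core check a server-side URL fetcher
# needs to avoid SSRF. vulnerable_fetch_target() connects to whatever the user
# supplied; safe_fetch_target() allows only http(s), resolves the host and
# refuses any address inside the network. DNS answers are constructed (offline).
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers standing in for socket.getaddrinfo()
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],                 # link-local address
    "rebind.attacker.test": ["93.184.216.34", "10.31.31.5"],  # public and internal
}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def vulnerable_fetch_target(url):
    """SSRF-prone behaviour: the server connects to whatever host the user gave."""
    return urlsplit(url).hostname

def is_internal(ip):
    """True for private, loopback, link-local, multicast, reserved or 0.0.0.0."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local or
            a.is_multicast or a.is_reserved or a.is_unspecified)

def safe_fetch_target(url, resolver=fake_resolver):
    """Return (host, ip) the server may connect to, or None if the URL is refused.

    The caller should connect to the returned ip and send host in the Host
    header; re-resolving the name later would reopen a DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username or not parts.hostname:
        return None
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        ips = [host]                           # a literal IP address in the URL
    except ValueError:
        ips = resolver(host)                   # every answer must pass the check
    if not ips or any(is_internal(ip) for ip in ips):
        return None
    return host, ips[0]
```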

63 to 69 of 70

What is Server-Side Request Forgery (figure-only slides, no text)

70 of 70

Play around, but don't break anything.

Find the hidden services.

http://ssrf.vincent55.nasa/

Use testVPN (change AllowedIPs to 10.100.0.0/16, 10.31.31.0/24)