Preventing typical Layer 2 attacks and spoofing with Cisco switches



What people usually call attacks and spoofing refers to the use of hacker tools to scan and sniff the network, obtain management accounts and their passwords, and plant Trojan horses on the network in order to steal confidential documents. Attacks and spoofing of this kind are usually covert and quiet, but for an enterprise with high information security requirements the harm is great. Attacks from Trojans, viruses and worms, on the other hand, often deviate from the attacker's own purpose of deceit; their symptoms are sometimes very direct, bringing increased traffic, excessive device CPU utilization and Layer 2 spanning-tree loops, up to complete paralysis of the network.

At present such attack and spoofing tools are very mature and easy to use, while current enterprise deployments still have many deficiencies in preventing them, so there is a lot of work to do. Cisco has a fairly mature solution against such attacks, based mainly on the following key technologies:

- Port Security feature
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
- IP Source Guard

The following sections take the main types of Layer 2 attack and spoofing seen today and show how to use and deploy these Cisco switch technologies in combination to prevent man-in-the-middle attacks, MAC/CAM attacks, DHCP attacks and address spoofing in a switched environment. More significantly, deploying these technologies can simplify address management, directly trace a user's IP address to the corresponding switch port, and prevent IP address conflicts. At the same time, viruses that pose a great risk to the Layer 2 network and that are characterized by address scanning and spoofing can be alarmed on and isolated effectively.

1 MAC/CAM attacks

1.1 Principle and harm of MAC/CAM attacks

A switch actively learns client MAC addresses and builds and maintains a mapping table of ports to MAC addresses in order to establish forwarding paths; this table is usually called the CAM table. The CAM table has a fixed size, and the size differs between switch models. A MAC/CAM attack uses tools to generate spoofed MAC addresses that quickly fill the CAM table. Once the CAM table is full, the switch handles packets passing through it by flooding them, and the attacker can then use various sniffing tools to obtain information from the network. When the CAM table is full, traffic is flooded to all interfaces, including TRUNK interfaces, so it is also distributed to adjacent switches; the resulting load causes the network to slow down and lose packets, and can even paralyze it.

1.2 A typical case of a virus using a MAC/CAM attack

The SQL worm, which has become a very major threat on networks, uses multicast destination addresses and constructs spoofed MAC addresses to fill the switch CAM table. Its characteristics are shown in the figure below:

[Figure: traffic characteristics of the SQL worm]

1.3 Using the Port Security feature to prevent MAC/CAM attacks

Cisco's Port Security feature prevents MAC spoofing and MAC/CAM attacks. Configuring Port Security controls:

- the maximum number of MAC addresses allowed on a port
- which MAC addresses the port may learn or pass
- how a violation is handled when the number of MAC addresses exceeds the configured limit

The MAC addresses a port may learn or pass can be defined statically by hand or learned automatically by the switch. A port that learns MACs dynamically learns addresses until the specified number is reached, and learns them again after the switch is restarted. A relatively new technique is Sticky Port Security: the switch writes the learned MAC addresses into the port configuration, so they remain in the switch configuration after a restart.

There are generally three ways of handling MAC addresses that exceed the limit (they differ between switch models):

- Shutdown. This gives the strongest protection, but in some cases it causes trouble for administration, for example when a device is infected and the virus intermittently sends packets with forged source MACs into the network.

- Protect. Discard the illegal traffic without raising an alarm.

- Restrict. Discard the illegal traffic and raise an alarm. Switch CPU utilization is higher than with the two modes above, but normal use of the switch is not affected. This mode is recommended.

1.4 Configuration

Port-security configuration options:

    Switch(config-if)# switchport port-security ?
      aging        Port-security aging commands
      mac-address  Secure mac address
      maximum      Max secure addresses
      violation    Security violation mode

Configuring the maximum number of MACs, the violation action and the recovery method:

    Cat4507(config)# int fastEthernet 3/48
    Cat4507(config-if)# switchport port-security
    Cat4507(config-if)# switchport port-security maximum 2
    Cat4507(config-if)# switchport port-security violation shutdown
    Cat4507(config)# errdisable recovery cause psecure-violation
    Cat4507(config)# errdisable recovery interval 30

Configuration with sticky port-security, showing the MACs learned by the interface:

    interface FastEthernet3/29
     switchport mode access
     switchport port-security
     switchport port-security maximum 5
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 000b.db1d.6ccd
     switchport port-security mac-address sticky 000b.db1d.6cce
     switchport port-security mac-address sticky 000d.6078.2d95
     switchport port-security mac-address sticky 000e.848e.ea01
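
As an added example (not code from the original article), the following Python models the port-security decisions described in 1.3 and 1.4: learning up to the configured maximum, the three violation modes, err-disable recovery, and the lines sticky learning writes into the port configuration. The class, method names and the constructed MAC burst are this example's own.

```python
# Added example, not code from the original article: a small model of how a
# Cisco-style port-security port treats each new source MAC, covering the
# "maximum", "sticky" and "violation" options described above. The class and
# its method names are this example's own, not IOS commands.
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | protect | restrict
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    alarms: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with this source MAC."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)     # learn a new secure address
            return "forwarded (learned)"
        # Limit reached and this MAC is not a secure address: a violation.
        if self.violation == "shutdown":
            self.err_disabled = True         # port goes err-disabled
            self.alarms.append(f"{self.name}: psecure-violation, shutdown")
            return "dropped (port shut down)"
        if self.violation == "restrict":
            self.alarms.append(f"{self.name}: violation by {mac}")
            return "dropped (alarm raised)"
        return "dropped (silent)"            # protect mode: no alarm

    def errdisable_recover(self) -> None:
        """Model the 'errdisable recovery cause psecure-violation' timer firing."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Config lines, including the MACs sticky learning would write."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs]
        return lines

def simulate_cam_flood(port: SecurePort, n_macs: int) -> dict:
    """Send a burst of n_macs distinct constructed source MACs through the
    port, as a CAM-table-filling worm does, and count what got through."""
    counts = {"forwarded": 0, "dropped": 0}
    for i in range(n_macs):
        mac = f"0200.{(i >> 16) & 0xffff:04x}.{i & 0xffff:04x}"
        action = port.ingress(mac)
        counts["forwarded" if action.startswith("forwarded") else "dropped"] += 1
    return counts

if __name__ == "__main__":
    p = SecurePort("FastEthernet3/29", maximum=5, violation="restrict", sticky=True)
    print(simulate_cam_flood(p, 1000))   # 5 learned, the rest dropped with alarms
    print("\n".join(p.running_config()))
```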

1.5 Other technologies to prevent MAC/CAM attacks

Besides Port Security, the DAI technology described later can also be used to prevent MAC address spoofing.

2 DHCP attacks

2.1 Common problems in DHCP management

A DHCP server automatically sets the user's IP address, netmask, gateway, DNS, WINS and other network parameters, which simplifies the user's network settings and improves management efficiency. However, using DHCP for management also brings network managers a number of other problems; the common ones are:

- impersonation of the DHCP server
- DoS attacks on the DHCP server
- some users casually specifying their own addresses, causing address conflicts on the network

Because of the way DHCP works, there is usually no authentication mechanism between server and client, so if several DHCP servers are present the network falls into chaos. Confusion caused by users accidentally configuring DHCP servers is very common, which shows how simple deliberate sabotage would be. Hackers usually first exhaust the addresses that the legitimate DHCP server can allocate, and then impersonate the legitimate DHCP server. The most subtle and dangerous variant is a hacker using a fake DHCP server to assign users a modified DNS server, so that, without noticing, the user is directed to a pre-built fake financial or e-commerce website that captures the user's account and password. This kind of attack is very harmful.

DoS attacks on the DHCP server can be handled with the Port Security feature described above and the DAI technology described below; users casually specifying addresses and causing conflicts can likewise be handled with the DAI and IP Source Guard technologies described below. This section focuses on methods and techniques against DHCP server impersonation.

2.2 Overview of DHCP Snooping technology

DHCP Snooping is a DHCP security feature. By building and maintaining a DHCP Snooping binding table, it filters untrusted DHCP information, that is, DHCP messages from the untrusted region. The DHCP Snooping binding table contains the MAC address, IP address, lease period, VLAN ID and interface information of users in the untrusted region, as in the following table:

    cat4507# sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:0D:60:2D:45:0D   10.149.3.13      600735      dhcp-snooping  100   GigabitEthernet1/0/7

This table not only lets you track and locate a DHCP user's IP address and port, which is convenient for user management, but also supplies the information used by Dynamic ARP Inspection (DAI) and IP Source Guard.

2.3 Basic prevention

First, define trusted and untrusted ports on the switch. DHCP messages on untrusted ports are intercepted and inspected, and abnormal DHCP messages arriving from those ports are dropped, as shown in the figure below:

[Figure: trusted and untrusted DHCP snooping ports]

A basic configuration example:

IOS global commands:

    ip dhcp snooping vlan 100,200     ! define the VLANs on which DHCP snooping is enabled
    ip dhcp snooping

IOS interface commands:

    ip dhcp snooping trust
    no ip dhcp snooping trust         ! (default)
    ip dhcp snooping limit rate 10    ! pps; to some extent prevents DHCP denial-of-service attacks

Manually adding an entry to the DHCP binding table:

    ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000

Exporting the DHCP binding table to a TFTP server:

    ip dhcp snooping database tftp://10.1.1.1/directory/file

Note that the DHCP binding table must be saved to local storage (bootflash, slot0, ftp, tftp) or exported to the specified TFTP server; otherwise it is lost when the switch reboots. Devices that already hold an IP address will not send another DHCP request until their lease expires, and if the switch has been configured with the DAI and IP Source Guard technologies described below, those users will be unable to access the network.

2.3 Advanced prevention

With the switch's port security settings, each port is allowed only one unique MAC address for DHCP requests. A DHCP server usually determines the client's MAC address from the CHADDR field of the DHCP request packet, and normally that address is the same as the client's real MAC. But if an attacker leaves the client's MAC unchanged and modifies only the CHADDR field of the DHCP packet to carry out a DoS attack, Port Security does not help. DHCP snooping can check the CHADDR field of the DHCP request packet and determine whether it matches the DHCP snooping information. This check is enabled by default on some switches and has to be configured on others; consult the configuration documentation for the specific switch.

3 ARP spoofing / MITM (Man-In-The-Middle) attacks: principles and prevention

3.1 MITM (Man-In-The-Middle) attacks

The ARP protocol was designed to reduce unnecessary ARP traffic on the network: even when a host receives an ARP reply it never asked for, it inserts the reply into its own ARP cache. This is what makes "ARP spoofing" possible. If a hacker wants to sniff the communication between two hosts on the same network (even when they are connected through a switch), he sends each of the two hosts an ARP reply packet, so that both hosts "mistakenly" believe the other side's MAC address is that of the third-party host where the hacker is. The two sides then appear to have a "direct" communication link, while in fact their traffic is relayed indirectly through the hacker's host. The hacker wants to obtain the content of the communication, and on the other hand only has to change some information in the packets to forward them successfully. In this sniffing method the hacker does not need to put his network card into promiscuous mode, because the packets of both sides are physically sent to the hacker's relay host.

For example, assume three hosts on the same LAN connected through a switch: Host A: IP address 192.168.0.1, MAC address 01:01:01:01:01:01; Host B: IP address 192.168.0.2, MAC address 02:02:02:02:02:02; Host C: IP address 192.168.0.3, MAC address 03:03:03:03:03:03.

As a prelude to the deception, host B sends forged ARP reply packets to A and C, as shown in the figure:

[Figure: host B sends forged ARP replies to A and C]

After receiving the ARP reply sent by host B, host A believes that packets for 192.168.0.3 should be sent to the host with MAC address 02:02:02:02:02:02, and host C believes that packets for 192.168.0.1 should be sent to the host with MAC address 02:02:02:02:02:02. So A and C both believe the other side's MAC address is 02:02:02:02:02:02, which is exactly the result host B wanted. Of course, ARP cache entries are updated dynamically: each dynamically created mapping has a lifetime, typically two minutes, and if no new information refreshes it, the entry is automatically removed. Host B therefore has a "task": it has to keep sending these false ARP replies to A and C so that the poisoned entries stay in their ARP caches.

Now, when A and C communicate, the packets they send to each other actually arrive at host B first. If B did no further processing, A and C could not communicate normally and B would not achieve its goal of "sniffing" the content of the communication. So B makes some changes to the "wrong" packets it receives and then forwards them to the correct destination; the change is simply replacing the destination MAC and source MAC addresses. Thus, from the point of view of A and C, each packet is sent directly to the other side, while from B's point of view it plays the role of a "third party". This sniffing method is also known as the "Man-In-The-Middle" approach, as shown in the figure:

[Figure: host B relaying traffic between A and C]

3.2 Attack instances

Current tools developed on the ARP principle are very simple to use; they can sniff and analyze more than 30 kinds of applications, such as FTP, POP3, SMB, SMTP, HTTP/HTTPS, SSH and MSN, and capture the transferred contents and passwords. The following is a test capture of a TELNET session taken with such a tool; the capture includes the TELNET password and all of the transferred contents:

[Figure: captured TELNET session]

The above is application-specific data; the attacker can also hand the data intercepted by the man-in-the-middle directly to a SNIFFER for monitoring, so that all data of the deceived user can be monitored.

Some people have also used the ARP principle to develop network management tools that can cut off a specified user's connection at any time. Once such tools spread into the hands of troublemakers, the network becomes unstable, and such failures are often difficult to troubleshoot.

3.3 Prevention methods

Cisco Dynamic ARP Inspection (DAI) provides IP address to MAC address binding on the switch and establishes the binding relationship dynamically. DAI is based on the DHCP Snooping binding table; for individual machines that do not use the DHCP server, static ARP access-lists can be added. DAI is configured per VLAN, and can be enabled or disabled on individual interfaces within the same VLAN. DAI can also control the number of ARP request packets on a port. Together these techniques prevent "man-in-the-middle" attacks.

3.3 Configuration example

IOS global commands:

    ip dhcp snooping vlan 100,200
    no ip dhcp snooping information option
    ip dhcp snooping
    ip arp inspection vlan 100,200        ! define the VLANs on which ARP packets are inspected
    ip arp inspection log-buffer entries 1024
    ip arp inspection log-buffer logs 1024 interval 10

IOS interface commands:

    ip dhcp snooping trust
    ip arp inspection trust               ! define the trusted interfaces, usually those to network devices and TRUNK interfaces
    ip arp inspection limit rate 15       ! pps; the number of ARP packets per second allowed on the interface

For devices that do not use DHCP, the following can be used:

    arp access-list static-arp
     permit ip host 10.66.227.5 mac host 0009.6b88.d387
    ip arp inspection filter static-arp vlan 201

Effects of DAI after the 3.3 configuration:

- On interfaces where DAI is configured, clients cannot access the network with a manually specified address.

- Because DAI checks the IP-to-MAC correspondence in the DHCP snooping binding table, man-in-the-middle attacks cannot be carried out and the attack tools fail. The following is the switch's warning for an attempted man-in-the-middle attack:

    3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1. ([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2

- Because ARP request packets are rate-limited, clients cannot perform IP scanning, probing and similar behaviour, whether manually or by a virus; when such behaviour occurs, the switch immediately raises an alarm or directly cuts off the scanning machine. For example:

    3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.            ****** alarm
    3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state    ****** port cut off

    I49-4500-1# sh int f5/30
    FastEthernet5/30 is down, line protocol is down (err-disabled)
      Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      ...
    I49-4500-1#

- After obtaining an IP address, a user cannot modify the IP or the MAC. If the user modifies both IP and MAC to another legitimate internal IP/MAC pair, the IP Source Guard technique described below can prevent it. The following is the report for a manually specified IP:

    3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1. ([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000])
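
As an added example (not code from the original article), the following Python ties together the DHCP Snooping binding table of section 2.2 and the DAI check of section 3.3: it parses `show ip dhcp snooping binding` output, then validates constructed ARP packets against the bindings for their VLAN and port, against a static ARP ACL entry, and against a per-port ARP rate limit, producing err-disable on excess. The show output and ARP packets are constructed; the class and function names are this example's own.

```python
# Added example, not code from the original article: parse the output of
# "show ip dhcp snooping binding" (section 2.2) and apply the DAI check of
# section 3.3 to constructed ARP packets: the sender MAC/IP must match a
# binding for the ingress VLAN and port (or a static ARP ACL entry), and ARP
# packets per port are rate-limited. Class and function names are assumed.
import re
from collections import defaultdict

# Constructed show-command output in the page's format (second row added).
SHOW_BINDING = """\
cat4507# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0D:60:2D:45:0D   10.149.3.13      600735      dhcp-snooping  100   GigabitEthernet1/0/7
00:0B:DB:1D:6C:CD   192.168.1.200    86400       dhcp-snooping  1     FastEthernet5/16
"""

ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def norm_mac(mac: str) -> str:
    """Accept 00:0D:60:2D:45:0D or 000d.602d.450d; return 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text: str) -> dict:
    """Build {(vlan, interface): {mac: ip}} from the show-command output."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, ip, _lease, _type, vlan, iface = m.groups()
            table[(int(vlan), iface)][norm_mac(mac)] = ip
    return table

class DynamicArpInspection:
    """Simplified DAI: real DAI also validates target fields and can check the
    Ethernet src/dst MACs; this model keeps the core binding and rate checks."""
    def __init__(self, bindings: dict, static_acl=(), limit_rate: int = 15):
        self.bindings = bindings                     # from parse_bindings()
        self.static_acl = {norm_mac(m): ip for ip, m in static_acl}  # arp access-list
        self.limit_rate = limit_rate                 # ip arp inspection limit rate N
        self.err_disabled = set()
        self.pps = defaultdict(int)                  # (port, whole second) -> ARPs seen

    def inspect(self, arp: dict) -> str:
        """arp has port, vlan, sender_mac, sender_ip, t (seconds). Return verdict."""
        port, vlan = arp["port"], arp["vlan"]
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        key = (port, int(arp["t"]))
        self.pps[key] += 1
        if self.pps[key] > self.limit_rate:          # too many ARPs this second
            self.err_disabled.add(port)
            return f"%SW_DAI-4-PACKET_RATE_EXCEEDED on {port}: err-disable"
        mac = norm_mac(arp["sender_mac"])
        expected = self.bindings.get((vlan, port), {}).get(mac) or self.static_acl.get(mac)
        if expected == arp["sender_ip"]:
            return "permitted"
        return (f"%SW_DAI-4-DHCP_SNOOPING_DENY: Invalid ARP on {port}, vlan {vlan} "
                f"([{arp['sender_mac']}/{arp['sender_ip']}])")

if __name__ == "__main__":
    dai = DynamicArpInspection(parse_bindings(SHOW_BINDING),
                               static_acl=[("10.66.227.5", "0009.6b88.d387")])
    legit = dict(port="FastEthernet5/16", vlan=1, sender_mac="000b.db1d.6ccd",
                 sender_ip="192.168.1.200", t=0.0)
    print(dai.inspect(legit))                                   # permitted
    print(dai.inspect(dict(legit, sender_ip="192.168.1.1")))    # denied: IP not bound to MAC
```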

4 IP/MAC spoofing prevention

4.1 Common types of spoofing attacks and their purpose

The common types of spoofing are MAC spoofing, IP spoofing and IP/MAC spoofing; their purpose is generally to forge an identity or to obtain the privileges of a particular IP/MAC. More aggressive behaviour seen at present, such as Ping of Death, SYN flood and ICMP unreachable storms, as well as various virus and Trojan attacks, is typical of this; the following is an example of a Trojan horse attack.

4.2 Attack instance

The figure shows an attack using forged source addresses. The destination addresses are public DNS servers on the Internet; the direct objective is to deliver the forged source address to the DNS server and have it respond there, producing a DDoS attack and thereby amplifying the effect of the attack. The attack sent tens of thousands of packets per second and brought a mid-range switch to a standstill within 2 minutes; the indirect consequences are even larger.

[Figure: forged-source-address attack towards public DNS servers]

4.3 IP/MAC spoofing prevention

IP Source Guard is configured on the switch and is supported only on Layer 2 ports. It guards against IP/MAC spoofing through the following mechanisms:

- IP Source Guard uses the information in the DHCP snooping binding table.

- It is configured on switch ports and takes effect on those ports.

- Its operating mechanism is similar to DAI, but DAI only checks ARP packets, whereas all packets passing through a port on which IP Source Guard inspection is defined must be checked.

- IP Source Guard checks whether the IP address and MAC address of traffic passing through the interface are in the DHCP snooping binding table; if they are not, the traffic is blocked. Note that checking the MAC address requires a DHCP server that supports Option 82 and a router that passes Option 82 information.

Configuring IP Source Guard on the switch:

- filters out illegal IP addresses, including those deliberately changed by users and those produced by virus attacks;

- resolves IP address conflicts;

- provides dynamic establishment of an IP + MAC + PORT table and the corresponding binding; for machines that do not use the DHCP server and some special cases, static entries can be added manually to the binding table with the corresponding global command;

- an interface configured with IP Source Guard initially blocks all non-DHCP traffic;

- it cannot prevent "man-in-the-middle" attacks.

On routers, uRPF technology can also be used against IP spoofing.

4.4 Configuration example

Checking IP + MAC on an interface:

IOS global configuration commands:

    ip dhcp snooping vlan 12,200
    ip dhcp snooping information option
    ip dhcp snooping

Interface configuration commands:

    ip verify source vlan dhcp-snooping port-security
    switchport mode access
    switchport port-security
    switchport port-security limit rate invalid-source-mac N

The last command controls the rate at which the port may learn source MACs; it is only meaningful together with IP + MAC checking.

Checking IP only on an interface:

IOS global configuration commands:

    ip dhcp snooping vlan 12,200
    no ip dhcp snooping information option
    ip dhcp snooping

Interface configuration command:

    ip verify source vlan dhcp-snooping

Static configuration for devices that do not use DHCP:

IOS global configuration commands:

    ip dhcp snooping vlan 12,200
    ip dhcp snooping information option
    ip dhcp snooping
    ip source binding 0009.6b88.d387 vlan 212 10.66.227.5 interface Gi4/5

5 New ideas for IP address management and virus prevention

5.1 IP address management

In summary, configuring these features on Cisco switches not only solves some typical attack and virus prevention problems, but also provides a new way of thinking about traditional IP address management.

The technologies above solve the following common problems of managing client IP addresses with a DHCP server:

- users deliberately not using DHCP and manually specifying static IP addresses that conflict with DHCP-assigned addresses

- users configuring their own DHCP servers

- problems caused by the use of manually specified static IPs

- addresses not assigned by DHCP conflicting with servers or other addresses

- difficulty in locating the mapping between a specific IP address and a switch port

Important servers and computers that use static addresses can be statically bound by IP + MAC or IP + MAC + PORT, by manually configuring DAI and IP Source Guard binding table entries; this protects these devices and also prevents attacks originating from them.

Faced with continuous virus outbreaks on today's networks, more and more users are starting to pay attention to the management of PC users: who can access the network and what they can do after access, which is the AAA authentication we always talk about. Beyond this, users want to locate quickly which switch and port a user logged in on and with which IP and MAC, which has given rise to the concept of "AAA + A" (Authenticate, Authorize, Account, Address).

With the configuration above we can locate the user at the network level; combined with 802.1X authentication, we can also authenticate and authorize the user's identity at the network level, achieving "AAA + A" for the user.

[Figure: AAA + A with 802.1X and the switch binding tables]

Going further, the user's computer can be audited against conditions such as whether system patches and anti-virus software with its updates are installed; this is Cisco Network Admission Control (NAC).

5.2 Using DHCP Snooping, DAI and IP Source Guard to solve virus-related problems

Since most of the viruses that cause large harm on local area networks have the typical characteristics of spoofing and scanning, rapid packet sending and large numbers of ARP requests, using the technologies above can, to a certain extent, automatically cut off the virus source, give timely warning, and accurately locate the virus source.
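
As an added example (not code from the original article), the following Python automates the "timely warning and accurate location of the source" described above: it parses %SW_DAI and %PM-4-ERR_DISABLE syslog lines in the format shown in section 3.3 and groups them per port, listing the MACs seen sending invalid ARPs and whether DAI has already err-disabled the port. The log lines are constructed; the regular expressions and function names are this example's own.

```python
# Added example, not code from the original article: parse the %SW_DAI and
# %PM-4-ERR_DISABLE syslog lines shown in section 3.3 and group them per port,
# so that the timely warning and location of the source described above can
# be automated. The log lines are constructed in the page's format; the
# regular expressions and function names are this example's own.
import re
from collections import Counter

SAMPLE_LOG = """\
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1. ([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000])
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1. ([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2/01:53:02 UTC Fri Dec 29 2000])
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state
3w0d: %SYS-5-CONFIG_I: Configured from console by console
"""

DENY = re.compile(r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on ([^,]+), "
                  r"vlan (\d+)\. \(\[([0-9a-f.]+)/([\d.]+)/([0-9a-f.]+)/([\d.]+)")
RATE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (\d+) packets received in (\d+) "
                  r"milliseconds on (\S+)\.")
ERRD = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")

def parse_dai_line(line: str):
    """Return a dict describing the DAI event on this line, or None."""
    m = DENY.search(line)
    if m:
        count, op, port, vlan, smac, sip, _tmac, tip = m.groups()
        return {"event": "invalid_arp", "port": port, "vlan": int(vlan),
                "count": int(count), "op": op, "sender_mac": smac,
                "sender_ip": sip, "target_ip": tip}
    m = RATE.search(line)
    if m:
        pkts, ms, port = m.groups()
        return {"event": "rate_exceeded", "port": port,
                "pps": round(int(pkts) * 1000 / int(ms))}   # observed ARP rate
    m = ERRD.search(line)
    if m:
        cause, port = m.groups()
        return {"event": "err_disabled", "port": port, "cause": cause}
    return None

def summarise(log: str) -> dict:
    """Group events per port so an operator sees which port to visit, which
    MACs were seen sending invalid ARPs, and whether DAI already cut it off."""
    per_port = {}
    for line in log.splitlines():
        ev = parse_dai_line(line)
        if ev is None:
            continue
        entry = per_port.setdefault(ev["port"], {"events": Counter(),
                                                 "macs": set(), "err_disabled": False})
        entry["events"][ev["event"]] += 1
        if ev["event"] == "invalid_arp":
            entry["macs"].add(ev["sender_mac"])
        elif ev["event"] == "err_disabled":
            entry["err_disabled"] = True
    return per_port

if __name__ == "__main__":
    for port, info in summarise(SAMPLE_LOG).items():
        print(port, dict(info["events"]), sorted(info["macs"]), info["err_disabled"])
```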