Wednesday, November 12, 2008

LAN Security and local attacks - part 1



Traffic Eavesdropping
• Easy on shared media LANs
• Still possible on switched LANs
  • e.g. by flooding or tricking the bridge address table
• Easy on wireless LANs
• Possible to install a physical splitter/tap/hub/bridge
  • Would you see a physical something?
  • Does the link bounce? Would you notice that?


LAN Bridge/Switch Attacks
• Overflow MAC address tables to cause flooding
  • Typical gear can hold a few thousand addresses
  • MAC addresses are 48 bits wide, so the address space is vastly larger than a few thousand
• Spoof spanning tree BPDU messages
  • Take over as root/designated bridge
  • Cause continuous topology recomputations
• Forge VLAN, priority or aggregation tags
• Spoof PAUSE (flow control) frames (Gigabit Ethernet only)
• DDoS/floods, broadcast storms


Preventing LAN Bridge Attacks
• Monitor MAC address tables
• Manually set the root bridge and monitor it
• Use features like Cisco's BPDU Guard and Root Guard
• Manually set and prune trunked switch ports
• Use 802.1x port authentication
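The "monitor MAC address tables" item above is easy to say and rarely done. As an added example (not part of the original post or of any vendor's tooling), the script below parses bridge address-table snapshots in a common "VLAN / MAC / type / port" text layout and applies three checks a defender would want: a port that has learned far more addresses than an access port should (the overflow attempt described earlier), one MAC appearing on several ports in a single snapshot, and MACs that have moved ports between two snapshots. The switch output, port names, thresholds and addresses are all constructed for the example.

```python
"""Detect MAC-table overflow and address moves from bridge address-table snapshots.
Added example; the table layout and every address below are constructed, not real captures."""
import re
from collections import Counter, defaultdict

# Matches rows like: "10    00:11:22:33:44:01  DYNAMIC  Gi0/1"; headers and separators are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from 'VLAN MAC TYPE PORT' rows."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            entries.append((int(vlan), mac.lower(), port))
    return entries


def macs_per_port(entries):
    """Count learned addresses per port."""
    return Counter(port for _, _, port in entries)


def overflow_ports(entries, threshold):
    """Ports holding more addresses than an access port plausibly should: a flooding indicator."""
    return {port: n for port, n in macs_per_port(entries).items() if n > threshold}


def multi_port_macs(entries):
    """A MAC learned on several ports within one snapshot (loop, spoofing or flapping)."""
    ports = defaultdict(set)
    for _, mac, port in entries:
        ports[mac].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def moved_macs(previous, current):
    """Compare two snapshots kept as history: MACs whose port changed between them."""
    prev = {mac: port for _, mac, port in previous}
    curr = {mac: port for _, mac, port in current}
    return {m: (prev[m], curr[m]) for m in prev.keys() & curr.keys() if prev[m] != curr[m]}


def _row(vlan, mac, port):
    return f"{vlan:<5} {mac}  DYNAMIC  {port}"


def build_sample():
    """Constructed snapshots: a quiet baseline, then a flood on Gi0/7 with the server MAC moving there."""
    header = ["Vlan  Mac Address        Type     Ports", "----  -----------------  -------  -----"]
    hosts = [_row(10, f"00:11:22:33:44:{i:02x}", f"Gi0/{i}") for i in range(1, 4)]
    baseline = header + hosts + [_row(10, "00:50:56:aa:bb:cc", "Gi0/24")]  # file server on Gi0/24
    attacked = header + hosts + [_row(10, "00:50:56:aa:bb:cc", "Gi0/7")]   # server MAC now claimed on Gi0/7
    attacked += [_row(10, f"02:aa:bb:cc:{i >> 8:02x}:{i & 0xff:02x}", "Gi0/7") for i in range(400)]
    return "\n".join(baseline), "\n".join(attacked)


if __name__ == "__main__":
    before, after = build_sample()
    prev_entries, curr_entries = parse_mac_table(before), parse_mac_table(after)
    print("overflowing ports:", overflow_ports(curr_entries, threshold=8))
    print("MACs on several ports:", multi_port_macs(curr_entries))
    print("MACs that moved:", moved_macs(prev_entries, curr_entries))
```

The threshold is deliberately a parameter: an access port feeding a single PC should learn one or two addresses, a port facing a hypervisor or an unmanaged desktop switch legitimately learns more, so tune it per port role rather than per switch.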


ARP-based Attacks
• ARP request spoofing
  • Hosts that answer a request cache the sender's address information
  • So do other hosts that already have an entry for the sender
• ARP update spoofing (gratuitous ARP)
• Thinking out loud:
  • Is UNARP widely used? No.
  • Can we poison ARP entries so an IP maps to a group (multicast) address?


Preventing ARP-based Attacks
• Use LAN switches with one port per end host
• Enable port security to limit source MAC addresses
• Use 802.1x port authentication
• Enable (or get vendors to add) host-side checks that validate ARP replies
  • How best to do this?
• Monitor LAN bridge/switch address tables
• Monitor router ARP tables
• Keep a history of address/ARP tables
• FYI: vendors must support these features at line rate
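The last three items (monitor router ARP tables, keep a history, validate entries) can be put together into a small audit. As an added example, not code from the original post or from any router vendor, the script below reads ARP/neighbour tables in the text layout printed by `ip -4 neigh` on Linux, compares the current table against a saved one, and flags three things: an IP whose MAC differs from history (the usual poisoning signature), a MAC with the I/G bit set (the "poison to a group address" question raised above: a unicast IP should never resolve to a multicast or broadcast MAC), and one MAC claimed by many IPs. The two tables, addresses and interface names are constructed for the example.

```python
"""Audit an ARP/neighbour table against history.
Added example; the 'ip -4 neigh' style rows and all addresses are constructed, not real captures."""
import re
from collections import defaultdict

# Matches rows like: "192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE".
# Rows without an lladdr (FAILED / INCOMPLETE) carry no binding and are skipped.
NEIGH_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})\s+(\S+)")

# Constructed history: the saved table from an earlier run. 192.168.1.1 is the default gateway.
HISTORY_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:00:5e:00:01:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.22 dev eth0 lladdr 00:11:22:33:44:22 REACHABLE
"""

# Constructed current table: the gateway and .22 now resolve to .21's MAC, and .20 resolves to a multicast MAC.
CURRENT_TABLE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.20 dev eth0 lladdr 01:00:5e:7f:ff:fa REACHABLE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.22 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
192.168.1.23 dev eth0  FAILED
"""


def parse_neigh(text):
    """Return {ip: mac} for every row that carries a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, _state = m.groups()
            table[ip] = mac.lower()
    return table


def is_group_mac(mac):
    """I/G bit: least significant bit of the first octet set means multicast/broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


def changed_bindings(history, current):
    """IPs present in both tables whose MAC differs from the recorded one."""
    return {ip: (history[ip], current[ip]) for ip in history.keys() & current.keys() if history[ip] != current[ip]}


def group_address_bindings(current):
    """IPs resolving to a group MAC; a host never legitimately has one."""
    return {ip: mac for ip, mac in current.items() if is_group_mac(mac)}


def shared_macs(current, limit=1):
    """MACs claimed by more than `limit` IPs (a proxy-ARP gateway may legitimately exceed 1)."""
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > limit}


def audit(history_text, current_text, shared_limit=1):
    """Run all three checks and return the findings as one dict."""
    history, current = parse_neigh(history_text), parse_neigh(current_text)
    return {
        "changed": changed_bindings(history, current),
        "group": group_address_bindings(current),
        "shared": shared_macs(current, shared_limit),
    }


if __name__ == "__main__":
    for name, findings in audit(HISTORY_TABLE, CURRENT_TABLE).items():
        print(f"{name}: {findings}")
```

In practice the history file is written by the same script on each run, so a binding that changes once (a replaced NIC) shows up exactly once, while a poisoning attempt that flips the gateway's MAC back and forth shows up on every run.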
