Understanding and Preventing L2 Attacks Part 3 - More Attacks and Mitigation

Understanding and Preventing L2 Attacks Series Index

Part 1 - Security Overview

Part 2 - DHCP Attacks and Mitigation

Part 3 - More Attacks and Mitigation


This is the final post in the Layer 2 Attack Series.


We will go over a few more common attacks and how to prevent them. Of course, there are additional L2 attacks, but with the covered mitigation techniques, you are infinitely closer to a secure L2 environment, regardless of the actual attack vector.


CAM Overflow

Switches record every inbound instance of a MAC Address in a database called the CAM Table. For example, when MAC Address AAAA.BBBB.CCCC attaches to switchport g1/0/1, the switch will record this information in the CAM. Now, when anyone else on the network wants to talk to AAAA.BBBB.CCCC, the switch simply sends the data out of port g1/0/1.


On a Cisco switch, there is a configurable timeout called the MAC Aging Time, which has a default value of 5 minutes (300 seconds). The aging time simply means that if the switch doesn’t hear from a particular MAC Address for 300 seconds, it will remove it from the CAM Table.


The CAM Table has a finite amount of space that can be used to record the MAC Addresses. This varies from platform to platform and in a large environment, the CAM Table limit can actually become an issue with or without a CAM Overflow attack. These limits are listed in the Cisco Data sheet, typically under a heading of “Total number of MAC addresses”. For example, a 3850-x can hold a maximum of 32,000 addresses at any given time.


The question becomes, what happens when the table is completely full, and the switch receives traffic for a MAC Address that isn’t in the table? The answer is it floods the incoming traffic out of all ports that are within the same VLAN as the source. In other words, the switch becomes a hub. Since all ports receive the traffic, an attacker only needs to run a simple packet capture to view the data. In addition, this can also lead to a DoS attack as the switch is spending all of its resources keeping up with the attacker.

The attack is rather simple: the attacker changes their MAC Address, programmatically, thousands of times per second. That’s it.


Note: The demonstration uses a virtual switch platform that has a massive CAM Table space. The massive space is unique to the virtual platform. In this case, the switch would simply crash long before we are able to complete the attack. However, we can still demonstrate the process.


ARP Attacks

ARP comes in two flavors. The first is the common version you are likely familiar with. It is a simple broadcast on the L2 network – “If you have IP Address x.x.x.x, please send me your MAC Address”. Every device in the same subnet receives this message. The devices that don’t have IP x.x.x.x simply drop it. The device that does have x.x.x.x replies to the query: “I have IP x.x.x.x, and my MAC Address is X”.


The second flavor is called a “Gratuitous ARP.” In this case, a device effectively sends the ARP Reply, without ever having received the ARP Request. It simply says, “My IP is x.x.x.x and my MAC Address is X”.

The Normal ARP Process


The Gratuitous ARP Process

In both cases, the receiving endpoint updates its ARP Table with the IP to MAC Mapping.


In an ARP Attack, the Gratuitous ARP is sent to the workstation and the router to trick both into thinking each other’s IP is reachable via the MAC Address of the attacker.



The result is when the workstation has traffic for 10.0.0.1, it sends it to MAC CCCC.CCCC.CCCC. When the router has traffic for 10.0.0.123, it also sends it to MAC CCCC.CCCC.CCCC. The attacker PC can then take a copy of the traffic and ultimately forward it to its legitimate destination. Thus, neither the router nor the workstation ever knows there was a problem.



VLAN Hopping Attack

The VLAN hopping attack I will demonstrate is rather simple. By default, right out of the box, most Cisco switches will attempt to form a trunk with anyone that asks. This default behavior makes working with Cisco switches very easy for a novice but opens a huge security risk. The attack is simple: the attacker workstation attaches to a completely unconfigured port, forms a trunk with the switch, and gains access to any VLAN on the entire network.


Attack Mitigation

Preventing the attacks listed above is not difficult, but it can be time-consuming in a large environment, which makes it a great use case for automation.


CAM Overflow Mitigation

The best option outside of a NAC solution, such as Cisco ISE, is to use port-security. Port-Security gets a bad name as it is difficult to manage and is often not configured properly. Plus, the more advanced port-security features do not scale well and create a lot of administrative overhead. We are going to use port-security sparingly and only to prevent this specific attack. In this case, it will be a “set and forget”, and the only time it will engage is exactly when it is supposed to.
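A minimal port-security configuration of the kind described above, as an added example in Cisco IOS syntax that is not part of the original post. The interface range, the limit of 5 addresses per port, and the recovery timer are assumptions to adapt per site.

```cisco
! Constructed example: interface range, MAC limit and timers are assumptions.
interface range GigabitEthernet1/0/1 - 24
 ! Port-security is rejected on dynamic (DTP) ports, so set the mode first
 switchport mode access
 switchport port-security
 ! Enough for a PC plus an IP phone with some slack; a MAC flood
 ! exceeds this limit almost immediately
 switchport port-security maximum 5
 ! Default violation action: err-disable the port (stated here for clarity)
 switchport port-security violation shutdown
 ! Forget learned secure addresses after 5 minutes of inactivity so that
 ! ordinary device swaps do not trigger a violation
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Bring err-disabled ports back automatically after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (privileged EXEC)
show port-security
show port-security interface GigabitEthernet1/0/1
show mac address-table count
```

`show mac address-table count` reports how much CAM space is in use, which is also the number to watch against the data-sheet limit in a large environment.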


ARP Attack Mitigation

To prevent this type of attack, you need DHCP Snooping (covered in a previous post), plus a technology called “DAI” or Dynamic ARP Inspection. DAI uses the DHCP Snooping database to confirm that each ARP received matches an existing DHCP Lease.


Let’s say I join the network with my MAC Address AAAA.AAAA.AAAA and get a DHCP Lease of 10.0.0.1. The DHCP Snooping process will record this transaction in its database. Moments later you send a gratuitous ARP “My IP Address is 10.0.0.1 and my MAC Address is BBBB.BBBB.BBBB”. When the switch receives the ARP, it compares the IP/MAC combination you sent with the entry it has for me. If they don’t match, the packets are dropped and the attack fails.
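The DHCP Snooping plus DAI combination described above, as an added example in Cisco IOS syntax that is not part of the original post. VLAN 10, the uplink interface, and the static host entry are constructed values.

```cisco
! Constructed example: VLAN 10, the uplink port and the static host are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! Check every ARP on untrusted ports in VLAN 10 against the snooping bindings
ip arp inspection vlan 10
! Also drop ARPs whose payload disagrees with the Ethernet header
! or carries an invalid IP address
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/48
 description Uplink toward the router / DHCP server
 ! Trusted ports skip both checks; only infrastructure links should be trusted
 ip dhcp snooping trust
 ip arp inspection trust
!
! Hosts with static addresses have no lease, so DAI would drop their ARPs.
! Permit them explicitly with an ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 10.0.0.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Untrusted ports are rate limited to 15 ARP packets per second by default
! and are err-disabled when that rate is exceeded.
!
! Verification (privileged EXEC)
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

The drop counters in `show ip arp inspection statistics` are the place to look when a spoofed gratuitous ARP has been rejected.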

VLAN Hopping Attack Mitigation

This type of attack is mitigated with simple best practices, nothing fancy. It looks like this:

  1. Never use VLAN 1 for any reason.

  2. Disable DTP on all ports. If you want a trunk, create one manually.

  3. Create an unused VLAN, say VLAN 999.

  4. Place all unused ports in VLAN 999 and shut them down.

  5. Use BPDU Guard on all non-trunk ports.

     a. BPDU Guard will simply shut down any port that is not a trunk and receives a BPDU.

  6. Use an unused VLAN as your native VLAN on all trunks.

Without DTP, there is no automatic trunk formation. Thus, the only thing you have to worry about is attackers getting into VLAN 999 if a port is accidentally enabled. However, VLAN 999 is not being used by any production traffic. In other words, the worst-case scenario is you have a bunch of attackers, all in VLAN 999, all attacking each other. 😊 If that’s not a fun day at work, I don’t know what is.
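The six steps above applied to one switch, as an added example in Cisco IOS syntax that is not part of the original post. The port ranges, access VLAN 10, allowed VLANs 10 and 20, and native VLAN 998 are assumptions; VLAN 999 is the unused VLAN from step 3.

```cisco
! Constructed example: port ranges and VLANs 10, 20 and 998 are assumptions.
vlan 999
 name UNUSED-PORTS
vlan 998
 name UNUSED-NATIVE
!
! Steps 1, 2, 5: active access ports
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 ! Production VLAN, never VLAN 1
 switchport access vlan 10
 ! Stop sending and answering DTP frames
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Steps 3, 4: unused ports parked in VLAN 999 and shut down
interface range GigabitEthernet1/0/21 - 46
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree bpduguard enable
 shutdown
!
! Steps 2, 6: trunks are built by hand
! (some older platforms need "switchport trunk encapsulation dot1q" first)
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 ! Not one of the six steps: carrying only the needed VLANs keeps VLAN 1 off the trunk
 switchport trunk allowed vlan 10,20
!
! Verification (privileged EXEC)
show interfaces GigabitEthernet1/0/1 switchport
show interfaces trunk
```

In the `show interfaces ... switchport` output, "Negotiation of Trunking: Off" confirms that DTP is disabled on the port.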


We have covered numerous attacks in this blog and shown how to protect against each. The mitigations are relatively simple, but in a large environment they can consume many man-hours. If you need assistance with securing layer 2 in your environment, please reach out to jfuentes@criticaldesign.net.

