Learning IINS (part 4) – L2 Security

CAM overflow attacks

  • CAM – Content Addressable Memory
  • Switch = Hub + CAM
  • CAM table is built based-on Source Mac Address
  • CAM table is not infinite in size
  • CAM Overflow Attack  ~  Mac flooding attack (tool as macof): Attacker floods a single port on the switch with a lot of frames that contain different source mac addresses. The CAM table be quickly full & Switch works like a HUB (fail-over mode). At this time, attacker can sniffer all network traffic.

Mitigation

We can use Port-security feature to mitigation this type of attack.

  • Enable Port-security:

Switchport mode access (*only applicable to access ports – NOT trunks*)

Switchport port-security (*per interface*)

  • Set maximum number of MAC Addresses that Switch can be learned on a port:

Switchport port-security maximum 3

  • Set violation mode for the port:

Switchport port-security violation {protect | restrict | shutdown | shutdown vlan}

protect silently drops

restrict drops and sends notification via SNMP trap or

syslog messages

shutdown shutdown the port (error-disabled state), changes the led state and send notification

shutdown vlan 5 same as shutdown, but only applys to the specific VLAN

  • Set static mac-addresses to allow:

Switchport port-security mac-address abcd.efgh.1234

  • Enable sticky learning of secure MAC addresses on a port:

Switchport port-security mac-address sticky

“Sticky secure MAC addresses—These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.”

  • Configure Aging for secure MAC addresses:

Switchport port-security aging {static | time| type}

  • Verify configuration:
    • Show port-security
    • Show port-security address
    • Show port-security int fa0/1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s