Network attackers can launch different types of attacks on Spanning Tree Protocol (STP).
One type of STP attack is to inject superior BPDUs into a Layer 2 network. A superior BPDU is a BPDU that carries a lower Bridge ID. In a normal network, superior BPDUs are generated only by the Root Bridge. If any other switch generates a superior BPDU, STP recalculation takes place and the switch which generated the superior BPDU becomes the new Root Bridge.
By injecting superior BPDUs into a Layer 2 network, an attacker can trigger STP recalculations and force re-convergence of the STP topology. Attackers can carry out STP attacks by adding a rogue switch configured with a lower Bridge ID, or by using software that is freely available for download.
When a rogue Root Bridge is introduced into the STP topology, traffic from the other switches starts flowing through the rogue Root Bridge. The attacker can then capture the network traffic and look for sensitive data.
Cisco switches have several features that protect against STP attacks. Root Guard, BPDU Guard and BPDU Filter are some of the features available for protection against STP related attacks.
Visit the following link to learn more about Root Guard and how to configure Root Guard on Cisco switches.
BPDU Guard: The BPDU Guard feature is typically implemented on an access port configured with PortFast. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to Errdisable.
Visit the following link to learn more about BPDU Guard and how to configure BPDU Guard on Cisco switches.
BPDU Filter: The BPDU Filter feature is also typically implemented on an access port configured with PortFast. BPDU Filter feature allows you to stop generating BPDUs on
Root Guard protects against the STP topology attack in which the original Root Bridge is replaced by a rogue Root Bridge. When a Root Guard enabled switch port receives a superior BPDU from a rogue switch, the port is moved into the root-inconsistent state, which enforces the position of the original Root Bridge. While the port is in the root-inconsistent state (similar to the STP listening state), no user data is sent via that port. Once the flow of superior BPDUs stops, the port returns to the forwarding state. In other words, the Root Guard feature of Cisco switches prevents a Designated Port from becoming a Root Port.
Root Guard can be enabled on switch ports that are connected to other switches which should never become the Root Bridge. For example, a port on a distribution layer switch that connects to an access layer switch can have Root Guard enabled, because the access layer switch should never become the Root Bridge.
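The following Python model is an added example (not code from the original tutorial or from Cisco) that shows how the superior-BPDU comparison, Root Guard, BPDU Guard and interface-level BPDU Filter described above decide what happens to a port. The Bridge IDs, port names and the single-port state machine are constructed simplifications; a real switch tracks per-port roles and timers that this model leaves out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """STP Bridge ID as advertised in a BPDU: 2-byte priority, then the bridge MAC.
    Numerically lower wins, so priority is compared first and the MAC breaks ties."""
    priority: int
    mac: str

    def key(self) -> tuple:
        return (self.priority, int(self.mac.replace(":", ""), 16))


def is_superior(advertised: BridgeId, current_root: BridgeId) -> bool:
    """A BPDU is 'superior' when the root it advertises has a lower Bridge ID
    than the root the switch currently knows about."""
    return advertised.key() < current_root.key()


@dataclass
class Port:
    """One switch port with the guard features from the text (hypothetical model:
    the port is either a designated port facing another switch or a PortFast
    edge port facing a host)."""
    name: str
    portfast: bool = False
    root_guard: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False      # interface-level BPDU Filter
    state: str = "forwarding"

    def receive_bpdu(self, advertised_root: BridgeId, current_root: BridgeId) -> str:
        # Interface-level BPDU Filter: the BPDU is neither processed nor answered,
        # which is exactly why a switch plugged in here can form a loop.
        if self.bpdu_filter:
            return self.state
        # BPDU Guard: a PortFast edge port should never see a BPDU at all, so the
        # port goes to errdisable regardless of what the BPDU contains.
        if self.bpdu_guard and self.portfast:
            self.state = "errdisable"
            return self.state
        superior = is_superior(advertised_root, current_root)
        # Root Guard: a superior BPDU must not turn this designated port into a
        # root port; user data is blocked until the superior BPDUs stop.
        if self.root_guard and superior:
            self.state = "root-inconsistent"
            return self.state
        # No guard: the switch accepts the new root and re-converges, and this
        # port becomes its root port (the rogue-root scenario in the text).
        if superior:
            self.state = "root-port"
        return self.state

    def superior_bpdus_stopped(self) -> str:
        # Root Guard recovers on its own once the offending BPDUs stop;
        # errdisable does not (it needs errdisable recovery or shut/no shut).
        if self.state == "root-inconsistent":
            self.state = "forwarding"
        return self.state


# Constructed sample: the legitimate root uses priority 4096; a rogue switch
# advertises priority 0, which beats anything the real root can send.
LEGIT_ROOT = BridgeId(4096, "00:11:22:33:44:55")
ROGUE_ROOT = BridgeId(0, "66:77:88:99:aa:bb")


def simulate() -> dict:
    """Feed the rogue BPDU to three differently protected ports and return
    (state during the attack, state after the BPDUs stop) for each."""
    uplink = Port("Gi0/24")                               # no guard at all
    dist_to_access = Port("Gi0/1", root_guard=True)       # Root Guard
    edge = Port("Gi0/5", portfast=True, bpdu_guard=True)  # BPDU Guard
    results = {}
    for p in (uplink, dist_to_access, edge):
        during = p.receive_bpdu(ROGUE_ROOT, LEGIT_ROOT)
        results[p.name] = (during, p.superior_bpdus_stopped())
    return results


if __name__ == "__main__":
    for name, (during, after) in simulate().items():
        print(f"{name}: during attack={during}, after BPDUs stop={after}")
```

Run it and the unguarded uplink ends up as a root port towards the rogue switch, the Root Guard port blocks user data only while the superior BPDUs are flowing, and the BPDU Guard edge port stays errdisabled until an administrator (or errdisable recovery) brings it back.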
BPDU Guard can be enabled globally in Global configuration mode or per interface in Interface configuration mode. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to Errdisable.
The following configuration commands disable BPDU Guard on all PortFast edge ports.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#
BPDU Filter can be enabled globally in Global configuration mode or per interface in Interface configuration mode.
BPDU Filter behaves differently depending on whether it is configured at the Global level or at the Interface level. If BPDU Filter is enabled at the Global level, it is applied to all STP PortFast enabled ports; if a BPDU is received on such a port, PortFast is disabled and the port becomes a normal STP port. When BPDU Filter is enabled at the Interface level, the port neither sends BPDUs nor processes received BPDUs. This behaviour effectively disables STP on that interface. Beware: this can damage the network by forming a Layer 2 switching loop if a switch is accidentally connected to a port with interface-level BPDU Filter enabled.
The following configuration commands disable BPDU Filter on all PortFast edge ports.
OmniSecuSW1#configure terminal
Another type of network attack, targeted at DHCP servers, is known as a DHCP starvation attack. In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses. If the legitimate DHCP server in the network responds to all these bogus DHCP REQUEST messages, the available IP addresses in the DHCP server scope are depleted.
Once the DHCP server's pool of available IP addresses is exhausted, the attacker can set up a rogue DHCP server and respond to new DHCP requests from DHCP clients in the network. With a rogue DHCP server in place, the attacker can launch a DHCP spoofing attack.
DHCP snooping is a DHCP security feature which protects against DHCP starvation attacks by filtering untrusted DHCP messages.
DHCP snooping classifies switch ports as "trusted" or "untrusted". It distinguishes untrusted interfaces (where DHCP clients are connected) from trusted interfaces (where a DHCP server or other switches are connected).
Trusted ports (where a DHCP server or other switches are connected) may source all types of DHCP messages, including DHCPOFFER messages.
Untrusted ports are the ports where DHCP clients are connected. Untrusted switch ports cannot source DHCP messages such as DHCPOFFER, DHCPACK and DHCPNAK, which are normally generated by a DHCP server. By default, all switch ports are untrusted.
When DHCP snooping is enabled, Cisco switches build a table known as the DHCP snooping binding database (also called the DHCP snooping binding table).
The DHCP snooping binding table is used to identify and filter untrusted DHCP messages in the network. It keeps track of the DHCP addresses assigned to switch ports, recording the client MAC address, IP address, DHCP lease time, binding type, VLAN number and interface for each binding on an untrusted switch port.
When a switch receives a packet on an untrusted port where DHCP snooping is enabled, the information stored in the DHCP snooping binding table determines whether the packet is permitted or denied.
The packet is denied when DHCP server related messages (Example: DHCPOFFER, DHCPACK, DHCPNAK) are
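The following Python model is an added example (not code from the original tutorial or from Cisco IOS) of the filtering described above: server messages are dropped on untrusted ports, a DHCPACK seen on the trusted port creates a binding tied to the client's port, a DHCPRELEASE is only honoured from the port that owns the binding, and frames whose Ethernet source MAC does not match the DHCP client hardware address are dropped (the default MAC verification behaviour, which is what blunts the spoofed-MAC starvation pattern). The message layout, port names and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpMessage:
    kind: str       # DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE, DHCPOFFER, DHCPACK, DHCPNAK
    src_mac: str    # Ethernet source MAC of the frame
    chaddr: str     # client hardware address inside the DHCP payload
    yiaddr: str     # address assigned by the server ("0.0.0.0" in client messages)
    lease: int
    vlan: int
    port: str       # port the switch received the frame on


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str
    kind: str = "dhcp-snooping"


class DhcpSnooping:
    """Switch-side DHCP filtering plus the binding table it builds (hypothetical model)."""

    def __init__(self, trusted_ports, enabled_vlans, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.vlans = set(enabled_vlans)
        self.verify_mac = verify_mac
        self.pending: Dict[Tuple[str, int], str] = {}    # (chaddr, vlan) -> client port
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def process(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        if msg.vlan not in self.vlans:
            return "forward"                       # snooping not enabled on this VLAN
        key = (msg.chaddr.lower(), msg.vlan)
        if msg.port in self.trusted:
            if msg.kind == "DHCPACK":
                # The ACK completes the lease. The client port was learned from its
                # DISCOVER/REQUEST, which is what ties the binding to an interface.
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(key[0], msg.yiaddr, msg.lease, msg.vlan, client_port)
            return "forward"
        # Everything below applies to untrusted (client) ports.
        if msg.kind in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"   # rogue DHCP server
        if self.verify_mac and msg.src_mac.lower() != msg.chaddr.lower():
            return "drop:chaddr-mismatch"          # spoofed client address in the payload
        if msg.kind in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = msg.port
        elif msg.kind == "DHCPRELEASE":
            # A client may only release a lease that is bound to its own port.
            b = self.bindings.get(key)
            if b is None or b.port != msg.port:
                return "drop:release-for-foreign-binding"
            del self.bindings[key]
        return "forward"

    def show_binding(self) -> list:
        """Rows in the column order of 'show ip dhcp snooping binding'."""
        return [(b.mac, b.ip, b.lease, b.kind, b.vlan, b.port) for b in self.bindings.values()]


def run_sample() -> tuple:
    """Constructed exchange on VLAN 500; Gi0/0 faces the DHCP server and is trusted."""
    sw = DhcpSnooping(trusted_ports={"Gi0/0"}, enabled_vlans={500})
    client, server = "00:00:ab:19:c6:00", "00:00:ab:00:00:01"
    attacker = "de:ad:be:ef:00:01"
    verdicts = [
        sw.process(DhcpMessage("DHCPDISCOVER", client, client, "0.0.0.0", 0, 500, "Gi0/1")),
        sw.process(DhcpMessage("DHCPOFFER", server, client, "172.16.10.183", 690515, 500, "Gi0/0")),
        sw.process(DhcpMessage("DHCPREQUEST", client, client, "0.0.0.0", 0, 500, "Gi0/1")),
        sw.process(DhcpMessage("DHCPACK", server, client, "172.16.10.183", 690515, 500, "Gi0/0")),
        # a rogue server answering from a client port
        sw.process(DhcpMessage("DHCPOFFER", attacker, client, "10.0.0.9", 3600, 500, "Gi0/3")),
        # a starvation-style request: frame source differs from the spoofed chaddr
        sw.process(DhcpMessage("DHCPDISCOVER", attacker, "02:11:11:11:11:11", "0.0.0.0", 0, 500, "Gi0/3")),
        # a release for someone else's lease, sent from the wrong port
        sw.process(DhcpMessage("DHCPRELEASE", client, client, "0.0.0.0", 0, 500, "Gi0/4")),
    ]
    return verdicts, sw.show_binding()


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Only the four messages of the legitimate exchange are forwarded, and the binding table afterwards holds exactly one row, in the same column order as the "show ip dhcp snooping binding" output shown later on this page.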
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping
OmniSecuSW1(config)#exit
OmniSecuSW1#
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip dhcp snooping trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
00:00:AB:2A:FE:00   172.16.10.182    690512      dhcp-snooping  500   Gigabitethernet0/3
00:00:AB:F7:D0:00   172.16.10.181    690512      dhcp-snooping  500   Gigabitethernet0/4
00:00:AB:93:82:00   172.16.10.185    690518      dhcp-snooping  500   Gigabitethernet0/5
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
OmniSecuSW1#
An Address Resolution Protocol (ARP) spoofing attack is a type of network attack in which an attacker sends fake ARP messages inside a Local Area Network (LAN) with the aim of diverting and intercepting network traffic.
In normal ARP operation, when a network device sends an ARP request (as a broadcast) to find the MAC address corresponding to an IPv4 address, the ARP reply comes from the legitimate network device configured with the IPv4 address that matches the request. The requesting device caches the ARP reply in its ARP table.
A network attacker can exploit normal ARP operation by answering an ARP request and claiming to have the requested IPv4 address. Once the attacker's MAC address is mapped to a legitimate IPv4 address, the attacker begins receiving any data intended for that IPv4 address. The attacker can then act as a man-in-the-middle and capture the network traffic, looking for sensitive user data.
An attacker can also broadcast a Gratuitous ARP message with the IPv4 address of the default gateway. Gratuitous ARP is a broadcast packet used by network devices to announce a change in their IPv4 address or MAC address. By sending a Gratuitous ARP message with the IPv4 address of the default gateway, the attacker can pose as the default gateway and capture all the network traffic leaving the LAN.
Dynamic ARP Inspection (DAI) is a feature that can be used to prevent ARP spoofing attacks. DAI is enabled on switches. When enabled, DAI verifies IPv4 address to MAC address bindings and discards spoofed ARP packets when a mismatch is found on an untrusted port. DAI uses the DHCP snooping binding database to validate bindings and only inspects ARP packets arriving on untrusted ports.
DAI can be enabled globally per VLAN using the command "ip arp inspection vlan <vlan-id>". By default, all ports are untrusted. To configure a port as trusted, use the command "ip arp inspection trust" at the interface level.
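The following Python function is an added example (not code from the original tutorial or from Cisco IOS) of the DAI decision described above: ARP packets on trusted ports pass untouched, while on untrusted ports the sender IP/MAC pair is checked against the DHCP snooping bindings (or a static ARP ACL entry for hosts such as the gateway that do not use DHCP), so both a forged reply and a gratuitous ARP claiming the gateway address are dropped. The binding table, the gateway MAC in the ARP ACL and the optional source-MAC validation check are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed binding table in the shape of "show ip dhcp snooping binding":
# (vlan, ip) -> (mac, port). DAI trusts this table, which is why DHCP snooping
# must already be working before DAI is switched on.
BINDINGS: Dict[Tuple[int, str], Tuple[str, str]] = {
    (500, "172.16.10.183"): ("00:00:ab:19:c6:00", "Gi0/1"),
    (500, "172.16.10.184"): ("00:00:ab:34:cb:00", "Gi0/2"),
}
# Hosts without a DHCP lease (the default gateway here) need a static entry;
# on Cisco IOS that is an ARP ACL applied to the VLAN. Assumed gateway MAC:
STATIC_ARP_ACL: Dict[Tuple[int, str], str] = {
    (500, "172.16.10.1"): "00:00:ab:00:00:fe",
}
TRUSTED_PORTS: Set[str] = {"Gi0/0"}      # uplink towards the gateway/DHCP server
DAI_VLANS: Set[int] = {500}


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    eth_src: str     # Ethernet source MAC of the frame
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str
    vlan: int
    port: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        return self.sender_ip == self.target_ip


def dai_inspect(pkt: ArpPacket, bindings=BINDINGS, arp_acl=STATIC_ARP_ACL,
                trusted=TRUSTED_PORTS, vlans=DAI_VLANS) -> str:
    """Return 'forward' or 'drop:<reason>' for one ARP packet."""
    if pkt.vlan not in vlans or pkt.port in trusted:
        return "forward"                                   # not inspected
    # Optional consistency check (ip arp inspection validate src-mac): the frame's
    # Ethernet source must match the ARP sender MAC.
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop:src-mac-mismatch"
    key = (pkt.vlan, pkt.sender_ip)
    if key in bindings:
        expected_mac = bindings[key][0]
    elif key in arp_acl:
        expected_mac = arp_acl[key]
    else:
        return "drop:no-binding"                           # unknown sender IP on this VLAN
    if expected_mac.lower() != pkt.sender_mac.lower():
        prefix = "gratuitous-" if pkt.gratuitous else ""
        return f"drop:{prefix}ip-mac-mismatch"             # someone else claims this IP
    return "forward"


if __name__ == "__main__":
    # Constructed traffic: a legitimate request, then an attacker on Gi0/3
    # answering for the gateway and announcing itself as the gateway.
    samples = [
        ArpPacket("request", "00:00:ab:19:c6:00", "00:00:ab:19:c6:00", "172.16.10.183", "172.16.10.1", 500, "Gi0/1"),
        ArpPacket("reply", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "172.16.10.1", "172.16.10.183", 500, "Gi0/3"),
        ArpPacket("request", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "172.16.10.1", "172.16.10.1", 500, "Gi0/3"),
    ]
    for s in samples:
        print(s.port, s.op, s.sender_ip, "->", dai_inspect(s))
```

The same gateway reply arriving on the trusted uplink Gi0/0 is forwarded without any lookup, which is why the trusted designation must only be given to ports that really lead to the gateway, the DHCP server or other switches.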
The following configuration commands enable Dynamic ARP Inspection (DAI) on a specific VLAN.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
The IP Source Guard (IPSG) feature uses the information in the DHCP snooping binding database to dynamically create Port ACLs. IPSG can also use static IP binding entries. IPSG permits only IP traffic whose source IP address matches an entry in the DHCP snooping binding database. Thus IPSG prevents a network device from transmitting an IP datagram with a source IP address other than the one it was assigned via Dynamic Host Configuration Protocol (DHCP).
Make sure that you have configured the DHCP snooping feature properly before following these configuration steps. Click the following link to learn how to configure DHCP snooping.
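The following Python class is an added example (not code from the original tutorial or from Cisco IOS) of the per-port source filter IPSG derives from the binding table. It models the two filter modes that the "show ip verify source" output later on this page distinguishes: "ip" (only the source IP is checked) and "ip-mac" (source IP and source MAC must both match the binding), plus a static entry for a host with a fixed address. DHCP packets are always let through so a host can still obtain a lease. Binding rows, port names and packets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    kind: str = "dhcp-snooping"   # or "static" for a manually configured entry


@dataclass(frozen=True)
class IpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    port: str
    is_dhcp: bool = False


class IpSourceGuard:
    """Per-port source filter derived from the binding table (hypothetical model)."""

    def __init__(self, bindings: List[Binding], port_modes: Dict[str, str]):
        # port_modes maps a port to "ip" (ip verify source) or "ip-mac"
        # (ip verify source port-security); ports not listed are unfiltered.
        self.bindings = list(bindings)
        self.port_modes = dict(port_modes)

    def add_static(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """Static binding for a host that does not use DHCP."""
        self.bindings.append(Binding(ip, mac, vlan, port, "static"))

    def permit(self, pkt: IpPacket) -> bool:
        mode = self.port_modes.get(pkt.port)
        if mode is None:
            return True                       # IPSG not enabled on this port
        if pkt.is_dhcp:
            return True                       # DHCP must pass so the host can get a lease
        for b in self.bindings:
            if b.port != pkt.port or b.vlan != pkt.vlan or b.ip != pkt.src_ip:
                continue
            if mode == "ip" or b.mac.lower() == pkt.src_mac.lower():
                return True
        return False                          # source address not bound to this port

    def show_ip_verify_source(self) -> list:
        """Rows shaped like 'show ip verify source': the MAC column is only filled
        in ip-mac mode, as in the page's sample output."""
        rows = []
        for port, mode in self.port_modes.items():
            for b in self.bindings:
                if b.port == port:
                    rows.append((port, mode, "active", b.ip, b.mac if mode == "ip-mac" else "", b.vlan))
        return rows


# Constructed bindings on VLAN 1, mirroring the address range used on the page.
SAMPLE_BINDINGS = [
    Binding("172.16.10.175", "00:00:ab:5e:c9:00", 1, "Et0/0"),
    Binding("172.16.10.176", "00:00:ab:9d:bc:00", 1, "Et0/1"),
]


def build_sample() -> IpSourceGuard:
    """Et0/0 filters on IP only; Et0/1 and Et0/5 filter on IP and MAC."""
    return IpSourceGuard(SAMPLE_BINDINGS, {"Et0/0": "ip", "Et0/1": "ip-mac", "Et0/5": "ip-mac"})


if __name__ == "__main__":
    ipsg = build_sample()
    spoof = IpPacket("172.16.10.176", "00:00:ab:5e:c9:00", 1, "Et0/0")   # Et0/0 using Et0/1's IP
    print("spoofed source on Et0/0 permitted:", ipsg.permit(spoof))
    for row in ipsg.show_ip_verify_source():
        print(row)
```

Note the difference between the modes: with "ip" a host on Et0/0 can still send from a different MAC as long as the source IP is its own lease, whereas "ip-mac" also pins the MAC, which is why that mode is paired with port security in the configuration that follows.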
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip verify source
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip           active       172.16.10.175                       1
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport port-security
OmniSecuSW1(config-if)#ip verify source port-security
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Et0/0      ip-mac       active       172.16.10.175    00:00:AB:5E:C9:00  1
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -------------
00:00:AB:99:88:00   172.16.10.178    689555      dhcp-snooping  1     Ethernet0/3
00:00:AB:9D:BC:00   172.16.10.176    689549      dhcp-snooping  1     Ethernet0/1
00:00:AB:5E:C9:00   172.16.10.175    689539      dhcp-snooping  1     Ethernet0/0
00:00:AB:D4:02:00   172.16.10.177    689555      dhcp-snooping  1     Ethernet0/2
Virtual LANs (VLANs) are used to create separate broadcast domains within a Local Area
Network (LAN). A Virtual LAN (VLAN) is a broadcast domain and is also a separate IP
The Private VLANs (PVLANs) feature can be used to create Secondary VLANs inside a Primary VLAN. Primary VLANs are just normal VLANs. Secondary VLANs are also created as normal VLANs, but they are later associated with a Primary VLAN.
Secondary VLANs can be in any one of the following modes.
Isolated VLAN: The network devices attached to the ports associated with an
Isolated private VLAN cannot communicate with one another. They can communicate
with a Promiscuous port within the same Private VLAN (PVLAN).
Community VLAN: The network devices attached to the ports associated with
Community VLAN can communicate with one another. They can also communicate
with a Promiscuous port within the Private VLAN (PVLAN).
The following are the three types of Private VLAN (PVLAN) ports.
Promiscuous Port: A promiscuous port can communicate with all interfaces inside
the Private VLAN (PVLAN), including the isolated and community ports.
Isolated Port: An Isolated port cannot communicate with other ports within the
same PVLAN, except the promiscuous ports. PVLANs block all traffic to isolated ports
except traffic from promiscuous ports.
Community Port: Community ports can communicate among themselves and with
the promiscuous ports. Community ports cannot communicate with interfaces in other
communities or isolated ports.
Note: Only one secondary Isolated type VLAN can be associated to a Primary VLAN.
Multiple secondary type Community VLANs can be associated to a Primary VLAN.
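The following Python model is an added example (not code from the original tutorial or from Cisco IOS) that encodes the reachability rules for the three PVLAN port types above and the "only one isolated VLAN per primary" constraint from the note. It uses the VLAN numbers from the configuration that follows (primary 50, community 150, isolated 250) and assumes Gi0/0 is the promiscuous port; the extra host ports are constructed to show two isolated hosts and two community hosts side by side.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def validate_association(secondary_types: Dict[int, str]) -> Optional[str]:
    """Return an error message if the secondary VLAN set is not allowed, else None."""
    isolated = [v for v, t in secondary_types.items() if t == "isolated"]
    if len(isolated) > 1:
        return f"only one isolated VLAN may be associated with a primary VLAN, got {isolated}"
    for v, t in secondary_types.items():
        if t not in ("isolated", "community"):
            return f"unknown secondary VLAN type {t!r} for VLAN {v}"
    return None


@dataclass
class PrivateVlan:
    primary: int
    secondary_types: Dict[int, str]   # secondary VLAN id -> "isolated" | "community"

    def __post_init__(self):
        err = validate_association(self.secondary_types)
        if err:
            raise ValueError(err)


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # "promiscuous" or "host"
    secondary: Optional[int] = None  # host ports: their secondary VLAN; promiscuous: None


def port_type(port: PvlanPort, pvlan: PrivateVlan) -> str:
    """Classify a port as promiscuous, isolated or community within this PVLAN."""
    if port.mode == "promiscuous":
        return "promiscuous"
    if port.secondary not in pvlan.secondary_types:
        raise ValueError(f"{port.name}: VLAN {port.secondary} is not associated with primary {pvlan.primary}")
    return pvlan.secondary_types[port.secondary]


def can_communicate(a: PvlanPort, b: PvlanPort, pvlan: PrivateVlan) -> bool:
    ta, tb = port_type(a, pvlan), port_type(b, pvlan)
    if "promiscuous" in (ta, tb):
        return True                        # promiscuous reaches every port in the PVLAN
    if ta == "community" and tb == "community":
        return a.secondary == b.secondary  # only within the same community VLAN
    return False                           # isolated ports talk to nothing but promiscuous


def reachability(ports: List[PvlanPort], pvlan: PrivateVlan) -> Dict[Tuple[str, str], bool]:
    """Reachability for every unordered pair of ports, keyed by (name, name)."""
    return {(a.name, b.name): can_communicate(a, b, pvlan)
            for a in ports for b in ports if a.name < b.name}


# Constructed topology using the page's VLAN numbers.
PVLAN_50 = PrivateVlan(primary=50, secondary_types={150: "community", 250: "isolated"})
PORTS = [
    PvlanPort("Gi0/0", "promiscuous"),   # assumed uplink to the gateway
    PvlanPort("Gi0/1", "host", 150),     # community port, as configured on the page
    PvlanPort("Gi0/2", "host", 250),     # isolated port, as configured on the page
    PvlanPort("Gi0/3", "host", 250),     # second isolated host (constructed)
    PvlanPort("Gi0/4", "host", 150),     # second community host (constructed)
]


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PORTS, PVLAN_50).items()):
        print(f"{a} <-> {b}: {'allowed' if ok else 'blocked'}")
```

The output shows the property that makes PVLANs useful for isolating hosts on a shared segment: the two isolated hosts on Gi0/2 and Gi0/3 share a VLAN yet cannot reach each other, while the two community hosts can, and all of them reach the promiscuous port.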
To create a Secondary VLAN and define it as Isolated type, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 250
OmniSecuSW1(config-vlan)#private-vlan isolated
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
To create a Primary PVLAN and associate Secondary PVLANs with Primary PVLAN, follow
these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 50
OmniSecuSW1(config-vlan)#private-vlan primary
OmniSecuSW1(config-vlan)#private-vlan association 150,250
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
To configure a port as Community PVLAN port, follow these steps. Remember we had
configured PVLAN 150 as Community type in previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/1
OmniSecuSW1(config-if)#switchport mode private-vlan host
To configure a port as Isolated PVLAN port, follow these steps. Remember we have
configured PVLAN 250 as Isolated type in previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/2
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit