Sniffing attacks overview
MAC flooding
MAC
- MAC address is a unique identifier of a network node.
  - E.g. `52:54:00:e5:83:bb`
  - First three sets (`52:54:00`): manufacturer's signature
  - Last three sets are set in different ways depending on the manufacturer
  - Embedded in the device (firmware or some read-only part of the device)
- In a network, each device has its own MAC address
  - Associates the device with a physical port
- If your MAC address is logged, police can use it to contact the manufacturer to ask who purchased the device.
  - Difficult to trace if it was paid for in cash.
- You may have free WiFi forever if you can change your MAC address.
  - Usually checked in public places, e.g. in an airport when they give you free WiFi.
Content Addressable Memory (CAM) table
- Used by switches
- Stores all available MAC addresses and their virtual LAN parameters for each port.
- Possible to sniff by flooding it.
MAC flooding attack
- Flooding the switch with thousands of MAC address mappings such that it cannot keep up.
  - When the table can't keep up it starts sending every message out to every port.
  - I.e. the switch is forced to behave as a hub.
  - Allowed by the fixed size of the CAM table.
- Steps:
  - Send a large number of fake MAC addresses to the switch until the CAM table becomes full
  - Switch enters fail-open mode, where it broadcasts incoming traffic to all ports on the network
  - Attacker (with promiscuous mode) starts sniffing the traffic passing through the network.
- Can be followed up using ARP spoofing to retain access to data after switches recover.
- See also MAC spoofing
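Why a full CAM table turns the switch into a hub, and what a port-security MAC limit changes, as an added example that is not part of the original notes: a constructed toy learning switch (the CAM size of 4, the port numbers and the MAC addresses are made up).

```python
CAM_SIZE = 4  # constructed: real tables hold thousands of entries; tiny so exhaustion is visible
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Toy learning switch with a fixed-size CAM table (source MAC -> ingress port).

    Unknown destinations are flooded to every other port. Once the table is full, new
    sources cannot be learned, so replies to them are flooded too: that is why an
    attacker who fills the table with fake MACs sees other hosts' traffic.
    max_macs_per_port mimics port security: exceeding it err-disables the port.
    """
    def __init__(self, ports, cam_size=CAM_SIZE, max_macs_per_port=None):
        self.ports, self.cam_size, self.max_per_port = list(ports), cam_size, max_macs_per_port
        self.cam = {}             # mac -> port
        self.shutdown = set()     # ports disabled by a port-security violation

    def _learn(self, mac, port):
        if mac in self.cam:
            return
        if self.max_per_port is not None and \
                sum(1 for p in self.cam.values() if p == port) >= self.max_per_port:
            self.shutdown.add(port)        # violation: err-disable the port
            return
        if len(self.cam) < self.cam_size:  # a full table silently fails to learn
            self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Return the egress port list for one frame (empty if the port is shut down)."""
        if in_port not in self.shutdown:
            self._learn(src, in_port)
        if in_port in self.shutdown:
            return []
        out = self.cam.get(dst)
        if out is None or out == in_port:  # unknown destination: flood
            return [p for p in self.ports if p != in_port and p not in self.shutdown]
        return [out]

def mac_flood_demo(fake_macs=10, port_security_limit=None):
    """Attacker on port 3 floods fake sources, then host A (port 1) talks to host B (port 2).
    Returns (ports that receive B's reply to A, whether port 3 was err-disabled)."""
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw = Switch(ports=[1, 2, 3], max_macs_per_port=port_security_limit)
    for i in range(fake_macs):
        sw.forward(f"de:ad:be:ef:00:{i:02x}", BROADCAST, 3)
    sw.forward(host_a, host_b, 1)                 # A is learned only if there is room
    return sw.forward(host_b, host_a, 2), 3 in sw.shutdown
```

Without a limit, B's reply reaches port 3 (the attacker) because A could not be learned; with a limit of two MACs per port, port 3 is disabled at the third fake source and the reply goes only to port 1.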
DHCP attacks
DHCP introduction
- DHCP: Dynamic Host Configuration Protocol
- Client/server protocol
- Used by routers, as they start a DHCP server
- Server provides the following to DHCP-enabled clients:
  - IP addresses
  - Configuration information
  - Time period of the lease offer
- A possible way to drop others' connections in a network is to brute-force the DHCP server with "returning lease" messages.
  - It'll force everybody to lose their connection and request IP addresses again
DHCP snooping
- Layer 2 security feature
- Built into the operating system of capable network switches
- Filters and rate-limits suspicious DHCP traffic
- Builds and maintains the DHCP snooping binding database
  - Also known as the DHCP snooping binding table
  - Stores MAC + assigned IP + VLAN and switch port
  - Used to validate subsequent requests from untrusted hosts.
- Dynamic ARP Inspection (DAI)
  - Defense against too many incoming ARP broadcasts.
  - Each port on a VLAN is untrusted by default
  - Each IP to MAC conversion is validated using the DHCP snooping binding database.
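The snooping binding table, the per-port rate limit and the DAI check described above, as an added example that is not from the original notes: a constructed model of one switch (port names, VLAN numbers, the rate limit and the message names are assumptions, not a vendor's implementation).

```python
from collections import defaultdict, deque

class DhcpSnooping:
    """Constructed model of DHCP snooping with Dynamic ARP Inspection on one switch.

    Rules, as on a real switch: server messages (OFFER/ACK) are accepted only from
    trusted ports; client messages on untrusted ports are rate-limited per port;
    each ACK adds (ip, vlan) -> (client mac, client port) to the binding table;
    ARP packets from untrusted ports must match that table or they are dropped.
    """
    SERVER_MSGS = {"OFFER", "ACK"}

    def __init__(self, trusted_ports, rate_limit=3, window=1.0):
        self.trusted = set(trusted_ports)
        self.rate_limit, self.window = rate_limit, window
        self.recent = defaultdict(deque)  # port -> timestamps of recent client DHCP messages
        self.client_port = {}             # client mac -> port it last sent DHCP from
        self.bindings = {}                # (ip, vlan) -> (mac, port)
        self.errdisabled = set()

    def dhcp(self, ts, port, vlan, msg, client_mac, ip=None):
        """Process one DHCP message; return 'forward' or 'drop'."""
        if port in self.errdisabled:
            return "drop"
        if msg in self.SERVER_MSGS:
            if port not in self.trusted:
                return "drop"             # rogue DHCP server on an untrusted port
            if msg == "ACK" and client_mac in self.client_port:
                self.bindings[(ip, vlan)] = (client_mac, self.client_port[client_mac])
            return "forward"
        if port not in self.trusted:      # DISCOVER/REQUEST/RELEASE from a client
            q = self.recent[port]
            q.append(ts)
            while ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.rate_limit:  # starvation burst: err-disable the port
                self.errdisabled.add(port)
                return "drop"
        self.client_port[client_mac] = port
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI check: ARP from an untrusted port must carry a snooped ip/mac/port binding."""
        if port in self.trusted:
            return "forward"
        return "forward" if self.bindings.get((sender_ip, vlan)) == (sender_mac, port) else "drop"
```

The same rate-limit branch is what blunts a DHCP starvation burst: a run of DISCOVERs from many source MACs on one untrusted port exceeds the limit and the port is disabled before the scope is exhausted.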
DHCP starvation
- Exhausts all available addresses from the server
- Exploits that DHCP has a limited number of IP addresses to lease.
- A type of Denial of Service attack
- Flow
  - Starve it, and no new clients will be able to connect
    - Attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses.
    - Available IP addresses in the DHCP server scope become depleted.
    - DHCP server becomes unable to allocate configurations to new clients or issue any IP addresses
  - Set up a rogue (fake) server to respond to the discovery requests
    - Attacker sets up a rogue DHCP server to respond to DHCP discovery requests.
    - If a client accepts the rogue server as its DHCP server, then the attacker can listen to all traffic going from or to the client.
- Tools
DHCP starvation countermeasures
- Authentication
- Configure DHCP snooping
  - Trusted sources
  - Vulnerable to mimicking them
Port security
- Allows traffic from a specific MAC address to enter a port
  - Only allowing one MAC through a port
  - Only one IP at a time can be requested
- Vulnerable to spoofing MAC addresses
DNS poisoning
DNS introduction
- Domain Name Server
- Protocol that resolves domain names into IP addresses using default port 53.
- Stores domain name and IP address pairs in a DNS table.
DNS poisoning attack
- Also known as DNS cache poisoning and DNS spoofing
- Manipulating the DNS table by replacing a legitimate IP address with a malicious one
  - E.g. redirecting `cloudarchitecture.io` to the attacker's IP address.
- Used for internet censorship in many countries.
- Flow
  - Attacker makes a DNS request to the target
  - DNS server asks the root name server for the entry
  - Attacker floods the DNS server with fake responses for the targeted domain until the legitimate response from the root server is ignored
  - The poisoned entry remains in the cache for hours or even days
- Can be used after ARP poisoning through the DNS spoof plugin of Ettercap.
- Can be followed up with e.g. man-in-the-middle attacks or website defacement attacks
DNS poisoning countermeasures
- Active monitoring
  - Monitor DNS data for new patterns such as new hosts
  - E.g. by using an intrusion detection system (IDS)
- Keep DNS servers up-to-date
  - Updated versions have port randomization and cryptographically secure transaction IDs against attackers.
- Randomize source and destination IP and query IDs during name requests
  - Makes it harder for attackers to send spoofed responses, as it'd be harder to guess the address and query ID.
- Use HTTPS and/or TLS for securing the traffic
  - Also known as DNS over HTTPS (DoH) and DNS over TLS (DoT)
  - SSL and TLS use certificates to verify the identity of the other party.
  - So although they do not protect against cache poisoning itself, the certificates help to protect against the results
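The query-ID and source-port randomization recommended above, as an added example that is not from the original notes: a constructed toy resolver that accepts a response only if it matches an outstanding query's transaction ID, port and name, plus the odds of a single blind forged response with and without port randomization (the ephemeral port range is an assumption).

```python
import secrets

EPHEMERAL_PORTS = range(1024, 65536)  # assumption: a typical ephemeral source-port range

class Resolver:
    """Toy recursive resolver (constructed model, not any real server's code).

    Every outstanding query is keyed by (transaction id, source port). A response
    is accepted only if a matching query is pending and the answer is for the
    name that was asked; everything else is a forged guess and is dropped.
    """
    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.outstanding = {}  # (txid, sport) -> qname
        self.cache = {}        # qname -> answer

    def send_query(self, qname):
        """Return the (txid, source port) used so a caller can model the reply."""
        txid = secrets.randbelow(1 << 16)                    # 16-bit transaction id
        sport = secrets.choice(EPHEMERAL_PORTS) if self.randomize_ports else 53
        self.outstanding[(txid, sport)] = qname
        return txid, sport

    def receive_response(self, txid, dport, qname, answer):
        """Accept a response only if txid, destination port and name all match."""
        if self.outstanding.get((txid, dport)) != qname:
            return False                                     # mismatch: spoofed, dropped
        del self.outstanding[(txid, dport)]                  # one answer per query
        self.cache[qname] = answer
        return True

def blind_spoof_odds(randomize_ports):
    """Chance that one forged response with a random txid (and port) hits a single query."""
    space = 1 << 16
    if randomize_ports:
        space *= len(EPHEMERAL_PORTS)
    return 1 / space
```

With a fixed port the forger only has to guess 16 bits of transaction ID; randomizing the source port multiplies the search space by the size of the port range, which is why updated resolvers do both.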
DNSSEC (Domain Name System Security Extension)
- Developed by The Internet Engineering Task Force (IETF)
  - Open standards organization, which develops and promotes voluntary Internet standards
- Helps verify the true originator of DNS messaging
- Provides secure DNS data authentication by using digital signatures and encryption.
- Adds cryptographic signatures to existing DNS records, stored in DNS name servers.
- Widely considered one of the greatest cache poisoning prevention tools as a defense
- Allows verifying that a requested DNS record comes from its authoritative name server and wasn't altered, as opposed to a fake record injected in a man-in-the-middle attack.
- Chain of trust: e.g. `cloudarchitecture.io`'s signature is verified by the `.io` signature, which is verified by the root certificate (signed by IANA)
  - IANA: Centrally coordinates the Internet for DNS Root, IP addressing, and other Internet protocol resources.
VLAN hopping
VLAN
- Allows multiple separate LANs/networks on the same switch through logical grouping
- Provides network separation
  - Hosts on one VLAN do not see hosts on another one
- Port-based VLAN
  - Designate a set of ports on the switch
    - E.g. accounting department VLAN, shipping department VLAN..
  - Connect devices to the right ports; each group is a VLAN
- Tag-based VLAN, aka IEEE 802.1Q VLANs
  - Basically tags frames with the VLAN they belong to
    - Frame = primitive packet on layer 2
    - Tagged frame = IEEE 802.1Q frame
  - Can tag/assign based on e.g. 802.1X
- Trunk (= 802.1Q link)
  - Allows sharing VLANs (VLAN IDs) between switches
VLAN hopping attack
- Attacking host on a VLAN to gain access to traffic on other VLANs
  - E.g. using Frogger
- Switch spoofing
  - Attacking host imitates a trunking switch
- Double tagging
  - Attacker prepends two VLAN tags to frames
    - Second (inner) tag carries the target host's VLAN
  - First switch removes the first, innocent VLAN tag and sends the packet to the second switch.
  - Allows bypassing security mechanisms and reaching the target hosts.
  - Replies are not forwarded to the attacker host
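The 802.1Q tag layout behind double tagging, as an added example that is not from the original notes: a parser that walks every tag in a raw frame, the native-VLAN tag stripping a trunk performs that exposes the inner tag, and a detection rule for a port that should never see two tags (the MAC addresses, VLAN numbers and `build_frame` test-vector helper are constructed).

```python
import struct

TPID_8021Q = 0x8100

def parse_vlan_tags(frame):
    """Walk the Ethernet header; return (dst, src, [vlan ids outer->inner], ethertype)."""
    dst, src, offset, vlans = frame[:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return dst, src, vlans, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits = VLAN ID; PCP/DEI live in the top 4
        offset += 4

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst, src, vlans, ethertype=0x0800, payload=b""):
    """Constructed helper: Ethernet header with zero or more 802.1Q tags (test vectors only)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def strip_native_tag(frame, native_vlan):
    """What the first trunk does on egress: a frame tagged with the native VLAN leaves
    untagged, which exposes any second tag underneath it to the next switch."""
    _, _, vlans, _ = parse_vlan_tags(frame)
    if vlans and vlans[0] == native_vlan:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame

def check_access_port(frame, native_vlan):
    """Detection rule for an access/native port: an outer tag equal to the native VLAN
    with a second tag beneath it is the double-tagging signature; any tag at all is dropped."""
    _, src, vlans, _ = parse_vlan_tags(frame)
    if len(vlans) >= 2 and vlans[0] == native_vlan:
        return f"ALERT double-tagged frame from {mac(src)}: outer {vlans[0]} inner {vlans[1]}"
    if vlans:
        return f"drop tagged frame on access port (vlan {vlans[0]})"
    return "ok"
```
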
OSPF attacks
- Forms a trusted relationship with the adjacent router
- Usually these attacks go undetected
- Remote attacks: caused by misconfigurations
OSPF: Open Shortest Path First
- Most popular routing protocol for IP networks
- Dynamically discovers neighbors, like RIPv2 and BGP (Border Gateway Protocol)
- Used by e.g. internet service providers (ISPs) and cloud providers for hybrid communication
Compromised router attacks
- Placing a rogue router in the target network, e.g. a remote branch/headquarters
- Allows the attacker to inject routes to redirect traffic for MITM attacks or DoS attacks.
- Attacker learns about the entire routing domain, such as network types, links, etc.
OSPF attacks countermeasures
- Configure OSPF to authenticate every OSPF message
  - Routers must pass the authentication process before becoming OSPF neighbors.
- Monitor OSPF neighbors for eavesdropping through e.g. a SIEM