Car Nbar Layer2 Block

Upload: shareef-ghouse, posted 07-Apr-2018

8/3/2019 Car Nbar Layer2 Block

Network Attack & Threat Mitigation
Tim Ryan
Systems Engineer, Cisco Systems, Southeast Coastal Operation

SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.

Policy: The Security Foundation

Enterprise-wide security policy:
  Who can see what information?
  Who can change it?
  From where?
  How protected is it?
  What are the assets?
  What is the cost?

The Security Eco-System

Security functions at several layers:
  Client / Server
  Software firewalls
  Intrusion detection
  URL filtering
  Virus checking
  Encryption
  User authentication
  Applications / Servers
  Network access & user access
  Intrusion detection / firewalls
  Authentication
  Logging
  Physical access

Security Agenda

  Denial of Service attack limiting
  Code Red / Nimda threat mitigation
  Intrusion detection considerations
  Ethernet switch attacks (Layer 2)

Rate Limiting as a Security Tool

Why would anyone want to send over 45 Mbps of ICMP traffic? If they did, how would you stop it?

Answer: rate limit the bad traffic with Committed Access Rate (CAR).

Committed Access Rate to Minimize DDoS/DoS Attacks

(Diagram: the Internet -> Layer-3 CAR filter -> customers.)

Layer-3 input and output rate limits, specifically input rate limits.
Security filters use the input rate limit to drop packets before they are forwarded through the network.
Aggregate and granular limits: port, MAC address, IP address, application, precedence.
Excess burst policies.

Rate Limiting as a Security Tool

Limit all ICMP echo and echo-reply traffic received at the borders to 256 Kbps with a small amount of burst:

    ! traffic we want to limit
    access-list 102 permit icmp any any echo
    access-list 102 permit icmp any any echo-reply
    ! interface configurations for borders
    interface Serial3/0/0
     rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop

Multiple rate-limit commands can be added to an interface in order to control other kinds of traffic as well.

From: http://www.cisco.com/warp/public/707/newsflash.html

Rate Limiting as a Security Tool

Use CAR to limit TCP SYN floods to particular hosts without impeding existing connections. Some attackers have started using very high streams of TCP SYN packets in order to harm systems.

This example limits TCP SYN packets directed at host 10.0.0.1 to 8 kbps or so:

    ! We don't want to limit established TCP sessions -- non-SYN packets
    access-list 103 deny tcp any host 10.0.0.1 established
    ! We do want to limit the rest of TCP (this really only includes SYNs)
    access-list 103 permit tcp any host 10.0.0.1
    ! interface configurations for network borders
    interface Serial3/0/0
     rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
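The two rate-limit statements on this slide and the previous one are token buckets: the bps value is the refill rate and the normal burst is the bucket depth in bytes. The following is an added example, not from the slides or from Cisco, that models that behaviour and replays both configurations against constructed one-second floods. It assumes a plain token bucket; CAR's extended-burst logic (probabilistic drops as a compounded debt grows) is not modelled, which costs nothing here because both slides set the extended burst equal to the normal burst (8000 8000), and CAR applies no extended burst in that case. The packet stream, the session traffic and the 10.0.0.1 address reuse are all constructed.

```python
"""Token-bucket model of Cisco CAR used as a security control.

Added example, not from the slides or from Cisco. CAR's three numbers map
onto a token bucket: <bps> is the refill rate, <normal-burst> the bucket
depth in bytes. Assumption: CAR's extended burst is not modelled; with
extended == normal burst, as in both slide configurations, CAR applies no
extended burst anyway.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    t_ms: int            # arrival time in milliseconds
    size: int            # bytes
    proto: str           # "icmp" or "tcp"
    dst: str             # destination IPv4 address
    icmp_type: str = ""  # "echo", "echo-reply", ...
    tcp_flags: str = ""  # e.g. "S" (SYN), "PA" (data on an established session)


@dataclass
class TokenBucket:
    """rate-limit input ... <bps> <normal-burst> <extended-burst>, extended == normal."""
    bps: int
    normal_burst: int
    tokens: float = field(init=False)
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = float(self.normal_burst)   # bucket starts full

    def conforms(self, pkt: Packet) -> bool:
        # Refill bps/8 bytes per second since the last packet, capped at the normal burst.
        elapsed_ms = pkt.t_ms - self.last_ms
        self.tokens = min(self.normal_burst, self.tokens + elapsed_ms * self.bps / 8000)
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return True     # conform-action transmit
        return False        # exceed-action drop


def acl_102(pkt: Packet) -> bool:
    """access-list 102 permit icmp any any echo / echo-reply"""
    return pkt.proto == "icmp" and pkt.icmp_type in ("echo", "echo-reply")


def acl_103(pkt: Packet) -> bool:
    """deny tcp any host 10.0.0.1 established; permit tcp any host 10.0.0.1.
    IOS 'established' matches segments with the ACK or RST bit set."""
    if pkt.proto != "tcp" or pkt.dst != "10.0.0.1":
        return False
    return not ("A" in pkt.tcp_flags or "R" in pkt.tcp_flags)


def police(stream, rules):
    """Apply rate-limit statements in order; the first matching one decides
    (transmit and drop both end evaluation, as CAR does without 'continue')."""
    stats = {name: {"transmit": 0, "drop": 0} for name, _, _ in rules}
    stats["unmatched"] = 0
    for pkt in stream:
        for name, acl, bucket in rules:
            if acl(pkt):
                stats[name]["transmit" if bucket.conforms(pkt) else "drop"] += 1
                break
        else:
            stats["unmatched"] += 1   # no rate-limit statement matched: forwarded normally
    return stats


def run_slide_examples():
    """Replays both slide configurations against a constructed one-second stream."""
    rules = [
        # rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
        ("acl102", acl_102, TokenBucket(bps=256_000, normal_burst=8000)),
        # rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
        ("acl103", acl_103, TokenBucket(bps=8000, normal_burst=8000)),
    ]
    stream = []
    for ms in range(1000):
        stream.append(Packet(ms, 1500, "icmp", "10.0.0.1", icmp_type="echo"))   # 12 Mb/s ping flood
        stream.append(Packet(ms, 60, "tcp", "10.0.0.1", tcp_flags="S"))         # 480 kb/s SYN flood
        if ms % 5 == 0:                                                           # legitimate session
            stream.append(Packet(ms, 1500, "tcp", "10.0.0.1", tcp_flags="PA"))
    return police(stream, rules)


if __name__ == "__main__":
    for name, counts in run_slide_examples().items():
        print(name, counts)
```

The numbers make the slide's "8 kbps or so" concrete: the 8000-byte bucket lets the first 135 SYNs of the flood through untouched, after which one 60-byte SYN passes every 60 ms, while the established-session packets never touch the bucket because ACL 103 denies them before the permit line.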

ISP and Enterprise Security

Strategies to protect against DDoS attacks: http://www.cisco.com/warp/public/707

White papers here contain information to help you:
  understand how DDoS attacks are orchestrated
  recognize programs used to facilitate DDoS attacks
  apply measures to prevent the attacks
  gather forensic information if you suspect an attack
  learn more about host security

Code Red / Nimda Detection and Control

Host IDS will stop this, period.
Patched Microsoft servers will stop this, per Microsoft.
Intrusion detection sensors will alarm on this and can then block attacks.
NBAR configured on a Cisco router will stop most attacks.

NBAR: Network Based Application Recognition

Tag data coming into your network:

    class-map match-any http-hacks
     match protocol http url "*default.ida*"
     match protocol http url "*x.ida*"
     match protocol http url "*.ida*"
     match protocol http url "*cmd.exe*"
     match protocol http url "*root.exe*"
     match protocol http url "*readme.exe*"
     match protocol http url "*readme.eml*"
    !
    policy-map mark-inbound-http-hacks
     class http-hacks
      set ip dscp 1
    !
    interface Ethernet0/0
     service-policy input mark-inbound-http-hacks

(Diagram: ISP network -> customer network, egress from the Internet.)

Drop data before it enters the network:

    policy-map drop-http-hacks
     class http-hacks
      police 8000 8000 8000 conform-action drop exceed-action drop
    !
    interface Ethernet0/0
     service-policy input drop-http-hacks

http://www.cisco.com/warp/public/63/
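What the class-map above does at the matching level, as an added example that is not from the slides or from Cisco's NBAR code: the seven URL patterns are evaluated with match-any semantics against constructed HTTP request lines of the shape Code Red and Nimda sent, plus two benign requests, and the two slide policies (mark with DSCP 1, or police with conform-action drop) are applied to the result. Treating the patterns as shell-style globs is an assumption about NBAR's matcher; the request lines are constructed.

```python
"""NBAR-style URL classification for the Code Red / Nimda class-map.

Added example, not from the slides or from Cisco. Assumption: the
'match protocol http url' patterns behave like shell globs (fnmatch).
"""
import fnmatch

# class-map match-any http-hacks, patterns exactly as on the slide
HTTP_HACKS = [
    "*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*",
    "*root.exe*", "*readme.exe*", "*readme.eml*",
]


def classify(url: str):
    """match-any: the first pattern that matches classifies the request; None if no match."""
    for pattern in HTTP_HACKS:
        if fnmatch.fnmatchcase(url, pattern):
            return pattern
    return None


def parse_request_line(line: str):
    """'GET /path HTTP/1.1' -> ('GET', '/path'); raises ValueError on malformed input."""
    method, url, version = line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {line!r}")
    return method, url


def apply_policy(line: str, policy: str = "mark"):
    """policy='mark': set ip dscp 1 on hits (first slide policy);
    policy='drop': police ... conform-action drop exceed-action drop (second policy)."""
    _, url = parse_request_line(line)
    hit = classify(url)
    if hit is None:
        return {"url": url, "class": "class-default", "dscp": 0, "action": "transmit"}
    if policy == "mark":
        return {"url": url, "class": "http-hacks", "pattern": hit, "dscp": 1, "action": "transmit"}
    return {"url": url, "class": "http-hacks", "pattern": hit, "dscp": 0, "action": "drop"}


# Constructed request lines shaped like the 2001 worm probes, plus two benign ones.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0",  # Code Red probe
    "GET /scripts/root.exe?/c+dir HTTP/1.0",                               # Nimda backdoor probe
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",       # Nimda traversal
    "GET /readme.eml HTTP/1.0",                                            # Nimda payload fetch
    "GET /index.html HTTP/1.1",                                            # benign
    "GET /search/query.ida?q=report HTTP/1.1",  # benign Index Server query, caught by "*.ida*"
]


def run(policy: str = "mark"):
    return [apply_policy(line, policy) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for result in run("drop"):
        print(result["action"], result["class"], result["url"])
```

The last sample request is the caveat a practitioner wants before deploying the drop policy: "*.ida*" is deliberately broad and also matches any legitimate Index Server query, so with the drop policy the router would black-hole that traffic for every customer behind it. Marking with DSCP 1 and counting hits first, as the slide's first policy does, shows what the class would drop before it drops anything.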

Intrusion Detection Systems

Host and network: both have their place.
False positives.
Placement.
Alarm or enforce?

(Diagram labels: Attacker, Public Services, Internal Services, Internal Users.)

Layer 2 Insecurity: Fun with Dsniff

Switches vs. Hubs

Hubs
  - Single broadcast domain
  - All ports see all traffic
  - Sniffers work everywhere

Switches
  - Multiple broadcast domains, VLANs, etc.
  - All ports see all broadcasts and traffic destined for their MAC
  - Sniffers work only on SPAN/mirror ports?

ARP Refresher

An ARP request message should be placed in a hardware frame and broadcast to all computers on the network. Each computer receives the request and examines the IP address. The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.

Gratuitous ARP

HOST W: "Hey everyone, I'm host W and my IP address is 1.2.3.4 and my MAC address is 12:34:56:78:9A:BC"

Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network. Routers and other network hardware may use cache information gained from gratuitous ARPs.

Gratuitous ARP is a broadcast packet (like an ARP request).

Hey Tim! Why do I care?

ARP has no security or ownership of IP or MAC addresses.

What if we did the following?

Host W: "Hey everyone, I'm the router and my IP address is 1.2.3.1 and my MAC address is 12:34:56:78:9A:BC"
(wait 5 seconds)
Host W: "Hey everyone, I'm the router and my IP address is 1.2.3.1 and my MAC address is 12:34:56:78:9A:BC"

(Diagram: network 1.2.3.0/24; router .1, Host Y .2, Host X .3, Host W .4.)

Test

Host X and Y will likely ignore the message unless they currently have an ARP table entry for 1.2.3.1.

When host Y requests the MAC of 1.2.3.1 the real router will reply and communications will work until the timer on the gratuitous ARP (GARP?) kicks off. Host Y then receives the GARP, updates his ARP table and starts sending all traffic destined for 1.2.3.1 to host W.

Even a static ARP entry for 1.2.3.1 on Y will get overwritten by the GARP on some OSs (NT4 for sure).

(Diagram: network 1.2.3.0/24; router .1, Host Y .2, Host X .3, Host W .4.)

Dug Song, Author of dsniff: Dsniff Is Not Your Friend

  ARP spoofing
  MAC flooding
  Selective sniffing
  SSH / SSL interception

www.monkey.org/~dugsong/dsniff

Arpspoof in Action

Victim (15.1.1.26), ARP table before and after the attack:

    C:\>test
    C:\>arp -d 15.1.1.1
    C:\>ping -n 1 15.1.1.1
    Pinging 15.1.1.1 with 32 bytes of data:
    Reply from 15.1.1.1: bytes=32 time
    C:\>arp -a
    Interface: 15.1.1.26 on Interface 2
      Internet Address      Physical Address      Type
      15.1.1.1              00-04-4e-f2-d8-01     dynamic
      15.1.1.25             00-10-83-34-29-72     dynamic

    C:\>arp -a
    Interface: 15.1.1.26 on Interface 2
      Internet Address      Physical Address      Type
      15.1.1.1              00-10-83-34-29-72     dynamic
      15.1.1.25             00-10-83-34-29-72     dynamic

Attacker (15.1.1.25):

    [root@sconvery-lnx dsniff-2.3]# ./arpspoof 15.1.1.1
    0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
    0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
    0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
    0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:4:4e:f2:d8:1
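An added example, not from the slides or from dsniff, that covers the ARP mechanics of the preceding slides and the arpspoof run above: it builds Ethernet/ARP frames of the kind arpspoof broadcasts, parses them back, and keeps an IP-to-MAC binding table that alerts when 15.1.1.1 changes from the router's MAC to the attacker's, which is the check arpwatch-style monitors perform. The router IP and MAC, the attacker IP and MAC, and the victim IP come from the arp -a output on the slide; the victim's MAC and the target fields of the spoofed replies are assumptions, and every frame is constructed rather than captured.

```python
"""ARP spoof detection on raw Ethernet/ARP frames.

Added example, not from the slides or from dsniff. Addresses come from the
slide's 'arp -a' output except VICTIM_MAC, which is assumed; all frames
are constructed in code, none are captured from a network.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Ethernet II frame carrying an Ethernet/IPv4 ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Returns the ARP fields as a dict, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """Learns sender_ip -> sender_mac from every ARP seen and flags changes,
    keeping the first (or statically configured) binding rather than the new one."""

    def __init__(self, static=None):
        self.bindings = dict(static or {})      # trusted entries, e.g. the router
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac} (frame from {arp['eth_src']})")
        if arp["eth_src"] != mac:   # heuristic: crafted frames often disagree with the ARP body
            self.alerts.append(f"frame source {arp['eth_src']} != ARP sender {mac} for {ip}")
        return arp


ROUTER_IP, ROUTER_MAC = "15.1.1.1", "00:04:4e:f2:d8:01"        # slide's first 'arp -a'
ATTACKER_IP, ATTACKER_MAC = "15.1.1.25", "00:10:83:34:29:72"   # dsniff host
VICTIM_IP, VICTIM_MAC = "15.1.1.26", "00:0a:0b:0c:0d:0e"       # victim MAC is assumed


def replay_slide_scenario() -> ArpWatcher:
    """Victim resolves the router normally, then './arpspoof 15.1.1.1' claims 15.1.1.1."""
    watcher = ArpWatcher()
    watcher.observe(build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, ROUTER_IP))
    watcher.observe(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC))
    for _ in range(3):   # broadcast replies, as the slide's arpspoof output shows (targets assumed)
        watcher.observe(build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, ZERO_MAC, "0.0.0.0"))
    return watcher


if __name__ == "__main__":
    w = replay_slide_scenario()
    print(w.bindings)
    print("\n".join(w.alerts))
```

The detector keeps the first binding it saw, so a static entry for the router (passed in as `static`) turns every spoofed reply into an alert; this is the monitoring-side counterpart to the slide's point that the host's own ARP cache will happily accept the overwrite.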

More on Arpspoof

All traffic now flows through the machine running dsniff in a half-duplex manner: only the host-to-router direction is redirected.
Not quite a sniffer but fairly close. Port security doesn't help.
Note that the attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request (more difficult because of the race condition).

ARP Spoof Mitigation: Private VLANs

(Diagram: one subnet carrying a primary VLAN, two community VLANs (Community A, Community B) and an isolated VLAN; community and isolated ports can reach only the promiscuous ports. Only one subnet!)

Consider local proxy ARP as an option for host-to-host communication without broadcasts.

Catalyst CAM Tables

Catalyst switches use a hash to place MAC addresses in the CAM table.

(Diagram: rows 1, 2, 3 ... 16,000, each with 8 columns of entries; a frame whose row is already full is flooded.)

63 bits of source information (MAC, VLAN, misc) create a 17-bit hash value.
  - If the hash value is the same there are 8 columns to place CAM entries; if all 8 are filled the packet is flooded.

MAC Flooding Switches with Dsniff

    [root@sconvery-lnx dsniff-2.3]# ./macof
    101.59.29.36 -> 60.171.137.91 TCP D=55934 S=322 Syn Seq=1210303300 Len=0 Win=512
    145.123.46.9 -> 57.11.96.103 TCP D=44686 S=42409 Syn Seq=1106243396 Len=0 Win=52
    109.40.136.24 -> 51.158.227.98 TCP D=59038 S=21289 Syn Seq=2039821840 Len=0 Win2
    126.121.183.80 -> 151.241.231.59 TCP D=7519 S=34044 Syn Seq=310542747 Len=0 Win2
    211.28.168.72 -> 91.247.223.23 TCP D=62807 S=53618 Syn Seq=2084851907 Len=0 Win2
    183.159.196.56 -> 133.10.138.87 TCP D=23929 S=51034 Syn Seq=1263121444 Len=0 Wi2
    19.113.88.77 -> 16.189.146.61 TCP D=1478 S=56820 Syn Seq=609596358 Len=0 Win=512
    237.162.172.114 -> 51.32.8.36 TCP D=38433 S=31784 Syn Seq=410116516 Len=0 Win2
    118.34.90.6 -> 61.169.58.50 TCP D=42232 S=31424 Syn Seq=1070019027 Len=0 Win=52
    46.205.246.13 -> 72.165.185.7 TCP D=56224 S=34492 Syn Seq=937536798 Len=0 Win=52
    105.109.246.116 -> 252.233.209.72 TCP D=23840 S=45783 Syn Seq=1072699351 Len=0 2
    60.244.56.84 -> 142.93.179.59 TCP D=3453 S=4112 Syn Seq=1964543236 Len=0 Win=512
    151.126.212.86 -> 106.205.161.66 TCP D=12959 S=42911 Syn Seq=1028677526 Len=0 W2
    9.121.248.84 -> 199.35.30.115 TCP D=33377 S=31735 Syn Seq=1395858847 Len=0 Win=2
    226.216.132.20 -> 189.89.89.110 TCP D=26975 S=57485 Syn Seq=1783586857 Len=0 Wi2
    124.54.134.104 -> 235.83.143.109 TCP D=23135 S=55908 Syn Seq=852982595 Len=0 Wi2
    27.54.72.62 -> 207.73.65.108 TCP D=54512 S=25534 Syn Seq=1571701185 Len=0 Win=2
    246.109.199.72 -> 1.131.122.89 TCP D=61311 S=43891 Syn Seq=1443011876 Len=0 Win2
    251.49.6.89 -> 18.168.34.97 TCP D=25959 S=956 Syn Seq=6153014 Len=0 Win=512
    51.105.154.55 -> 225.89.20.119 TCP D=33931 S=1893 Syn Seq=116924142 Len=0 Win=52
    82.2.236.125 -> 210.40.246.122 TCP D=43954 S=49355 Syn Seq=1263650806 Len=0 Win2
    21.221.14.15 -> 9.240.58.59 TCP D=61408 S=26921 Syn Seq=464123137 Len=0 Win=512
    70.63.102.43 -> 69.88.108.26 TCP D=61968 S=53055 Syn Seq=682544782 Len=0 Win=512

CAM Table Full!

Dsniff (macof) can generate 155,000 MAC entries on a switch per minute.
Assuming a perfect hash function the CAM table will total out at 128,000 (16,000 x 8), 131,052 to be exact.
  - Since the hash isn't perfect it actually takes 70 seconds to fill the CAM table.
Once the table is full, traffic without a CAM entry floods on the VLAN.

    CAT6506 (enable) sho cam count dynamic
    Total Matching CAM Entries = 131052

Snoop output on a non-SPAN port:

    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
    10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
    15.1.1.26 -> 15.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424)   OOPS
    15.1.1.25 -> 15.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424)     OOPS
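An added example, not from the slides, of the CAM-table structure described two slides back and the macof run above: a set-associative table with 16,384 rows of 8 columns (2^17 slots, matching the 17-bit hash on the slide), fed 155,000 random source MACs from a single port the way macof does. The hash function is an assumption (blake2b, not the Catalyst hash), as are the port names; the router MAC is reused from the arpspoof slide. It shows the two effects that matter for the attack: an entry already in the table survives the flood, while a station whose row has filled cannot be learned, so frames to it are flooded out every port in the VLAN.

```python
"""Set-associative CAM table model: why macof floods a switch.

Added example, not from the slides. ROWS x WAYS follows the slide's shape
(17-bit hash, 8 columns). The hash (blake2b) and the port names are
assumptions; the router MAC comes from the slide's arpspoof output.
"""
import hashlib
import random

ROWS, WAYS = 1 << 14, 8        # 16,384 rows x 8 columns = 131,072 = 2^17 slots
FLOOD = "FLOOD"


def row_of(mac: str, vlan: int) -> int:
    """Assumed hash: blake2b over MAC and VLAN, reduced to a row index."""
    h = hashlib.blake2b(mac.encode() + vlan.to_bytes(2, "big"), digest_size=4).digest()
    return int.from_bytes(h, "big") % ROWS


class CamTable:
    def __init__(self):
        self.rows = [dict() for _ in range(ROWS)]   # row -> {(mac, vlan): port}
        self.failed_learns = 0

    def learn(self, mac: str, vlan: int, port: str) -> bool:
        """Source learning: True if the entry is in the table afterwards."""
        row = self.rows[row_of(mac, vlan)]
        key = (mac, vlan)
        if key in row:
            row[key] = port           # station seen again or moved: refresh
            return True
        if len(row) >= WAYS:
            self.failed_learns += 1   # all 8 columns taken: entry is not learned
            return False
        row[key] = port
        return True

    def lookup(self, mac: str, vlan: int) -> str:
        """Destination lookup: the egress port, or FLOOD when the entry is absent."""
        return self.rows[row_of(mac, vlan)].get((mac, vlan), FLOOD)

    def count(self) -> int:
        return sum(len(r) for r in self.rows)

    def full_rows(self) -> int:
        return sum(1 for r in self.rows if len(r) >= WAYS)


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof(table: CamTable, frames: int, attacker_port: str, vlan: int = 1, seed: int = 1) -> dict:
    """Random source MACs arriving on one port, as macof sends them; returns learn stats."""
    rng = random.Random(seed)
    for _ in range(frames):
        table.learn(random_mac(rng), vlan, attacker_port)
    return {"entries": table.count(), "full_rows": table.full_rows(), "failed": table.failed_learns}


def demo(frames: int = 155_000):
    """Router learned before the flood keeps its entry; a station that first
    appears after the flood and hashes to a full row can't be learned."""
    table = CamTable()
    table.learn("00:04:4e:f2:d8:01", 1, "3/1")           # router, learned before the attack
    stats = macof(table, frames, attacker_port="3/21")
    rng = random.Random(99)
    newcomer = random_mac(rng)
    while len(table.rows[row_of(newcomer, 1)]) < WAYS:   # pick a MAC whose row is already full
        newcomer = random_mac(rng)
    learned = table.learn(newcomer, 1, "3/5")
    return stats, table.lookup("00:04:4e:f2:d8:01", 1), learned, table.lookup(newcomer, 1)


if __name__ == "__main__":
    stats, router_port, learned, newcomer_port = demo()
    print(stats)
    print("router ->", router_port, "| newcomer learned:", learned, "| newcomer ->", newcomer_port)
```

With 155,000 random sources the table holds well under its 131,072 slots while most rows are already full, which is the slide's point that an imperfect hash makes the fill take longer than the frame count suggests and, at the same time, starts flooding individual rows well before the table is nominally full. Aging out (the slide's `age 10`) turns a learned station into a newcomer, which is why victims' traffic starts appearing on the attacker's port once the flood has been running for a while.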

Port Security: Beware Management and Performance Hit

Lots of options besides just ON/OFF.
1025 MAC entries into the table + 1 per port.
The restrict option will fail under dsniff load and disable the port.

MAC flooding mitigation:

    set port security 3/21 enable age 10 maximum 5 violation restrict

    2001 Jul 03 15:40:32 %SECURITY-1-PORTSHUTDOWN:Port 3/21 shutdown due to no space

Selective Sniffing

Once traffic is flooded through either of the previous two methods, dsniff obtains passwords:

    [root@sconvery-lnx dsniff-2.3]# ./dsniff -c
    dsniff: listening on eth0
    -----------------
    07/17/01 10:09:48 tcp 15.1.1.26.1126 -> wwwin-apps.cisco.com.80 (http)
    GET /SERVICE/Paging/page/ HTTP/1.1
    Host: wwwin-apps.cisco.com
    Authorization: Basic c2Nvdlgh39UNMRH4lejDmaA== [sconvery:mypassword]

Supports more than 30 standardized / proprietary protocols: FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL.

SSL / SSH Interception

Using dnsspoof, all web sites can resolve to the dsniff host IP address:

    C:\>ping www.amazon.com
    Pinging www.amazon.com [15.1.1.25] with 32 bytes of data:
    Reply from 15.1.1.25: bytes=32 time

Using dsniff (webmitm) most SSL sessions can be intercepted and bogus certificate credentials can be presented.

Upon inspection the certificates will look invalid, but they would likely fool most users.

New R & D

Two new ARP features being researched:
  - Secure ARP Discovery (SAD), EDCS-129119 (reverse dsniff mitigation)
  - ARP inspection and filtering through ARP redirection on a switch (dsniff mitigation)

Contact Marco Foschiano with comments / questions.

SEC 212