Cisco Catalyst 2000 Configuration Handbook page 208

Catalyst series lan switching
Switches have MAC address tables that are limited in size. Typically, a network
intruder floods the switch with a large number of frames carrying invalid source Media
Access Control (MAC) addresses until the CAM table fills up. When that occurs, the
switch floods incoming traffic out all ports because it cannot find the port number for a
particular MAC address in the MAC table. A MAC table overflow attack can be mitigated
by configuring port security on the switch. Port security provides a mechanism to specify
the number of MAC addresses allowed on a particular switch port, or the number of MAC
addresses that can be learned by a switch port.

MAC spoofing attacks involve the use of a known MAC address of another host in an
attempt to make the target switch forward frames destined for the remote host to the
network attacker. Use the port security feature to mitigate MAC spoofing attacks: port
security provides the capability to specify the MAC address of the system connected to
a particular port.
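The following Cisco IOS configuration is an added example, not text from the handbook. It shows port security on an access port with an explicit limit on learned addresses, a statically pinned address alongside sticky learning, and a violation mode that keeps the port up while dropping and logging offending frames, followed by the commands used to verify the result. The interface name, VLAN number and MAC address are constructed for illustration, and the exact feature set available depends on the Catalyst model and IOS release.

```cisco
! Added example (constructed values): port security on a user-facing access port
interface GigabitEthernet0/5
 description user workstation (constructed example)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow at most two source MAC addresses on this port (e.g. an IP phone and a PC);
 ! a third address is treated as a violation instead of a new CAM table entry,
 ! which bounds what a MAC flood from this port can put in the table
 switchport port-security maximum 2
 ! Pin the known host address statically; frames from another source MAC
 ! claiming this port are a violation (the MAC spoofing case in the text)
 switchport port-security mac-address 0011.2233.4455
 ! Learn the remaining allowed address dynamically and keep it in the
 ! running-config so it survives link flaps
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count the violation and send a syslog/SNMP
 ! notification, but leave the port up (the default, shutdown, err-disables it)
 switchport port-security violation restrict
!
! Verification from privileged EXEC mode:
! show port-security interface GigabitEthernet0/5
! show port-security address
```

`show port-security interface` reports the configured maximum, the current address count and the violation counter, so a rising counter on a port that should carry one host is the first signal of either a misconfigured host or a spoofing attempt.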
ARP is used to map IP addresses to MAC addresses in a LAN segment where hosts of
the same subnet reside. Normally, a host sends out a broadcast ARP request to find the
MAC address of another host with a particular IP address, and an ARP response comes
from the host whose address matches the request. The requesting host then caches this
ARP response. The ARP protocol also allows hosts to send unsolicited ARP replies. These
unsolicited ARP replies are called Gratuitous ARP (GARP), which can be exploited by an
attacker to spoof the identity of an IP address on a LAN segment. This is typically used
to spoof the identity of one of two hosts, or of a default gateway so that all traffic to and
from it is intercepted, in a "man-in-the-middle" attack.

Dynamic ARP inspection determines the validity of an ARP packet based on the valid
MAC-address-to-IP-address bindings stored in a DHCP snooping database. Additionally,
dynamic ARP inspection can validate ARP packets based on user-configurable access
control lists (ACLs). This allows for the inspection of ARP packets for hosts that use
statically configured IP addresses. Dynamic ARP inspection allows the use of per-port
and VLAN access control lists (PACLs) to limit ARP packets for specific IP addresses to
specific MAC addresses.
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC
addresses. If enough requests are sent, the network attacker can exhaust the address
space available to the DHCP servers for a period of time. The network attacker can then
set up a rogue DHCP server on his system and respond to new DHCP requests from
clients on the network. DHCP snooping can be used to help guard against a DHCP
starvation attack. DHCP snooping is a security feature that filters untrusted DHCP
messages and builds and maintains a DHCP snooping binding table. The binding table
contains information such as the MAC address, IP address, lease time, binding type,
VLAN number, and the interface information that corresponds to the local untrusted
interfaces of a switch.
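The following Cisco IOS configuration is an added example, not text from the handbook, and serves both the dynamic ARP inspection and the DHCP snooping passages above: DHCP snooping is enabled first, because DAI validates ARP packets against the binding table that snooping builds, and an ARP ACL then covers a host with a static address that has no DHCP binding. The VLAN number, interface names, IP address and MAC address are constructed for illustration, and DAI support varies by Catalyst model and IOS feature set.

```cisco
! Added example (constructed values): DHCP snooping with DAI layered on top
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop DHCP packets whose client hardware address (chaddr) does not match the
! frame's source MAC, which is exactly the spoofed-MAC flood of a starvation attack
ip dhcp snooping verify mac-address
! Leave option 82 insertion off unless the upstream relay or server expects it
no ip dhcp snooping information option
!
! Dynamic ARP inspection on the same VLAN: ARP packets on untrusted ports are
! checked against the DHCP snooping bindings before being forwarded
ip arp inspection vlan 10
! Also reject ARP packets with inconsistent Ethernet/ARP addresses or bogus IPs
ip arp inspection validate src-mac dst-mac ip
!
! A statically addressed host has no DHCP binding, so permit its IP/MAC pair
! explicitly; without the "static" keyword on the filter line, packets that do
! not match the ACL are still checked against the DHCP bindings
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface GigabitEthernet0/24
 description uplink toward the DHCP server (constructed example)
 switchport mode trunk
 ! DHCP server replies and ARP from the rest of the network arrive here,
 ! so this port is trusted for both features
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/5
 description user port, untrusted for snooping and DAI (the default)
 switchport mode access
 switchport access vlan 10
 ! Cap incoming ARP on the untrusted port (default 15 packets per second);
 ! exceeding the limit err-disables the port
 ip arp inspection limit rate 15
!
! Verification from privileged EXEC mode:
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

The ordering matters operationally: enabling DAI on a VLAN whose hosts already hold leases, before the snooping binding table has been populated, drops legitimate ARP until the clients renew, so DHCP snooping is normally left running for at least one lease period before DAI is switched on.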
Chapter 11: Controlling Traffic and Switch Access 187
