Contents. Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640


Contents

Topic 1: Analogy
    Analogy: Network Traffic
Topic 2: Module Introduction
Topic 3: Layer 2 and Switch Basics
    Layer 2 Technology: Ethernet
    Layer 2 Switch Operation
Topic 4: Layer 2: MAC Attacks
    MAC Flooding Attacks
    MAC Spoofing Attacks
    Activity
    Mitigating MAC Attacks
Topic 5: Layer 2: Address Resolution Protocol Exploitation
    Address Resolution Protocol
    ARP Spoofing Attacks
    Activity: Try This!
Topic 6: Layer 3: Router Vulnerabilities
    Router Attacks and Vulnerabilities
    Routing Table Modification
    Preventing Routing Table Modification
    Activity: Routing Updates and MD5 Authentication
Topic 7: Summary
Glossary

UMUC 2012 Page 1 of 34

Topic 1: Analogy
Analogy: Network Traffic
Switching and Routing Vulnerabilities, Module 3

Just as we use stop signs and traffic lights to safely guide vehicles along roads and highways, computer networks use their own traffic guidance systems. On a computer network, traffic is handled using routers and switches that ensure the secure and efficient exchange of data. Consider an analogy comparing vehicle traffic with data traffic.

Managing Network Traffic

Slide 1
Imagine you are driving and you come to an intersection with four stop signs. It takes a while to cross because everyone has to take turns, and there can be confusion. Now imagine what the traffic would be like if there were an overpass, where one of the roads went over the other. That way, no one would have to stop. This model of an overpass is a simplified way to think of a switch.

Slide 2
A switch does the same thing as a hub and a bridge, but more effectively. A switch lets you add computers to your network and makes virtual connections between computers that need to "talk" to each other. As soon as the computers have finished talking to each other, the virtual connection is broken. Breaking the connection right away eliminates collisions in network traffic. The only shortcoming of a switch is that it will not keep a broadcast from tying up the communication lines. When one computer needs to find the address of another computer, it sends out a broadcast over the whole network to find the address. Each computer in the network receives the broadcast and looks to see if it is the intended recipient. The broadcast can occupy the network because none of the other computers can send a message while it is taking place. Routers solve this problem.

Slide 3
Routers do everything that a switch does, but they use a different method to address the packets of information: they use IP addresses. A router acts like a post office. It decides the best route that a packet can take to get to different networks. A router can divide your network into different subnetworks and contain a broadcast within a smaller area so that the whole network does not need to receive the broadcast. The router keeps your resources from being tied up with unnecessary network traffic jams. This process is like taking a city, that is, your network, and dividing it into neighborhoods. When the residents in one locality want to publicize a neighborhood watch meeting, they can tell the post office to mail fliers only within that neighborhood so the post office does not waste resources sending notices to distant areas. A router can perform exactly this type of role, if it is so programmed.

Topic 2: Module Introduction

In the TCP/IP model, the higher layers, such as the application layer, TCP layer, and IP layer, are all based on the Layer 2 (data link layer) technologies. This module provides a background on Layer 2 technologies, such as Ethernet, followed by a look at the operation of Layer 2 switches. The module also discusses Media Access Control (MAC) attacks and their mitigation, exploitation of the Address Resolution Protocol (ARP), and router (Layer 3) vulnerabilities.

Topic 3: Layer 2 and Switch Basics
Layer 2 Technology: Ethernet

Ethernet is a group of Layer 2 protocols for local area networks (LANs). Ethernet is the most predominant LAN standard. Most often, the term Ethernet is used to signify IEEE

Introduction
The network interface card (NIC) of a host PC, printer, or server is connected to a Layer 2 device, such as a switch or hub. The IEEE protocol specifies how a message is framed and transmitted on the Layer 1 wire by the NIC. Like all other hardware in the network, the NIC has a unique address called a Media Access Control (MAC) address. MAC addresses are 48-bit-long unique identifiers written into hardware devices by their manufacturers. These addresses are expressed as 12 hexadecimal digits and are used by most Layer 2 technologies, including Ethernet. An example of a MAC address is 5C-26-0A A. A user can find the MAC address of a PC by entering the command ipconfig /all in the Windows command prompt.

The Ethernet Frame
The Ethernet frame is used to transmit data from a source to a destination and ranges from 72 to 1,518 bytes in length.

Destination/Source MAC Addresses
The Destination/Source MAC Addresses field specifies the MAC addresses of the source and destination hosts. For instance, consider a network with a Host A PC and a Host B PC. The MAC addresses of Host A and Host B are A and 5A A, respectively. If Host A sends a frame to Host B, the source MAC address in the frame becomes A, Host A's MAC address. The destination MAC address becomes 5A A, Host B's MAC address. A switch routes this frame based on the source and destination MAC addresses.

Type
The Type field indicates the Layer 3 protocol carried in the Data field. For instance:
- If the Type field contains the value 0x0800, the Data field contains an IP packet.
- If the Type field contains the value 0x0806, the Data field contains an Address Resolution Protocol (ARP) message.

Topic 3: Layer 2 and Switch Basics
Layer 2 Switch Operation

Layer 2 devices, such as switches, route an Ethernet frame based on the source and destination MAC addresses. A switch relies on a forwarding table to forward a frame to a destination MAC address, just as a router uses a routing table to forward an IP packet to a destination IP address. The forwarding table is called a MAC address table or a content addressable memory (CAM) table. This module uses the term MAC table to refer to the CAM table.

Initially, the MAC table of a switch is empty; the switch does not know the MAC address of a PC, printer, or any other attached device. Consider the following example: a LAN consists of Host A with a MAC address of AAAA, Host B with a MAC address of BBBB, Host C with a MAC address of CCCC, and a switch. Note that in the real world, MAC addresses are 48 bits long; the addresses used here are shortened to simplify the example. Hosts A, B, and C are connected to the first, second, and third Ethernet ports, Fa0/1, Fa0/2, and Fa0/3, respectively. Assume that the switch's MAC table can hold only two entries. In reality, MAC tables have much larger capacities.

Example

Step 1
Initially, the MAC table is empty. A frame originating from Host A arrives at the first Ethernet port on the switch (Fa0/1). Host A wants to communicate with a host whose MAC address is BBBB, the destination address in the frame. The switch inspects the source MAC address to determine whether there is already an existing entry in the table. Since the MAC table is empty, a new entry is made that records the source MAC address and the port number. By recording these details in the MAC table, the switch knows where to send a frame whose destination is that source MAC address.

Step 2
Since the switch does not know where the destination MAC address BBBB is, it simply floods the frame on all active ports. In other words, the switch sends a copy of the frame to every port in the LAN, hoping that the frame will reach the destination host. In this example, the switch floods the frame on Fa0/2 and Fa0/3. This process is known as unknown unicast flooding.

Step 3
When Host B, the intended recipient of the frame, receives the frame, it replies with a response frame. In this frame, note that the source and destination MAC addresses are reversed compared to the original frame that Host A sent. When the switch receives this frame, it tries once again to search for a match in its MAC table. Since there is no match, a new entry is added to the MAC table, recording the MAC address BBBB and the port Fa0/2. In this example, since the MAC table can hold only two entries, it is now at capacity.

Step 4
Once the MAC table is full, Host A sends a frame whose source address is AAAA and destination address is BBBB. The switch receives the frame and inspects the destination MAC address to check for a corresponding entry in the MAC table. Since the second entry is a match, the switch forwards the frame to port Fa0/2 (Host B).

Topic 4: Layer 2: MAC Attacks
MAC Flooding Attacks

What Is a MAC Flooding Attack?
When a switch's MAC table becomes full, the switch begins to flood frames on all active ports. Once the switch is flooding all active ports, any host on the same LAN can intercept any frame regardless of its destination MAC address. In a flooding attack, an attacker tries to create a permanently full MAC table that will force the switch to flood (broadcast) all traffic on all active ports. The attack is launched from one of the ports on a LAN, so all communication taking place on that LAN is visible to the attacker. This visibility enables the attacker to monitor all frames passed through the switch and to obtain useful, sensitive information, including the data in the frame, the MAC address, and the IP address of the victim host.

Example: MAC Flooding Attack

Step 1
The attacker generates a continuous stream of frames with random source and destination MAC addresses using tools such as MACOF, Ettercap, or Yersinia. Since the MAC table of the switch has limited storage, it eventually runs out of space and cannot add new entries.

Step 2
The victim host tries to communicate with another host.

Step 3
Since there is no corresponding MAC table entry for the destination host, every frame sent by the victim host is flooded to all ports. The attacker can see all the traffic sent from the victim host.

Topic 4: Layer 2: MAC Attacks
MAC Spoofing Attacks

What Is a MAC Spoofing Attack?
In a MAC spoofing attack, the attacker first identifies the MAC address of a victim host by launching a MAC flooding attack on a LAN. The attacker then generates a fake frame by entering the victim's MAC address in the source field of the fake frame. The switch receives the fake frame from the attacker's host and updates its MAC table accordingly.

Example: MAC Spoofing Attack

Step 1
The attacker's host performs a MAC flooding attack and obtains useful information about its neighboring hosts, such as MAC and IP addresses. The attacker crafts a frame with the source MAC address BBBB, the MAC address of Host B.

Step 2
Upon receiving the attacker's frame, the switch updates its MAC table with the MAC address BBBB and the interface on which the frame arrived, Fa0/3, which is the attacker's port.

Step 3
The victim sends a frame with a destination MAC address of BBBB. The switch finds a match in the MAC table and forwards the frame to the attacker's host rather than to the intended host, Host B.

Topic 4: Layer 2: MAC Attacks
Activity

You will now be presented with a few questions based on Layer 2 and MAC attacks.

Question 1: On what basis do Layer 2 devices such as switches route Ethernet frames?
a. Layer 2 devices route Ethernet frames based on IP addresses.
b. Layer 2 devices route Ethernet frames based on MAC addresses.
c. Layer 2 devices route Ethernet frames based on the IP address table.

Correct answer: Option b

Feedback: Layer 2 devices such as switches route Ethernet frames based on the source and destination MAC addresses. A switch relies on a MAC table to forward a frame to a destination MAC address, just as a router uses a routing table to forward an IP packet to a destination IP address.

Question 2: Which of the following scenarios describes unknown unicast flooding?
a. A switch flooding an Ethernet frame on all active ports when it cannot locate a source MAC address
b. A switch attempting to make additional entries in a MAC table that is at capacity
c. A switch flooding an Ethernet frame on all active ports when it cannot locate a destination MAC address
d. Ethernet frames being sent without a destination MAC address

Correct answer: Option c

Feedback: In unknown unicast flooding, when a switch cannot locate a particular destination MAC address, it simply floods the Ethernet frame on all active ports, hoping that the frame will reach the destination host.

Question 3: Which of the following statements describes a MAC flooding attack?
a. An attacker tries to create a permanently full MAC table that will force a switch to flood traffic on all active ports.
b. An attacker attempts to inject fake or misleading MAC addresses into a MAC table.
c. An attacker generates a fake frame by entering the victim's MAC address in the source field of the fake frame.

Correct answer: Option a

Feedback: In a MAC flooding attack, an attacker tries to create a permanently full MAC table that forces the switch to flood all traffic on all active ports. The attack is launched from one of the ports on a LAN, so all communication taking place on that LAN is visible to the attacker. This visibility enables the attacker to monitor all frames passed through the switch and obtain useful information.

Topic 4: Layer 2: MAC Attacks
Mitigating MAC Attacks

Some common ways to prevent or mitigate MAC flooding and spoofing attacks include implementing measures such as port security and unicast flood protection.

Port Security
Port security ties a given MAC address to a port by preventing any MAC addresses other than the preconfigured ones from showing up on a secure port. Upon detection of an invalid MAC address, the switch can be configured to block only the offending MAC or to simply shut down the port. For instance, on a Cisco switch, you can assign a secure MAC address to a secure port with the interface configuration command:

(config-if) switchport port-security mac-address 001E.1345.AE32

If an attacker's machine sends a frame with a source MAC address other than 001E.1345.AE32 to the securely configured port, the switch blocks the frame or shuts down the port. Port security prevents MAC flooding and spoofing attacks.

Unicast Flood Protection
A switch floods an incoming frame on all active ports if it cannot find a corresponding entry in the MAC table or if the MAC table is full. The unicast flood protection feature allows a system administrator to set a limit on the number of unicast floods. When flood protection detects unknown unicast floods exceeding the predefined limit, it sends an alert and shuts down the port that is generating the floods.
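The switch behaviour from Layer 2 Switch Operation (learning, unknown unicast flooding, a table at capacity) together with the two mitigations above, as an added toy model that is not part of the course material. The port names, MACs and two-entry table follow the module's example; the port-security and flood-limit logic is an assumed model of those features, not any vendor's implementation.

```python
"""Toy model of a Layer 2 switch: MAC (CAM) table with a tiny capacity,
unknown unicast flooding, port security and unicast flood protection.
Added example, not part of the course material. Ports Fa0/1-Fa0/3, MACs
AAAA/BBBB/CCCC and the two-entry table follow the module's example; the
port-security and flood-limit logic is an assumed model, not vendor code."""
from collections import OrderedDict

BROADCAST = "FFFF"


class Switch:
    def __init__(self, ports, capacity=2, flood_limit=None):
        self.ports = list(ports)
        self.capacity = capacity          # MAC table size (tiny, for the example)
        self.mac_table = OrderedDict()    # source MAC -> ingress port
        self.secure = {}                  # port -> the one MAC allowed on it
        self.flood_limit = flood_limit    # max unknown-unicast floods per port
        self.flood_count = {p: 0 for p in self.ports}
        self.shutdown = set()
        self.alerts = []

    def enable_port_security(self, port, mac):
        """Tie one MAC to a port (cf. 'switchport port-security mac-address')."""
        self.secure[port] = mac

    def learn(self, mac, port):
        """Record or refresh the source MAC; a full table learns nothing new."""
        if mac in self.mac_table or len(self.mac_table) < self.capacity:
            self.mac_table[mac] = port

    def forward(self, src, dst, ingress):
        """Return the egress ports for one frame, or [] if the frame is dropped."""
        if ingress in self.shutdown:
            return []
        # Port security: a source MAC other than the configured one is a
        # violation; this model shuts the port down.
        if ingress in self.secure and self.secure[ingress] != src:
            self.shutdown.add(ingress)
            self.alerts.append(f"port-security violation on {ingress}: {src}")
            return []
        self.learn(src, ingress)
        if dst != BROADCAST and dst in self.mac_table:
            return [self.mac_table[dst]]  # known unicast: exactly one port
        # Unknown destination (e.g. the table was full when it last spoke).
        if dst != BROADCAST:
            self.flood_count[ingress] += 1
            if self.flood_limit is not None and self.flood_count[ingress] > self.flood_limit:
                self.shutdown.add(ingress)
                self.alerts.append(f"unicast flood limit exceeded on {ingress}")
                return []
        return [p for p in self.ports if p != ingress and p not in self.shutdown]


def walkthrough():
    """Steps 1-4 of the module: learn AAAA, flood, learn BBBB, then a table hit."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    out1 = sw.forward("AAAA", "BBBB", "Fa0/1")  # flooded to Fa0/2 and Fa0/3
    out2 = sw.forward("BBBB", "AAAA", "Fa0/2")  # reply: AAAA known -> Fa0/1
    out3 = sw.forward("AAAA", "BBBB", "Fa0/1")  # table hit -> Fa0/2 only
    return out1, out2, out3, dict(sw.mac_table)


def full_table_floods():
    """Two junk entries from Fa0/3 fill the table, so AAAA is never learned and
    BBBB stays unknown: A's frame to B is flooded, including to Fa0/3."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    for junk in ("1111", "2222"):
        sw.forward(junk, "9999", "Fa0/3")
    return sw.forward("AAAA", "BBBB", "Fa0/1")


def spoofed_source_redirects():
    """Without port security, a frame from Fa0/3 with source BBBB moves the
    BBBB entry to Fa0/3, so A's next frame to B is delivered there."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    sw.forward("AAAA", "BBBB", "Fa0/1")
    sw.forward("BBBB", "AAAA", "Fa0/2")
    sw.forward("BBBB", "AAAA", "Fa0/3")         # spoofed source MAC
    return sw.forward("AAAA", "BBBB", "Fa0/1")


def port_security_blocks_spoof():
    """Same spoofed frame, but Fa0/3 is secured for CCCC: dropped, port down."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    sw.enable_port_security("Fa0/3", "CCCC")
    dropped = sw.forward("BBBB", "AAAA", "Fa0/3")
    return dropped, "Fa0/3" in sw.shutdown, sw.alerts


def flood_protection_shuts_port():
    """Flood limit of 2 per port: the third unknown-unicast flood from Fa0/3
    raises an alert and shuts the port; later frames from it are dropped."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], flood_limit=2)
    results = [sw.forward(f"{i:04X}", "9999", "Fa0/3") for i in range(4)]
    return results, "Fa0/3" in sw.shutdown, sw.alerts
```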

Topic 5: Layer 2: Address Resolution Protocol Exploitation
Address Resolution Protocol

Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when the IP address of the host is known.

How Does ARP Work?
Consider an example to see how ARP works. Assume that Host A, with the IP address /24, needs to send a frame to a destination host with the IP address /24. To send the frame, Host A needs to know the MAC address of the destination host. By comparing its own IP address with the destination host's IP address, Host A knows that the destination host is part of the same LAN as itself. Host A sends an Ethernet broadcast frame. Note that the standard address for Ethernet broadcasts is FFFF.FFFF.FFFF. Upon receiving the broadcast frame, the switch floods the frame on all ports in the LAN, and all the hosts in the LAN receive this broadcast frame. This broadcast frame is known as an ARP request. Host B and Host C receive the ARP request from Host A. Host C sends a solicited ARP reply to Host A. The ARP reply contains Host C's MAC address and IP address. Upon receiving the ARP reply, Host A knows the MAC address of the host whose corresponding IP address is

What Is Gratuitous ARP?
Consider an example to understand Gratuitous ARP. Sending a Gratuitous ARP means sending an ARP reply when no ARP request has been made. Host C sends an unsolicited ARP reply to the broadcast address FFFF.FFFF.FFFF to tell its neighboring hosts in the LAN that its MAC address is CCCC.

Topic 5: Layer 2: Address Resolution Protocol Exploitation
ARP Spoofing Attacks

An ARP spoofing attack, also known as ARP poisoning, enables an attacker to sniff out all IP packets sent to the target host. Consider an example of how an ARP spoofing attack is carried out.

Step 1
The attack is initiated by a host with the IP address
The attacker's host machine sends a fake Gratuitous ARP to Host A. The fake Gratuitous ARP tells Host A that is tied to the MAC address BBBB. Note that is actually tied to Host C, not the attacker. Upon receiving the Gratuitous ARP, Host A adds a new entry to its ARP table, correlating the MAC address BBBB with the IP address

Step 2
As seen with the frame sent by Host A, all the IP packets intended for Host C are sent to the attacker's MAC address. This is because Host A believes that Host C's MAC address is BBBB, which is actually the attacker's MAC address.

Step 3
As soon as the attacker receives the packet from Host A, it masquerades as Host C by sending an acknowledgment packet back to Host A.

Step 4
The attacker forwards the packet originally sent by Host A to Host C. Host C believes that this packet is from Host A. The attacker has achieved its goal, which is to intercept and read, or sniff, the packet originating from Host A.
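The Ethernet Type field, the ARP message layout and the spoofing scenario above, as an added example that is not part of the course: a frame parser plus the host-side checks (unsolicited or gratuitous reply, IP-to-MAC conflict with an entry the host already holds) that would flag the fake Gratuitous ARP of Step 1. All MACs, IP addresses and frames are constructed for the example.

```python
"""Parse Ethernet II frames, decode the ARP message carried when the Type
field is 0x0806, and flag ARP replies that contradict what a host already
knows. Added example, not part of the course material; the MACs, IPs and
frames below are constructed for the example."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")   # FFFF.FFFF.FFFF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return (dst MAC, src MAC, Type, Data) of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]


def parse_arp(data):
    """Decode the 28-byte Ethernet/IPv4 ARP message in the Data field."""
    if len(data) < 28:
        raise ValueError("ARP message shorter than 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", data[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IP, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


def build_arp_frame(op, sha, spa, tha, tpa, eth_dst=None):
    """Build a frame for the sample input below (Ethernet header + ARP body)."""
    header = struct.pack("!6s6sH", eth_dst or tha, sha, ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, op, sha,
                       IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return header + body


def check_arp_reply(frame, known, pending):
    """Host-side checks on one received frame. known: IP -> MAC the host has
    already learned; pending: IPs it has outstanding ARP requests for.
    Returns a list of findings (empty means nothing suspicious)."""
    eth_dst, eth_src, etype, data = parse_ethernet(frame)
    if etype != ETHERTYPE_ARP:
        return []
    arp = parse_arp(data)
    if arp["op"] != "reply":
        return []
    findings = []
    if eth_dst == mac_str(BROADCAST):
        findings.append(f"gratuitous ARP: {arp['sender_ip']} is {arp['sender_mac']}")
    elif arp["sender_ip"] not in pending:
        findings.append(f"unsolicited ARP reply for {arp['sender_ip']}")
    expected = known.get(arp["sender_ip"])
    if expected is not None and expected != arp["sender_mac"]:
        findings.append(f"{arp['sender_ip']} was {expected}, now claimed by {arp['sender_mac']}")
    if arp["sender_mac"] != eth_src:
        findings.append("ARP sender MAC differs from the Ethernet source MAC")
    return findings


# Constructed sample addresses: Host A, the attacker's host (B) and Host C.
MAC_A = bytes.fromhex("02aaaaaaaaaa")
MAC_B = bytes.fromhex("02bbbbbbbbbb")
MAC_C = bytes.fromhex("02cccccccccc")
IP_A, IP_C = "192.0.2.10", "192.0.2.30"
KNOWN_BY_A = {IP_C: mac_str(MAC_C)}   # what Host A learned from an earlier reply


def demo():
    """A solicited reply from C passes; a Gratuitous ARP from B claiming C's IP
    is flagged twice (unsolicited broadcast reply, and IP-to-MAC conflict)."""
    honest = build_arp_frame(2, MAC_C, IP_C, MAC_A, IP_A)
    poison = build_arp_frame(2, MAC_B, IP_C, MAC_A, IP_A, eth_dst=BROADCAST)
    return check_arp_reply(honest, KNOWN_BY_A, {IP_C}), check_arp_reply(poison, KNOWN_BY_A, set())
```

The same IP-to-MAC conflict check is what ARP monitoring tools run on a mirrored port, and a static ARP entry for the gateway on critical hosts removes the learning step the attack relies on.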

Topic 5: Layer 2: Address Resolution Protocol Exploitation
Activity: Try This!

Consider an example of a network with an attacker and two hosts, as shown here in Diagram A and Diagram B. After the attacker's host sends a fake Gratuitous ARP to Host A in Diagram A, and Step 1 and Step 2 are completed in Diagram B, which of the following options correctly reflects the values in the switch's MAC table? Assume that the MAC table is initially empty.

Diagram A
Diagram B

a.
    MAC Address   Interface
    1. AAAA       Fa0/1
    2. BBBB       Fa0/2

b.
    MAC Address   Interface
    1. BBBB       Fa0/2
    2. AAAA       Fa0/1

c.
    MAC Address   Interface
    1. BBBB       Fa0/2
    2. CCCC       Fa0/3

Correct answer: Option b

Feedback: The source MAC address of the Gratuitous ARP frame sent to Host A is BBBB. This frame originates from the attacker's host and arrives at switch port Fa0/2. Therefore, the first line in the MAC table is filled with BBBB as the MAC address and Fa0/2 as the interface. When Host A sends an IP packet intended for Host C (Step 1 in Diagram B), the source MAC address of the frame is AAAA and that frame arrives at switch port Fa0/1. As a result, the second line of the MAC table contains AAAA as the MAC address and Fa0/1 as the interface.

Topic 6: Layer 3: Router Vulnerabilities
Router Attacks and Vulnerabilities

A router is a network device that routes IP packets across computer networks. Since a router deals with IP packets, it is a Layer 3 device. When a packet arrives at a router, the router inspects the IP header of the packet. Based on the destination and source IP addresses, the router decides to which network device it will forward the packet. Routers are prone to various types of attacks.

Routing Table Modification
Routing table modification, also known as a rerouting attack, is a common vulnerability unique to routers. This attack involves manipulating router updates to route traffic to unwanted destinations.

Other Common Attacks
Other common router attacks include:
- Accessing and exploiting vulnerabilities: An attacker may exploit known vulnerabilities in running services such as Hypertext Transfer Protocol (HTTP), Domain Name System (DNS), and Dynamic Host Configuration Protocol (DHCP), or gain access through brute-force password guessing. An attacker may also attempt to exploit known vulnerabilities in the router's operating software or protocols.
- Launching denial of service (DoS) attacks: An attacker may perform various types of DoS attacks.

Topic 6: Layer 3: Router Vulnerabilities
Routing Table Modification

Routers exchange information with each other to build their own routing tables. Attackers use this exchange of information as an opportunity to destabilize or damage networks.

Introduction
Dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) determine the path of a packet through a network without the path having to be configured manually. Routers build routing tables by exchanging routing information with each other. When a packet arrives at a router, the router forwards it based on this table. Attackers try to inject bogus entries into routing tables in an attempt to compromise network stability. If a routing table is inaccurate, packets could end up being dropped as they are routed to invalid destinations. This significantly decreases the stability of the network.

Example: Routing Table Modification
As seen in this diagram, if a router uses the RIP version 1 routing protocol, which does not implement authentication, or is not correctly configured, an attacker can send false routing update packets to contaminate the routing table. Without security measures in place, routers send routing updates in clear text. This enables an attacker to masquerade as a trusted neighbor, send a bogus routing update, and pollute the routing table.

Topic 6: Layer 3: Router Vulnerabilities
Preventing Routing Table Modification

Introduction
Network administrators can use routing protocols with authentication to prevent attacks based on unauthorized routing changes. Authenticated router updates ensure that the update messages come from a legitimate source. The most commonly used form of authentication for routing protocol updates is MD5 authentication. This method is used to detect any unauthorized or false routing messages from unknown sources. All dynamic routing protocols except RIP version 1 implement MD5 authentication.

Step 1
Router A uses its routing update along with the preshared key as the input to the hash function. The hash function produces a keyed hash.

Step 2
Router A sends Router B a packet containing the keyed hash along with the routing update. Note that the routing update itself is clear text.

Step 3
Router B uses the routing update received from Router A, together with the preshared key, as the input to the hash function and obtains its own keyed hash.

Step 4
Router B compares the keyed hash it generated over the routing update with the keyed hash received from Router A. If the two hash values match, Router B knows two things for certain:
- The routing update originated from Router A (authentication).
- The routing update has not been modified in transit (integrity).
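The four-step keyed-hash exchange above, as an added example that is not part of the course. It models the module's description (MD5 over the clear-text update plus the preshared key) rather than the exact RIPv2 authentication trailer layout of RFC 2082, and the key and route prefix are constructed for the example.

```python
"""Model of the keyed-hash exchange between Router A and Router B.
Added example, not course code. It follows the module's description (hash
over the clear-text update plus the preshared key); it is NOT the RIPv2 wire
format of RFC 2082. The key and the route prefix are constructed."""
import hashlib
import hmac

PRESHARED_KEY = b"example-preshared-key"   # constructed; held by both routers


def keyed_hash(update: bytes, key: bytes) -> bytes:
    """Step 1: feed the update and the preshared key to the hash function."""
    return hashlib.md5(update + key).digest()


def router_a_send(update: bytes, key: bytes = PRESHARED_KEY) -> dict:
    """Step 2: the packet carries the clear-text update and the keyed hash."""
    return {"update": update, "digest": keyed_hash(update, key)}


def router_b_verify(packet: dict, key: bytes = PRESHARED_KEY) -> bool:
    """Steps 3-4: recompute the keyed hash over the received update with the
    local copy of the key and compare it (in constant time) with the digest
    that arrived in the packet."""
    expected = keyed_hash(packet["update"], key)
    return hmac.compare_digest(expected, packet["digest"])


def demo():
    """Genuine update accepted; an update edited in transit and an update
    signed with a guessed key are both rejected by Router B."""
    update = b"RIPv2 response: 198.51.100.0/24 metric 1"   # constructed route
    genuine = router_a_send(update)
    # Editing the clear-text update without knowing the key leaves the
    # digest stale, so the integrity check fails.
    tampered = dict(genuine, update=b"RIPv2 response: 198.51.100.0/24 metric 16")
    # A forged update hashed with the wrong key fails the authentication check.
    forged = router_a_send(update, key=b"wrong-key")
    return router_b_verify(genuine), router_b_verify(tampered), router_b_verify(forged)
```

Both checks rest entirely on the secrecy and strength of the preshared key: anyone who obtains or guesses it can produce a digest Router B will accept.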

Topic 6: Layer 3: Router Vulnerabilities
Activity: Routing Updates and MD5 Authentication

Introduction
Consider an example of a network that contains two routers: Router A and Router B. Both routers are running the dynamic routing protocol RIP version 2.

Network Path Analysis
The diagram shows the routing table of Router B. As seen in the diagram, the dynamic routing protocol RIP version 2 is currently running on both routers. RIP version 2 is an enhanced version of the RIP version 1 routing protocol. As is the case with any dynamic routing protocol, a router needs to send and receive routing updates to and from its neighboring routers to build a routing table.

Routing Table Analysis
A routing table contains multiple rows. Each row contains at least two fields: a destination address, and either the name of the interface where the IP packet should be routed or the IP address of another router that will carry the IP packet on its next step through the network. For example, consider the routing table of Router B. We can interpret the line starting with R in the routing table as: to reach the destination network , which is a network behind Router A, a packet must be forwarded to the interface of Router A.

To build a routing table, routers must exchange their routing information with their neighboring routers. In this example, Router A has only one network, /24, attached to itself. Therefore, when Router A sends its routing update to Router B, this network address, /24, must be included in the update payload. In addition, when RIP version 2 is configured to support MD5 authentication, a keyed hash (also called a keyed message digest) is included in Router A's routing update, along with the routing update payload, which is clear text.

Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the developer of Cain & Abel.

Workspace

Screenshot A
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Screenshot B
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.

Question 1: Which of these screenshots shows an MD5 authenticated routing update sent by Router A?
a. Screenshot A
b. Screenshot B

Correct answer: Option b

Feedback: The routing update in Screenshot B has an Authentication: Keyed Message Digest field. This clearly indicates that this update is sent by Router A, which supports MD5 authentication.

Question 2: The keyed hash or message digest value used in the routing update is 54 ee c9 71 a1 dbea 33 ba fb 2b af 20 8a.
a. True
b. False

Correct answer: Option a

Feedback: The keyed hash or message digest value used in the routing update is 54 ee c9 71 a1 dbea 33 ba fb 2b af 20 8a. In Screenshot B, you can see the Authentication: Keyed Message Digest field. In this authentication field, you can easily observe a long numerical hash value, 54 ee c9 71 a1 dbea 33 ba fb 2b af 20 8a. This hash value is included in the Authentication Data Trailer field within the Authentication: Keyed Message Digest field.

Review

Step 1
Once again, consider the example of Router A and Router B, both of which are running RIP version 2. A keyed MD5 hash can also be cracked easily if a system administrator uses a simple password or preshared key to generate the keyed hash. To illustrate the point, assume that the password "flower" was used when configuring routers A and B for MD5 authentication. Also, assume that a packet sniffer, Cain & Abel, is being used to sniff out a routing update originating from Router A.

Step 2
In sniffing mode, Cain & Abel sniffs routing updates and produces an output as shown in this screenshot. The fields shown include Router, Version, Auth Type, and Last Hash. The Router field contains two IP addresses, and , which belong to routers A and B respectively, as shown previously in the network diagram. A value of 2 in the Version field indicates that RIP version 2 is running on both routers. The value MD5 in the Auth Type field indicates that MD5 authentication is being used for keyed hashing. Finally, the Last Hash field shows the actual hash value being used.

Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the developer of Cain & Abel.

Step 3
Cain & Abel is first used in sniffing mode and then as a password-cracking tool. Applying a dictionary attack, the intruder can easily identify the password "flower".

Reference: Cain & Abel product screenshot reprinted with permission from Massimiliano Montoro, the developer of Cain & Abel.

Further Challenges
Measure the performance degradation or average delay time caused by the MD5 authenticated routing update with respect to the EIGRP, RIP version 2, and OSPF routing protocols. Which routing protocol will suffer most from the performance degradation as the number of routers participating in routing updates increases?

Topic 7: Summary

We have come to the end of Module 3. The key concepts covered in this module are listed below.
- Ethernet is a group of Layer 2 protocols for local area networks (LANs). IEEE Ethernet is the most predominant LAN standard.
- Layer 3 devices, such as routers, route packets based on the source and destination IP addresses. Layer 2 devices, such as switches, route an Ethernet frame based on the source and destination MAC addresses.
- In a MAC flooding attack, the attacker creates a permanently full MAC table that forces the switch to flood all traffic on all active ports.
- For a MAC spoofing attack, the attacker first needs to find the MAC address of a victim host by launching a MAC flooding attack on a LAN. The attacker can then generate a fake frame by putting the victim's MAC address in the source field of the fake frame. The switch receives the fake frame from the attacker's host and updates its MAC table accordingly.
- Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host, given that its IP address is known.
- The goal of an ARP spoofing attack is to enable the attacker to sniff out all IP packets sent to the target host.
- A router routes IP packets across computer networks. Routing table modification, also known as a rerouting attack, is a common vulnerability unique to routers. This attack involves manipulating router updates to route traffic to unwanted destinations.
- The most commonly used form of authentication for routing protocol updates is MD5 authentication. This form of authentication is used to detect any unauthorized or false routing messages from unknown sources. All dynamic routing protocols except RIP version 1 implement MD5 authentication.

Glossary

Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a protocol used to find the MAC address of a host when the IP address of the host is known.

ARP Spoofing Attack
An ARP spoofing attack is also known as ARP poisoning. The goal of such an attack is to enable the attacker to sniff out all IP packets sent to the target host.

Content Addressable Memory (CAM) Table
A switch relies on a forwarding table to forward a frame to a destination MAC address. The forwarding table is called a MAC address table or a content addressable memory (CAM) table.

Denial of Service (DoS)
DoS attacks flood a target site with large volumes of traffic using zombie servers. This flood of traffic consumes all of the target site's network or system resources and denies access to legitimate users.

Dynamic Host Configuration Protocol (DHCP)
DHCP enables servers to distribute Internet Protocol (IP) addresses and configuration data to clients in a network.

Domain Name System (DNS)
The DNS translates Internet domain names such as into Internet Protocol (IP) addresses.

Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP is an interior gateway protocol that enables efficient exchange of routing updates between routers.

Ethernet
Ethernet is a group of Layer 2 protocols for local area networks (LANs). IEEE Ethernet is the most predominant LAN standard. Usually, the term Ethernet is used to signify IEEE

Ettercap
Ettercap is a network tool for carrying out man-in-the-middle attacks on a LAN.

Hypertext Transfer Protocol (HTTP)
HTTP transmits Web pages to clients.

Media Access Control (MAC) Address
A network interface card (NIC) has a unique address called a Media Access Control (MAC) address. MAC addresses are 48-bit-long unique identifiers written into hardware devices by their manufacturers. These addresses are expressed as 12 hexadecimal digits and are used by most Layer 2 technologies, including Ethernet.

MAC Flooding Attack
In a MAC flooding attack, the attacker creates a permanently full MAC table that forces the switch to flood all traffic on all active ports.

MACOF
MACOF is a tool that can generate random MAC addresses to overload the switch of a network and access data passing through the switch.

34 Term MAC Spoofing Attack MD5 Authentication Network Interface Card (NIC) Open Shortest Path First (OSPF) Port Security Routing Information Protocol (RIP) Routing Table Modification Definition In a MAC spoofing attack, the attacker first finds the MAC address of a victim host by launching a MAC flooding attack on a LAN. The attacker can then generate a fake frame by putting the victim s MAC address in the source field of the fake frame. The switch receives the fake frame from the attacker s host and updates its MAC table accordingly. The most commonly used form of authentication for routing protocol updates is MD5 authentication. This form of authentication is used to detect any unauthorized or false routing messages from unknown sources. All dynamic routing protocols except RIP version 1 implement MD5 authentication. A network interface card is a piece of hardware that is used to connect a computer to a network. OSPF is a dynamic routing protocol that enables routers to share routes with other routers. Port security ties a given MAC address to a port by preventing any MAC addresses other than the preconfigured ones from showing up on a secure port. RIP is a dynamic routing protocol used by local area homogenous networks to ensure that all hosts in the network share the same routing path data. Routing table modification, also known as a rerouting attack, is a common vulnerability unique to routers. This attack involves manipulating router updates to route traffic to unwanted destinations. Unicast Flood Protection The unicast flood protection feature allows a system administrator to set a limit on the number of unicast floods. When flood protection detects unknown unicast floods exceeding the predefined limit, it sends an alert and shuts down the port that is generating the floods. Yersinia Yersinia is a network tool designed to exploit weaknesses in LAN-based network protocols. UMUC 2012 Page 34 of 34


More information

IPv6 Security Analysis

IPv6 Security Analysis CENTER FOR CONVERGENCE AND EMERGING NETWORK TECHNOLOGIES CCENT School of Information Studies Syracuse University IPv6 Security Analysis TECHNICAL REPORT: T.R. 2014-002 Authored by: Jose Gonzalo Bejar (revised

More information

Enumerating and Breaking VoIP

Enumerating and Breaking VoIP Enumerating and Breaking VoIP Introduction Voice over Internet Protocol (VoIP) has seen rapid implementation over the past few years. Most of the organizations which have implemented VoIP are either unaware

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security

More information

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews Exploring Layer 2 Network Security in Virtualized Environments Ronny L. Bull & Jeanna N. Matthews Road Map Context for the Problem of Layer 2 Network Security in Virrtualized Environments Virtualization,

More information

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK PACKET SNIFFING MS. SONALI A. KARALE 1, MS. PUNAM P. HARKUT 2 HVPM COET Amravati.

More information

CSE 127: Computer Security. Network Security. Kirill Levchenko

CSE 127: Computer Security. Network Security. Kirill Levchenko CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014 Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties

More information

Level 2 Routing: LAN Bridges and Switches

Level 2 Routing: LAN Bridges and Switches Level 2 Routing: LAN Bridges and Switches Norman Matloff University of California at Davis c 2001, N. Matloff September 6, 2001 1 Overview In a large LAN with consistently heavy traffic, it may make sense

More information

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial

More information

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL 8-02 Intruder Detection Monitoring Application Using Snmp Protocol INRUDER DEECION MONIORING APPLICAION USING SNMP PROOCOL Vicky Hanggara 1, ransiscus Ati Halim 2, Arnold Aribowo 3 1,2,3 Computer System

More information