Packet Sniffing on Layer 2 Switched Local Area Networks



Similar documents
This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Packet Sniffer Detection with AntiSniff

A Research Study on Packet Sniffing Tool TCPDUMP

2. HOW PACKET SNIFFER WORKS

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

CSE 127: Computer Security. Network Security. Kirill Levchenko

Packet Sniffing: What it s Used for, its Vulnerabilities, and How to Uncover Sniffers

Sniffing in a Switched Network

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Own your LAN with Arp Poison Routing

Wireless Security: Secure and Public Networks Kory Kirk

How To Classify A Dnet Attack

What is VLAN Routing?

co Characterizing and Tracing Packet Floods Using Cisco R

A S B

CMPT 471 Networking II

Predictability of Windows DNS resolver. ing. Roberto Larcher robertolarcher@hotmail.com

Linux Network Security

Security Considerations in IP Telephony Network Configuration

Lab VI Capturing and monitoring the network traffic

Security Technology White Paper

ARP Storm Detection and Prevention Measures

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

MK Certified Penetration Testing Specialist (CPTS) Exam.

Chapter 8 Security Pt 2

Security of IPv6 and DNSSEC for penetration testers

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

UPPER LAYER SWITCHING

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

CSCE 465 Computer & Network Security

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Securing end devices

TCP/IP Security Problems. History that still teaches

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Exhibit n.2: The layers of a hierarchical network

Villains and Voice Over IP

Exploring Layer 2 Network Security in Virtualized Environments. Ronny L. Bull & Jeanna N. Matthews

Figure 1. Wireshark Menu Bar

Hole196 Vulnerability in WPA2

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Network Attacks. Common Network Attacks and Exploits

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Securing the Transition Mechanisms

Microsoft Network Load Balancing and Cisco Catalyst Configuration

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

How To Understand and Configure Your Network for IntraVUE

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

Internet Control Protocols Reading: Chapter 3

Network Traffic Analysis and Intrusion Detection using Packet Sniffer

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Intrusion Detection Systems: A Formal Algorithmic approach

Investigation of DHCP Packets using Wireshark

Implementing Cisco IOS Network Security

The Trivial Cisco IP Phones Compromise

Computer Networks I Laboratory Exercise 1

How to Hack Millions of Routers. Craig Heffner, Seismic LLC

BASIC ANALYSIS OF TCP/IP NETWORKS

Creating Web Farms with Linux (Linux High Availability and Scalability)

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Chapter 25 DHCP Snooping

Solutions for LAN Protection

Configuring DHCP Snooping

Protecting and controlling Virtual LANs by Linux router-firewall

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

AlliedWare TM OS How To. Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks. Introduction. Related How To Notes

Transport and Network Layer

Intro to Firewalls. Summary

All You Wanted to Know About WiFi Rogue Access Points

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Configuring the Transparent or Routed Firewall

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Content Distribution Networks (CDN)

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Introduction to Network Security Lab 1 - Wireshark

Intrusion Detection, Packet Sniffing

Ethernet. Ethernet. Network Devices

IINS Implementing Cisco Network Security 3.0 (IINS)

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

WiFi Security Assessments

Cyber Threats in Physical Security Understanding and Mitigating the Risk

The IP Transmission Process. V1.4: Geoff Bennett

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Detection of Promiscuous Nodes Using ARP Packets

Attack Lab: Attacks on TCP/IP Protocols

Network Layers. CSC358 - Introduction to Computer Networks

Transcription:

Packet Sniffing on Layer 2 Switched Local Area Networks Ryan Spangler ryan@packetwatch.net Packetwatch Research http://www.packetwatch.net December 2003 Abstract Packet sniffing is a technique of monitoring network traffic. It is effective on both switched and nonswitched networks. This paper discusses several methods that result in packet sniffing on Layer 2 switched networks. Each of the sniffing methods will be explained in detail. The purpose of the paper is to show how sniffing can be accomplished on switched networks, and to understand how it can be prevented.

i Table of Contents 1.0 Introduction...1 2.0 Attacks...1 2.1 ARP Cache Poisoning...1 2.2 CAM Table Flooding...2 2.3 Switch Port Stealing...2 3.0 Defenses...3 4.0 Summary...4 5.0 References...5

1 1.0 Introduction Packet sniffing is a technique of monitoring network traffic. It is effective on both switched and nonswitched networks. In a non-switched network environment packet sniffing is an easy thing to do. This is because network traffic is sent to a hub which broadcasts it to everyone. Switched networks are completely different in the way they operate. Switches work by sending traffic to the destination host only. This happens because switches have CAM tables. These tables store information like MAC addresses, switch ports, and VLAN information [1]. Before sending traffic from one host to another on the same local area network, the host ARP cache is first checked. The ARP cache is a table that stores both Layer 2 (MAC) addresses and Layer 3 (IP) addresses of hosts on the local network. If the destination host isn t in the ARP cache, the source host sends a broadcast ARP request looking for the host. When the host replies, the traffic can be sent to it. The traffic goes from the source host to the switch, and then directly to the destination host. This description shows that traffic isn t broadcast out to every host, but only to the destination host, therefore it s harder to sniff traffic. This paper discusses several methods that result in packet sniffing on Layer 2 switched networks. Each of the sniffing methods will be explained in detail. The purpose of the paper is to show how sniffing can be accomplished on switched networks, and to understand how it can be prevented. 2.0 Attacks This paper shows that several attacks are available to sniff layer 2 switched networks. These attacks that result in sniffing are: ARP cache poisoning, CAM table flooding, and switch port stealing. Each attack will be explained in detail. 2.1 ARP Cache Poisoning This attack uses Address Resolution Protocol (ARP) spoofing to sniff traffic between hosts. ARP spoofing is possible because of the exploitation of gratuitous ARP. Gratuitous ARP is when an ARP reply is sent without first receiving an ARP request [2]. ARP cache poisoning works by poisoning the ARP cache of the target hosts [3]. The attacker wanting to sniff the traffic essentially inserts his computer between the target hosts and forwards traffic back and forth between computers. The way the attack works will be explained below (see Figure 1).

2 Figure 1: ARP Cache Poisoning The attack starts by having the attacker send a forged gratuitous ARP packet with host B s IP address and the attackers MAC address to host A. The attacker also sends a forged gratuitous ARP packet with host A s IP address and the attackers MAC address to host B. Now, all of host A and host B s traffic will go to the attacker, where it can be sniffed, instead of directly to each other. 2.2 CAM Table Flooding This attack uses MAC flooding to sniff traffic on the local area network. Content Addressable Memory (CAM) table flooding works by flooding the CAM table. CAM tables store information like MAC addresses, and switch ports, along with their VLAN information. CAM tables have fixed sizes, so they can only store a certain number of entries. The user wanting to sniff the traffic floods the switch with MAC addresses until the CAM table is full, at which point the switch starts to broadcast the traffic [4]. The attack starts by having the attacker flood the network with forged gratuitous ARP packets that each contains unique source MAC addresses. This causes some switches to go into a hub-like mode forwarding all traffic to all ports. What happens is that once the CAM table is full, the traffic without a CAM entry floods on the local VLAN. The already existing traffic with existing entries in the CAM table will not be forwarded out on all of the ports. Now, with the traffic being broadcasted to everyone, there will be no trouble sniffing it. 2.3 Switch Port Stealing This attack uses MAC flooding to sniff traffic between two hosts. Switch port stealing works by stealing the switches port of the target host. Switches learn to bind MAC addresses to each port by seeing the source MAC addresses in the packets that arrive from each port. The user wanting to sniff the traffic steals the switches port to the target host so the traffic will go through it first, then to the target host [5]. The way the attack works will be explained below (see Figure 2).

3 Figure 2: Switch Port Stealing The attack starts by having the attacker flood the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC address being that of the attacker. The flooding process described here is different than the flooding process used in CAM table flooding. Since the destination MAC address of each flooding packet is the attackers MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the network. Now, a race condition exists because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to the attacker s switch port and not the target host. The attacker has now stolen the target hosts switch port. When a packet arrives to the attacker, the attacker performs an ARP request asking for the target hosts IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the target hosts switch port has been restored to its original binding. Now, the attacker can sniff the packet, then forward it to the target host and restart the flooding process waiting for new packets. 3.0 Defenses There are several ways to mitigate these packet sniffing attacks. The first of these actions is to enable port security on the switch. Port security is a feature found on high-end switches that ties a physical port to a MAC address. This allows you to either specify one or more MAC addresses for each port, or learn a certain number of MAC addresses per port. A change in the specified MAC address for a port or flooding of a port can be controlled in many different ways through switch administration.

4 An important fact to know is that port security capabilities are dependant on the platform meaning that different switch manufacturers have different capabilities. The second way to mitigate sniffing is through the use of static ARP entries. Static ARP entries are permanent entries that won t time out from the ARP cache [2]. This method does have a drawback though. Administrators have to create new entries on every host on the network every time a new host is connected, or when a network card is replaced. The final method of defense is through detection. Intrusion detection systems can be configured to listen for high amounts of ARP traffic. There are also tools specifically designed to listen for ARP replies on networks [6]. This method is prone to reporting false positives though. It should be remembered that detection is always an important step in mitigation. 4.0 Summary Switched networks are designed to allow computers to communicate more effectively with other local computers. Switches were never intended to be used as security features, as they are today. They are designed to increase the efficiency of available bandwidth on networks. This is accomplished by sending traffic to only the intended destination. Because of this sniffing is harder to do on switched networks. Vulnerabilities found in modern networking protocols have lead to several methods of sniffing though. Fortunately, there are several methods of prevention.

5 5.0 References [1] S. Convery, Hacking Layer 2: Fun with Ethernet Switches, Blackhat [Online Document], 2002, Available HTTP: http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-converyswitches.pdf [2] W. R. Stevens, TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994. [3] http://ettercap.sourceforge.net/ [4] http://www.monkey.org/~dugsong/dsniff/ [5] A. Ornaghi, M. Valleri, Man in the middle attacks Demos Blackhat [Online Document], 2003, Available HTTP: http://www.blackhat.com/presentations/bh-usa-03/bh-usa-03-ornaghi-valleri.pdf [6] S. Whalen, An Introduction to ARP Spoofing, Node99 [Online Document], April 2001, Available HTTP: http://www.node99.org/projects/arpspoof/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information