MAC Table Attacks Flashcards
MAC table Attacks modus operandi
A switch's MAC address table has a finite size. MAC address flooding attacks take advantage of this limitation by bombarding the
switch with frames carrying fake source MAC addresses until the switch's MAC address table is full.
MAC table Attacks Expected results
The switch treats each frame as an unknown unicast and begins to flood all incoming
traffic out all ports in the same VLAN without referencing the MAC table.
On some low-quality switches, a denial of service (DoS) has also been observed.
MAC table Attacks Amplification
When the MAC address table of a switch is full, it starts flooding out all ports, including those connected to other Layer 2 switches, so the flooded traffic spreads to neighbouring switches.
MAC table attacks Mitigation
Port security features:
- Disable unused ports
- Limit the number of learned MAC addresses on a port
- Adapt port-security aging
- Define an appropriate violation policy
MAC table Attacks mitigation: Limit the number of learned MAC addresses on a port
Manual configuration
The administrator configures a STATIC MAC address.
Command:
Switch(config-if)# switchport port-security mac-address <mac-address>
MAC table Attacks mitigation: Limit the number of learned MAC addresses on a port
Dynamically learned
Enter the command "switchport port-security": the current source MAC address of the device connected to the port is automatically secured (the switch port keeps only that initial MAC address), but it is not added to the startup configuration. If the switch is rebooted, the port will have to re-learn the device's MAC address.
MAC table Attacks mitigation: Limit the number of learned MAC addresses on a port
Dynamically learned - Sticky
Command:
Switch(config-if)# switchport port-security mac-address sticky
Learns the MAC addresses and "sticks" them to the running configuration; the port will only forward traffic if the MAC address of the attached device is the learned one. Saving the running configuration commits the dynamically learned MAC addresses to NVRAM.
MAC table attacks Mitigation : Port security aging
Switch(config-if)# switchport port-security aging { static | time time | type { absolute | inactivity } }
static: Enable aging for statically configured secure addresses on this port.
time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute: Set the absolute aging type. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
MAC table attacks Mitigation : Violation policy
Switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
shutdown (default):
The port transitions to the error-disabled state immediately, turns off the port LED,
and sends a syslog message. It increments the violation counter. When a secure
port is in the error-disabled state, an administrator must re-enable it by entering
the shutdown and no shutdown commands.
restrict:
The port drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value or
increase the maximum value. This mode causes the Security Violation counter to
increment and generates a syslog message.
protect:
This is the least secure of the security violation modes. The port drops packets with
unknown MAC source addresses until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the maximum value.
No syslog message is sent.
Violation mode comparison:
Mode     | Discards offending traffic | Sends syslog message | Increases violation counter | Shuts down port
Protect  | Yes                        | No                   | No                          | No
Restrict | Yes                        | Yes                  | Yes                         | No
Shutdown | Yes                        | Yes                  | Yes                         | Yes