20 LAN Security

The document outlines various network attacks, including DDoS, data breaches, and malware, as well as specific switch attack categories like MAC table flooding and VLAN hopping. It provides mitigation strategies for these attacks, such as implementing port security, disabling unused ports, and configuring DHCP snooping. Additionally, it discusses ARP and STP attacks, emphasizing the importance of Dynamic ARP Inspection and BPDU Guard to enhance network security.

Uploaded by

naanking39123944
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
4 views27 pages

20 LAN Security

The document outlines various network attacks, including DDoS, data breaches, and malware, as well as specific switch attack categories like MAC table flooding and VLAN hopping. It provides mitigation strategies for these attacks, such as implementing port security, disabling unused ports, and configuring DHCP snooping. Additionally, it discusses ARP and STP attacks, emphasizing the importance of Dynamic ARP Inspection and BPDU Guard to enhance network security.

Uploaded by

naanking39123944
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

LAN Security

Network Attacks
• Distributed Denial of Service (DDoS) – This is a coordinated attack from many devices, called zombies, with the intention of degrading or halting public access to an organization’s website and resources.

• Data Breach – This is an attack in which an organization’s data servers or hosts are compromised to steal confidential information.

• Malware – This is an attack in which an organization’s hosts are infected with malicious software that causes a variety of problems. For example, ransomware such as WannaCry encrypts the data on a host and locks access to it until a ransom is paid.
Switch Attack Categories
• MAC Table Attacks
• VLAN Attacks
• DHCP Attacks
• ARP Attacks
• Address Spoofing Attacks
• STP Attacks
MAC Table Attacks
MAC Address Table Flooding
All MAC tables have a fixed size and consequently, a switch can run out of resources in which to store MAC addresses. MAC
address flooding attacks take advantage of this limitation by bombarding the switch with fake source MAC addresses until the
switch MAC address table is full.
Mitigate MAC Address Table Attacks

▪ Port Security

▪ Secure Unused Ports


Secure Unused Ports
Disable all unused ports
SW1(config)#interface range fastEthernet 0/15 -24
SW1(config-if-range)#shutdown

Note: The port protocol and link status are changed to down and the port LED is
turned off.
Implement Port Security

Port security restricts which source MAC addresses are allowed on an access port. By default a switch dynamically learns every source MAC address it sees; with port security enabled, only a configured maximum number of addresses are accepted on the port, and a frame from any further address triggers the configured violation action.

Sw1(config)#interface fastEthernet 0/1
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security maximum 2
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation shutdown

Verify configurations

Sw1#show port-security
Sw1#show port-security address
Sw1#show port-security interface fastEthernet 0/1

The three violation modes are:

1. Shutdown : Puts the port into the error-disabled state.
2. Restrict : Drops frames from unknown source MAC addresses on the interface and counts the violation.
3. Protect : Drops frames from unknown source MAC addresses on the interface and doesn’t count the violation.
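The following Python model is an added example (not code from the slides or from Cisco) of how an access port with port security reacts to the MAC flooding described earlier under each violation mode; the port name, the MAC addresses and the maximum of 2 are constructed to mirror the configuration above.

```python
# Added illustration, not Cisco code: a minimal model of a port-security enabled
# access port. Port names, MAC addresses and counts are constructed.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)   # learned (sticky) addresses
    violation_count: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> str:
        """Decide what the switch does with a frame whose source is src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # sticky: learned and kept
            return "forwarded (learned)"
        # Unknown source address beyond the maximum: a violation
        if self.violation == "shutdown":
            self.err_disabled = True               # the whole port goes down
            self.violation_count += 1
            return "dropped: port moved to err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1              # counted and logged
            return "dropped: violation counted"
        return "dropped silently"                  # protect: no count, no log


def simulate(mode: str, maximum: int = 2, flood_frames: int = 1000) -> dict:
    """Two legitimate hosts speak first, then a flood of bogus source MACs
    arrives (as in a MAC table flooding attack). Returns the port's end state."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=mode)
    port.ingress("00:11:22:33:44:01")
    port.ingress("00:11:22:33:44:02")
    for i in range(flood_frames):                  # constructed bogus addresses
        port.ingress(f"02:00:00:00:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}")
    return {
        "learned": len(port.secure_macs),
        "violations": port.violation_count,
        "err_disabled": port.err_disabled,
        "legit_host_after": port.ingress("00:11:22:33:44:01"),
    }
```

Note that in shutdown mode the legitimate hosts on the port also lose connectivity until an administrator re-enables it, whereas restrict keeps them working while still recording the violations.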
VLAN Attacks
VLAN Hopping Attacks
• A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a router.
In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take advantage of the
automatic trunking port feature enabled by default on most switch ports.

A VLAN hopping attack can be launched in one of three ways:


• Spoofing DTP messages
• Rogue switch and enabling trunking
• VLAN Double-Tagging Attacks
Spoofing DTP messages

• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
Rogue switch and enabling trunking

• Introducing a rogue switch and turning trunking on.


VLAN Double-Tagging Attacks
A threat actor in specific situations could embed a hidden 802.1Q tag inside a frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.

• An attacker is on VLAN 10. They tag a frame for VLAN 10 and insert an additional tag for VLAN 20.
• The first switch strips off the first tag and does not retag the frame, because native VLAN traffic is sent untagged (this only happens when the outer tag matches the trunk's native VLAN). It then forwards the frame to the next switch.
• The second switch examines the frame, sees the VLAN 20 tag and forwards it accordingly.
Mitigate VLAN Attacks
• Disable DTP (auto trunking) negotiations on non-trunking ports
• Disable unused ports
• Manually enable the trunk
• Disable DTP (auto trunking) negotiations on trunking ports
• Set the native VLAN to a VLAN other than VLAN 1
Disable DTP (auto trunking) negotiations on non-trunking ports

SW1(config)#interface fastEthernet 0/1


SW1(config-if)#switchport mode access

Disable unused ports


SW1(config)#interface range fastEthernet 0/15 -24
SW1(config-if-range)#shutdown

Manually enable the trunk link


SW1(config)#interface fastEthernet 0/10
SW1(config-if)#switchport mode trunk
Disable DTP (auto trunking) negotiations on trunking ports

SW1(config-if)#switchport mode trunk


SW1(config-if)#switchport nonegotiate

Note :
An interface configured in DTP dynamic desirable mode generates DTP messages on that interface. If the switch receives DTP messages from the switch on the other side of the link, it assumes that the remote port is capable of handling tagged frames, and a trunk link is formed between the two switches.

Set the native VLAN to a VLAN other than VLAN 1

SW1(config)#vlan 999
SW1(config-vlan)#name NATIVE
SW1(config-vlan)#exit

SW1(config)#interface fastEthernet 0/1


SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 999
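The double-tagging attack above and the native VLAN change that defeats it, as an added Python example (not code from the slides or from Cisco): it builds a raw double-tagged frame and models the first switch's trunk egress and the second switch's classification. Addresses and VLAN numbers are constructed; VLAN 10 is assumed to be the attacker's access VLAN.

```python
# Added illustration, not Cisco code: how a double-tagged frame is handled when
# the attacker's VLAN is the trunk's native VLAN versus a dedicated native VLAN.
# Addresses and VLAN numbers are constructed.
import struct

TPID_8021Q = 0x8100


def build_frame(dst: str, src: str, vlans: list, payload: bytes = b"\x45\x00") -> bytes:
    """Ethernet frame with one 802.1Q header per VLAN in `vlans` (outer first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TPID + TCI, PCP/DEI 0
    return frame + struct.pack("!H", 0x0800) + payload           # IPv4 EtherType + data


def outer_vlan(frame: bytes):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """First switch sending the frame onto the trunk: native VLAN traffic is sent
    untagged, so a frame in the native VLAN has its outer tag removed."""
    if outer_vlan(frame) == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def vlan_seen_by_second_switch(frame: bytes, native_vlan: int) -> int:
    """Second switch classifies what arrives on its trunk: tagged frames by their
    outer tag, untagged frames into the trunk's native VLAN."""
    on_wire = trunk_egress(frame, native_vlan)
    vid = outer_vlan(on_wire)
    return native_vlan if vid is None else vid


# Attacker on VLAN 10 tags a frame for VLAN 10 and hides a second tag for VLAN 20
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:aa:bb:cc:dd:ee", [10, 20])

def demo() -> dict:
    return {
        "native_is_attacker_vlan": vlan_seen_by_second_switch(DOUBLE_TAGGED, 10),  # hops to 20
        "native_vlan_999": vlan_seen_by_second_switch(DOUBLE_TAGGED, 999),        # stays in 10
    }
```

The mitigation holds only while no access port is assigned to the dedicated native VLAN, so VLAN 999 should carry no user ports.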
DHCP Attacks
DHCP Starvation Attack
An attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP
server can issue.
After these IP addresses are issued, the server cannot issue any more addresses, and this situation produces a
denial-of-service (DoS) attack as new clients cannot obtain network access.

(Slide figure: yersinia on Kali Linux)


DHCP Spoofing Attack
This occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to
legitimate clients. A rogue server can provide a variety of misleading information, including the following:

• Wrong default gateway - The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-
middle attack. This may go entirely undetected as the intruder intercepts the data flow through
the network.
• Wrong DNS server - The rogue server provides an incorrect DNS server address pointing the user to a nefarious
website.
• Wrong IP address - The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP
client.
Mitigate DHCP Attacks
• Mitigate DHCP starvation attacks with port security
• Implement DHCP Snooping
Mitigate DHCP starvation attack

Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler uses a unique source MAC address for each DHCP request sent. However, mitigating DHCP spoofing attacks requires more protection.
Mitigate DHCP spoofing attacks with DHCP Snooping
❑ Devices under administrative control (e.g., switches, routers, and servers) are trusted sources.

❑ Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted.

❑ Devices outside the network and all access ports are generally treated as untrusted sources.
SW1(config)#ip dhcp snooping
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#exit
SW1(config)#interface range fastEthernet 0/5 - 24
SW1(config-if-range)#ip dhcp snooping limit rate 6
SW1(config-if-range)#exit
SW1(config)#ip dhcp snooping vlan 1

Note: the limit rate command restricts the untrusted ports to six DHCP packets per second.

Verify Configuration

SW1#show ip dhcp snooping


SW1#show ip dhcp snooping binding
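The following Python model is an added example (not code from the slides or from Cisco) of the DHCP snooping rules just configured: server messages are only accepted from trusted ports, untrusted ports are rate limited, and the binding table is built from the server's ACKs. Port names, MAC addresses, IP addresses and timestamps are constructed.

```python
# Added illustration, not Cisco code: a model of the DHCP snooping rules shown
# above (trusted ports, server messages only from trusted ports, per-port rate
# limit, binding table). Port names, MACs, addresses and times are constructed.
from collections import defaultdict

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP option 53 message types
SERVER_MESSAGES = {OFFER, ACK, NAK}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit: int = 6):
        self.trusted = set(trusted_ports)       # ip dhcp snooping trust
        self.rate_limit = rate_limit            # ip dhcp snooping limit rate 6
        self.bindings = {}                      # (client mac, vlan) -> (ip, port)
        self.pending = {}                       # (client mac, vlan) -> client port
        self.err_disabled = set()
        self.counts = defaultdict(int)          # (port, second) -> packets seen

    def process(self, port, second, vlan, msg_type, eth_src, chaddr, yiaddr=None) -> str:
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            # Server replies are accepted; an ACK for a client seen on an untrusted port creates a binding
            if msg_type == ACK and (chaddr, vlan) in self.pending:
                self.bindings[(chaddr, vlan)] = (yiaddr, self.pending.pop((chaddr, vlan)))
            return "forward"
        self.counts[(port, second)] += 1
        if self.counts[(port, second)] > self.rate_limit:
            self.err_disabled.add(port)         # rate violation err-disables the port
            return "drop: rate limit exceeded, port err-disabled"
        if msg_type in SERVER_MESSAGES:
            return "drop: DHCP server message on untrusted port"
        if eth_src != chaddr:                   # frame source must match client hardware address
            return "drop: source MAC does not match chaddr"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[(chaddr, vlan)] = port
        return "forward"


def scenario() -> dict:
    """Constructed exchange: a legitimate lease, a rogue server and a flood."""
    sn = DhcpSnooping(trusted_ports={"Fa0/1"})
    client = "00:11:22:33:44:05"
    r1 = sn.process("Fa0/5", 0, 1, REQUEST, client, client)
    r2 = sn.process("Fa0/7", 0, 1, OFFER, "02:ba:d0:00:00:01", client, "10.0.0.254")
    r3 = sn.process("Fa0/1", 0, 1, ACK, "00:50:56:00:00:01", client, "192.168.1.50")
    flood = [sn.process("Fa0/8", 1, 1, DISCOVER, f"02:00:00:00:00:{i:02x}",
                        f"02:00:00:00:00:{i:02x}") for i in range(8)]
    return {"client": r1, "rogue": r2, "ack": r3, "flood_last": flood[-1],
            "binding": sn.bindings.get((client, 1))}
```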
ARP Attacks
IP address spoofing is when a threat actor hijacks a valid IP address of another device on the subnet or uses a
random IP address. IP address spoofing is difficult to mitigate, especially when it is used inside a subnet in which
the IP belongs.
ARP spoofing
A hacker sends fake ARP packets that link an attacker's MAC address with an IP of a computer
already on the LAN.
ARP Poisoning
After a successful ARP spoofing, a hacker changes the company's ARP table, so it contains falsified MAC maps.
The contagion spreads.
Mitigate ARP Attacks
• Dynamic ARP Inspection
Dynamic ARP Inspection
A threat actor can send unsolicited ARP requests to other hosts on the subnet with the MAC Address of the threat actor and
the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that
only valid ARP Requests and Replies are relayed.

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 1
SW1(config)#ip arp inspection vlan 1
SW1(config)#interface range fastEthernet 0/1 - 2
SW1(config-if-range)#ip dhcp snooping trust
SW1(config-if-range)#ip arp inspection trust

Verify Dynamic ARP Inspection

SW1#show ip dhcp snooping binding
SW1#show ip arp inspection
SW1#show ip dhcp snooping

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected
to other switches as trusted.
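The checks Dynamic ARP Inspection performs, as an added Python example (not code from the slides or from Cisco): raw ARP packets are parsed and validated against a DHCP snooping binding table, trusted uplinks bypass inspection, and the optional source-MAC validation is modelled by the validate_src_mac flag. The binding table, port names, MAC and IP addresses are constructed.

```python
# Added illustration, not Cisco code: Dynamic ARP Inspection checks applied to
# raw ARP packets. The binding table, ports, MACs and IPs are constructed.
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, _mac(sender_mac),
                       ipaddress.IPv4Address(sender_ip).packed,
                       _mac(target_mac), ipaddress.IPv4Address(target_ip).packed)

def parse_arp(pkt: bytes) -> dict:
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"oper": oper, "sha": fmt(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": fmt(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

class DynamicArpInspection:
    def __init__(self, bindings: dict, trusted_ports, validate_src_mac: bool = False):
        self.bindings = bindings           # (mac, vlan) -> ip, from DHCP snooping
        self.trusted = set(trusted_ports)  # ip arp inspection trust
        self.validate_src_mac = validate_src_mac   # optional extra validation

    def inspect(self, port, vlan, eth_src, pkt: bytes) -> str:
        if port in self.trusted:
            return "forward: trusted port"           # uplinks are not inspected
        arp = parse_arp(pkt)
        if self.validate_src_mac and eth_src != arp["sha"]:
            return "drop: Ethernet source MAC differs from ARP sender MAC"
        if self.bindings.get((arp["sha"], vlan)) != arp["spa"]:
            return "drop: sender MAC/IP pair not in DHCP snooping binding table"
        return "forward"

# Constructed binding table: host 00:11:22:33:44:05 leased 192.168.1.50 on VLAN 1
BINDINGS = {("00:11:22:33:44:05", 1): "192.168.1.50"}
DAI = DynamicArpInspection(BINDINGS, trusted_ports={"Fa0/1", "Fa0/2"}, validate_src_mac=True)

def gateway_spoof_result() -> str:
    """Unsolicited reply on an access port claiming the gateway's IP 192.168.1.1."""
    pkt = build_arp(ARP_REPLY, "02:ba:d0:00:00:01", "192.168.1.1",
                    "00:11:22:33:44:05", "192.168.1.50")
    return DAI.inspect("Fa0/7", 1, "02:ba:d0:00:00:01", pkt)
```

Hosts with static addresses have no DHCP snooping binding, so on a real switch they need an ARP ACL or their port must be trusted, otherwise their ARP traffic is dropped like the spoofed reply above.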
STP Attack
• An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an
STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out
announces that the attacker's system has a lower bridge priority.
Mitigate STP Attacks
• PortFast
• BPDU Guard
Configure PortFast
▪ PortFast immediately brings a port to the forwarding state from a blocking state, bypassing the
listening and learning states.
▪ Apply to all end-user access ports.
▪ Only enable PortFast on access ports.

Configuration on an interface
SW1(config)#interface fastEthernet 0/10
SW1(config-if)#switchport mode access
SW1(config-if)#spanning-tree portfast

Configuration globally
SW1(config)#spanning-tree portfast default

To verify PortFast configuration globally
SW1#show running-config | begin span
SW1#show spanning-tree summary

To verify PortFast configuration on an interface
SW1#show running-config interface fastEthernet 0/10
SW1#show spanning-tree interface fastEthernet 0/10 detail
Configure BPDU Guard
An access port could receive unexpected BPDUs accidentally or because a user connected an unauthorized switch to the access port.
▪ If a BPDU is received on a BPDU Guard enabled access port, the port is put into error-disabled state.
▪ The port is shut down and must be manually re-enabled.

Configuration on an interface
SW1(config)#interface fastEthernet 0/10
SW1(config-if)#spanning-tree bpduguard enable

Configuration globally
SW1(config)#spanning-tree portfast bpduguard default

To verify spanning-tree configuration
SW1#show spanning-tree summary
