Attacks and Mitigation Techniques

Common LAN Attacks

• Common security solutions using routers,

Firewalls, Intrusion Prevention Systems
(IPSs), and VPN devices protect Layer 3
up through Layer 7.
• Layer 2 must also be protected.
• Common Layer 2 attacks include:
• MAC Address Table Flooding Attack
• DHCP Attacks
• CDP Reconnaissance Attack
• Telnet Attacks
• VLAN Attacks
Source :
http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_
Security_and_Monitoring.pdf.
https://drive.google.com/drive/folders/1aXNR1Zfr44
dZcZOTVPoiVaWYOnlgqaZt
 Secure the LAN

• Strategies to secure Layer 2 of a network: IP Source Guard (IPSG)

prevents MAC and IP
• Always use secure variants of address spoofing.
protocols such as SSH, SCP, and SSL.
• Use strong passwords and change
often. Dynamic ARP Inspection
• Enable CDP on select ports only. (DAI) prevents ARP
• Use a dedicated management VLAN. spoofing and poisoning.
• Use ACLs to filter unwanted access. DHCP snooping
prevents DHCP
starvation and
spoofing.

Source :
http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and
Port Security prevents many attacks including MAC
_Monitoring.pdf
Address Flooding and DHCP Starvation.
https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoi
VaWYOnlgqaZt
 MAC Address Flooding Attack/
Content Addressable Memory (CAM) Table Flooding Attack

• It is a type of network attack where an attacker connected to a switch port floods the
switch interface with very large number of Ethernet frames with different fake
source MAC address.

• In a typical MAC flooding Attack, a switch is fed many Ethernet frames, each containing
different source MAC addresses, by the attacker. The intention is to consume the
limited memory set aside in the switch to store the MAC Address Table.

• After launching a successful MAC flooding attack, a malicious user can use a packet
analyzer to capture sensitive data being transmitted between other computers, which
would not be accessible were the switch operating normally.
 MAC Address Review
48 Bit Hexadecimal (Base16) Unique Layer Two Address

1234.5678.9ABC
First 24 bits = Manufacture Code Second 24 bits = Specific Interface,
Assigned by IEEE Assigned by Manufacture
0000.0cXX.XXXX XXXX.XX00.0001
All F’s = Broadcast
FFFF.FFFF.FFFF

Content Addressable Memory (CAM) Table Review

• The CAM Table stores information such as MAC addresses available on physical
ports with their associated VLAN parameters.
• CAM Tables have a fixed size.
Source: https://meetings.apnic.net/29/pdf/Layer-2-Attacks-and-Mitigation-Techniques-Tutorial_Yusuf-Bhaiji.pdf
 CAM Table Operation
PC-A pings 192.168.1.11 Eventually the CAM Table is complete

Port MAC VLAN

Fa0/1 000a.f38e.74b3 1
Fa0/2 00db.ba07.8499 1
Fa0/3 0090.0c23.ceca 1
Fa0/4 0001.9717.22e0 1

S1#
S1# show
show mac-address-table
mac-address-table
Mac
Mac Address
Address Table
Table
-------------------------------------------
-------------------------------------------

Vlan
Vlan Mac
Mac Address
Address Type
Type Ports
Ports
----
---- -----------
----------- --------
-------- -----
-----

S1#1 0001.9717.22e0
000a.f38e.74b3 DYNAMIC Fa0/4
Fa0/1
1 00d0.ba07.8499
000a.f38e.74b3 DYNAMIC Fa0/2
Fa0/1
1 0090.0c23.ceca DYNAMIC Fa0/3
S1#1 00d0.ba07.8499 DYNAMIC Fa0/2
S1#

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 CAM Table Attack Solution: Port Security

Bogus MAC addresses are added to the

CAM table which eventually becomes
full.
Intruder runs macof to begin sending
MAC U
V
X
Y
TZS bogus MAC addresses.
Flood
The intruder now sees frames
intended for server 2 and 4.
Port MAC VLAN
Fa0/25 T 1 Legitimate frames going to Macof can flood a switch with up to
Fa0/25 U 1
server 2 and 4 are now 8,000 bogus frames per second;
Fa0/25 V 1
flooded out all ports creating a CAM table overflow attack
Fa0/25 X 1

Fa0/25 Y 1 including Fa0/25. in a matter of a few seconds.

Fa0/25 Z 1

Fa0/25 … 1

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 MAC Address Table
Flooding Attack

• Common LAN switch attack is the MAC Address Table Flooding attack.
• An attacker sends fake source MAC addresses until the switch MAC Address Table is full and the switch is
overwhelmed.
• Switch is then in Fail-Open mode and broadcasts all frames, allowing the attacker to capture those frames.
• Configure Port Security to mitigate these attacks.
Source : http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf
 Mitigate MAC Address Flooding Table Attacks

• Enable port security to prevent MAC Address Flooding Attacks.

• Port security allows an administrator to do the following:
• statically specify MAC addresses for a port.
• permit the switch to dynamically learn a limited number of MAC addresses.
• when the maximum number of MAC addresses is reached, any additional attempts to connect by
unknown MAC addresses will generate a security violation.
Source : http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf
 How to launch MAC Address Flooding Attack/
Content Addressable Memory (CAM) Table Flooding Attack ?
 MAC Address Flooding Attack with macof
• Macof sends random source MAC and IP addresses
• macof (part of dsniff) — http://monkey.org/~dugsong/dsniff/
• Syntax: macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]

-i interface Specify the interface to send on.

-s src Specify source IP address.
-d dst Specify destination IP address.
-e Specify target hardware address.
-x sport Specify TCP source port.
-y dport Specify TCP destination port.
-n times Specify the number of packets to send.
Source: https://kalilinuxtutorials.com/macof/
Example-1 : macof -i etho -n 30
Example-2 : macof -i etho -n 30 –d 10.100.55.215
 DHCP Attacks

• DHCP Spoofing Attack - An attacker

configures a fake DHCP server on the network
to issue IP addresses to clients.
• DHCP Starvation Attack - An attacker floods
the DHCP server with bogus DHCP requests
and leases all of the available IP addresses. This
results in a Denial of Service (DoS) attack as
new clients cannot obtain an IP address.
• Methods to mitigate DHCP attacks:
• Configure DHCP snooping
• Configure port security

Source:
https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf
 Mitigate DHCP Attacks

• To prevent DHCP attacks use DHCP snooping.

• With DHCP snooping enabled on an interface, the switch will deny packets containing:
• Unauthorized DHCP server messages coming from an untrusted port.
• Unauthorized DHCP client messages not adhering to the DHCP Snooping Binding Database or
rate limits.
• DHCP snooping recognizes two types of ports:
• Trusted DHCP ports - Only ports connecting to upstream DHCP servers should be trusted.
• Untrusted ports - These ports connect to hosts that should not be providing DHCP server
messages.
Source: http://vapenik.s.cnl.sk/pcsiete/CCNA4/05_Network_Security_and_Monitoring.pdf
DHCP is a Network Protocol used to Automatically assign IP Information

DHCPDISCOVER
Broadcast

DHCPOFFER IP address: 192.168.10.15

Unicast Subnet mask: 255.255.255.0
Default Gateway: 192.168.10.1
Lease time: 3 days
DHCPREQUEST
Broadcast

DHCPACK
Unicast

Two types of DHCP attacks are:

• DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.
• DHCP starvation: Attack denies service to the legitimate DHCP server.
Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 DHCP Spoofing Attack
DHCP
Server

Discover
DHCP Discover

DHCP
Discover
Discover

DHCP
DHCP

Attacker Connects
Rogue DHCP Server
Client Broadcasts

Discover
DHCP
Discover

DHCP Discovery
DHCP

Messages

DHCP Rogue DHCP

Server
Client

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 DHCP Spoofing Attack Contd.
DHCP
Server

DHCP Offer
DHCP Offer
Legitimate and Rogue
DHCP Reply
DHCP Offer
DHCP Offer

DHCP Offer
DHCP Rogue DHCP
Client Server

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 DHCP Spoofing Attack Contd.
DHCP Server

Request
DHCP
DHCP Request

Request
DHCP
Request
DHCP

Client Accepts Rogue

DHCP Offer

Request
DHCP
Request
DHCP

DHCP Client Rogue DHCP Server

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 • This creates a “man-in-the-middle” attack and can go
entirely undetected as the intruder intercepts the data
DHCP Spoofing Attack Contd. flow through the network.
DHCP
Server

DHCP Ack
DHCP Ack

DHCP Ack
Rogue Acknowledges
DHCP Rogue DHCP
Client Server

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 DHCP Starvation Attack

DHCP
DHCP
DHCP Discovery
Request
Ack
DHCP XXX(size
OfferX (size
(size
(size of
of scope)
ofscope)
of scope)
scope)
DHCP
Server

DHCP
DHCPserver offers
Server parameters all Requests
Acknowledges
Attacker initiates a DHCP
Attacker Requests all Offers
starvation attack

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 Solution: Configure DHCP Snooping
• DHCP snooping is a Cisco Catalyst feature that determines which switch ports can
respond to DHCP requests.

• Ports are identified as:

• Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and
can source all DHCP messages, including DHCP offer and DHCP acknowledgement
packets
• Untrusted ports: Can source requests only.

• If a rogue device on an untrusted port attempts to send a DHCP offer packet into the
network, the port is shut down.

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
 Solution: Configure DHCP Snooping Contd.
T Trusted port DHCP
Server
U Untrusted port

T
T

T T T T

Source: U U
https://drive.google.com/drive/folders/
1aXNR1Zfr44dZcZOTVPoiVaWYOn
lgqaZt
DHCP Rogue DHCP
Client Server
 Switched Port Analyzer (SPAN and RSPAN)

• Network traffic passing through ports or VLANs can be analyzed by using Switched
Port Analyzer (SPAN) or Remote SPAN (RSPAN).
• SPAN can send a copy of traffic from one port to another port on the same switch
where a network analyzer or monitoring device is connected.
• RSPAN can send a copy of traffic to a port on a different switch.

• SPAN is commonly deployed when an Intrusion Detection System(IDS)/Intrusion

Prevention System (IPS)is added to a network.
• IPS devices need to read all packets in one or more VLANs, and SPAN can be
used to get the packets to the IPS devices.

Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt

SPAN Terminology
Ingress Traffic
• Traffic that enters the switch.
Destination (SPAN) Port
• A port that monitors source ports,
usually where a packet analyzer or
Intrusion Preventions System is
connected.
Source: https://drive.google.com/drive/folders/1aXNR1Zfr44dZcZOTVPoiVaWYOnlgqaZt
Source (SPAN) Port
• A port that is monitored with use of the SPAN feature.
• Can be a Layer 2 or Layer 3 port (including VLAN).
Egress Traffic
• Traffic that leaves the switch.
SPAN Session
• The association between Source Port (or
VLAN) and a Destination Port (or VLAN).
 Remote Switched Port Analyzer (RSPAN)

• RSPAN can copy traffic from ports or VLANs on one switch (i.e., source switch) to a
port on a different switch (i.e., destination switch).

• A VLAN must be designated as the RSPAN VLAN and not be used for any other
purposes.

Note:
• SPAN and RSPAN vary by switching platforms.
 What is Scanning?
• Method to gather information regarding the devices running on the network
• Typically to discover services or servers on a network
• Which hosts are up?
• Which services are offering?
• Do not confuse with “host vulnerability scanner” which further explore a computer by
testing for common vulnerabilities (nessus, SAINT)
Why Scanning?
• Network Security assessment
• Evaluation and Auditing the security
• Firewall Penetration Test (Policy Auditing)
• Intrusion Detection System Proof/Evaluation
• Identifying Unexpected New Servers
• Identifying open ports for proactively protect the network (Network and security admin)
• Identifying open ports for Attacking it (Hackers).
 Nmap
• A well known and free security scanner written by Fyodor (http://insecure.org/nmap/)
• First released Sept 1, 1997 in Phrack 51 “The Art of Port Scanning”
(http://www.phrack.org/issues.html?issue=51
• Many updates since then:
• OS Detection (http://www.phrack.org/issues.html?issue=54&id=9#article)
• Version scanning
• ARP Scanning

• Usage : nmap [scan types] [options] <host or net …>

Why Nmap?
• An Excellent Tool
• Long history of development and support
• Continuous development and improvements
• “Industry Standard” port scanner
 Nmap Features
• Host Discovery: Which host is alive?
• Identifying computers on a network, for example listing the computers which
respond to pings (Ping Sweeps)

• Port Scanning : What services are available?

• Enumerating the open ports on one or more target computers

• Service and Version Detection : Which version is running?

• Determine the application name and version number

• Operating System: What platforms are served?

• Remotely determining the OS and some hardware characteristics of network
devices
 Nmap Scan Types

Source : Secrets of Network Cartography: A Comprehensive Guide to nmap

Source : Secrets of Network Cartography: A Comprehensive Guide to nmap
Source : Secrets of Network Cartography: A Comprehensive Guide to nmap
Source : Secrets of Network Cartography: A Comprehensive Guide to nmap
 TCP connect() Scan
• With connect() call used by the operating system to initiate a normal TCP connection to
a remote device (3-way handshake)
• No need of any special privileged access: Any user can use it.
• TCP connect scan is often logged by target host service.

• Closed Port:
• Like the TCP
SYN scan

• Open Port:
• completes the TCP
3W-Handshake (3WHS).
• Then sends RST.

Source : Secrets of Network Cartography: A Comprehensive Guide to nmap 38

 Denial of Service Attack
• “Attack in which the primary goal is to deny
the victim(s) access to a particular resource.”

• A Denial of Service (DoS) attack is

characterized by an explicit attempt by
attackers to prevent legitimate users of a
service from using that service.

• Denial of Service attacks are most frequently

▪ Too many requests for a particular executed against network connectivity. The
web site “clog the pipe” so that no goal is to prevent hosts or networks from
one else can access the site [S1]. communicating on the network. An example
▪ Also the using of land attack [S1]. of this type of attack is the "SYN flood"
attack.
Source [S1]: http://www.just.edu.jo/~tawalbeh/nyit/incs745/presentations/DoS2.ppt
 Categories of DoS attack
Bandwidth Attacks
▪ A bandwidth attack is the oldest and most common DoS attack.
▪ In this approach, the malicious hacker saturates a network with data traffic.
▪ A vulnerable system or network is unable to handle the amount of traffic sent to it and
subsequently crashes or slows down, preventing legitimate access to users.
Protocol Exceptions
▪ A protocol attack is a trickier approach, but it is becoming quite popular. Here, the
malicious attacker sends traffic in a way that the target system never expected, such as
when an attacker sends a flood of SYN packets.
Logic Attacks
▪ The third type of attack is a logic attack. This is the most advanced type of attack
because it involves a sophisticated understanding of networking. A classic example of a
logic attack is a LAND attack, where an attacker sends a forged packet with the same
source and destination IP address. Many systems are unable to handle this type of
confused activity and subsequently crash
Source: http://www.just.edu.jo/~tawalbeh/nyit/incs745/presentations/DoS2.ppt
 PING OF DEATH
A Ping OF Death attack uses Internet Control Message Protocol (ICMP) ping messages.
Ping is used to see if a host is active on a network. It also is a valuable tool for
troubleshooting and diagnosing problems on a network. As the following picture, a
normal ping has two messages:

Source: http://www.just.edu.jo/~tawalbeh/nyit/incs745/presentations/DoS2.ppt
 •“ping” sends the data packets to the victim
PING OF DEATH •“10.128.131.108” is the IP address of the victim
•“-t” means the data packets should be sent until the program is stopped
•“-l” specifies the data load to be sent to the victim
You will get results similar to the ones shown below
ping 10.128.131.108 –t |65500

If you want to see the effects of the attack on the target computer,
you can open the task manager and view the network activities.
•Right click on the taskbar
•Select start task manager
•Click on the network tab
•You will get results similar to the following Source: https://www.guru99.com/ultimate-guide-to-dos-attacks.html
 Smurf Attack
▪ A Smurf attack is another DoS attack that uses ICMP. In this, a request is sent to a
network broadcast address with the target as the spoofed source. When hosts
receive the echo request, they send an echo reply back to the target. sending
multiple Smurf attacks directed at a single target in a distributed fashion might
succeed in crashing it.

▪ A smurf attack is historically one of the oldest techniques to perform a Distributed

Denial of Service (DDoS) amplification attack. This attack consists of sending a
series of ICMP echo requests, with a spoofed source IP address to the network
broadcast address. When this echo request is broadcast, all hosts on the LAN
should simultaneously reply to the target for each spoofed request received. This
technique is less effective against modern systems, as most will not reply to IP-
directed broadcast traffic.
 Smurf Attack Contd.

• In this attack, Spoofed IP packets containing ICMP Echo-Request with a source

address equal to that of the attacked system and a broadcast destination address are
sent to the intermediate network.

• Sending a ICMP Echo Request to a broadcast address triggers all hosts included in
the network to respond with an ICMP response packet, thus creating a large mass
of packets which are routed to the victim's spoofed address.
 Hacking Activity: Launch a DoS attack
Nemesy is used to generate data packets and flood the target computer, router or server.

• Download Nemesy from http://packetstormsecurity.com/files/25599/nemesy13.zip.html

• Unzip it and run the program Nemesy.exe
• You will get the interface, Enter the target IP address, set “0” as the infinite number of packets.
The size field specifies the data bytes to be sent and the delay specifies the time interval in
milliseconds.
The following are some of the tools that can be used to perform DoS attacks.
▪ Nemesy– this tool can be used to generate random packets. It works on windows. This tool can be
downloaded from http://packetstormsecurity.com/files/25599/nemesy13.zip.html . Due to the
nature of the program, if you have an antivirus, it will most likely be detected as a virus.
▪ Land and LaTierra– This tool can be used for IP Spoofing and opening TCP connections.
▪ Blast–this tool can be downloaded from http://www.opencomm.co.uk/products/blast/features.php
▪ Panther- this tool can be used to flood a victim’s network with UDP packets.
▪ Botnets– these are multitudes of compromised computers on the Internet that can be used to
perform a Distributed Denial of Service (DDoS) attack.
Source: https://www.guru99.com/ultimate-guide-to-dos-attacks.html
 Low Orbit Ion Cannon (LOIC)
• The Low Orbit Ion Cannon (LOIC) is a tool commonly used to launch DoS and DDoS attacks. It
was originally developed by Praetox Technology as a network stress-testing application, but it has
since become open-source and is now mostly used with malicious intent [S2].
• It works by flooding a target server with TCP, UDP, or HTTP packets with the goal of disrupting
service[S2].
• UDP Attack: To perform the UDP attack, select the method of attack as UDP. It has port 80 as
the default option selected, but you can change this according to your need. Change the
message string or leave it as the default.
• TCP Attack: This method is similar to UDP attack. Select the type of attack as TCP to use this.
• HTTP Attack: In this attack, the tool sends HTTP requests to the target server. A web application
firewall can detect this type of attack easily.

Source[S2]: https://www.cloudflare.com/learning/ddos/ddos-attack-tools/low-orbit-ion-cannon-loic/
 How to Launch DoS Attack by using LOIC

Follow these simple steps to enact a DOS attack against a website (but do so at your
own risk).
Step 1: Run the tool.

Step 2: Enter the URL of the website in The URL field and click on Lock O.
Then, select attack method (TCP, UDP or HTTP). These options are
necessary to start the attack.

Step 3: Change other parameters per your choice or leave it to the default.
Click on the Big Button. Attack is mounted on the target.
 Firewalls
• What is a Firewall?
• A hardware device, a software package, or a combination of both
• A barrier between the Internet and an edge network (internal network)
• A mechanism to filter Incoming (ingress) and outgoing (egress) packets.
• May be hardware and/or software
• Hardware is faster but can be difficult to update
• Software is slower but easier to update

A Firewall is any device that prevents a specific types of information from

moving between the outside world (untrusted network) and the inside world
(trusted network).
The Firewall may be
• a separate computer system
• a service running on an existing router or server
• a separate network containing a number of supporting devices
 Firewalls Categorized by Processing Modes
Firewall can be categorized by processing mode, development era or structure.

There are five major processing mode categories of firewall: Packet Filtering Firewall,
Application Gateways, Circuit Gateway, MAC layer Gateways and Hybrid Firewalls.

Source: Principles and Practices of Information Security by Michael E.Whitman

 Packet Filtering Firewall Rule Conjuration
Firewall device is never accessible directly from the public network. If attacker can directly access the
firewall , they may be able to modify or delete rules and allow unwanted traffic through.

Source Address Port Destination Address Port Action

Any Any 10.10.10.1 Any Deny
Any Any 10.10.10.2 Any Deny
10.10.10.1 Any Any Any Deny
10.10.10.2 Any Any Any Deny

Source: Principles and Practices of

Information Security by Michael
E.Whitman
Thanks