CAM Table Overflow (MAC Flooding) Attack


A switch is a device that operates at the data link layer (layer 2) of the OSI model.

Its job is to interconnect two or more network segments, much like a network bridge, forwarding frames from one segment to another according to the destination MAC address of each frame.

Switches keep a table called the CAM table, in which they store every source MAC address they see and associate it with the port on which it was learned. This table has a fixed number of entries, and that limit can be exceeded, causing problems on the device and across the network.




The attack we discuss today exploits a hardware limitation of switches.

It consists of flooding the CAM table with fake source MAC addresses until its capacity is exceeded, so that the switch starts behaving like a hub and floods traffic out of every port.

This is done in order to capture network traffic, or even to bring down a company's network.

To stop this kind of attack we can secure the switch ports at layer 2. Below is the procedure for enabling this protection on equipment from some of the major vendors.

Cisco IOS Mitigation

switch(config-if)# switchport mode access
!Set the interface mode as access!
switch(config-if)# switchport port-security
!Enable port-security on the interface!
switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }
!Enable port security on the MAC address as H.H.H or record the first MAC address connected to the interface!
switch(config-if)# switchport port-security maximum <max_addresses>
!Set maximum number of MAC addresses on the port!
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
!Protect, Restrict or Shutdown the port. Cisco recommends the shutdown option!
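The following Python model is added here as an illustration; it is not part of the original post or of any vendor's code. It simulates a CAM table of limited capacity filling up under a burst of distinct source MACs (so that a legitimate host whose entry has aged out can no longer be relearned and its traffic is flooded), and shows how the port-security maximum and the protect/restrict/shutdown violation modes configured above bound what one port can learn. Port names, MAC addresses and the capacity of 8 entries are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    maximum: int    # as in 'switchport port-security maximum <max_addresses>'
    violation: str  # 'protect' | 'restrict' | 'shutdown'

@dataclass
class Switch:
    cam_capacity: int                               # hardware limit on CAM entries
    cam: dict = field(default_factory=dict)         # mac -> port
    policy: dict = field(default_factory=dict)      # port -> PortSecurity
    err_disabled: set = field(default_factory=set)  # ports shut down by a violation
    violations: list = field(default_factory=list)  # (port, mac) logged by restrict/shutdown

    def learn(self, port, src_mac):
        """Source-MAC learning for a frame arriving on port; returns the outcome."""
        if port in self.err_disabled:
            return "dropped:err-disabled"
        if self.cam.get(src_mac) == port:
            return "known"
        sec = self.policy.get(port)
        if sec and sum(1 for p in self.cam.values() if p == port) >= sec.maximum:
            if sec.violation == "protect":           # protect: silently drop
                return "dropped:protect"
            self.violations.append((port, src_mac))  # restrict/shutdown: drop and log
            if sec.violation == "shutdown":          # shutdown: also err-disable port
                self.err_disabled.add(port)
            return f"dropped:{sec.violation}"
        if len(self.cam) >= self.cam_capacity:
            return "cam-full"                        # table exhausted, not learned
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        return self.cam.get(dst_mac, "flood")        # unknown dst -> flood every port

def run_burst(secure, burst=20):
    """Constructed scenario: legit host on Gi0/2, burst of distinct source MACs on Gi0/1."""
    sw = Switch(cam_capacity=8)
    sw.learn("Gi0/2", "aaaa.bbbb.0001")  # legitimate host
    if secure:
        sw.policy["Gi0/1"] = PortSecurity(maximum=1, violation="shutdown")
    return sw, [sw.learn("Gi0/1", f"0000.0000.{i:04x}") for i in range(burst)]

def legit_host_after_aging(sw):
    """Legit entry ages out, one more flooded MAC takes the slot, legit host cannot relearn."""
    sw.cam.pop("aaaa.bbbb.0001")           # aging timer expired on the idle entry
    sw.learn("Gi0/1", "0000.0000.ffff")    # burst still running takes the free slot
    return sw.learn("Gi0/2", "aaaa.bbbb.0001"), sw.forward("aaaa.bbbb.0001")
```

With the port unsecured the burst exhausts the table and the legitimate host's frames end up flooded out of every port; with `maximum 1` and `violation shutdown` the second unknown MAC err-disables Gi0/1 and the rest of the table is untouched.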

CatOS Mitigation

Console> (enable) set port security mod/port enable
!Enables port security or unicast flood!
Console> (enable) set port security mod/port <mac_address>
!Secures MAC address of the enabled port!
Console> (enable) set port security mod/port maximum <max_addresses>
!Maximum number of MAC addresses to secure on the port; valid values are from 1 to 1025!
Console> (enable) set port security mod/port violation { shutdown | restrict }
!Action to be taken in the event of a security violation!
Console> (enable) set port security mod/port age <age>
!Duration for which addresses on the port will be secured; valid values are 0 (to disable) and from 1 to 1440 (minutes)!
Console> (enable) set port security mod/port shutdown <shutdown_time>
!Sets the amount of time to shutdown the port for!

!NOTE: mod/port = Number of the module and the port on the module!

Juniper Mitigation

root@switch# set interface { <interface> | all } mac-limit <limit> action { none | drop | log | shutdown }
# Set the maximum number of MAC addresses allowed to connect to the interface
root@switch# set interface { <interface> | all } allowed-mac <mac_address>
# Set the allowed MAC address(es) allowed to connect to the interface

HP Mitigation

(config)# port security
!Enters the port security configuration mode!
(config-port-security)# enable
!Globally enables port security!
(config-port-security)# age <age>
!Sets the age out timer of the secure MAC address. <age> = number of minutes!
(config-port-security)# autosave <mins>
!Automatically saves the secure MAC addresses to the startup-config file every <mins> minutes!
!
(config)# int <interface>
!Enters the interface configuration mode!
(config-if-<interface>)# port security
!Enters port security configuration mode on interface!
(config-if-port-security-<interface>)# enable
!Enables port security on interface!
(config-if-port-security-<interface>)# maximum <max>
!Sets the maximum number of secure MAC addresses for the interface!
(config-if-port-security-<interface>)# age <age>
!Sets the age out timer of the secure MAC address associated with interface. <age> = number of minutes!
(config-if-port-security-<interface>)# secure <mac_address>
!Manually specifies secure MAC address authorised by the switch port!
(config-if-port-security-<interface>)# violation { restrict | shutdown <time> }
!If violation occurs: restrict = drops packets from violating address, shutdown = shutdown the port for <time> minutes!

Netgear Mitigation

(Config)# interface <interface>
!Enter the interface configuration mode for <interface>!
(Interface <interface>)# port-security
!Enables port-security on the interface!
(Interface <interface>)# port-security max-dynamic <maxvalue>
!Sets the maximum of dynamically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security max-static <maxvalue>
!Sets the maximum number of statically locked MAC addresses allowed on a specific port!
(Interface <interface>)# port-security mac-address <vid> <mac-address>
!Adds a MAC address to the list of statically locked MAC addresses. <vid> = VLAN ID!
(Interface <interface>)# port-security mac-address move
!Converts dynamically locked MAC addresses to statically locked addresses!
(Interface <interface>)# snmp-server enable traps violation
!Enables the sending of new violation traps designating when a packet with a disallowed MAC address is received on a locked port!


Many thanks to:

Some references:

Regards,
Israel Muñoz Ruiz