In this modern era, organizations greatly rely on computer networks to share

Download 2,47 Mb.

Pdf ko'rish

bet	19/28
Sana	15.03.2023
Hajmi	2,47 Mb.
	#919247

1 ... 15 16 17 18 19 20 21 22 ... 28

Bog'liq
Network Security

Intrusion Detection System

Static ARP
− One of the recommended action is to employ static ARP entries
in the host ARP table. Static ARP entries are permanent entries in an ARP
cache. However, this method is impractical. Also, it does not allow the use of
some Dynamic Host Configuration Protocol (DHCP) as static IP needs to be
used for all host in the layer 2 network.

Intrusion Detection System
− The method of defense is to utilize Intrusion
Detection System (IDS) configured to detect high amounts of ARP traffic.
However, IDS is prone to reporting false positives.

Dynamic ARP Inspection
− This method of preventing ARP spoofing is similar
to DHCP snooping. It uses trusted and untrusted ports. ARP replies are
allowed into the switch interface only on trusted ports. If an ARP reply comes
to the switch on an untrusted port, the contents of the ARP reply packet is
compared to the DHCP binding table to verify its accuracy. If the ARP reply is
not valid, the ARP reply is dropped, and the port is disabled.
Securing Spanning Tree Protocol
Spanning Tree Protocol (STP) is a layer 2 link management protocol. The main
purpose of STP is to ensure that there are no data flow loops when network has
redundant paths. Generally, redundant paths are built to provide reliability to the
network. But they can form deadly loops which can lead to DoS attack in the network.
Spanning Tree Protocol
In order to provide desired path redundancy, as well as to avoid a loop condition, STP
defines a tree that spans all the switches in a network. STP forces certain redundant
data links into a blocked state and keeps other links in a forwarding state.
If a link in the forwarding state breaks down, STP reconfigures the network and
redefines data paths by activating appropriate standby path. STP runs on bridges and
switches deployed in the network. All the switches exchange information for root
switch selection and for subsequent configuration of the network. Bridge Protocol
Data Units (BPDUs) carry this information. Through exchange of BPDUs, all the
switches in the network elect a root bridge/switch that becomes the focal point in the
network and controls the blocked and forwarded links.

Attacks on STP

Taking Over the Root Bridge. It is one of the most disruptive type of attack at
layer 2. By default, a LAN switch takes any BPDU sent from neighboring switch
at face value. Incidentally, STP is trustful, stateless, and does not provide any
sound authentication mechanism.

Once in root attack mode, the attacking switch sends a BPDU every 2 sec with
the same priority as the current root bridge, but with a slightly numerically lower
MAC address, which ensures its victory in the root-bridge election process.
The attacker switch can launch DoS attack either by not properly
acknowledging other switches causing BPDU flooding or by subjecting
switches to over-process BPDUS by claiming to be root at one time and
retracting in quick succession.

DoS using Flood of Configuration BPDU. The attacking switch does not attempt
to take over as root. Instead, it generates large number of BPDUs per second
leading to very high CPU utilization on the switches.
Preventing Attacks on STP
Fortunately, the countermeasure to a root takeover attack is simple and
straightforward. Two features help in defeating a root takeover attack.


Download 2,47 Mb.

Do'stlaringiz bilan baham:

1 ... 15 16 17 18 19 20 21 22 ... 28