What technique can overwhelm the content addressable memory tables on layer 2 switches

Arraya Insights | December 20, 2016

Effective cybersecurity requires a team of systems to pull together, and just like with any team, this one is only as strong as its weakest link. In many networks, that weakest link is Layer 2 of the OSI model, aka the data link layer. Since the different layers in OSI work independently of each other, if one layer is compromised, it can affect others without them ever knowing something has gone wrong. Considering that impact, Layer 2 is certainly worthy of some extra attention.

The thing is, many organizations already have features in place to mitigate some of the more common attacks levied at Layer 2. These features come standard on certain Cisco switches; they just need to be turned on. Despite that, we still see organizations falling victim to these attacks.

Why? In some cases, organizations simply may not know about the features. Others may have overestimated the time and effort required to activate them.

Securing Layer 2 against common attack types

In truth, there’s no reason to overlook these features. The risk to businesses is far too great. Let’s take you through four common Layer 2 attacks and outline what a business can do to stay safe.

MAC Attacks

Anatomy of an Attack: During a MAC attack, a switch’s Content Addressable Memory (CAM) table is targeted. These tables store data such as the MAC addresses available on a port and their associated VLAN parameters. CAM tables have a fixed size, meaning they can only house so much information. Attackers attempt to exploit this during a MAC attack by flooding the CAM with random source MAC and IP addresses. Once the CAM table on a switch reaches its limit, traffic floods out to adjacent switches, filling their CAM tables as well and continuing to overload the network.

Countermeasures: Admins can use switch port security limits to restrict the number of MAC addresses on an interface. This allows them to set a cap on the number of MAC addresses a port can learn. That cap is up to the admin, provided it won’t overflow the CAM table. Timers can be placed on how long a MAC address will remain bound to a port. If a port comes across a MAC address that falls outside of its accepted parameters, it will ignore it. The port will then lock itself down and send out an alert about the malicious traffic.
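As an added example (not configuration from the original post), here is the Cisco IOS port-security setup the paragraph describes, applied to a hypothetical user-facing access port GigabitEthernet1/0/10 on VLAN 10. The interface name, VLAN number, MAC cap, timer values and syslog host are assumptions; adjust them to the switch in question.

```cisco
! Added example: port security on one access port (hypothetical names/values)
! Port security only applies to static access ports, so fix the mode first.
interface GigabitEthernet1/0/10
 description User-facing access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Cap on learned MAC addresses (here 2: one workstation plus one IP phone).
 switchport port-security maximum 2
 ! Timer: a learned MAC is unbound after 5 minutes without traffic.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! A MAC beyond the cap is a violation: err-disable the port and log it.
 switchport port-security violation shutdown
!
! Let an err-disabled port recover on its own after 5 minutes so that a
! single violation does not need a site visit to clear.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Deliver the violation as a syslog message and an SNMP trap (the alert).
logging host 192.0.2.10
snmp-server enable traps port-security
!
! Verification on the live switch:
!   show port-security interface GigabitEthernet1/0/10
!   show port-security address
!   show errdisable recovery
```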

VLAN Hopping

Anatomy of an Attack: A VLAN Hopping attack takes place in instances where there are multiple VLANs going over one trunk port. The attack itself can occur in one of two ways. The first involves an end station acting as a switch and as a member of multiple VLANs, rather than a single VLAN like a typical access port. This gives it access to all data crossing the VLANs. In the second type, called a Double 802.1Q Encapsulation attack, a second and fraudulent tag is placed on a packet, identifying it as destined for a VLAN other than the one it was meant to be on. This allows it to monitor and interact with the traffic on that second VLAN as well as the one it’s supposed to be on.

Countermeasures: There are a number of countermeasures that can be taken at the switch level to prevent the attacks that fall under the designation of VLAN Hopping. For example, admins could require the use of a dedicated VLAN ID for all trunk ports. They could also disable unused ports and house them in an unused VLAN. Disabling auto-trunking on user-facing ports – turning DTP off – can also help.
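As an added example (not configuration from the original post), the three VLAN Hopping countermeasures above expressed as Cisco IOS configuration: a dedicated native VLAN on the trunk, DTP turned off on every port, and unused ports parked in a dead-end VLAN. The port numbers and VLAN IDs (10, 20, 30 for users, 999 native, 998 parking) are assumptions.

```cisco
! Added example: VLAN hopping countermeasures (hypothetical ports/VLANs)
!
! 1. Dedicated native VLAN on every trunk. VLAN 999 carries no user traffic,
!    so a frame with a forged outer tag has no user VLAN to "fall into".
!    Tagging the native VLAN as well removes the double-tag trick entirely.
vlan dot1q tag native
!
interface GigabitEthernet1/0/24
 description Uplink trunk to distribution switch
 ! Omit the encapsulation line on platforms that only speak 802.1Q.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! DTP off: a neighbour cannot negotiate trunking with this port.
 switchport nonegotiate
!
! 2. User-facing ports: static access, never auto-trunking.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! 3. Unused ports: parked in an unused VLAN and shut down.
vlan 998
 name UNUSED-PARKING
!
interface range GigabitEthernet1/0/21 - 23
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! Verification on the live switch:
!   show interfaces trunk                       (native VLAN and allowed list)
!   show dtp interface GigabitEthernet1/0/1     (should report access mode, DTP off)
```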

DHCP Attacks

Anatomy of an Attack: DHCP attacks are a version of a man-in-the-middle attack in which a server is set up to act as an intermediary between a client and a DHCP server. This intermediary could be a legitimate server that simply has yet to be approved, or it could be a rogue server set up by malicious outsiders to intercept sensitive data. In order to keep the ruse going for as long as possible, the rogue server would pass data along to its intended destination after intercepting it.

Countermeasures: Stopping DHCP attacks involving a rogue man-in-the-middle server requires an approach known as “DHCP snooping.” This feature separates DHCP traffic into two groups: trusted and untrusted sources. Trusted sources are located behind your firewall and include things like your own switches, routers, and servers. Untrusted sources are located outside of that firewall and can include things such as unknown DHCP servers or anything else that could be used by cybercriminals to launch an attack. Requests from untrusted sources are filtered out, and that information is stored in a database. Should a request come in from that source again, DHCP snooping will know exactly how to handle it.

Spoofing Attacks

Anatomy of an Attack: Spoofing attacks are just what they sound like: attackers try to act like something they’re not in order to carry out their malicious activities. Spoofing attacks are commonly directed at either MAC addresses or IP addresses. Cybercriminals target MACs with a spoofing attack in order to gain network access or to take over the identity of someone already on the network. Meanwhile, IP-targeting spoofing attacks can be used to launch a flood of fraudulent traffic at a switch in an effort to overwhelm it and take it offline.

Countermeasures: The method for defending against attempts at MAC or IP spoofing is called IP Source Guard. This feature can be activated to monitor for both MAC and IP spoofing, or for one or the other. For IP spoofing, Source Guard uses information contained within the DHCP snooping database to quickly identify known threats, so that feature must already be turned on for this to work. For MAC spoofing, Source Guard must have access to an Option 82-enabled DHCP server, one that router configurations have been altered to support. Once activated, this feature can sniff out IP/MAC spoofing attacks.
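As an added example (not configuration from the original post) covering both the DHCP snooping countermeasure and the IP Source Guard countermeasure above, since the second depends on the first: DHCP snooping is enabled for the user VLANs with the uplink as the only trusted port, Option 82 insertion is turned on, and IP Source Guard with the port-security keyword checks both source IP and source MAC on an access port. The VLAN IDs, port numbers, file name, MAC address and 192.0.2.x addresses are assumptions.

```cisco
! Added example: DHCP snooping plus IP Source Guard (hypothetical values)
!
! --- DHCP snooping (countermeasure for rogue DHCP servers) ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82: the switch inserts relay-agent information into client
! requests; the DHCP server must accept it for the MAC check further down.
ip dhcp snooping information option
! Persist the binding database so it survives a reload.
ip dhcp snooping database flash:dhcp-snooping.db
!
! Trusted: only the uplink towards the real DHCP server. Server replies
! (OFFER/ACK) that arrive on any other port are dropped.
interface GigabitEthernet1/0/24
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! Untrusted (the default): user ports. Also rate-limit request floods.
interface range GigabitEthernet1/0/1 - 20
 ip dhcp snooping limit rate 15
!
! --- IP Source Guard (countermeasure for IP and MAC spoofing) ---
! Each inbound packet's source IP (and, with the port-security keyword,
! its source MAC) is checked against the snooping binding for this port.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! A host on that port with a static IP has no DHCP binding, so add one
! by hand; otherwise Source Guard drops all of its traffic.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/10
!
! Verification on the live switch:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
```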

Gain a partner in the fight against cyber crime

Want to learn more about these attacks or others which target Layer 2? Arraya’s Network and Security team stands ready to help. Our engineers have decades of experience building, supporting, and securing networks for businesses in all industries. They can walk you through these attacks in more detail and help you gain access to the features and tools you need to ensure your business’ data stays safe.

Start a conversation today by visiting: http://www.arrayasolutions.com/contact-us/. Our team can also be reached through social media: Twitter, LinkedIn, and Facebook. While you’re there, click the Follow button so you can stay in the loop with all of our latest blogs, special events, and industry insights.

Tags: catalyst, Cisco, connectivity, Cyber-Security, data security, information technology security, IT Security, layer 2, Networking, switches, VLAN