
Book Review: LAN Switch Security:What Hackers Know About Your Switches, by Eric Vyncke and Christopher Paggen

January 11th, 2008
By Stephen Northcutt

I just finished reading a great book, LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke and Christopher Paggen. After reading it you will never think about layer 2 the same way again. We quickly learn that, from a security perspective, a switch is neither a mindless toaster nor an insignificant appliance. Layer 2 switch attacks include:

MAC flooding attacks exploit the switch bridging table. We also learn about the capacity of the bridging table. "Switches have a finite amount of memory. This varies from switch to switch, but essentially all switches have a limit to the maximum number of MAC addresses they can record in their ARP tables. Under normal circumstances this number is many times greater than the number of ports on the switch, and therefore is seldom a concern. Someone trying to overcome the Layer-2 issue may utilize this limitation to his advantage. By generating a large number of MAC addresses and force-feeding them to the switch, a buffer overflow type condition will be created. During this period the switch cannot keep up with maintaining an ARP table and forwarding packets correctly. Most switches will then fail back to a Layer-1 mode."[1] By Layer 1, the author means the switch behaves like shared media (an Ethernet cable): this is called a flood condition. If a switch's bridging table is rated for up to 64,000 entries, that figure is for the entire switch, not per VLAN. So one malicious user in one VLAN could use software to fill the bridging table and impact the other VLANs. Once the bridging table is full, the switch has to "flood" all traffic. This means that an attacker with a sniffer in VLAN 2 could then see all activity from VLAN 4 (or any other VLAN). There is an attack tool called macof[2] that makes filling the table easy to do.
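To make the shared-table point concrete, here is a small simulation added to this review (it is not code from the book): a toy learning switch whose bridging table is shared by all VLANs, with an optional port-security style cap on how many MACs a single port may learn. Flooding is modelled within the frame's own VLAN, the usual switch behaviour, so the damage to other VLANs shows up as VLAN 4 hosts no longer getting table entries once a VLAN 2 port has filled the table; port numbers, VLAN numbers, the table size and the MAC addresses are all constructed for the example.

```python
class Switch:
    """Toy learning switch: one bridging table shared by every VLAN."""

    def __init__(self, port_vlans, table_size, per_port_limit=None):
        self.port_vlans = port_vlans          # {port: vlan} (constructed topology)
        self.table_size = table_size          # capacity for the whole switch
        self.per_port_limit = per_port_limit  # port-security style MAC limit
        self.table = {}                       # (vlan, mac) -> port
        self.learned_on = {p: 0 for p in port_vlans}
        self.shutdown = set()                 # ports err-disabled by port security

    def learn(self, port, mac):
        key = (self.port_vlans[port], mac)
        if key in self.table:
            return
        if self.per_port_limit is not None and self.learned_on[port] >= self.per_port_limit:
            self.shutdown.add(port)           # violation: shut the offending port
            return
        if len(self.table) >= self.table_size:
            return                            # table full: nothing more is learned
        self.table[key] = port
        self.learned_on[port] += 1

    def forward(self, in_port, src, dst):
        """Return the list of egress ports for a frame entering on in_port."""
        if in_port in self.shutdown:
            return []
        self.learn(in_port, src)
        vlan = self.port_vlans[in_port]
        out = self.table.get((vlan, dst))
        if out is not None:
            return [out]
        # Unknown destination: flood to every other port in the same VLAN.
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


def demo(per_port_limit=None):
    """Port 1 (VLAN 2) sends 1000 frames with bogus source MACs, then two hosts
    in VLAN 4 (ports 3 and 4) exchange a unicast. Returns where it was sent."""
    sw = Switch({1: 2, 2: 2, 3: 4, 4: 4, 5: 4}, table_size=64,
                per_port_limit=per_port_limit)
    bcast = "ff:ff:ff:ff:ff:ff"
    for i in range(1000):                     # constructed source MAC addresses
        sw.forward(1, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), bcast)
    sw.forward(4, "aa:aa:aa:00:00:04", bcast)  # port 4 host seen after its entry aged out
    out = sw.forward(3, "aa:aa:aa:00:00:03", "aa:aa:aa:00:00:04")
    return {"egress": out, "entries": len(sw.table), "shutdown": sorted(sw.shutdown)}


if __name__ == "__main__":
    print("no port security:", demo())                  # unicast floods to ports 4 and 5
    print("limit 2 per port:", demo(per_port_limit=2))  # unicast goes only to port 4
```

With no per-port limit the table fills from a single VLAN 2 port and the VLAN 4 unicast is flooded to every VLAN 4 port; with a limit of two MACs per port the offending port is shut after its third address and the table stays small enough for VLAN 4 to keep switching normally.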

Spanning Tree Protocol "creates a spanning tree within a mesh network of connected layer-2 bridges (typically ethernet switches), and disables the links which are not part of that tree, leaving a single active path between any two network nodes. Multiple active paths between network nodes cause a bridge loop. Bridge loops create several problems. First, the MAC address table (also known as "switch forwarding table") used by the switch or bridge can fail, since the same MAC addresses (and hence the same network hosts) are seen on multiple ports. Second, a broadcast storm occurs. This is caused by broadcast packets being forwarded in an endless loop between switches. A broadcast storm can consume all available CPU resources and bandwidth."[3] A vulnerable point for STP is the Bridge Protocol Data Units (BPDUs) it exchanges. STP uses path cost to build a tree without loops (loops would break communication, as frames would go round in circles). An attack tool called Yersinia[4] can read and write BPDUs and can be used for a number of attacks against a network using STP.

Dynamic Host Configuration Protocol is probably what your desktop or laptop uses to get its IP address and MAC address. DHCP Scope Exhaustion is the state where a malicious client acquires all of the available IP addresses. At SANS conferences, the class I write and teach, Management 512, Security Leadership Essentials, uses a wireless connection so the computer security managers in the class can look things up using Google (and learn power Google search techniques) as well as bookmark references that other students mention in class. We usually use a Linksys wireless access point. Sometimes, if the hotel does not supply wireless, students sit outside of my class using our access point to surf the web. If too many students do that, and they also come and go between breaks and lunch, they can exhaust the available IP addresses. Then no more students can get onto the network. We can fix it easily by powering the access point off and on. However, this is conceptually what you see with a Scope Exhaustion attack. Tools like Yersinia[4] and The Gobbler[5] make this very easy.

Other potential attacks against layer 2 switches covered in the book include ARP, IPv6 discovery, Power over Ethernet, HSRP, more esoteric protocols, and Denial of Service.

----
Links valid as of January 10, 2008
1. http://www.giac.org/certified_professionals/practicals/gsec/0112.php
2. http://www.informit.com/articles/article.aspx?p=29750&seqNum=3&rl=1
3. http://en.wikipedia.org/wiki/Spanning_tree_protocol
4. http://linux.die.net/man/8/yersinia
5. http://www.networkpenetration.com/gobbler.html